WPScan Glossary

WPScan documentation includes many technical terms and phrases that many people might not be familiar with. If you get stuck, the following definitions can help.

Basic: Cross‑Site Request Forgery is a type of cyber attack that tricks a website into thinking that you asked for something to happen. It can be used to steal information or do things without your permission.

Advanced: Cross‑Site Request Forgery (CSRF) is an attack technique that exploits the trust between a web application and its users in order to execute unwanted actions on behalf of an authenticated user. CSRF attacks usually involve malicious actors using malicious code, such as HTML code or JavaScript, to construct a malicious request that is then sent through the victim’s browser. This request contains data that can be used by the attacker to perform some action on behalf of the user – such as making changes to their account settings or making purchases from their account.

The fundamental concept behind a CSRF attack is that the victim unknowingly submits a malicious request to the vulnerable web application, which in turn interprets it as a legitimate one from an authenticated user. As the browser does not send credentials for authentication with each HTTP request, this type of attack takes advantage of this trust relationship between the web application and its users. This means that attackers have access to sensitive information without having to authenticate themselves, allowing them to bypass authentication protocols and steps.

In order for attackers to successfully launch a CSRF attack they must first identify vulnerabilities within the target website – such as weak input validation – which they can exploit in order to modify requests made by unwitting victims. Attackers typically use social engineering methods like phishing emails and malicious links in order to deceive victims into submitting these forged requests.

As CSRF attacks are based on tricking web applications into executing unauthorized actions without any knowledge of the user, they can result in serious damages when used against e‑commerce websites or other online services where users store sensitive information such as credit card numbers or personal data.

Basic: Authentication bypass attempts are when someone tries to get into a system without using the right password or other login information.

Advanced: Authentication bypass attempts are malicious attacks against a system in which an attacker attempts to gain access to restricted information or resources by circumventing the authentication process. This type of attack is often directed at systems that rely on usernames and passwords for authentication, as attackers will attempt to guess or exploit known vulnerabilities in the system to gain access. Authentication bypass attempts may also be used to gain access to network systems, computer databases, or application programs.

Authentication bypass attacks can involve a variety of techniques, such as exploiting weak passwords, guessing credentials, using brute force attacks to guess passwords, using social engineering tactics such as phishing or pretexting, using privilege escalation techniques such as exploiting known vulnerabilities in software and hardware devices, or trying default account logins. These attacks can have serious consequences if successful: confidential data can be stolen from corporate systems and individuals’ personal information can also be exposed if authentication is not properly secured. As such, organizations must take steps to ensure their authentication processes are secure by implementing strong password policies and ensuring any known vulnerabilities are patched quickly. Additionally, organizations should monitor their networks for signs of unauthorized access attempts so they can take immediate action when necessary.

Basic: Cross‑Site Scripting is when someone adds bad code to a website so that it does something it is not supposed to do.

Advanced: Cross‑Site Scripting (XSS) is a form of computer security vulnerability that enables malicious attackers to inject code into web applications. It typically involves injecting malicious JavaScript, HTML or other types of client‑side code into webpages viewed by victims, allowing the attacker to execute malicious activities such as harvesting sensitive data from users or redirecting victims to malicious websites. XSS attacks can also be used to hijack user sessions and assume control of user accounts. XSS attacks are most commonly found in online forums and comments sections, but they can also be present in other areas such as contact forms, login pages, search boxes and more. The goal of the attack is generally to gain access to confidential information stored on the website such as credit card numbers, passwords or other personal data. In order to protect against XSS attacks, developers should use input sanitization techniques when receiving user input and make sure to encode any special characters that may be included in user input prior to displaying it on a webpage. Additionally, it is important for developers to maintain an up‑to‑date version of their web application framework that includes the latest security patches and updates.

Basic: Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.

Advanced: Path Traversal, also known as directory traversal and sometimes referred to as ‘dot dot slash’, is a type of vulnerability that allows attackers to access restricted directories on a computer system or network. It exploits an application’s failure to properly sanitize user‑supplied input and can be used to gain unauthorized access to sensitive data or files such as system configurations, source code, databases, passwords, and other sensitive information. Path Traversal attacks are typically done by inserting “../” into web addresses or other user‑supplied parameters in order to traverse back out of the current folder/directory structure.

For example, if an application were vulnerable to Path Traversal it could allow an attacker to bypass restrictions by entering a URL such as http://www.example.com/restrictedfolder/../index.html which would result in the unrestricted index page being served instead of the restricted folder contents. To prevent this type of attack from occurring, developers must make sure their applications properly sanitize all user‑supplied inputs using strict validation routines that prevent users from passing unanticipated strings such as “../” in any input they supply.
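The check described above, as an added example (not code from the WPScan page): a small Python resolver that maps a requested URL path onto an assumed document root of /var/www/html, percent-decodes before normalizing so that encoded and double-encoded “../” variants are caught as well as the plain form the text shows, and refuses any request that would resolve outside the root. The names WEBROOT, safe_resolve and naive_resolve are this example’s own.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for this example (not a value from the page).
WEBROOT = "/var/www/html"


def decode_request_path(raw: str) -> str:
    """Percent-decode a URL path before normalizing it.

    Decoding is repeated (bounded) so that both %2e%2e%2f and the
    double-encoded %252e%252e%252f forms become a literal '../'.
    Backslashes are folded to '/' so a 'dir\\..\\file' form is not missed.
    """
    current = raw
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def normalized_request_path(raw: str) -> str:
    """Collapse '.' and '..' segments: /restrictedfolder/../index.html -> /index.html.

    Access-control decisions must be made on this value; a prefix check on
    the raw string would still see '/restrictedfolder/' at the front.
    """
    path = decode_request_path(raw)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def naive_resolve(raw: str) -> str:
    """'Before' version: plain concatenation, so '../' segments survive."""
    return WEBROOT + "/" + decode_request_path(raw).lstrip("/")


def safe_resolve(raw: str):
    """Return the filesystem path to serve, or None if the request escapes WEBROOT."""
    relative = decode_request_path(raw).lstrip("/")
    full = posixpath.normpath(posixpath.join(WEBROOT, relative))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests, including the page's own example URL path.
    for req in ("/restrictedfolder/../index.html",
                "/wp-content/uploads/2024/photo.jpg",
                "/../../../etc/passwd",
                "/images/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req:45} naive={naive_resolve(req)}  safe={safe_resolve(req)}")
```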

Basic: Hardening is a process of strengthening the security of a computer system or network to protect it from malicious activities.

Advanced: Hardening is a process that strengthens the security of a computer system or network. This involves installing and configuring security measures to protect against potential attacks as well as testing the system to ensure its secure configuration. Hardening can include physical security, such as locked doors and fences around the building or server room, or it can focus on digital protection such as firewall rules, antivirus software, and patch management. Hardening also requires updating operating systems, disabling unnecessary services, applying protocol passwords for authentication, and using encryption methods for sensitive data. Hardening is an ongoing effort that must continuously be monitored and updated to keep up with ever‑changing threats from cyber criminals. A successful hardening strategy should take into account all angles of attack—from physical access control to application layer defense—and provide comprehensive protection from both external and internal threats.

Basic: ModSecurity rules are instructions that help keep websites safe from people who want to cause trouble.

Advanced: ModSecurity rules are security rules designed to protect web applications and websites from malicious attacks. These rules provide an additional layer of protection in addition to the traditional firewall and antivirus software. ModSecurity rules use a combination of specialized filtering, attack detection, and blocking techniques to help protect websites from common web application attacks such as cross‑site scripting (XSS) and SQL injection. These rules can be used both on the server‑side of a website or at the network level.

At the server‑side, ModSecurity rules analyze incoming requests and responses for malicious content, blocking requests that it identifies as dangerous. The rule sets also have features that allow administrators to customize them to suit their particular needs. For example, they may specify which HTTP methods are allowed on a particular page or what type of content is permitted. This can help prevent attackers from exploiting commonly used web application vulnerabilities such as remote file inclusion flaws or directory traversal issues.

At the network level, ModSecurity rules can be used to detect suspicious traffic patterns and block requests associated with malicious activity. They also provide an additional layer of defense against distributed denial‑of‑service (DDoS) attacks by monitoring communication between a web server and its clients for suspicious behavior. By doing so, ModSecurity can detect attempted DDoS attacks before they succeed in causing significant disruption or damage to the system.

Overall, ModSecurity’s ability to analyze both incoming requests and outgoing responses makes it an effective tool for protecting web servers from malicious activity. The rule sets included with the product are highly flexible and customizable, allowing administrators to tailor them to their specific security needs. Furthermore, ModSecurity helps secure websites against known attack vectors and helps defend against unknown threats by detecting suspicious behavior at either the server level or the network level.

Basic: Malware attacks are when someone tries to damage a computer by sending it a virus.

Advanced: Malware attacks are malicious cyber‑attacks that utilize malicious software, also known as malware, to compromise the security and privacy of a system or network. Malware is a broad category of malicious software including viruses, spyware, ransomware, trojans, worms, and other types of malicious programs designed to damage or gain unauthorized access to a system. Malware can be spread through email attachments, websites offering downloads, peer‑to‑peer file sharing networks, and more. Once downloaded on the user’s device or computer, malware can be used to steal the user’s sensitive data and login credentials; track their online activity; modify files; launch denial of service (DoS) attacks against servers; encrypt data and hold it for ransom; hijack web browsers or entire computer systems; mine cryptocurrencies without user consent; install additional malware payloads on the victim’s device; allow remote access to an infected machine; and perform many other malicious activities.

To protect against these threats, users should always use strong passwords for all their accounts and regularly update them. They should also regularly scan their devices with up‑to‑date anti‑malware software as well as keep their operating system and apps updated with the latest security patches. Additionally, they should avoid downloading files from untrustworthy sources such as email attachments from unknown senders or websites offering free music or movie downloads.

Basic: A backdoor is a way for someone to get into your computer without using the normal security. It is like a secret window or door that only certain people know about.

Advanced: Backdoors are a type of malicious software (malware) that allows an attacker to gain unauthorized access to a computer system or network. They are typically used by cybercriminals to secretly steal data, install malware, or even sabotage the system. Backdoors can be installed in a variety of ways, including through email phishing scams, malicious websites, vulnerable software, and unsecured Wi‑Fi networks. Once a backdoor is installed on a system, it can remain undetected for long periods of time and enable unauthorized access from any location.

Backdoors generally consist of two components: one for the attacker and one for the target machine. The attacker’s component is typically disguised as legitimate software that provides remote access capabilities to the target machine. This type of backdoor often has built‑in security measures to prevent discovery by anti‑malware tools and other security measures. The target machine’s component is used to transmit data back and forth between the attacker’s machine and the target machine without triggering an alert from any security measures in place.

In some cases, backdoors may also be hardcoded into computers or other digital devices during their production process or after they have been shipped out. These types of backdoors are difficult to detect because they are built into the device’s hardware or firmware rather than being installed as software by an attacker. By exploiting these types of backdoors, attackers can gain persistent access to systems without needing credentials or other authentication mechanisms as they would with more traditional methods such as phishing scams.

Basic: SEO (Search Engine Optimization) Spam is when someone puts words or phrases on a website that are not related to the topic of the website in order to get more people to visit their website.

Advanced: SEO spam, also known as spamdexing, is an unethical practice used by unscrupulous webmasters to manipulate search engine rankings. It involves using various methods to artificially boost their website’s ranking in search results. This includes submitting multiple versions of the same page with different keywords, stuffing pages with irrelevant keywords, and adding large numbers of unrelated backlinks. These tactics are intended to fool search engines into ranking a page higher than it should be, thus gaining more visibility and traffic to the website. SEO spam can have a detrimental effect on users since it provides bogus information and can lead them away from quality content. It can also damage a website’s reputation in the long run. To prevent this type of manipulation, search engines employ sophisticated algorithms that are designed to detect such practices and filter out pages that engage in SEO spamming.

Basic: Fuzzy rules are instructions that computers use to keep things secure. They help a computer decide when it is safe to do certain things.

Advanced: Fuzzy Rules in computer security are a form of advanced artificial intelligence that can be used to detect potential threats. They use fuzzy logic, which is a type of mathematical system that allows for the expression of distinct truth values that are not necessarily true or false. This technology can analyze large amounts of data and identify patterns in the data that may indicate malicious activity. For example, if a certain pattern of network traffic occurs at regular intervals, then it can be analyzed to determine whether there is an attack occurring or not.

The goal of fuzzy rules is to provide better accuracy than standard rule‑based systems when detecting potential threats. By utilizing fuzzy logic, they can take into account multiple factors at once, such as the frequency of certain activities or the size of file transfers. This allows for more accurate threat detection as it takes into consideration things like changing circumstances and user behavior instead of simply relying on static rules.

Fuzzy rules also have the advantage over traditional algorithms in that they can learn from their mistakes and evolve over time based on new data inputted into them. This means they become increasingly accurate and efficient as they gain more experience and knowledge about specific types of threats and environments. This level of adaptability makes them powerful tools for protecting against cyber attacks over time and across different networks.

Basic: A botnet is a group of computers that are connected together on the internet. They are controlled by one person, who can use them to do things like send spam and attack websites.

Advanced: Botnets are networks of internet‑connected devices that have been infected with malicious software and can be controlled remotely by cyber criminals. The malware responsible for creating and controlling a botnet is known as a bot. Botnets are most commonly used to launch large‑scale distributed denial‑of‑service (DDoS) attacks, in which the network of compromised machines floods a targeted system or website with traffic, overwhelming it and rendering it unavailable to legitimate users. Botnets can also be used to send out spam emails, spread malware, steal data, mine cryptocurrency, and more. The devices in a botnet can range from computers to smartphones to IoT devices such as webcams or routers.

Most often, bots infect vulnerable systems by exploiting known security flaws or by tricking users into installing the malicious code (e.g., via phishing campaigns). Once inside a device, the malware will establish communication channels with its command‑and‑control (C&C) servers and wait for instructions from its operators. The C&C server then issues commands that direct the bots to perform certain tasks.

Botnets pose serious security threats because they allow attackers to remain anonymous while launching powerful attacks on their targets. Furthermore, since many botnets use peer-to-peer or decentralized architectures, they are difficult to detect and disrupt—making them even more attractive tools for cybercriminals.

Basic: SQL Injection is when a person tries to get into your computer without permission. They do this by entering things that they should not be allowed to enter. This can be dangerous and can steal your information.

Advanced: SQL Injection is a type of web attack that takes advantage of vulnerabilities in how an application builds Structured Query Language (SQL) statements in order to extract sensitive data from databases. It’s a malicious code injection technique used to attack applications and websites. The malicious code takes advantage of insecure SQL statements, such as those used for authentication and authorization functions, to gain access to confidential data within a database. When done successfully, it can result in the application executing arbitrary commands in a database server, as well as allowing attackers to view, modify, or delete information in the database.

An attacker can use this type of attack by submitting crafted input with malicious SQL commands into an application or website field which uses SQL queries. This will cause the application or website to execute unintended commands on the backend database server and further allow an attacker to gain access to sensitive information such as passwords, credit card numbers and other personal credentials.

To prevent SQL injection attacks, developers should ensure that all user input is properly sanitized before being passed into an application’s query logic. This means that any potentially dangerous input should be filtered out or escaped so no malicious code can be injected into the statement. Other methods include using parameterized queries which can help protect against this type of attack by separating user input from command logic and preventing malicious data from passing through. Lastly, implementing security measures such as regular vulnerability scans can also help detect any gaps which may be vulnerable to attack.

Basic: User name enumeration is a process whereby attackers try to guess the usernames of valid accounts by systematically trying different combinations of usernames.

Advanced: Enumeration is a brute force attack where hackers use automated tools to cycle through a list of possible usernames and passwords in an attempt to access accounts. WordPress is susceptible to this kind of attack because it exposes usernames in various locations, such as author archives and comment sections, making them an easy target.

Once a hacker has obtained a list of usernames, they can use them in password‑guessing attacks, which may lead to the compromise of sensitive information. The attacker can launch several types of attacks, such as password spraying and dictionary attacks, techniques that try combinations of passwords and usernames until a match is found. The results of these attacks can be devastating, ranging from data breaches to financial losses.

Preventing WordPress user enumeration is essential for keeping your website secure. There are several ways to do this. One way is to limit the number of login attempts by using plugins that block user access after several unsuccessful login attempts. Another way is to change the default WordPress usernames, which can be accomplished by creating custom usernames that are difficult to guess.

Other ways to prevent WordPress user enumeration include limiting the visibility of usernames by disabling author archives or login rewards, removing usernames from comment sections, and using two‑factor authentication to prevent unauthorized access.

Basic: Media file enumeration is the process of identifying and collecting media files from a WordPress site, thus seeing what an outsider might have access to.

Advanced: Media file enumeration is the process of systematically identifying and documenting the various types of media files stored on a computer or network. This involves categorizing the files according to their type, such as audio, video, text, image, etc. It can also involve capturing details about the file’s size and location. Additionally, it may include cataloging information about any metadata associated with the file such as its artist/creator name, title, year of creation, license type, etc. Media file enumeration is important for storage management purposes since it can help identify duplicate or obsolete files that can be safely deleted from a system in order to reduce clutter and save space. Additionally, it can help to detect malicious files that have been obtained by unauthorized users which could represent a security risk if left unmonitored.

Basic: TimThumb is a simple, flexible, PHP script that resizes images. The TimThumb script is problematic though, in that it has experienced several security exploits over the years.

Advanced: WordPress core has a better solution for thumbnails built in. Different image sizes are created when images are uploaded, and WordPress uses the Featured Image for each post to determine which image to use as a thumbnail. It’s best not to use TimThumb and instead to use the features native to WordPress. That said, there might be some legacy sites with TimThumb files where WPScan can be useful.

Basic: A backed‑up wp-config.php file is a copy of the original, essential configuration file for WordPress.

Advanced: A backed‑up wp-config.php file is a copy of the original file that is stored in a backup folder on the server or locally. A backup file can contain sensitive information, such as database credentials, that can be used to access the site’s database by third‑party attackers. It is essential to store backup files in a secure location on the server that only authorized personnel have access to, and periodically delete old backup files that are no longer required.

A publicly accessible wp-config.php file is a file that can be downloaded by anyone from the internet. This can occur in situations where a misconfigured server is allowing directory listing or a developer has mistakenly left the file in a public directory. If an attacker can access your wp-config.php file, they can potentially obtain the database credentials and gain unauthorized access to your WordPress site.

How can you protect your wp-config.php file?

To protect your wp-config.php file, you need to take the necessary measures to secure it and prevent any unauthorized access. Here are some best practices to follow:

  1. Keep your WordPress site updated to the latest version regularly.
  2. Use secure passwords for your database users and WordPress site login credentials.
  3. Check the permissions of the wp-config.php file, and ensure that only the necessary users can access it.
  4. Back up your wp-config.php file regularly and store it in a secure location with limited access.
  5. Check your server configuration settings and make sure the directory listing is disabled.

Basic: There are many tools and WordPress plugins that allow you to create a backup of your database and export it to a file. Sometimes these backup files can end up in publicly accessible locations and with predictable names, such as backup.sql, database.sql, example.com.sql, and so on.

Advanced: WordPress comes with a default database that stores all of the website’s data, including user credentials, plugin configuration, and much more. If there is a data breach or the database is accidentally exposed to the open internet, all of the website’s data may be publicly accessible.

What are the security risks with WordPress database backup file dumps?

As mentioned above, if these database backup file exports are left in a publicly accessible directory on the webserver with a predictable file name, then they could easily be accessed by an attacker. All the attacker has to do is guess the correct backup file name and its directory to download the file.

Database backup files usually contain the entire contents of the WordPress database. This could include hashed user passwords, private blog posts, the URLs of sensitive media, sensitive customer data, payment details, and so on.

If an attacker can access a backup of your WordPress database, it could result in your website being entirely compromised, or your users seeking litigation due to privacy laws such as the European General Data Protection Regulation (GDPR).

Back in 2018, Ryan Dewhurst, a WPScan founder, did some security research to assess the risk of database backup files being exported to publicly accessible locations. During his research he identified 736 publicly accessible database backup files within the Alexa Top 1 Million websites, and that 39% of the affected websites were running WordPress.

Types of issues:

1. Misconfigured Database Credentials:

The most common way a database dump may become publicly available is when the database credentials are misconfigured. This often happens when a developer sets up a new WordPress site and forgets to update the credentials, leaving the default database username and password. Hackers can use automated bots to scan the internet for sites with misconfigured database credentials, and once they find a site, they can dump the database and exfiltrate sensitive information.

2. Server Configuration Issues:

Sometimes server configuration issues may also lead to publicly accessible database dumps. For example, the server may be set up in such a way that it exposes the database without any authentication. In other cases, the server may have vulnerable software running, which a hacker can use to gain access to the database.

3. Unsecured Cloud Storage:

WordPress sites are increasingly moving to the cloud. While cloud storage is generally secure, if not configured correctly, it may expose website data to the public. Cloud storage providers, such as Amazon S3 or Microsoft Azure, provide access controls to prevent unauthorized access to data. However, developers can sometimes configure cloud storage containers with weak access controls or without access controls at all, leaving the database vulnerable.

4. Intentionally Public Database:

In some cases, a WordPress site owner may intentionally make the database publicly available, for example, to make it easier for developers to test new features or to enable public access to site data. However, without proper access controls and security measures, the publicly available database is a treasure trove for hackers.

5. Third‑party Plugins and Themes:

Lastly, third‑party plugins or themes can also expose the database to the public. Poorly coded plugins or themes can introduce security vulnerabilities, including unsecured database connections, that a hacker can exploit to gain access to the database.

How to check for publicly accessible backup files

WPScan WordPress Security Scanner

Our WPScan command line interface WordPress security scanner can enumerate backup files from an attacker’s outside perspective, as shown below.

The command to run to enumerate database backup export files is:

wpscan --url http://example.com/ -e be

Basic: The wp-cron.php file is responsible for scheduled events in a WordPress website. When a request is made, WordPress will generate an additional request from it to the wp-cron.php file. By generating a large number of requests to the website, it is therefore possible to make the site perform a DoS attack on itself.

Advanced: It is possible to run a DDoS attack against wp-cron.php since it will return a 200 code when executed.

There are usually three ways to run it: WordPress’s built-in automatic trigger, which fires wp-cron.php from ordinary page requests; turning that built-in trigger off and calling wp-cron.php via an HTTP request instead; or running it from a system cron job / WP‑CLI.

In these cases, it is worth reporting that wp-cron.php is publicly accessible when it returns a 200 status code, or noting that it is protected when it returns a 403 or similar.


Basic: Full Path Disclosure (FPD) is a type of vulnerability in which sensitive system information is revealed by the Web server. This can include information such as the full path of the application, directory structure, and other file system details.

Advanced: By exploiting this vulnerability, an attacker can view the full file system structure and potentially gain access to critical files, such as configuration files containing passwords or other sensitive data. This type of attack is particularly dangerous because it does not require any authentication, meaning anyone with access to the website can exploit it. Furthermore, there are also techniques attackers can use to hide their activities.

The main cause of WordPress Full Path Disclosure is insecure coding practices. If a developer uses hard‑coded paths in their code or does not properly sanitize user input before passing it into functions that generate paths, then an attacker may be able to craft a malicious URL that will display information about the web server’s directory structure. Additionally, if PHP’s display_errors configuration option is enabled on the web server, then attackers will be able to see error messages that contain detailed information about the location of files on the web server and their contents.

To protect against Full Path Disclosure attacks in WordPress, developers should always use relative paths when including resources from other locations (such as images) and use proper input validation and sanitization when handling user input. Additionally, organizations should disable PHP error messages in production environments by setting ‘display_errors’ off in their php.ini file or using .htaccess configurations. Finally, regular security scans should be performed on all websites to detect any potential vulnerabilities that could lead to Full Path Disclosure attacks or other types of security incidents.

Basic: When WordPress developers are working on coding a theme or plugin, it is often useful for them to log important data to a file, such as error messages, so that they can view and fix any problems. If these are public, the site is vulnerable.

Advanced: In WordPress, the debug log file is created with a known file name, debug.log, and usually stored in the publicly accessible /wp-content/ directory.

To enable debug logging in WordPress, the developer has to set the following constants in the wp-config.php file:

define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );

These constants should not be enabled when the WordPress website is live in a production environment as they will expose sensitive data to attackers.

What are the security risks with WordPress debug log files?

As mentioned above, debug log files are left in a publicly accessible directory on the web server with a predictable file name and can easily be accessed by an attacker. All the attacker has to do is guess the correct debug log file name and its directory to download the file, which is easy, as it is usually /wp-content/debug.log.

Debug log files can contain all sorts of juicy information that could aid an attacker. This could include server‑side directory paths, server errors, usernames, and in extreme cases, plaintext passwords.

Debug log files are so often left exposed that many can be found on Google when using the correct keywords.

WPScan WordPress Security Scanner

Our WPScan command-line interface WordPress security scanner can detect debug log files from an attacker’s outside perspective.

WPScan will check whether the /wp-content/debug.log file exists by default, for example with the following command:

wpscan --url http://example.com/
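WPScan works from the outside; the complementary on-host check, as an added example that is not WPScan’s own code, is a Python audit of a WordPress document root covering the three exposures this glossary describes: backed‑up copies of wp-config.php (and a world‑readable live wp-config.php), database dumps with predictable names, and a debug.log left in wp-content together with the WP_DEBUG_LOG define that creates it. The suffix shortlist and the sample file listing are constructed for the example.

```python
import re
import stat
import sys
from pathlib import Path

# Constructed shortlist of dump suffixes; WPScan's own wordlist is not used here.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".sql.bz2", ".sql.zip", ".sql.tar.gz")

# Matches the define shown in the text: define( 'WP_DEBUG_LOG', true );
# A path value instead of true (a custom log location) is deliberately not matched.
DEBUG_LOG_ON = re.compile(r"define\(\s*['\"]WP_DEBUG_LOG['\"]\s*,\s*true\s*\)", re.I)


def is_config_backup(name: str) -> bool:
    """True for wp-config.php.bak, wp-config.php~, .wp-config.php.swp, wp-config.old ...
    but not for the live file or the wp-config-sample.php that WordPress ships."""
    if name in ("wp-config.php", "wp-config-sample.php"):
        return False
    return name.startswith("wp-config.") or "wp-config.php" in name


def audit_entries(entries, config_text=""):
    """Classify a file listing.

    entries: iterable of (path relative to the webroot, st_mode, size in bytes)
    config_text: contents of the live wp-config.php, if available
    Returns sorted (finding, path, detail) tuples.
    """
    findings = []
    for rel, mode, size in entries:
        name = rel.rsplit("/", 1)[-1]
        if rel == "wp-config.php":
            perms = stat.S_IMODE(mode)
            if perms & (stat.S_IROTH | stat.S_IWOTH):
                findings.append(("config-world-readable", rel, f"mode {perms:04o}"))
        elif name == "wp-config.php" or is_config_backup(name):
            # A copy of the live config anywhere but the webroot is a backup too.
            findings.append(("config-backup", rel, f"{size} bytes"))
        elif name.lower().endswith(DUMP_SUFFIXES):
            findings.append(("database-dump", rel, f"{size} bytes"))
        elif name == "debug.log":
            findings.append(("debug-log", rel, f"{size} bytes"))
    if DEBUG_LOG_ON.search(config_text):
        findings.append(("debug-logging-enabled", "wp-config.php", "WP_DEBUG_LOG is true"))
    return sorted(findings)


def audit_webroot(webroot):
    """Walk a real document root and feed the listing to audit_entries."""
    root = Path(webroot)
    entries = []
    for path in root.rglob("*"):
        if path.is_file():
            st = path.stat()
            entries.append((path.relative_to(root).as_posix(), st.st_mode, st.st_size))
    config = root / "wp-config.php"
    text = config.read_text(errors="replace") if config.is_file() else ""
    return audit_entries(entries, text)


# Constructed sample listing (not a real site) so the audit can run offline.
SAMPLE_ENTRIES = [
    ("wp-config.php", 0o100644, 3021),
    ("wp-config.php.bak", 0o100644, 3021),
    ("wp-config-sample.php", 0o100644, 2916),
    ("backups/example.com.sql", 0o100644, 48210),
    ("wp-content/debug.log", 0o100644, 1207),
    ("wp-content/uploads/2024/photo.jpg", 0o100644, 81324),
]
SAMPLE_CONFIG = "define( 'WP_DEBUG', true );\ndefine( 'WP_DEBUG_LOG', true );\n"

if __name__ == "__main__":
    # With a path argument, audit that document root; otherwise use the sample listing.
    if len(sys.argv) > 1:
        results = audit_webroot(sys.argv[1])
    else:
        results = audit_entries(SAMPLE_ENTRIES, SAMPLE_CONFIG)
    for kind, path, detail in results:
        print(f"{kind:24} {path}  ({detail})")
```

Anything this reports under the webroot is reachable by URL unless the web server blocks it, so each finding should be moved out of the document root or denied in the server configuration rather than just renamed.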
