Penetration test: How secure is your WordPress website really?
From the Daily Pentest Business
A penetration test uncovers security gaps in a WordPress site, but the security gaps are not directly related to WordPress. We show how secure a WordPress website can really be.
What is a penetration test?
Basics of a Pen Test
Penetration tests, or pen tests, are simulated cyberattacks conducted by security experts to find vulnerabilities in IT systems. These tests help identify and mitigate security risks before real attackers can exploit them.
The start of the test
Discovery of the .bash_history file
Our test began with a discovery on the client's WordPress site, where we came across the .bash_history file. This file, which is normally hidden, stores the shell command history and should never have been reachable through the web server. Its presence indicated a security vulnerability.
Analysis of the discovery & insight into the backup
The information found in the command history allowed us to download a backup file. This not only contained all the website's data but also sensitive information like email credentials.
Cracking the encrypted password
Access to the email account
By decrypting the password stored in the database, we were able to gain access to an important email account. This account was used not only for WordPress notifications but also for other critical business services like the ticketing system.
Expanding access
Access to additional business services
With these credentials, we were able to access the customer's Microsoft 365 account, which gave us access to the sent emails in the mailbox, notifications containing the content of ticket system updates, MS Teams channels, and SharePoint folders.
Security in everyday comparison
A penetration test is comparable to checking whether the doors and windows of a house are securely locked to deter burglars. In the same way, we help prevent digital "break-ins" into your IT infrastructure.
Security recommendations and best practices
Protective measures for your IT security
File Protection: Sensitive files such as .bash_history must not be accessible through the web server.
Backup Security: Store backups in a secure location and protect them with a password.
Email Management: Consider whether storing sent emails is necessary and delete them regularly.
Dedicated Email Accounts: Use separate accounts for different services/applications.
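The first two recommendations can be checked mechanically. The following script is an added example, not code from the original post: it walks a WordPress document root and reports files that should never be served, namely hidden files and directories such as .bash_history (with .well-known as an assumed allowed exception), copies of wp-config.php, and archives or database dumps that look like backups. The sample web root it builds in a temporary directory is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Archive and dump extensions that usually indicate a backup left in the web root
# (assumed list, extend to match your own backup naming).
BACKUP_EXT_RE = re.compile(r"\.(zip|tar|tgz|tar\.gz|sql|sql\.gz|bak|old|orig)$", re.IGNORECASE)
# Dot-directories that legitimately live under a web root (e.g. ACME challenges).
ALLOWED_DOT_DIRS = {".well-known"}

def classify(rel_path):
    """Return a reason string if rel_path (POSIX, relative to the web root) is sensitive, else None."""
    parts = rel_path.split("/")
    # Any hidden component (.bash_history, .env, .git/config, .ssh/id_rsa) except allowed dot-dirs.
    for part in parts:
        if part.startswith(".") and part not in ALLOWED_DOT_DIRS:
            return "hidden file or directory"
    name = parts[-1]
    # wp-config.php itself is executed by PHP; copies such as wp-config.php.bak are served raw.
    if name.startswith("wp-config.php") and name != "wp-config.php":
        return "wp-config.php copy"
    if BACKUP_EXT_RE.search(name):
        return "backup archive or database dump"
    return None

def audit_webroot(root):
    """Walk root and return {relative_path: reason} for every file that must not be web-accessible."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):  # pathlib globbing also descends into dot-directories
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            reason = classify(rel)
            if reason:
                findings[rel] = reason
    return findings

def demo():
    """Build a constructed sample web root in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in [".bash_history", "wp-config.php", "wp-config.php.bak", "index.php",
                    "wp-content/uploads/site-backup.tar.gz",
                    ".well-known/acme-challenge/token", ".git/config"]:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample content\n")
        return audit_webroot(root)

if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{reason:34} {rel}")
```

Run it against the real document root (for example `audit_webroot("/var/www/html")`) after each deployment or backup job; an empty result means nothing matching these rules is sitting where the web server could hand it out.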
Are you ready to assess the security of your systems? Contact us for a professional evaluation and improve your security measures. Let's secure your digital future together.