Apply what you learn (for SSHd) to WordPress

Date: May 14, 2021 → May 18, 2021
Status: Completed

Learning Points (Why do these?)

  • The student has experienced one specific type of attack surface, related to server-management interfaces, but cloud services are more than just an exposed SSHd port.
  • A VPS with SSHd and a CMS like WordPress represents a typical small system, with the full set of means by which attacks can be delivered, a.k.a. the attack surface. If the machine only has one SSH service, it is unlikely to be that useful or realistic. So, for completeness, this also introduces you to Application Security, or AppSec.
  • Forcing a CMS or simple web portal to be used through a VPN like ZeroTier will not make sense from a usability perspective, but does that mean everyone should be able to access the WordPress admin page? If not, how (find implementation guides) can that be avoided?

What are the problems?

From https://ithemes.com/wordpress-security-issues/ we know WP has its issues. From the list of issues stated in that article, propose how having a ZeroTier VPN would improve things in terms of security and effort.
For example, the site lists (1) Weak Passwords: what would one configure, besides the plug-in, to mitigate it? Do that for the top 5 WP security issues listed.
You may also state that a VPN may not be applicable for certain risks/issues and explain why.

How to deal with them?

Brute Force Attacks

WordPress brute force attacks refer to the trial-and-error method of entering multiple username and password combinations over and over until a successful combination is discovered. The following are ways to mitigate brute-force attacks:
  • Limit admin login access to IP addresses using ZeroTier
  • Change the default login URL
  • Password-protect the WordPress admin directory
  • Limit login attempts
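The first mitigation above (limiting admin login to ZeroTier addresses) as an added PHP example; this is not code from the page or from WordPress itself. It is a must-use plugin that compares the client address with the ZeroTier range. The range 10.147.17.0/24, the function names and the placement in wp-content/mu-plugins/ are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict WP admin to the ZeroTier network (added example)
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 */

// Assumed ZeroTier managed route; replace with the range shown in ZeroTier Central.
const ZT_ADMIN_CIDR = '10.147.17.0/24';

/**
 * Return true when an IPv4 address falls inside a CIDR block.
 * Deliberately IPv4-only: anything that is not valid IPv4 fails closed.
 */
function zt_ip_in_cidr( string $ip, string $cidr ): bool {
    [ $subnet, $bits ] = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false;
    }
    $mask = -1 << ( 32 - (int) $bits ); // e.g. /24 -> ...FFFFFF00
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Block the request unless it arrived over the ZeroTier interface.
 * Only REMOTE_ADDR is trusted: X-Forwarded-For is client-controlled and must
 * not be used unless a trusted reverse proxy overwrites it.
 */
function zt_deny_admin_outside_vpn(): void {
    // admin-ajax.php also fires admin_init and serves public-facing features,
    // so it is deliberately left reachable.
    if ( function_exists( 'wp_doing_ajax' ) && wp_doing_ajax() ) {
        return;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( ! zt_ip_in_cidr( $ip, ZT_ADMIN_CIDR ) ) {
        // A plain 403 keeps the response cheap; wp_die() sets the status code.
        wp_die( 'Admin access is only available over the VPN.', 'Forbidden', [ 'response' => 403 ] );
    }
}

// wp-login.php fires login_init; the dashboard fires admin_init.
add_action( 'login_init', 'zt_deny_admin_outside_vpn' );
add_action( 'admin_init', 'zt_deny_admin_outside_vpn' );
```

Test it from a ZeroTier member and from the public internet before relying on it, and keep an SSH path over ZeroTier so a wrong CIDR cannot lock you out of the dashboard.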

File Inclusion Exploits

File inclusion exploits occur when vulnerable code is used to load remote files that allow attackers to gain access to your website. This attack is possible because some scripts allow “include” or “require” statements to load untrusted paths. There are two types of exploits:
  • Local File Inclusion
  • Remote File Inclusion
The following are ways to mitigate file inclusion attacks:
  • Validation & sanitization of user input
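The validation mitigation above as an added PHP example (not code from the page or from any real theme): a theme partial loader that takes the partial name from the query string, shown first in its vulnerable form and then hardened with an allow-list. The partial names, directory and function names are assumptions.

```php
<?php
// VULNERABLE: the visitor controls the path. Traversal sequences (../) in $page
// escape the partials directory (local file inclusion) and, if allow_url_include
// is on, a URL is fetched and executed (remote file inclusion).
function render_partial_vulnerable( string $page ): void {
    include __DIR__ . '/partials/' . $page . '.php';
}

// HARDENED: the request may only choose a key from a fixed allow-list, so the
// filesystem path never contains user input at all.
const PARTIAL_ALLOWLIST = [
    'about'   => 'about.php',
    'contact' => 'contact.php',
    'team'    => 'team.php',
];

function resolve_partial( string $page ): ?string {
    // Strict key lookup: no normalisation, no prefix matching, no fallbacks.
    if ( ! array_key_exists( $page, PARTIAL_ALLOWLIST ) ) {
        return null;
    }
    return __DIR__ . '/partials/' . PARTIAL_ALLOWLIST[ $page ];
}

function render_partial_hardened( string $page ): void {
    $path = resolve_partial( $page );
    if ( null === $path || ! is_file( $path ) ) {
        status_header( 404 ); // WordPress helper; plain header() outside WP
        echo 'Not found';
        return;
    }
    include $path;
}

// Call site. sanitize_text_field() is WordPress's generic input cleaner, but it
// is the allow-list, not the sanitizer, that prevents inclusion of arbitrary files.
render_partial_hardened( sanitize_text_field( $_GET['page'] ?? 'about' ) );
```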

Is a VPN able to mitigate this issue?

No, I do not think that a VPN is able to mitigate file inclusion attacks, as it is unable to control the injection/manipulation of code. One could limit website access, but every user would need to be in the VPN. This is not a scalable approach, as too many users connected to the VPN will increase server load, which leads to slow connections.

SQL Injections

A WordPress website uses a MySQL database to operate. SQL injections occur when an attacker gains access to your WordPress database and to all of your website data.
With an SQL injection, an attacker may be able to create a new admin-level user account, which can then be used to log in and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites.
The following are ways to mitigate SQL injections:
  • Validation & sanitization of user input
  • Change the database table prefix
  • Edit the .htaccess file

Is a VPN able to mitigate this issue?

For similar reasons to file inclusion exploits, I do not think that a VPN is able to mitigate SQL injections, as it is unable to control the use of malicious SQL statements. One could limit database access, but every user would need to be in the VPN.

Cross-Site Scripting (XSS)

Cross-site scripting is when an attacker is able to execute malicious script code in the website visitor's browser. The basic mechanism of cross-site scripting works like this: an attacker finds a way to get a victim to load web pages containing insecure JavaScript. These scripts load without the knowledge of the visitor and are then used to steal data from their browser. An example of a cross-site scripting attack would be a hijacked form that appears to reside on your website; if a user inputs data into that form, that data would be stolen.
There are three types of XSS:
  • Reflected (non-persistent) - The carrier of the attack vector is the current client HTTP request. The server returns a response containing the attack vector. In essence, the server reflects the attack.
  • Stored (persistent) - The attack vector is located on the server side.
  • DOM-based XSS (Document Object Model) - The attack vector is on the client side. Exploitation is possible primarily due to flaws in data processing inside JavaScript code.
The following are ways to mitigate cross-site scripting:
  • Validation and sanitization of user input
  • Escape output data
  • Install the Prevent XSS Vulnerability plugin
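The input-validation and output-escaping mitigations from both the SQL injection and the XSS sections above, as one added PHP example (not code from the page or from any real plugin): a plugin search handler that takes a visitor-supplied term, queries the posts table and prints results, first in its vulnerable form and then hardened with $wpdb->prepare() and WordPress's esc_* functions. The function names and the LIMIT of 20 are assumptions.

```php
<?php
// VULNERABLE: the term is concatenated into SQL (injection) and echoed back
// unescaped (reflected XSS).
function search_posts_vulnerable( string $term ): void {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%$term%'"
    );
    echo "<h2>Results for $term</h2>";
    foreach ( $rows as $row ) {
        echo "<a href='?p=$row->ID'>$row->post_title</a><br>";
    }
}

// HARDENED: values reach SQL only through $wpdb->prepare() placeholders, every
// value is escaped for the HTML context it lands in, and the table name comes
// from $wpdb so a changed table prefix (the page's second mitigation) still works.
function search_posts_hardened( string $term ): void {
    global $wpdb;
    $term = sanitize_text_field( $term );          // strips tags and control characters
    $like = '%' . $wpdb->esc_like( $term ) . '%';  // escapes LIKE wildcards % and _
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s LIMIT %d",
            $like,
            20
        )
    );
    echo '<h2>Results for ' . esc_html( $term ) . '</h2>';           // text node
    foreach ( $rows as $row ) {
        $url = get_permalink( (int) $row->ID );
        echo '<a href="' . esc_url( $url ) . '">'                     // URL attribute
            . esc_html( $row->post_title )                            // text node
            . '</a><br>';
    }
}

// Call site: the raw query-string value never touches SQL or HTML directly.
search_posts_hardened( (string) ( $_GET['s'] ?? '' ) );
```

Stored titles are escaped on output as well, because the hardened path must not assume that whatever an editor or an earlier plugin saved is safe HTML.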

Is a VPN able to mitigate this issue?

For similar reasons to SQL injections, I do not think that a VPN is able to mitigate XSS, as it is unable to control the execution of malicious scripts. One could limit website access, but every user would need to be in the VPN.

Malware

Malware, short for malicious software, is code that is used to gain unauthorized access to a website to gather sensitive data. Common forms found on WordPress sites:
  • Backdoors
  • Drive-by downloads
  • Pharma hacks
  • Malicious redirects
The following are ways to mitigate malware on the website:
  • Restrict admin access using the VPN, i.e. whitelisted addresses, plus 2FA
  • Disable PHP execution in upload directories
*Solutions to mitigate brute-force attacks can be applied here as well.

References

The intention of making you go through this is to let you appreciate some key differences between application and infrastructure security. The latter is what you went through with the SSH limiting: it is largely for system administration and need not be exposed to the public. Application security, on the other hand, is harder to make clear-cut; at best, WP-Admin should be shut out from the general public.