- Students have experienced a specific type of attack surface related to server management interfaces, but cloud services are more than just an exposed SSHd port.
- A VPS with SSHd and a CMS like WordPress represents a typical small system with the sum of means to deliver attacks, aka the attack surface. If the machine only has one SSH service, it is unlikely to be that useful or realistic. So, for completeness, you also get introduced to Application Security, or AppSec.
- Forcing a CMS or simple web portal to be used over a VPN like ZeroTier will not make sense from a usability perspective, but does that mean everyone should be able to access the WordPress admin page? If not, then how (find implementation guides) do you avoid that?
From https://ithemes.com/wordpress-security-issues/ , we know WP has its issues. From the list of issues stated in that article, propose how having a ZeroTier VPN would improve things in terms of security and effort.
For example, the site lists (1) Weak Passwords: what would one configure, besides the plug-in, to mitigate it? Do that for the top 5 WP security issues listed.
You may also state that a VPN may not be applicable for certain risks/issues and explain why.
WordPress brute force attacks refer to the trial-and-error method of entering multiple username and password combinations over and over until a successful combination is discovered. The following are ways to mitigate brute-force attacks:
- Limit admin login access to IP addresses using ZeroTier
- Change the default login URL
- Password-protect the WordPress admin directory
- Limit login attempts
File inclusion exploits occur when vulnerable code is used to load remote files that allow attackers to gain access to your website. This attack is possible because some scripts allow “include” or “require” statements. There are two types of exploits:
- Local File Inclusion
- Remote File Inclusion
The following are ways to mitigate file inclusion attacks:
- Validation & sanitization of user input
No, I do not think that VPN is able to mitigate file inclusion attacks as it is unable to control the injection/manipulation of code. One could limit website access, but every user would need to be in the VPN. This is not a scalable approach, as too many users connected to the VPN will increase server load, which leads to slow connections.
A WordPress website uses a MySQL database to operate. SQL injections occur when an attacker gains access to your WordPress database and to all of your website data.
With an SQL injection, an attacker may be able to create a new admin-level user account, which can then be used to log in and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites.
The following are ways to mitigate SQL injections:
- Validation & sanitization of user input
For similar reasons to file inclusion exploits, I do not think that VPN is able to mitigate SQL injections as it is unable to control the use of malicious SQL statements. One could limit database access, but every user would need to be in the VPN.
Three types of XSS:
- Reflected (non-persistent) - The carrier of the attack vector is the current client HTTP request. The server returns a response containing the attack vector. In essence, the server reflects the attack.
- Stored (persistent) - The attack vector is located on the server side.
The following are ways to mitigate cross-site scripting:
- Validation and sanitization of user input
For similar reasons to SQL injections, I do not think that VPN is able to mitigate XSS as it is unable to control the execution of malicious scripts. One could limit website access, but every user would need to be in the VPN.
Malware, short for malicious software, is code that is used to gain unauthorized access to a website to gather sensitive data.
The four most common WordPress malware infections are:
- Backdoors
- Drive-by downloads
- Pharma hacks
- Malicious redirects
The following are ways to mitigate malware on the website:
- Restrict admin access using a VPN, i.e. whitelisted addresses, and 2FA
*Solutions to mitigate brute-force attacks can be applied here as well.
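The "limit admin login access to IP addresses using ZeroTier" mitigation listed for brute force, which the malware section reuses as whitelisted admin access, can be enforced at the web server before WordPress runs. This is an added example, not from the article or the WordPress project; it assumes nginx with PHP-FPM on Debian/Ubuntu, a ZeroTier managed route of 10.147.17.0/24 and a placeholder hostname.

```nginx
# Added example: WordPress admin surface reachable only from the ZeroTier subnet.
# Assumed values: ZeroTier route 10.147.17.0/24, PHP-FPM socket and
# snippets/fastcgi-php.conf as shipped by Debian/Ubuntu nginx packages.
server {
    listen 80;
    server_name example.com;            # placeholder hostname
    root /var/www/wordpress;
    index index.php;

    # Public site content: anyone may read posts and pages.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Login form: ZeroTier members and localhost only. Everyone else gets
    # a 403 from nginx, so password guessing never reaches WordPress's
    # authentication code (this complements, not replaces, login-attempt limits).
    location = /wp-login.php {
        allow 10.147.17.0/24;           # assumed ZeroTier managed route
        allow 127.0.0.1;
        deny all;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # admin-ajax.php is used by front-end features of many themes/plugins,
    # so it stays public; an exact match takes precedence over the prefix rule.
    location = /wp-admin/admin-ajax.php {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # The whole dashboard tree (PHP, scripts, styles) is VPN-only.
    # allow/deny are inherited by the nested PHP location.
    location ^~ /wp-admin/ {
        allow 10.147.17.0/24;
        allow 127.0.0.1;
        deny all;
        try_files $uri $uri/ /index.php?$args;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # Remaining PHP (front-end index.php and similar).
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

If the VPS sits behind a reverse proxy or CDN, nginx sees the proxy's address rather than the client's, so the allow list must be evaluated against the real client IP (e.g. via the realip module) or the rule silently admits everyone. Verify with `curl -I http://example.com/wp-login.php` from outside the ZeroTier network (expect 403) and from a member (expect 200).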
The intention of making you go through this is to let you appreciate some key differences between App vs Infra security. The latter is what you went through with the SSH limiting: it is largely for system administration and need not be exposed to the public. App security, on the other hand, is harder to make clear-cut; at the very least, WP-Admin should be shut out from the general public.