Penetration test: How secure is your WordPress website really?
From the Daily Pentest Business
A penetration test uncovered security gaps in a WordPress site, but the gaps themselves were not specific to WordPress. We show how secure a WordPress website really is.
What is a penetration test?
Basics of a pen test
Penetration tests, or pen tests, are simulated cyberattacks carried out by security experts to find vulnerabilities in IT systems. These tests help to identify and eliminate security risks before real attackers can exploit them.
The start of the test
Discovery of the .bash_history file
Our test began with a discovery on the client's WordPress site, where we came across the .bash_history file. This file, which is normally hidden, stores the shell command history and should never have been accessible over the web. Its presence indicated a security vulnerability.
Analysis of the find and insight into the backup
The information revealed by the command history enabled us to download a backup file. This contained not only all of the website's data, but also sensitive information such as email accounts.
Cracking the encrypted password
Access to the e-mail account
By cracking the password stored in the database, we were able to gain access to an important email account. This account was used not only for WordPress notifications, but also for other critical company services such as the ticket system.
Extension of access
Access to other company services
With these credentials, we were able to sign in to the customer's Microsoft 365 account, which gave us insight into the sent e-mails in the mailbox, notifications containing the contents of ticket system updates, the MS Teams channel and the SharePoint folder.
Security in everyday life
A penetration test is comparable to testing whether the doors and windows of a house are securely locked to keep burglars out. This is how we prevent digital "break-ins" into your IT infrastructure.
Security recommendations and best practices
Protective measures for your IT security
File protection: Sensitive files such as .bash_history must be kept out of the web root and protected from web access.
Backup security: Store backups outside the web root, securely and password-protected.
Email management: Consider whether sent emails need to be retained at all, and delete them regularly.
Dedicated e-mail accounts: Use separate accounts for different services and applications.
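A local check a WordPress administrator can run against the document root to catch exactly the kind of exposure described above (shell history, backups, config copies), added here as an example that is not part of the original post or of any tool it mentions; the file-name lists and the sample web root it builds are constructed assumptions:

```python
import os
import tempfile

# File names and suffixes that must never be reachable under a web root.
# Constructed for this example; extend them for your own deployment.
SENSITIVE_NAMES = {".bash_history", ".env", ".htpasswd", ".git", ".svn",
                   "wp-config.php.bak", "wp-config.php~"}
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".sql.gz", ".zip",
                   ".tar", ".tar.gz", ".tgz")
# Dotfiles that legitimately live in a web root (Apache refuses .htaccess).
ALLOWED_DOTNAMES = {".htaccess", ".well-known"}

def classify(name):
    """Return a reason if the entry name looks sensitive, otherwise None."""
    if name in SENSITIVE_NAMES:
        return "credential, history or repository data"
    if name.startswith(".") and name not in ALLOWED_DOTNAMES:
        return "hidden file"
    if name.lower().endswith(BACKUP_SUFFIXES):
        return "backup or archive"
    return None

def audit_webroot(webroot):
    """Walk a web root and list entries a web server should never serve."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for entry in list(dirnames) + filenames:
            reason = classify(entry)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, entry), webroot)
                findings.append((rel, reason))
        # Do not descend into flagged directories; one finding is enough.
        dirnames[:] = [d for d in dirnames if classify(d) is None]
    return sorted(findings)

def build_sample_webroot():
    """Create a constructed web root that mirrors the situation in the post."""
    root = tempfile.mkdtemp(prefix="wproot-")
    sample = {"index.php": "<?php // front controller\n",
              ".htaccess": "RewriteEngine On\n",
              ".bash_history": "mysqldump -u wp -p wpdb > backup/site.sql\n",
              "backup/site-backup.tar.gz": "", "wp-config.php.bak": ""}
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root
```

Anything the audit reports should be moved outside the document root, and the web server should additionally refuse such paths (for nginx, a rule like `location ~ /\. { deny all; }` blocks all dotfiles).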
Are you ready to review the security of your systems? Contact us for a professional assessment and improve your security measures. Let's secure your digital future together.