Penetration test: How secure is your WordPress website really?


From the Daily Pentest Business

A penetration test uncovered security gaps on a WordPress site, but none of them lay in WordPress itself. We show how secure a WordPress website really can be.


What is a penetration test?

Basics of a pen test

Penetration tests, or pen tests, are simulated cyberattacks carried out by security experts to find vulnerabilities in IT systems. These tests help to identify and eliminate security risks before real attackers can exploit them.


The start of the test

Discovery of the .bash_history file

Our test began with a discovery on the client's WordPress site: the .bash_history file was reachable over the web. This normally hidden file stores the shell command history and should never have been accessible. Its presence was the first indication of a security vulnerability.


Analysis of the finding and a look into the backup

The information in the command history enabled us to download a backup file. It contained not only all of the website's data, but also sensitive information such as e-mail accounts.


Cracking the encrypted password

Access to the e-mail account

By cracking the encrypted password stored in the database, we gained access to an important e-mail account. This account was used not only for WordPress notifications, but also for other critical company services, such as the ticket system.


Extending access

Access to other company services

With these credentials, we were able to sign in to the customer's Microsoft 365 account. This gave us insight into the sent e-mails in the mailbox, notifications containing ticket system updates, MS Teams channels and SharePoint folders.


Security in everyday terms

A penetration test is comparable to testing whether the doors and windows of a house are securely locked to keep burglars out. This is how we prevent digital "break-ins" into your IT infrastructure.


Security recommendations and best practices

Protective measures for your IT security

  • File protection: Sensitive files such as .bash_history must be protected from web access.
  • Backup security: Store backups securely and password-protected, never inside the web root.
  • E-mail management: Consider whether sent e-mails need to be kept at all, and delete them regularly.
  • Dedicated e-mail accounts: Use separate accounts for different services and applications.
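A small check for the first two recommendations, added here as an example and not part of the original post: it walks a WordPress document root and lists dotfiles (such as .bash_history) and backup archives or database dumps that would be served to anyone who guesses their name. The path and the file patterns are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for files that
# should never be reachable through the web server.

# List every file below the document root ($1) that is either a dotfile, sits
# inside a hidden directory, or looks like a backup/database dump.
# .htaccess and the .well-known directory are expected on a WordPress host and
# are excluded. Paths are printed relative to the document root.
find_exposed_files() {
    docroot="$1"
    ( cd "$docroot" && find . -type f \
        \( -path '*/.*' \
           -o -name '*.sql' -o -name '*.sql.gz' \
           -o -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' \
           -o -name '*.bak' -o -name '*.old' \) \
        ! -name '.htaccess' ! -path '*/.well-known/*' \
        | sort )
}

# Number of findings, so a cron job or deployment check can fail on a
# non-zero result. Uses awk rather than grep -c so an empty list yields 0
# without a non-zero exit status.
count_exposed_files() {
    find_exposed_files "$1" | awk 'END { print NR }'
}

# Stand-alone usage: ./check.sh /var/www/html  (path is an assumption)
if [ -n "$1" ]; then
    find_exposed_files "$1"
    echo "exposed files: $(count_exposed_files "$1")"
fi
```

Pair the check with a web server rule that denies dotfiles and archives outright, so a file that slips through is still not served.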


Are you ready to review the security of your systems? Contact us for a professional assessment and improve your security measures. Let's secure your digital future together.


Curious to find out more? Contact us now!