When testing the security of PHP/WordPress sites, I am usually first interested in the environment where the site runs and the structure of the application. To simplify the initial audit, I wrote a mini PHP file browser for myself in 2014 (I put it on GitHub in 2016). Since then, there have been only a few …
13 extra things we do for better WordPress Security
Looking beyond basic tips, here are 13 extra measures based on years of experience to fortify your WordPress security.
WordPress Builders: journey from phpinfo() to RCE
In the context of the recent surge in attention towards a critical Remote Code Execution (RCE) flaw in Brick Builder, I want to shed light on a less-known issue I discovered and reported two years ago. This flaw, which has been quietly addressed in versions around 1.6, affects not only Brick Builder but also other …
Hello, Unauthenticated RCE here! What to do?
Last week we witnessed a critical vulnerability in the WordPress visual builder Bricks: https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6. In this article I will describe how the attack happened, add a bit of theory for those who are not so tech-savvy, add procedures for cleaning up the site and tips for preventing future attacks. What happened? Due to the severity …
WordPress installer attack race
"The Famous WordPress 5-Minute Install" was great. Unfortunately, today it can cause serious security problems. The typical scenario is to upload the core files to your host, open the installer, and it is done in a few minutes. During these few minutes, your installer is publicly available to everyone. If the attacker is speedy enough, he …
WordCamp EU – Q&A
https://www.slideshare.net/vsmitka/wordpress-through-the-bad-guys-glasses How do I know that my PHP or Apache version is vulnerable? You can find vulnerabilities for the particular version on CVE Details. You should use the latest versions of server components, currently: Apache 2.4.39 (major version 2.2 is out of support now), Nginx 1.16 (stable) or 1.17 (mainline), PHP 7.3.6 or 7.2.19. Also …
Global scan – exposed .git repos
At the beginning of July 2018, I decided to do some research on Czech websites to find out how many are not properly configured and allow access to the .git folder of the version control repository. There were many of these sites in my database from previous security scans and I was curious about the current state.
Enhance your CentOS security for $1 a month with autoupdates
How to enable security autoupdates properly on CentOS and why most tutorials are wrong.
Python & Ruby webserver config – the great misunderstanding
Two months ago I ran a huge global scan for unintentionally exposed .git repositories. I was surprised to find many Python and Ruby applications with this issue. The total number wasn't very high (around two thousand), but when I normalized it according to the market share of these programming languages, the situation was worse …
Open .git scan – the results
I published an article about my latest security scan aimed at exposed git repositories. The results: 230 000 000 domains checked (the list was built mainly from the Rapid 7 OpenData), 390 000 affected sites found, 100 000 alerts sent. Most of the affected sites use PHP. But after normalizing the numbers according to the …