
Zero Day Twig PHP template engine

Twig is a modern template engine for PHP: flexible, fast, and secure. If you have any exposure to other text-based template languages, such as Smarty, Django, or Jinja, you should feel right at home with Twig. It is both designer and developer friendly, sticking to PHP’s principles and adding functionality useful for templating environments.

ExploitDB link:

https://www.exploit-db.com/exploits/44102

Twig {latest version} is affected by Server-Side Template Injection (SSTI), leading to {{command execution}}.

Exploit:

Twig <=2.4.4 contains an SSTI vulnerability that allows attackers to execute commands through request parameters by supplying {{COMMAND TO EXECUTE}} in place of the expected value (a normal integer or string). Which parameter is affected depends on the vulnerable application, which may take its parameters via GET or POST.

1. POC:

Example: inject the expression into a search parameter:

http://localhost/search?search_key={{4*4}}

Output: 16

2. POC:

http://localhost/search?search_key={{4*4}}

http://localhost/search?search_key={{ls}}

Output: list of files/directories, etc.

See the screenshot below showing the command being executed and its results printed out. The same injection could also be {{ rm * }}, which would delete the entire application 🙂
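As an added example (not code from this post or from the Twig project), here is the application-side pattern that makes a search parameter injectable in the way described above, beside the hardened form. It assumes Twig is installed through Composer and uses a constructed search string in place of the real request parameter:

```php
<?php
// Added example, not code from the post or the Twig project.
// Shows the two ways a search parameter can reach Twig and why only
// the first one is injectable. Assumes twig/twig installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// A fixed template in which the search term is a *variable*, never template source.
$twig = new Environment(new ArrayLoader([
    'search.html.twig' => '<p>Results for: {{ search_key }}</p>',
]), ['autoescape' => 'html']);

// Constructed sample input standing in for $_GET['search_key'].
$userInput = '{{ 4*4 }}';

// VULNERABLE: the request parameter is concatenated into template source,
// so createTemplate() compiles and evaluates whatever {{ ... }} it contains.
function renderVulnerable(Environment $twig, string $input): string
{
    return $twig->createTemplate('<p>Results for: ' . $input . '</p>')->render([]);
}

// HARDENED: the parameter is only ever data passed into a fixed template;
// Twig does not parse variable values as template code, and autoescaping
// also neutralises any HTML in them.
function renderSafe(Environment $twig, string $input): string
{
    return $twig->render('search.html.twig', ['search_key' => $input]);
}

echo "vulnerable: ", renderVulnerable($twig, $userInput), PHP_EOL;
echo "hardened:   ", renderSafe($twig, $userInput), PHP_EOL;
```

With the vulnerable function the expression is evaluated and the page prints 16; with the hardened one the braces are printed literally. When reviewing an application for this class of bug, look for createTemplate(), ArrayLoader sources built at runtime, or string concatenation that feeds request data into template text: those are the sinks to fix, and fixing them does not depend on the Twig version in use.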

WordPress security

The most popular and widely used blogging platform is WordPress.

It supports websites ranging from a simple blog to a full-featured business website.

Nearly twenty-six percent of all websites globally use WordPress. As a result, hackers’ and spammers’ interest in breaking the security of WordPress-operated sites has risen.

This post will offer you some of the best WordPress security plugins that can help reduce the risk of your website being hacked. These security plugins offer several options to make your WordPress blog secure from known vulnerabilities. The list includes plugins for access control, login security, spam protection, content theft protection, backup tools, file integrity monitoring, email protection, firewalls and much more.

Here is a list of some of the top security plugins that can be used to keep your WordPress site secured:

MalCare WordPress Security Plugin

MalCare is one of the most comprehensive WordPress security plugins we have come across. It was developed from the ground up after analyzing over 240,000 websites over the last 2+ years. It uses the collective intelligence from its network of sites to keep your website protected against malware, hackers and the rest. MalCare ensures that your business is always protected and available to your visitors. Notable features include:

  • Powerful Scanner.
  • One-Click Automated Cleaner.
  • Intelligent Firewall.
  • Site Management.
  • Site Hardening.
  • White-Labeling.
  • Client Reporting.
  • Support that customers swear by.

MalCare offers a one-minute setup and a lifetime of peace of mind.


WORDFENCE

WordFence is one of the most popular WordPress security plugins. It covers login security, IP blocking, security scanning, and WordPress firewall and monitoring.

WordFence starts by checking whether the site is already infected. It does a deep server scan of the site’s source code and compares it to the official WordPress repository for core, themes and plugins.

The plugin is great for beginners and pro users alike.

You can also try the premium version of this plugin if you want to secure your website with more features, which include country blocking, two-step authentication, scheduled scanning and more.

ITHEMES SECURITY

iThemes Security is a WordPress security plugin that claims to provide more than 30 ways to secure and protect your WordPress website from attacks.

It strengthens user credentials and addresses common vulnerabilities and automated attacks. The plugin is available in both free and premium versions.

iThemes includes all of the following:

  • Two-factor authentication
  • Brute force protection
  • Monitoring core files for any changes
  • Locking out users for multiple incorrect credential attempts
  • Forcing the use of secure passwords for specific user roles and file permissions
  • Logging user actions
  • Ticketed support (for pro users)


SUCURI SECURITY

Sucuri offers a free plugin that is available in the WordPress repository.

This plugin offers various security features like:

  • Malware scanning
  • Security activity auditing
  • Blacklist monitoring
  • Effective security hardening
  • File integrity monitoring
  • Website firewall

It is a security suite meant to complement your existing security posture.

The Sucuri plugin tracks all activities on your site.

This includes when users log in or when changes are made to your site. This way, if there is a breach in security, you’ll be able to review the activity logs and find out what happened.

ALL IN ONE WP SECURITY & FIREWALL

“All In One WP Security & Firewall” is also among the most popular WordPress security plugins.

It has a user-friendly interface for those who are not familiar with advanced security settings. The plugin protects your website by checking for vulnerabilities and implementing the latest security techniques and measures.

A useful feature of “All in One WP Security & Firewall” is a meter on your dashboard that gives your site a score for how secure it is. By enabling additional security options, you can increase your score.

It also has a security scanner that keeps track of files and notifies you about each change in your WordPress system. It can also detect malicious code in your WordPress website.
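The file-change tracking described for WordFence, iThemes Security, Sucuri and this plugin rests on the same idea: record a known-good fingerprint of every file and compare against it on each run. The following added example (not code from any of the plugins named here) is a stand-alone PHP script that builds such a baseline and reports added, modified and removed files. The install path, the baseline location and the excluded directories are assumptions:

```php
<?php
// Added example, not code from any plugin named in the post.
// Builds a sha256 manifest of a WordPress install and diffs it against a
// stored baseline. The paths below are assumptions for illustration.

$root = '/var/www/html';                                   // assumed WordPress root
$baselineFile = '/var/lib/wp-integrity/baseline.json';     // assumed; keep it outside the web root
$exclude = ['wp-content/uploads/', 'wp-content/cache/'];   // directories that change legitimately

// Walk $root and return [relative path => sha256] for every regular file
// that is not under an excluded prefix.
function buildManifest(string $root, array $exclude): array
{
    $manifest = [];
    $root = rtrim($root, '/');
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $relative = substr($file->getPathname(), strlen($root) + 1);
        foreach ($exclude as $prefix) {
            if (strncmp($relative, $prefix, strlen($prefix)) === 0) {
                continue 2;   // skip this file, move on to the next one
            }
        }
        $manifest[$relative] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

// Classify every difference between the stored baseline and the current tree.
function diffManifests(array $baseline, array $current): array
{
    $report = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($current as $path => $hash) {
        if (!array_key_exists($path, $baseline)) {
            $report['added'][] = $path;
        } elseif ($baseline[$path] !== $hash) {
            $report['modified'][] = $path;
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!array_key_exists($path, $current)) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

if (!is_file($baselineFile)) {
    // First run: record the known-good state, ideally right after a clean
    // install or update, so that later runs have something to compare against.
    if (!is_dir(dirname($baselineFile))) {
        mkdir(dirname($baselineFile), 0700, true);
    }
    file_put_contents($baselineFile, json_encode(buildManifest($root, $exclude), JSON_PRETTY_PRINT));
    fwrite(STDERR, "Baseline written to $baselineFile\n");
    exit(0);
}

$baseline = json_decode(file_get_contents($baselineFile), true);
$report = diffManifests($baseline, buildManifest($root, $exclude));

// One line per change, "KIND<TAB>path", so the output is easy to grep or mail.
foreach ($report as $kind => $paths) {
    foreach ($paths as $path) {
        echo strtoupper($kind), "\t", $path, PHP_EOL;
    }
}

// A non-zero exit status lets cron or a monitoring job raise an alert.
exit(array_sum(array_map('count', $report)) > 0 ? 1 : 0);
```

Run it once after a clean install or update to write the baseline, then periodically from cron. A modified file under wp-includes, a changed wp-config.php, or a new .php file appearing under wp-content is exactly what the plugins’ scanners flag. Keep the baseline and the script outside the web root and read-only for the PHP user; otherwise an attacker who gains write access to the site can simply regenerate the baseline. Re-create it deliberately after each legitimate update rather than letting the check silently accept new hashes.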

BULLETPROOF SECURITY

BulletProof Security is another popular plugin that helps to secure your WordPress website. It provides a single-click security solution and secures your website against RFI, XSS, CRLF, SQL injection, and code injection attacks.

Here are a few features that are part of a long list:

  • An easy single-click setup
  • A record of the number of login attempts
  • File monitoring and quarantining of uploaded files
  • Email alerts for a variety of user actions
  • Alerts when suspected malicious activity affects your site
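Brute-force protection and login lockouts appear in the iThemes Security list above and in BulletProof Security’s login-attempt record. As an added example (not code from either plugin), here is a minimal must-use plugin that counts failed logins per client address and refuses further attempts once a threshold is reached. The threshold and window are assumed values:

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Description: Minimal brute-force lockout of the kind the plugins above provide.
 */
// Added example, not code from iThemes Security or BulletProof Security.
// Place it in wp-content/mu-plugins/ so it loads without activation.
// LAL_MAX_ATTEMPTS and LAL_WINDOW_SECONDS are assumed thresholds.

const LAL_MAX_ATTEMPTS   = 5;        // failures allowed per window
const LAL_WINDOW_SECONDS = 15 * 60;  // counting window, which is also the lockout length

// One counter per client address, stored as a WordPress transient so it
// expires on its own. Behind a reverse proxy, REMOTE_ADDR is the proxy;
// use the client address the proxy sets instead.
function lal_transient_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lal_failed_' . md5($ip);
}

// Count every failed login and log it, so failures are visible in the
// PHP error log for monitoring even before the threshold is reached.
add_action('wp_login_failed', function (string $username): void {
    $key = lal_transient_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, LAL_WINDOW_SECONDS);
    error_log(sprintf(
        'login failed for "%s" from %s (%d/%d)',
        $username,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $failures,
        LAL_MAX_ATTEMPTS
    ));
});

// Refuse authentication outright once the threshold is reached. Priority 30
// runs after WordPress's own username/password check at priority 20.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(lal_transient_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// Clear the counter on a successful login so legitimate users who mistyped
// a password a few times are not locked out later.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(lal_transient_key());
}, 10, 2);
```

Because WordPress still fires wp_login_failed when the authenticate filter returns an error, every attempt during a lockout extends the window, which is the intended effect. The per-address counter is deliberately simple: a distributed attack spreading attempts across many addresses needs the complementary controls the plugins offer, such as two-factor authentication and strong-password enforcement.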

It also has a pro version that offers some advanced features to improve the security of your website.


As a quick piece of advice: with an increasing number of hacking attacks, securing your WordPress website is essential, and the security plugins mentioned above will help you with that. For users who don’t code a lot, plugins are the best way to secure a blog. Most of them are free, safe and easy to use.

Hope this information has given you valuable insight into how to protect your website with the available tools and plugins.