WordPress – wp-admin exposed

Description

The WordPress administration area (/wp-admin/), and the login page it redirects to (/wp-login.php), are reachable from any IP address.

Business Impact

An attacker can use the exposed login form to brute-force user and administrator passwords, or clone it into a look-alike phishing page in order to harvest admin and user credentials.

Recommendation

Restrict access to the administration area (/wp-admin/) to a list of trusted IP addresses.

On Apache this can be done in .htaccess without changing WordPress itself. The sample below is a starting point: replace the xx.xx.xx.xxx placeholders with the trusted addresses. Because /wp-login.php lives in the site root and not under /wp-admin/, repeat the same Deny/Allow directives inside a <Files wp-login.php> block in the root .htaccess, otherwise the login form itself stays reachable.

# /wp-admin/.htaccess
# Plain directives, not <Limit GET>: <Limit GET> restricts only GET requests, so
# the POST that submits the login form would still get through. The Auth* lines
# of the original sample were inert (no Require valid-user) and are dropped.
Order deny,allow
Deny from all
# whitelisted IP addresses
Allow from xx.xx.xx.xxx
Allow from xx.xx.xx.xxx

# admin-ajax.php is called by public-facing themes and plugins; keep it reachable
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
</Files>

# Apache 2.4 native equivalent of the Order/Deny/Allow lines above:
# <RequireAny>
#     Require ip xx.xx.xx.xxx
#     Require ip xx.xx.xx.xxx
# </RequireAny>
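After deploying such a restriction, verify it from the access log rather than trusting the config: a rule that blocks GET but not POST looks fine in a browser and is useless against a brute-force tool. The following is an added example, not code from the original page, that parses Apache combined-format log lines and reports (a) login-area requests from non-whitelisted addresses that were not denied with 403 and (b) source IPs that POST to the login endpoints more often than a threshold inside a sliding time window. The whitelist (203.0.113.10) and the log lines are constructed for the example; the function and constant names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format. Field names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Hypothetical whitelist; mirrors the "Allow from" entries in the .htaccess.
ALLOWED_IPS = {"203.0.113.10"}

# Constructed sample log (documentation IP ranges): one scanner that got 403 on
# GET but 200 on five POSTs (the <Limit GET> hole), one admin from the whitelist,
# and one anonymous visitor legitimately hitting admin-ajax.php.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=x HTTP/1.1" 200 55 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def is_login_target(path):
    """True for the login form and the admin area, excluding admin-ajax.php,
    which public themes/plugins call and which the .htaccess keeps open."""
    path = path.split("?", 1)[0]
    if path == "/wp-login.php":
        return True
    return path.startswith("/wp-admin/") and not path.endswith("/admin-ajax.php")


def parse_log(text):
    """Yield one dict per well-formed combined-format log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        yield e


def brute_force_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> peak number of login POSTs inside any `window`, for IPs that
    reach `threshold`. Sliding window over each IP's sorted timestamps."""
    per_ip = defaultdict(list)
    for e in parse_log(text):
        if e["method"] == "POST" and is_login_target(e["path"]):
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def restriction_bypasses(text, allowed=ALLOWED_IPS):
    """Login-area requests from non-whitelisted IPs that were NOT denied (403).
    Any hit means the restriction does not cover that path or method."""
    return [
        (e["ip"], e["method"], e["path"], e["status"])
        for e in parse_log(text)
        if is_login_target(e["path"]) and e["ip"] not in allowed and e["status"] != 403
    ]


if __name__ == "__main__":
    print("brute force:", brute_force_sources(SAMPLE_LOG))
    for hit in restriction_bypasses(SAMPLE_LOG):
        print("not blocked:", *hit)
```

On the sample data the scanner 198.51.100.7 is reported twice: five POSTs in a few seconds trip the brute-force threshold, and every one of those POSTs is a bypass hit because only its GET was denied. An empty bypass list after a test from a non-whitelisted address (both GET and POST, against /wp-admin/ and /wp-login.php) is the result to look for.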

More Details

Attackers and bots that target a WordPress login page usually look for it at its default location. Instead of serving the login page at /wp-login.php, it can be moved to a directory with a random name. This is obscurity only: it hides the form from untargeted scanners but does not stop an attacker who discovers the new path, so it complements the IP restriction above rather than replacing it.
