Cybersecurity: Anyone can share regarding pen-test on WordPress (Enterprise)?

// WordPress site compromised at Luxury Industry
I observed that there were major data compromises and a breach on the Cortina Watch website recently, and the hacker claimed that he accessed the server via the Cortina website.

// Pen-Test or Cybersecurity test for WordPress
I’m just wondering whether anyone has done a penetration test on a large WordPress site before, and may I have your sharing on:

1. Which vendor/provider that you will recommend for Pen-Test?
2. Besides a basic security plugin (Defender Pro), is there anything else we can do?
3. As WordPress CMS keeps updating, what’s your thought on conducting pen-tests or similar tests to make sure the latest version is secure, especially as each test might be costly and WP updates are quite frequent?

Any other feedback/sharing or even questions are welcome.

Thank you for your time.

  • Nithin Ramdas
    • Support Wizard

    Hi iamJayChong,

    Is this their website? cortinawatch.com

    If yes, it seems to be running on WordPress version 5.5.3. The version is outdated and the latest security-patched version for that specific branch is 5.5.12. So chances for the site being vulnerable are very high.

    Maybe they have a custom CMS setup with WP, don’t know. However, I couldn’t find much information about the exact reason for the breach, so cannot come to a conclusion with just the above information. There could be multiple factors like vulnerable code on their side that might have also caused such issues.

    I haven’t personally used any pentest services to recommend, however, you might find the following helpful:
    https://www.getastra.com/blog/security-audit/wordpress-penetration-testing/

    Regularly updating WordPress core, plugins, and themes to the latest versions to ensure you have the most recent security patches; using strong, unique passwords for WordPress admin and hosting accounts; implementing 2FA; limiting the number of users with administrator privileges; a WAF for additional protection against common web attacks, etc. should all be considered in general when it comes to additional security measures.

    However, conducting penetration testing in 6 months or manually would be a good practice in general.

    Kind Regards,
    Nithin

  • Adam
    • Support Gorilla

    Hi iamJayChong,

    An interesting fact you can “read between the lines” there in that second article that you shared:

    “The data dump included usernames and passwords”

    So that tells us something important: even if it was WordPress that was breached, it must have had some other 3rd-party or custom solution connected. Assuming it’s a big, serious ecommerce enterprise, I would probably expect some sort of a CRM but it could actually be also some relatively simple custom code doing something in WP. You’d be surprised how many “serious sites” use completely “non-serious” and very “poorly” written code…

    Anyway, my point here is that if they got passwords from that breach, it means passwords must have been stored somewhere either in open text or at least encrypted in a symmetric (so easy to break) way. WP itself stores passwords in a one-way encrypted way so it’s not that easy to “decrypt” them.

    Theoretically, it’s possible that they somehow put a “middleman” into the login process that was intercepting these passwords as they were used – that’s doable but then, if the site were properly monitored and maintained, there’s little to no chance of getting that much of the user data this way. Some – yes, that many – not likely.

    But then – there is of course a chance that this way they could simply obtain some login and password that turned out to have very broad administration privileges and that would give access to data on site (but due to passwords, rather something else than WP itself – more likely some CRM or other order processing additional/3rd-party software).

    Yet, I dare to say that if the site were

    – properly updated,
    – secured including

    a) forcing use of strong password,
    b) making sure that user accounts only have permissions for what they really need (note: another common thing – giving everyone who needs to edit content administrator role; it’s super, super common unfortunately and it’s super, super wrong!),
    c) using 2FA,
    d) performing regular scans against malware and actually taking action if anything possibly suspicious is detected (another common issue – “suspicious” code detected but no action immediately taken by admin)

    – and, very importantly, also taking care of quality and security of other additional systems that work alongside the site (like CRMs, other marketing/sales platforms and internal communication etc)

    there’s a good chance either none of that would happen or at least not to that scale.

    —-

    My point in all that is: I’m nearly sure that one way or another it was not WordPress “only” – I’m 99% sure that there was some additional code (poorly written) or integrated service involved and that WordPress itself was not actively and properly maintained.

    There is always a chance that even with the utmost care, something will happen and hackers can be (and usually are) “one step ahead”, but a leak of that scale is also nearly always related to some omissions and malpractices on the targeted party’s side. It actually still surprises me how some big companies spend enormously huge funds on all the branding and marketing efforts while completely neglecting meaningful spending on cyber-security…

    All in all, I’d say:

    – unfortunately (even if I hate to say so), there’s never a 1000% guarantee of complete safety
    – but if it comes to WP itself – there are pretty simple and basic steps (as mentioned throughout this ticket) that would minimize the risk to acceptable level;
    – but on top of that it’s also super-important to take care of infrastructure (even simple things like adding “external” WAF/proxy like CloudFlare, Sucuri or similar; but also making sure all is up to date and tightly secured on server level)
    – and more importantly – looking at it as a “whole” rather than just “site security”, including educating users and employees (come on – password sharing there???…)

    A pen test is of course a great thing to do, but it doesn’t really matter if those basic things are not taken care of. If they are, then doing it every once in a while (like mentioned, every year or 6 months, depending on the business size and type/amount of important data it stores) can greatly help in detecting any potential security risks.

    That said, I hope you don’t mind my 2 cents on that ;)

    Best regards,
    Adam
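Two of the points made in this thread, administrator-role sprawl (Adam's item b) and whether passwords are actually stored as one-way hashes (Adam's remark on WP password storage, and Nithin's note on limiting administrator accounts), can be checked mechanically against a user export. The script below is an added example, not code from the forum post, WPMU DEV or WordPress itself. It assumes an export shaped like `wp user list --fields=ID,user_login,roles --format=json`, extended with the `user_pass` column from `wp_users` (WP-CLI does not print that column on its own); the `SAMPLE_USERS` records, the `max_admins` threshold and the hash-prefix rules are assumptions constructed for the demo.

```python
"""Audit a WordPress user export for administrator-role sprawl and for
password values that are not one-way hashes.

Added example, not code from WordPress or the forum thread. Assumes a list of
records like `wp user list --fields=ID,user_login,roles --format=json`, joined
with wp_users.user_pass; SAMPLE_USERS below is constructed demo data.
"""
import re

# Hash layouts WordPress has used (assumption: phpass portable hashes from
# wp-includes/class-phpass.php, bcrypt with a "$wp" prefix since WordPress 6.8,
# and unsalted MD5 from pre-2.5 installs that were never re-hashed).
PHPASS_RE = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")                  # 34 chars total
BCRYPT_RE = re.compile(r"^(\$wp)?\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")  # 60 chars (+ "$wp")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

SAMPLE_USERS = [  # constructed sample data, hashes are not real credentials
    {"ID": 1, "user_login": "owner", "roles": "administrator",
     "user_pass": "$P$Babcdefghijklmnopqrstuvwxyz0123"},
    {"ID": 2, "user_login": "devops", "roles": "administrator",
     "user_pass": "$wp$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"},
    {"ID": 3, "user_login": "blogger1", "roles": "administrator",
     "user_pass": "$P$Babcdefghijklmnopqrstuvwxyz0123"},
    {"ID": 4, "user_login": "blogger2", "roles": "administrator",
     "user_pass": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"ID": 5, "user_login": "crm_sync", "roles": "editor",
     "user_pass": "Summer2023!"},
]


def classify_hash(user_pass: str) -> str:
    """Return how a wp_users.user_pass value appears to be stored."""
    if PHPASS_RE.match(user_pass):
        return "phpass"
    if BCRYPT_RE.match(user_pass):
        return "bcrypt"
    if MD5_RE.match(user_pass):
        return "md5-unsalted"
    # Anything else is plaintext or some custom/reversible scheme written by
    # an integration, exactly the kind of storage the thread warns about.
    return "not-a-known-hash"


def audit_users(users, max_admins: int = 2) -> dict:
    """Flag administrator sprawl and non-one-way password storage.

    max_admins is a policy threshold chosen for the demo, not a WordPress setting.
    """
    admins = []
    weak_storage = []
    for user in users:
        roles = user["roles"]
        if isinstance(roles, str):  # WP-CLI emits roles as a comma-separated string
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        if "administrator" in roles:
            admins.append(user["user_login"])
        kind = classify_hash(user["user_pass"])
        if kind not in ("phpass", "bcrypt"):
            weak_storage.append((user["user_login"], kind))
    return {
        "admin_count": len(admins),
        "admins": admins,
        "too_many_admins": len(admins) > max_admins,
        "weak_storage": weak_storage,
    }


def report(users, max_admins: int = 2) -> str:
    """Human-readable summary of audit_users() for the sample export."""
    result = audit_users(users, max_admins)
    lines = [f"administrators: {result['admin_count']} ({', '.join(result['admins'])})"]
    if result["too_many_admins"]:
        lines.append(f"  -> more than {max_admins} admins; move content editors to the editor role")
    for login, kind in result["weak_storage"]:
        lines.append(f"password storage for {login}: {kind}; force a reset so WP re-hashes it")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_USERS))
```

Running the script on the constructed export flags four administrators (two of them plainly content authors) and two accounts whose stored value is not a phpass or bcrypt hash. A password reset makes WordPress re-hash the credential through its normal one-way scheme; the point of the role check is that editors and authors can do their job without the administrator capabilities that turn a phished password into full site access.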