There’s a very negative perception of WordPress in the security world but I’m not going to touch that topic today. What I will address is why I am running WordPress on my personal blog about security. Some folks in the information security community might find that to be ironic however there are very specific and tactical reasons for it.
I’ll outline my thoughts below..
Policy tuning: I use this site for dialing in WordPress policy for WAF deployments. Since WordPress has 59% of the CMS market share as of Q4 2017, it makes sense to invest in building these policies since the platform isn’t going to disappear anytime soon. There’s a lot you can do to protect WordPress if you build your policies correctly.
Threat Analytics: I’m able to discover the most popular attack methods threat actors are using on WordPress installations. The majority of attacks I saw in 2017 were targeted towards the xmlrpc.php and wp-login.php scripts. That’s no surprise to be honest since these attacks are low hanging fruit. These attacks are simple in nature such as xmlrpc DDoS attempts or brute force login attempts to wp-admin. I have seen a rise in theme specific attacks and attempts to hit existing malicious payloads on hosts that are already compromised.
Geo Map Analysis: Watching the trends of where WordPress attacks originate is quite interesting. I’ve seen a recent uptick in activity originating from the United States, European Union, and South America. My belief is that the usual suspects originating from IP space with known bad reputations are using VPNs, proxies, and compromised hosts from regions with a better IP reputation to slip past the perimeter of IP based reputation filters and IDS/IPS systems. The traditional methods of geoblocking are becoming less effective and dynamic IP reputation filtering is the way to go.
Security Hardening: The best way to help clients secure WordPress is to learn the platform inside and out. Whether it’s hardening PHP, the web server, setting proper permissions on the PHP scripts, auditing activities, obfuscating fingerprints, or enabling FIM, there are several ways you can lessen the risk posed by WordPress. The ultimate goal is to use a defense in depth strategy that drives up the skill level of the threat actor involved.