WP Auditory: What are some possible problems found on WordPress websites?

WP Auditory analyzes technical vulnerabilities, misconfigurations, data exposure, and structural risks that could compromise the security, reputation, and functionality of a website. Below are the main problems that can be identified:

What is it?

Files such as wp-config.php, .env, or backups (.zip, .sql) are publicly accessible.

Why might this happen?

Server configurations that do not block direct access to these files.

Risk of hacker attack:

Leakage of database credentials, secret keys, and source code, allowing complete takeover of the site (intrusion, data theft).

Why correct it?

Without a patch, an attacker can download these files and compromise the entire system, leading to data loss, defacement, or ransomware. It’s a basic and common vulnerability exploited by automated bots.

What is it?

The server displays the contents of folders (e.g., /wp-content/uploads/) when there is no index file.

Why might this happen?

Default server configuration that leaves listing enabled (Options +Indexes in Apache).

Risk of hacker attack:

Enumeration of sensitive files, backups, or hidden configurations, facilitating targeted attacks.

Why correct it?

It reveals the site’s structure, allowing hackers to find weaknesses to exploit (e.g., shell uploads via exposed directories). It’s an open door for reconnaissance.

What is it?

The .git folder (containing code history) is publicly accessible.

Why might this happen?

Incorrect deployment, or no server rule blocking access to the folder.

Risk of hacker attack:

Complete download of the source code, including hardcoded passwords, API keys, and old commits.

Why correct it?

It exposes all the website’s code, allowing reverse engineering and custom exploits. This can lead to leaks of sensitive data or backdoors.
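
As an added example (not part of WP Auditory's own tooling), the following Python script checks a WordPress document root on the server for the leftovers described in the three items above: configuration backups, .env files, database dumps and archives, an exposed .git folder, and upload folders with no index file that would be enumerated if the server allows directory indexes. The pattern lists and the sample tree it builds are constructed for the demonstration. Whether a file is actually reachable over HTTP still depends on the server configuration, so this check complements the server-side blocking rules rather than replacing them.

```python
"""Pre-deployment hygiene check for a WordPress document root (added example)."""
import fnmatch
import os
import tempfile

# File name patterns that should never sit in a web-served tree (constructed list).
SENSITIVE_FILES = [
    "wp-config.php.bak", "wp-config.php~", "wp-config.php.old", "wp-config.php.save",
    ".env", "*.sql", "*.sql.gz", "*.zip", "*.tar.gz", "phpinfo.php",
]
# Directories that expose history or forgotten copies of the site.
SENSITIVE_DIRS = {".git", ".svn", "backup", "backups", "old", "dev", "test"}


def _rel(rel_dir, name):
    return name if rel_dir == "." else f"{rel_dir}/{name}"


def audit_docroot(root):
    """Return a list of (relative_path, reason) tuples for everything that should not be there."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")

        flagged = [d for d in dirnames if d.lower() in SENSITIVE_DIRS]
        for d in flagged:
            findings.append((_rel(rel_dir, d), "sensitive directory inside the document root"))
        # Do not descend into flagged directories; the whole tree is the finding.
        dirnames[:] = [d for d in dirnames if d not in flagged]

        for name in filenames:
            if any(fnmatch.fnmatch(name.lower(), pat) for pat in SENSITIVE_FILES):
                findings.append((_rel(rel_dir, name), "sensitive file inside the document root"))

        # Upload folders are served directly; without an index file a server with
        # directory listing enabled will enumerate their contents.
        if rel_dir.startswith("wp-content/uploads") and not any(
            n.lower().startswith("index.") for n in filenames
        ):
            findings.append((rel_dir, "no index file; listing possible if the server allows it"))
    return findings


def make_sample_docroot():
    """Build a throwaway tree that mimics a sloppy deployment (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="wp-docroot-")
    files = {
        "index.php": "<?php // front controller",
        "wp-config.php": "<?php // live config: expected here, but must be blocked at the server",
        ".env": "DB_PASSWORD=constructed-sample",
        "backup-2024.sql": "-- constructed dump",
        ".git/HEAD": "ref: refs/heads/main",
        "old/index.php": "<?php // forgotten copy of the site",
        "wp-content/uploads/index.php": "<?php // Silence is golden.",
        "wp-content/uploads/2024/photo.jpg": "not really a jpeg",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, reason in audit_docroot(make_sample_docroot()):
        print(f"{path}: {reason}")
```

Run it against the real document root (for example `audit_docroot("/var/www/html")`) before each deployment; an empty result means none of the listed patterns were found, not that the server is correctly configured.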

What is it?

There is a lack of protection against the site being loaded in an iframe from another domain.

Why might this happen?

Security headers not configured on the server.

Risk of hacker attack:

Clickjacking (overlaying iframes to steal clicks, such as logins or payments).

Why correct it?

It protects users from phishing in which the real site is overlaid in a hidden frame to trick them into actions. It’s a basic measure against UI redressing.

What is it?

The site does not force the browser to use only HTTPS for future connections.

Why might this happen?

Header not sent by the HTTPS server.

Risk of hacker attack:

Downgrade attacks (forcing HTTP to intercept traffic on public Wi-Fi networks).

Why correct it?

It ensures that traffic remains encrypted, preventing man-in-the-middle (MITM) attacks and the theft of sensitive data such as passwords.

What is it?

The site does not prevent the browser from guessing the file type (MIME sniffing).

Why might this happen?

Header not configured.

Risk of hacker attack:

XSS attacks via uploaded files that are misinterpreted (e.g., an image treated as a script).

Why correct it?

It prevents the exploitation of malicious uploads, reducing the risk of code injection into browsers.

What is it?

The site does not control the sending of source information (referrers) to other websites.

Why might this happen?

Default header not defined.

Risk of hacker attack:

Leakage of sensitive URLs (e.g., containing tokens) to third parties.

Why correct it?

It protects privacy and prevents tracking or exploitation of leaked internal links.

What is it?

The site does not define rules for loading resources (scripts, styles), or allows ‘unsafe-inline’ sources.

Why might this happen?

Header not implemented or misconfigured.

Risk of hacker attack:

High exposure to XSS (malicious script injection).

Why correct it?

It drastically reduces injection attacks, protecting users from data theft via malicious JavaScript.

What is it?

The Server header reveals the server name/version (e.g., Apache/2.4).

Why might this happen?

Default server configuration.

Risk of hacker attack:

It facilitates known exploits for specific versions.

Why correct it?

It reduces fingerprinting, making it more difficult for hackers to choose targeted attacks.
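
The six header checks above (clickjacking protection, HSTS, MIME sniffing, Referrer-Policy, CSP with ‘unsafe-inline’, and the Server banner) can all be evaluated from a single response. The Python below is an added example, not WP Auditory's code: the two header sets are constructed, and the thresholds it applies (a one-year HSTS max-age, the set of referrer policies treated as safe) are the author's assumptions rather than values stated on this page.

```python
"""Audit HTTP response headers for the weaknesses described above (added example)."""
import re

# Referrer policies that never leak the path or query of a URL to another origin (assumption).
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # seconds; the usual minimum for a meaningful HSTS max-age


def _get(headers, name):
    """Case-insensitive lookup, since header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    m = re.search(rf"(?:^|;)\s*{name}(?=[\s;]|$)([^;]*)", csp, re.I)
    return m.group(1).strip().lower() if m else None


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    csp = _get(headers, "Content-Security-Policy") or ""

    # Clickjacking: either X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and _directive(csp, "frame-ancestors") is None:
        findings.append("clickjacking: no X-Frame-Options or frame-ancestors")

    # HSTS: present, long max-age, covering subdomains.
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("hsts: Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("hsts: max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts: includeSubDomains not set")

    # MIME sniffing: the only valid value is "nosniff".
    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("mime-sniffing: X-Content-Type-Options nosniff missing")

    # Referrer leakage.
    if (_get(headers, "Referrer-Policy") or "").strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append("referrer: Referrer-Policy missing or too permissive")

    # CSP: must exist, and the script source list must not allow inline or eval'd code.
    if not csp:
        findings.append("csp: Content-Security-Policy missing")
    else:
        scripts = _directive(csp, "script-src")
        if scripts is None:
            scripts = _directive(csp, "default-src")  # script-src falls back to default-src
        if scripts is None:
            findings.append("csp: neither script-src nor default-src is defined")
        elif "'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts:
            findings.append("csp: script sources allow 'unsafe-inline' or 'unsafe-eval'")

    # Fingerprinting: a bare product name is tolerable, a version number is not.
    server = _get(headers, "Server") or ""
    if re.search(r"/\d", server):
        findings.append(f"fingerprint: Server header reveals a version ({server})")
    return findings


# Constructed sample responses: a default-looking one and a hardened one.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-c0nstructed'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

The weak set produces seven findings and the hardened set none. Feed it a real response by converting the response's header object into a plain dictionary first.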

What is it?

The server allows methods such as TRACE or PUT in addition to GET/POST.

Why might this happen?

Default configuration with no restrictions.

Risk of hacker attack:

Leak of headers (TRACE) or malicious upload (PUT).

Why correct it?

Disabling unnecessary methods reduces the attack surface.

What is it?

Meta tags or query strings reveal the WordPress version.

Why might this happen?

Standard WP functionality.

Risk of hacker attack:

Attacks targeting known vulnerabilities in that version.

Why correct it?

It makes reconnaissance more difficult, giving time to update WordPress without becoming an immediate target.

What is it?

The REST API exposes the list of users to unauthenticated requests.

Why might this happen?

WP REST API is enabled by default.

Risk of hacker attack:

Brute-force attacks against real usernames (e.g., admin).

Why correct it?

Protects against automated credential attacks, reducing the risk of intrusion.

What is it?

The endpoint xmlrpc.php allows remote calls.

Why might this happen?

Enabled by default in WordPress.

Risk of hacker attack:

Massive brute-force and DDoS via pingback.

Why correct it?

It closes a common gateway for amplified attacks, improving performance and security.

What is it?

Standard WordPress files are accessible and reveal the version.

Why might this happen?

Not removed or blocked after installation.

Risk of hacker attack:

It facilitates the identification of vulnerable versions.

Why correct it?

It reduces WordPress fingerprinting, making automated scanners less effective.

What is it?

Traffic sent without encryption.

Why might this happen?

SSL certificate not installed or configured.

Risk of hacker attack:

Interception of data (passwords, cookies) via MITM.

Why correct it?

It protects data in transit, improves SEO, and prevents browser warnings.

What is it?

Users can access via HTTP without redirection.

Why might this happen?

Missing rewrite rule.

Risk of hacker attack:

Downgrade to insecure HTTP.

Why correct it?

It guarantees encryption at all times, preventing MITM attacks on public networks.

What is it?

URL parameters redirect to arbitrary external websites.

Why might this happen?

Weak validation in the redirect code.

Risk of hacker attack:

Phishing or token theft via malicious redirects.

Why correct it?

It prevents the site from being used as a vector for scams or credential attacks.
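
The fix for this item is to validate the redirect target against an allowlist of the site's own hosts before issuing the redirect. The function below is an added example (not WP Auditory's or WordPress's code; WordPress has its own helper for this) and shows the cases a naive “does it start with a slash” check lets through: protocol-relative URLs, backslashes, userinfo tricks, scheme-only URLs, and non-web schemes. The host name `shop.example` and the sample inputs are constructed.

```python
"""Validate a redirect target before issuing a 302 (added example)."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"shop.example"}  # constructed: the site's own host names


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `target` if it stays on an allowed host, otherwise `fallback`.

    A naive check such as `target.startswith("/")` passes several values that
    browsers still send off-site; each case is handled explicitly below.
    """
    if not isinstance(target, str) or not target.strip():
        return fallback
    candidate = target.strip()
    # Control characters (tabs, newlines) are stripped or reinterpreted by browsers; refuse them.
    if any(ord(ch) < 0x20 for ch in candidate):
        return fallback
    # Browsers treat backslashes as slashes, so "/\evil.example" is really "//evil.example".
    candidate = candidate.replace("\\", "/")
    # Protocol-relative URLs keep the scheme but change the host.
    if candidate.startswith("//"):
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, and other non-web schemes
    if parts.netloc:
        # `hostname` drops userinfo and port, so "https://shop.example@evil.example"
        # is correctly recognised as evil.example.
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else fallback
    if parts.scheme:
        # "https:evil.example" has a scheme but no netloc; browsers still treat it as a host.
        return fallback
    # Same-origin relative path: must start with exactly one slash.
    return candidate if candidate.startswith("/") else fallback


if __name__ == "__main__":
    # Constructed inputs covering the usual bypass attempts.
    for value in ["/wp-admin/", "https://shop.example/checkout", "//evil.example/",
                  "/\\evil.example", "https://shop.example@evil.example/", "javascript:alert(1)",
                  "https:evil.example", "wp-admin"]:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

Anything that fails validation falls back to the site root instead of raising an error, so a tampered link degrades to a harmless redirect rather than a broken page.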

What is it?

The server responds to TRACE requests, echoing the request headers.

Why might this happen?

Default configuration without disabling.

Risk of hacker attack:

Cookie leak via XST (Cross-Site Tracing).

Why correct it?

Closes a loophole that allows theft of otherwise protected data (HttpOnly cookies).

What is it?

The server allows broad cross-origin access with credentials.

Why might this happen?

CORS headers are incorrectly configured.

Risk of hacker attack:

Data theft via JavaScript from other websites.

Why correct it?

Protects APIs and sensitive data from unauthorized reading.

What is it?

No SPF record, or one without -all (hard fail).

Why might this happen?

DNS not configured for emails.

Risk of hacker attack:

Email spoofing (phishing emails pretending to be from your own domain).

Why correct it?

Prevents domain abuse for spam/phishing, improving deliverability and LGPD compliance.

What is it?

No DMARC record, or one with p=none/quarantine (does not reject).

Why might this happen?

Lack of advanced DNS configuration.

Risk of hacker attack:

Fake emails sent pretending to be from you.

Why correct it?

Blocks spoofing, protecting reputation and users from fraud.

What is it?

No digital signature for emails.

Why might this happen?

Email provider not configured.

Risk of hacker attack:

Emails altered in transit without detection.

Why correct it?

It ensures the integrity of emails, reducing spam and spoofing.
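
The three email items above (SPF, DMARC, DKIM) are all TXT records in DNS, so they can be checked with a small parser. The Python below is an added example, not WP Auditory's code: it takes the raw record strings (fetch them with any DNS library or `dig TXT`) and reports the weak settings described above, plus the 10-lookup limit that RFC 7208 places on SPF. The records it ships with are constructed, and the DKIM key material is a placeholder, not a real key.

```python
"""Evaluate the SPF, DMARC and DKIM TXT records of a domain (added example)."""
import re

DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10  # RFC 7208 limit; exceeding it makes receivers return permerror


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    if not record or not record.lower().startswith("v=spf1"):
        return ["spf: no SPF record published"]
    findings = []
    terms = record.split()[1:]
    # The 'all' mechanism decides what happens to senders not listed before it.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("spf: no 'all' mechanism, unlisted senders are treated as neutral")
    elif not all_terms[-1].startswith("-"):
        findings.append(f"spf: '{all_terms[-1]}' is not a hard fail (-all)")
    # Count the mechanisms that cost a DNS query (ip4/ip6 literals do not).
    names = [re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] for t in terms]
    lookups = sum(1 for n in names if n in DNS_MECHANISMS)
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"spf: {lookups} DNS lookups exceed the limit of {MAX_SPF_LOOKUPS}")
    return findings


def audit_dmarc(record):
    if not record:
        return ["dmarc: no DMARC record published"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["dmarc: malformed record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"dmarc: p={policy or 'missing'} does not reject spoofed mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"dmarc: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so aggregate reports are never received")
    return findings


def audit_dkim(record):
    if not record:
        return ["dkim: no DKIM record at the expected selector"]
    tags = parse_tags(record)
    if not tags.get("p"):
        return ["dkim: key revoked or empty (p=)"]
    return []


def audit_email_auth(spf, dmarc, dkim):
    """Combine the three checks; inputs are the raw TXT record strings, or None when absent."""
    return audit_spf(spf) + audit_dmarc(dmarc) + audit_dkim(dkim)


# Constructed records for demonstration (the DKIM key is a placeholder, not real key material).
WEAK = {
    "spf": "v=spf1 include:_spf.mail.example ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "dkim": None,
}
GOOD = {
    "spf": "v=spf1 ip4:203.0.113.10 include:_spf.mail.example -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholderkeymaterial",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("good", GOOD)):
        print(label, audit_email_auth(recs["spf"], recs["dmarc"], recs["dkim"]) or "OK")
```

The DMARC record lives at `_dmarc.<domain>` and the DKIM record at `<selector>._domainkey.<domain>`; the selector comes from the `s=` tag of a signed message's DKIM-Signature header.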

What is it?

Files or directories with excessive permissions (e.g., 777, 666).

Why might this happen?

Manual deployment, misconfigured shared hosting.

Risk of hacker attack:

Allows unauthorized writing → backdoor or webshell upload.

Why correct it?

Incorrect permissions make it easier for the code to be maliciously modified.
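
To make the permission item concrete, the Python below (an added example, not WP Auditory's code) walks a WordPress tree, flags world-writable entries, a wp-config.php readable by other accounts, and group-writable PHP files, and then applies the usual remediation of 755 for directories, 644 for files, and a tighter 640 for wp-config.php. Those target modes are the common WordPress guidance and an assumption here; the sample tree is constructed, and the check needs a POSIX filesystem.

```python
"""Flag risky file and directory permissions in a WordPress tree (added example)."""
import os
import stat
import tempfile

# Target modes (assumption: the common WordPress guidance of 755/644, with wp-config.php tighter).
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o640


def audit_permissions(root):
    """Return (relative_path, mode_octal, reason) for every entry with risky bits set."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if mode & stat.S_IWOTH:
                # 777 / 666: any account on the host (or any compromised process) can write here.
                findings.append((rel, oct(mode), "world-writable"))
            elif name == "wp-config.php" and mode & stat.S_IRWXO:
                findings.append((rel, oct(mode), "wp-config.php readable by other users"))
            elif name.endswith(".php") and mode & stat.S_IWGRP:
                findings.append((rel, oct(mode), "group-writable PHP file"))
    return findings


def fix_permissions(root):
    """Apply the target modes; this is the remediation step."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), CONFIG_MODE if f == "wp-config.php" else FILE_MODE)
    os.chmod(root, DIR_MODE)


def make_sample_site():
    """Constructed tree reproducing a sloppy deployment (shared hosting, chmod 777 'to make it work')."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    layout = {
        "index.php": 0o644,
        "wp-config.php": 0o644,                     # readable by every account on the host
        "wp-content/uploads": 0o777,                # world-writable upload folder
        "wp-content/plugins/demo/demo.php": 0o664,  # group-writable code
        "wp-content/themes": 0o755,
    }
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        if rel.endswith(".php"):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed\n")
        else:
            os.makedirs(path, exist_ok=True)
    fix_permissions(root)  # start from a clean state regardless of the process umask
    for rel, mode in layout.items():
        os.chmod(os.path.join(root, *rel.split("/")), mode)
    return root


if __name__ == "__main__":
    site = make_sample_site()
    for rel, mode, reason in audit_permissions(site):
        print(f"{rel} ({mode}): {reason}")
    fix_permissions(site)
    print("after fix:", audit_permissions(site) or "clean")
```

On a real install, run the audit as the web server user so that ownership mismatches surface as permission errors rather than being masked by root.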

What is it?

Publicly accessible administrative area without an additional layer.

Risk of hacker attack:

Targeted brute force.

Why correct it?

Even with strong passwords, an extra layer reduces automated attacks.

What is it?

The site does not control features such as camera, microphone, or geolocation.

Risk of hacker attack:

Abuse of modern browser APIs.

What is it?

Cookies without Secure, HttpOnly and SameSite.

Risk of hacker attack:

Session hijacking via XSS or MITM.
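
The cookie item can be checked from the Set-Cookie headers of a logged-in response. The Python below is an added example (not WP Auditory's code) that parses each Set-Cookie header and reports missing Secure, HttpOnly and SameSite attributes, the SameSite=None-without-Secure combination that browsers reject, and a __Host- prefix whose requirements are not met. The responses are constructed; the cookie name follows the wordpress_logged_in_<hash> pattern WordPress uses, with a made-up hash.

```python
"""Check Set-Cookie headers for the Secure, HttpOnly and SameSite attributes (added example)."""


def parse_set_cookie(header_value):
    """Split 'name=value; Path=/; Secure' into the cookie name and a dict of attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True  # flag attributes such as Secure and HttpOnly
    return name, attrs


def audit_cookie(header_value, session_cookie=True):
    """Return findings for one Set-Cookie header; `session_cookie` marks cookies scripts never need."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    secure = "secure" in attrs
    if not secure:
        findings.append(f"{name}: missing Secure, so it is also sent over plain HTTP (MITM)")
    if session_cookie and "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by injected JavaScript (XSS)")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite == "none" and not secure:
        findings.append(f"{name}: SameSite=None without Secure is rejected by browsers")
    elif samesite not in ("lax", "strict", "none"):
        findings.append(f"{name}: SameSite missing, relying on browser defaults for CSRF protection")
    # __Host- prefix cookies must be Secure, scoped to Path=/ and carry no Domain attribute.
    if name.startswith("__Host-") and (not secure or attrs.get("path") != "/" or "domain" in attrs):
        findings.append(f"{name}: __Host- prefix requirements not met")
    return findings


def audit_cookies(headers):
    """Run the check over every Set-Cookie header of a response given as (name, value) pairs."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


# Constructed responses; the hash in the cookie name is made up.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "wordpress_logged_in_c0ffee=admin%7Cconstructed; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "__Host-wordpress_logged_in_c0ffee=admin%7Cconstructed; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print("weak:", audit_cookies(WEAK_RESPONSE))
    print("hardened:", audit_cookies(HARDENED_RESPONSE) or "OK")
```

Headers are passed as a list of pairs rather than a dictionary because a response may set several cookies, and a dictionary would keep only the last Set-Cookie value.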

What to check:

/wp-json/

Customized routes

Plugins exposing insecure endpoints

Risk of hacker attack:

Exposure of sensitive data via custom endpoints.

What is it?

wp-cron.php is accessible externally.

Risk of hacker attack:

Abuse to overload the server.

What is it?

The server executes .php files inside /uploads.

Risk of hacker attack:

Remote webshell.

In addition to checking files in the root directory, you can also test:

/backup/

/old/

/dev/

/test/

Bots search for these folders.

What is it?

Subdomain pointing to a service that no longer exists (e.g., a former Heroku app).

Risk of hacker attack:

The attacker registers the service and takes over the subdomain.

What is it?

DNS servers are not protected against spoofing.

Risk of hacker attack:

Domain hijack.

What is it?

The server accepts unlimited requests.

Risk of hacker attack:

Brute force and mild DDoS attacks.

What is it?

Logged-in pages are being stored in the public cache.

Risk of hacker attack:

Session leak.

What is it?

The phpinfo.php file is accessible.

Risk of hacker attack:

Full exposure of the server configuration.

What is it?

The server accepts TLS 1.0 or 1.1.

Risk of hacker attack:

Downgrade attacks and weak encryption.

What is it?

Insecure ciphers enabled.

Risk of hacker attack:

Decryption attacks.

What is it?

Certificate with less than 15 days remaining.

Risk of hacker attack:

The site becomes unavailable without warning when the certificate expires.

What is it?

HTTPS page loading HTTP resources.

Risk of hacker attack:

MITM via insecure assets.

What is it?

The site has a user with the login name “admin”, which is the default WordPress username in older installations.

Risk of hacker attack:

It facilitates brute force attacks and credential stuffing, since the attacker already knows half of the credentials (the login). Automated bots try thousands of combinations starting from the “admin” user.

Why correct it?

It significantly reduces automated attacks. When login is predictable, simply cracking the password is enough. Changing the user removes a common vector exploited by mass scanners.

What is it?

Users with weak passwords (e.g., 123456, admin123, name+year).

Risk of hacker attack:

Dictionary attacks and credential stuffing can gain access quickly, especially when combined with previous data breaches.

Why correct it?

Even with firewalls and security measures, weak passwords are the primary vector for WordPress intrusions. Most hacked sites suffer from weak credentials—not from advanced technical flaws.

What is it?

Plugin installed without update for more than 2 years or removed from the official repository.

Risk of hacker attack:

Known vulnerabilities can be exploited publicly. Automated exploits often target discontinued plugins.

Why correct it?

Abandoned plugins do not receive security patches. Maintaining such a plugin is like leaving a permanently open door for future intrusions.

What is it?

Themes installed, but not active.

Risk of hacker attack:

Even when deactivated, files remain accessible on the server. Vulnerabilities in the theme can be exploited directly via URL.

Why correct it?

Reduces the attack surface. If not in use, it should not remain in the production environment.

What is it?

Debug mode enabled in a public environment.

Risk of hacker attack:

Displaying error messages with:

  • Absolute paths

  • SQL Queries

  • Internal structure of the system

  • Plugin information

Why correct it?

It facilitates reverse engineering and targeted exploitation. Internal information helps the attacker to accurately map vulnerabilities.

What is it?

PHP errors reveal the full server path.

Risk of hacker attack:

It helps in building custom payloads, exploiting LFI (Local File Inclusion), and other advanced techniques.

Why correct it?

It reduces fingerprinting and prevents attackers from obtaining internal information about the environment.

What is it?

Tables use the standard prefix wp_.

Risk of hacker attack:

It facilitates automated SQL Injection scripts that assume default table names.

Why correct it?

It doesn’t prevent SQLi, but it makes massive automated attacks that rely on predictable structures more difficult.

What is it?

Database user with permissions such as GRANT ALL or full administrative access.

Risk of hacker attack:

If SQL Injection is present, the attacker can:

Create new users

Drop or wipe the database

Perform destructive operations

Why correct it?

Applying the principle of least privilege limits the impact of a potential failure.

What is it?

Port 3306 open for external access.

Risk of hacker attack:

Brute force attempts directly targeting MySQL or exploiting service vulnerabilities.

Why correct it?

The database should only accept connections locally or via a restricted IP address.

What is it?

Absence of a filtering layer between the visitor and the server.

Risk of hacker attack:

Attacks such as:

  • SQL Injection

  • XSS

  • Automated exploits

  • Mild DDoS

Why correct it?

A WAF blocks attacks before they reach WordPress, drastically reducing risk and server load.

What is it?

The system accepts unlimited login attempts.

Risk of hacker attack:

Massive brute force attack until the correct password is found.

Why correct it?

Limiting attempts prevents automated attacks from testing thousands of combinations.
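
The login-attempt item here and the unlimited-requests item earlier on the page are both answered by rate limiting. The Python below is an added example (not WP Auditory's code, and not a WordPress plugin) of a sliding-window limiter that locks an account after a configurable number of failures. It keys on both the client IP and the username, so one client cannot spray many accounts and one account cannot be hammered from many addresses. The limits (5 failures in 5 minutes, 15-minute lockout) are the author's assumptions, and the clock is injectable so the behaviour can be tested without waiting.

```python
"""Sliding-window login limiter keyed on both client IP and account (added example)."""
import time
from collections import deque


class LoginRateLimiter:
    """Allow at most `max_attempts` failures per `window` seconds per key, then lock for `lockout` seconds."""

    def __init__(self, max_attempts=5, window=300, lockout=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock            # injectable so the behaviour can be tested without sleeping
        self._failures = {}           # key -> deque of failure timestamps inside the window
        self._locked_until = {}       # key -> time at which the lock expires

    def is_blocked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        if until is not None:
            # Lock expired: forget it and start with a clean failure history.
            del self._locked_until[key]
            self._failures.pop(key, None)
        return False

    def record_failure(self, key):
        """Register a failed attempt; returns True when this failure triggers a lock."""
        now = self.clock()
        history = self._failures.setdefault(key, deque())
        history.append(now)
        while history and history[0] <= now - self.window:
            history.popleft()
        if len(history) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(limiter, client_ip, username, password_ok):
    """Return 'blocked', 'ok' or 'failed'.

    Keying on the IP stops one client from spraying many accounts; keying on the
    username stops a distributed attack on one account (e.g. 'admin') from many IPs.
    """
    keys = (f"ip:{client_ip}", f"user:{username.lower()}")
    if any(limiter.is_blocked(k) for k in keys):
        return "blocked"          # do not even evaluate the password while locked
    if password_ok:
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "failed"


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    for _ in range(5):
        print(attempt_login(limiter, "203.0.113.5", "admin", password_ok=False))
    print(attempt_login(limiter, "203.0.113.5", "admin", password_ok=True))  # blocked despite correct password
```

Behind a CDN or reverse proxy, derive `client_ip` from the proxy's forwarded-address header only when the request really came from the proxy; otherwise a client can choose its own key.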

What is it?

Login depends solely on the password.

Risk of hacker attack:

If the password is leaked, access is immediate.

Why correct it?

2FA adds an extra layer, blocking intrusions even with a compromised password.

What is it?

URL parameters are displayed without sanitization.

Risk of hacker attack:

Execution of malicious scripts in the victim’s browser, which may steal cookies or redirect to phishing sites.

Why correct it?

Protects users against session hijacking and content manipulation.

What is it?

User inputs not validated before querying the database.

Risk of hacker attack:

Extracting or modifying data from the database.

Why correct it?

SQL Injection is one of the most critical vulnerabilities according to OWASP, and can completely compromise a website.
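
The two items above (unsanitized output and unvalidated database input) are easiest to see side by side. The Python below is an added example, not WP Auditory's code: a search function written the vulnerable way and the hardened way, with an in-memory SQLite table standing in for the wp_posts table of a MySQL database. The rows and the two inputs are constructed; the tautology input widens the WHERE clause so that a draft post leaks, and the script input shows the difference escaping makes.

```python
"""A search box done wrong and done right: SQL injection and reflected XSS (added example)."""
import html
import sqlite3


def build_db():
    """In-memory stand-in for the WordPress database; table and columns mirror wp_posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)")
    conn.executemany(
        "INSERT INTO wp_posts VALUES (?, ?, ?)",
        [(1, "Hello world", "publish"), (2, "Unreleased pricing plan", "draft")],
    )
    return conn


def search_vulnerable(conn, term):
    """Both defects at once: the term is spliced into the SQL string and then
    echoed into the HTML unescaped."""
    rows = conn.execute(
        "SELECT post_title FROM wp_posts WHERE post_status = 'publish' "
        f"AND post_title LIKE '%{term}%'"
    ).fetchall()
    return f"<p>Results for {term}:</p><ul>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"


def search_hardened(conn, term):
    """Bound parameter for the query, HTML escaping for everything that reaches the page."""
    rows = conn.execute(
        "SELECT post_title FROM wp_posts WHERE post_status = 'publish' AND post_title LIKE ?",
        (f"%{term}%",),
    ).fetchall()
    safe_term = html.escape(term, quote=True)
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return f"<p>Results for {safe_term}:</p><ul>{items}</ul>"


# Constructed inputs: a tautology that widens the WHERE clause, and a script tag.
SQLI_INPUT = "%' OR post_status = 'draft' OR '%"
XSS_INPUT = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, SQLI_INPUT))
    print("hardened:  ", search_hardened(db, SQLI_INPUT))
    print("vulnerable:", search_vulnerable(db, XSS_INPUT))
    print("hardened:  ", search_hardened(db, XSS_INPUT))
```

In the hardened version the database never sees the input as SQL, only as a string value, and the browser never sees it as markup, only as text; those are the two properties a WAF can only approximate from the outside.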

What is it?

The server’s real IP address is easily discovered.

Risk of hacker attack:

Bypassing CDN firewalls and direct attacks on the server.

Why correct it?

Hiding your IP address protects against direct attacks and DDoS attacks.

What is it?

cPanel, Plesk, or a publicly accessible panel.

Risk of hacker attack:

Administrative brute force.

Why correct it?

The panel is a critical entry point; it must be restricted by IP address or require mandatory 2FA.

What is it?

Port 22 open without rate limit or fail2ban.

Risk of hacker attack:

Brute force attack on SSH credentials.

Why correct it?

Compromised SSH means complete control of the server.

What is it?

No system to detect file changes.

Risk of hacker attack:

Backdoors can remain hidden for months.

Why correct it?

It allows for the rapid detection of intrusions.
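
A file-change detector is a hash baseline plus a diff. The Python below is an added example (not WP Auditory's code) that records the SHA-256 of every file in a WordPress tree, skips the upload and cache folders that change legitimately, and reports files added, removed or modified since the baseline. The sample tree and the tampering it simulates are constructed; in practice the baseline is stored outside the web root and rebuilt only after a deliberate deployment.

```python
"""File-integrity baseline for a WordPress tree (added example)."""
import hashlib
import os
import tempfile

# Directories whose contents legitimately change all the time (assumption: uploads and cache).
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every code/config file under `root` to its SHA-256 (paths relative, '/'-separated)."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        dirnames[:] = [
            d for d in dirnames
            if (d if rel_dir == "." else f"{rel_dir}/{d}") not in SKIP_DIRS
        ]
        for name in filenames:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            baseline[rel] = hash_file(os.path.join(dirpath, name))
    return baseline


def compare_baseline(old, new):
    """Diff two baselines; anything added or modified outside a deployment is suspect."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root, rel, body, append=False):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a" if append else "w") as fh:
        fh.write(body)


def make_sample_site():
    """Constructed tree standing in for a real install."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    _write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
    _write(root, "wp-config.php", "<?php define('DB_NAME', 'constructed');\n")
    _write(root, "wp-content/themes/demo/functions.php", "<?php // theme functions\n")
    _write(root, "wp-content/uploads/2024/photo.jpg", "not really a jpeg\n")
    return root


def simulate_tampering(root):
    """Reproduce what a post-intrusion diff typically shows: one edited file, one dropped-in file."""
    _write(root, "wp-content/themes/demo/functions.php", "// line appended after the baseline\n", append=True)
    _write(root, "wp-content/plugins/dropin.php", "<?php // file that was not part of the deployment\n")
    _write(root, "wp-content/uploads/2024/new.jpg", "ignored by design\n")


if __name__ == "__main__":
    site = make_sample_site()
    baseline = build_baseline(site)
    simulate_tampering(site)
    print(compare_baseline(baseline, build_baseline(site)))
```

Run the comparison from a cron job and alert on any non-empty result; the skip list should be kept as short as possible, since a PHP file dropped into the uploads folder is exactly the case the previous items warn about.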

What is it?

Manual backups or no backups at all.

Risk of hacker attack:

Ransomware or technical failure can cause total loss.

Why correct it?

Backup is the last line of defense.

What is it?

Logs not stored or analyzed.

Risk of hacker attack:

Attacks go unnoticed.

Why correct it?

Logs enable auditing, investigation, and compliance with the LGPD (Brazilian General Data Protection Law).

What is it?

External scripts loaded without hash verification.

Risk of hacker attack:

If the CDN is compromised, a malicious script is executed.

Why correct it?

SRI guarantees the integrity of the loaded resource.

What is it?

Modern context-isolation headers are not set.

Risk of hacker attack:

Possibility of advanced cross-origin attacks.

Why correct it?

Improves isolation and security in modern applications.

What is it?

External links opened with target="_blank" without protection.

Risk of hacker attack:

The external page can alter the original tab.

Why correct it?

Protects users against indirect phishing.
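
Several items on this page are visible in the rendered HTML itself: the WordPress version in the generator meta tag and in ?ver= query strings, mixed content (HTTP resources on an HTTPS page), external scripts and stylesheets without an integrity attribute, and target="_blank" links without rel="noopener". The Python below is an added example (not WP Auditory's code) that parses a page once with the standard-library HTML parser and reports all four. The sample page and host name are constructed, and the integrity value in it is a placeholder, not a real hash.

```python
"""Static audit of a rendered WordPress page for four issues named on this page (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Tags whose attribute fetches a sub-resource.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src", "source": "src"}


class PageAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (kind, detail)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            # <meta name="generator" content="WordPress x.y"> announces the exact version.
            self.findings.append(("version-disclosure", f"meta generator: {a.get('content')}"))
        if tag == "a":
            self._check_anchor(a)
        url = a.get(RESOURCE_ATTRS.get(tag, ""), "")
        if url:
            self._check_resource(tag, a, url)

    def _check_resource(self, tag, a, url):
        parts = urlsplit(url)
        if "ver" in parse_qs(parts.query):
            # Core assets are enqueued with ?ver=<WordPress version> by default.
            self.findings.append(("version-disclosure", f"?ver= on {parts.path}"))
        if parts.scheme == "http":
            self.findings.append(("mixed-content", url))
        external = bool(parts.netloc) and parts.netloc.lower() != self.page_host
        script_or_style = tag == "script" or (tag == "link" and a.get("rel", "").lower() == "stylesheet")
        if external and script_or_style and not a.get("integrity"):
            self.findings.append(("missing-sri", url))

    def _check_anchor(self, a):
        # Reverse tabnabbing: target=_blank needs rel=noopener (noreferrer implies it).
        if a.get("target", "").lower() == "_blank":
            rel = a.get("rel", "").lower().split()
            if "noopener" not in rel and "noreferrer" not in rel:
                self.findings.append(("tabnabbing", a.get("href", "")))


def audit_html(html_text, page_host):
    auditor = PageAuditor(page_host)
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed page; the integrity value is a placeholder, not a real digest.
SAMPLE_PAGE = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2">
<link rel="stylesheet" href="https://shop.example/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2">
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-placeholderDigestValue" crossorigin="anonymous"></script>
<img src="http://shop.example/wp-content/uploads/banner.png" alt="">
</head><body>
<a href="https://partner.example/" target="_blank">Partner</a>
<a href="https://partner.example/" target="_blank" rel="noopener">Partner (safe)</a>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE, "shop.example"):
        print(f"{kind}: {detail}")
```

The sample page yields five findings: two version disclosures, one mixed-content image, one CDN script without SRI, and one unprotected target="_blank" link. Point `audit_html` at the HTML of your own front page to get the same report for a live site.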

What is it?

HSTS is active, but not included in the global preload list.

Risk of hacker attack:

Initial access may occur via HTTP.

Why correct it?

It guarantees HTTPS even before the first connection.

What is it?

Headers allow public caching of sensitive content.

Risk of hacker attack:

Private data can be stored improperly.

Why correct it?

Prevents data leaks via proxy/cache.

What is it?

AJAX or REST endpoints exposed without authentication.

Risk of hacker attack:

Extraction of data or execution of improper actions.

Why correct it?

Every API should require proper authentication and validation.

⚠️ The presence of one or more of these problems can put the website at risk of hacking, data leaks, loss of sales, or legal penalties. WP Auditory identifies these flaws and offers specialized remediation.

© 2026 WP Auditory. All rights reserved.