
How to map the WordPress attack surface?

Before you can start setting up any security measures, you should have a clear understanding of where security is even needed.

To do that, you’ll first need to start mapping your attack surface.

You need to map all possible points where an attacker could exploit a vulnerability, misconfiguration, or any other security flaw in your systems or organization.

Since mapping an attack surface typically encompasses every aspect of your organisation, I’ll cover the basics that apply to a WordPress website, which serves as the gold nugget at the centre of it.

In reality, however, your WordPress site is just one of many points of the attack surface that could be attacked to compromise your organisation.

I’m only referring to layers here to help me visualise this, but to clarify, I’m not referring to OSI layers.

Physical layer

It can actually take just a single hand movement to halt your entire WordPress site. We can call it an unauthenticated power cord removal.

The point is, if someone has physical access to the computer where your website is hosted, all they need to do is turn it off.

The majority of people don’t even think about this today, because it’s a lot cheaper to host things on servers owned by large companies such as Google, AWS, and Microsoft.

It might come as a surprise, but even most web hosting providers don’t own their servers.

It’s incredibly expensive to build data centres, and large infrastructure providers invest heavily in security at the physical layer.

For this reason, data centres are among the most heavily guarded facilities on earth.

Network layer

If you type your website URL into the browser, a request is made to DNS (the domain name system), which basically says, “Hey, the server for this domain is at this IP address”.

The browser will then make a connection to that IP, loading whatever is set up to load on that server.

If someone hijacks your domain and/or the IP behind it, they can make your website inaccessible or replace it with something malicious. The same applies to the services that control this, such as Cloudflare.

Your attack surface includes all of the services you’ve given access to over this layer.

If your Cloudflare or any other DNS provider account gets compromised, then this entire layer is compromised.

Server layer

Behind the IP is a computer that is set up to be a server. There’s a joke about cloud hosting, which says, “There’s no cloud, it’s just someone else’s computer”.

It may sound funny, but it’s actually true (unless you own the hardware).

This is also where things get more complicated. First of all, like all computers, servers run operating systems, which are mostly based on Linux. Then, on that Linux computer, different software is installed to make it a server.

All of this software, such as the LAMP stack (which, by the way, stands for Linux, Apache, MySQL, PHP/Perl/Python), is also part of your attack surface.

Like all other software, these components can have security vulnerabilities and need to be properly configured, maintained and updated.

This is actually where the popular term “Managed Hosting” comes from. The idea of managed hosting is that a service provider manages this software, making sure it’s all maintained, updated and secure.

PS! For the sake of clarity, I’ve put this into a WordPress context where “the server” represents what people get from their hosts (and they don’t always have control over what it includes). In reality, a server layer does not exist in the OSI model; it’s all application layer.

Application layer

Once you have access to your server, you can run your applications on it.

That is everything that runs your website, which is the WordPress core, plugins, themes, and any other custom code.

All of the software running on the application layer can also have security vulnerabilities and needs to be properly configured, maintained, and updated.

This layer is where the software changes most frequently, is often untested, and requires the most frequent maintenance. Oddly enough, few of the “Managed WordPress Hosts” actually manage what needs to be managed the most.

This is also where access is most often given to others. In e-commerce setups, customers can register accounts on their own (albeit low-privilege ones), and developers often share admin access with site owners, who may then share it with freelancers, marketers, and whoever else needs to change content on the website.

Whoever has admin privileges can compromise the entire layer. Depending on the configuration and how well the server is maintained, this may also lead to the entire server being compromised.

Access management

This is a completely made-up “layer”, and it actually overarches every other one. First, think about who and what has access to all the different layers.

Most of you probably don’t have access to the physical layer, but if you do, think about who can access the hardware (or the infrastructure that the hardware relies on).

On the network layer, think about who has access to your domain, where it is registered, and who controls the DNS that the domain is linked to.

If you’ve given your domain access to some services, such as Cloudflare, then also keep an eye on who has access to that Cloudflare account.

On the server layer, for example, think about who has access to your hosting account. If you’ve given developers access to the server over SFTP/SSH, keep track of those accesses as well.

If you’ve granted any third-party services access to your server then make sure the access to such services is also secured.

On the application layer, this applies to the accounts on your WordPress site and how those accesses are granted and controlled.

It also applies to any third-party services you’ve given access to your WordPress sites.

Also think about how you access those different accounts. If you use an email address to log into services, who else has access to that mailbox? If you use on-device 2FA, who else has access to that device? And so on.

These are all the different places that hold the “keys to the kingdom”, so mapping all of these access points is incredibly important. This doesn’t only include “who” has the access, but also “what”.

Our personal devices store access in the form of authentication cookies, so make sure your devices are also secure and only accessible to you.
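The access mapping described in this section can be written down and checked rather than kept in your head. The following is an added example, not code from the original post: it models a constructed inventory of who (people) and what (services) holds access on each layer, plus “control” edges such as a mailbox that receives password resets or a server that runs the application, and computes which principals can end up with the keys to the kingdom. All names and the “access” layer label are assumptions.

```python
# Constructed sample inventory (not from the original post). Each asset sits on one
# of the post's layers; "access" stands for the overarching access-management layer.
ASSET_LAYER = {
    "registrar": "network", "cloudflare": "network",
    "hosting_panel": "server", "ssh": "server",
    "wp_admin": "application", "wp_editor": "application",
    "owner_mailbox": "access", "owner_laptop": "access",
}
# Who (people) and what (services) has been granted which asset directly.
GRANTS = [
    ("owner", "registrar"), ("owner", "cloudflare"), ("owner", "hosting_panel"),
    ("owner", "wp_admin"), ("owner", "owner_mailbox"), ("owner", "owner_laptop"),
    ("dev_agency", "ssh"), ("dev_agency", "wp_admin"),
    ("freelancer", "wp_editor"),
    ("backup_saas", "ssh"),  # a third-party service, not a person
]
# Holding the left asset lets you take over the right one: the mailbox receives
# password resets, the laptop holds the mailbox session, the server runs the app.
CONTROLS = [
    ("owner_mailbox", "registrar"), ("owner_mailbox", "cloudflare"),
    ("owner_mailbox", "hosting_panel"), ("owner_mailbox", "wp_admin"),
    ("owner_laptop", "owner_mailbox"),
    ("hosting_panel", "ssh"), ("ssh", "wp_admin"),
]

def reachable_assets(principal, grants=GRANTS, controls=CONTROLS):
    """Assets a principal reaches directly or by following control edges."""
    edges = {}
    for src, dst in controls:
        edges.setdefault(src, set()).add(dst)
    stack = [asset for who, asset in grants if who == principal]
    seen = set()
    while stack:
        asset = stack.pop()
        if asset not in seen:
            seen.add(asset)
            stack.extend(edges.get(asset, ()))
    return seen

def layer_map(grants=GRANTS, controls=CONTROLS, asset_layer=ASSET_LAYER):
    """For each principal, the sorted list of layers it could end up compromising."""
    return {who: sorted({asset_layer[a] for a in reachable_assets(who, grants, controls)})
            for who in sorted({who for who, _ in grants})}

def keys_to_the_kingdom(grants=GRANTS, controls=CONTROLS, asset_layer=ASSET_LAYER):
    """Principals whose reach covers the network, server and application layers."""
    return [who for who, layers in layer_map(grants, controls, asset_layer).items()
            if {"network", "server", "application"} <= set(layers)]
```

Running `layer_map()` on this inventory shows the backup service and the agency both reaching the application layer through SSH, and `layer_map(grants=[("attacker", "owner_mailbox")])` shows that the mailbox alone reaches every layer.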

Conclusion

Mapping the attack surface essentially requires us to keep track of everything we have. It’s a great exercise, and if you go through that process, you might find some surprises.

This is your very first step to improve your overall security posture. Even though there are many more layers to security, the most important ones when it comes to securing a WordPress website are the Network layer, Server layer, Application layer, and Access management.

As always, stay safe!
