Hi everyone,
I recently had a security assessment (pentest) conducted on one of my WordPress websites. Overall, the website performed well and was able to withstand most common attacks without any major vulnerabilities. However, there are some low-risk vulnerabilities that need to be addressed. Main problem: I am not a developer, I am a designer and my programming knowledge is very limited. I am not confident making these changes and not sure how to actually do them.
I will explain each vulnerability and provide the recommendations given to me for fixing them, in case someone here can help me figure this out:
**1 – Vulnerable version of Bootstrap:** A vulnerable version (3.3.6) of Bootstrap was detected in the following location: domain/wp-includes/js/dist/vendor/regenerator-runtime.min.js. This is a WordPress core file, and upon comparing it with a clean WordPress installation, I found that it has not been modified in any way.
**Recommendation**: To fix this, update the Bootstrap version to the latest one.
How can this be done? I cannot even detect this version of Bootstrap.
**2 – Cross-site framing vulnerability:** The website allows itself to be captured in an iframe, which can pose a security risk.
**Recommendation**: To mitigate this, the following measures should be taken:
- Implement a content security policy (CSP) header with the “frame-ancestors” option to control framing on modern browsers. This setting takes precedence over X-Frame-Options. Here’s an example of the CSP configuration:
  Content-Security-Policy: frame-ancestors none; #prevent framing of the application completely
  Content-Security-Policy: frame-ancestors <source>; # one URL
  Content-Security-Policy: frame-ancestors <source> <source>;
- Ensure that the website returns a response header named “X-Frame-Options” with the value “DENY” to prevent framing altogether.
- Implement frame-busting code within all hosted applications to prevent framing attempts.
Don’t understand what needs to be changed and at which location. Can you help?
**3 – Missing “Content-Security-Policy” header:** The “Content-Security-Policy” header is not set, which can affect the proper operation of the website.
**Recommendations**: It is essential to configure the server to send this header in outgoing responses. Here are some examples of valid configurations:
Content-Security-Policy: default-src 'self'
Content-Security-Policy: default-src 'self' *.trusted.com
Content-Security-Policy: default-src 'self'; img-src *; userscripts.example.com
Content-Security-Policy: frame-ancestors 'none'
To enable CSP, configure your web server to include the “Content-Security-Policy” HTTP header.
**4 – Missing “X-Content-Type-Options” header:** The absence of this header can lead to MIME-sniffing attacks.
**Recommendation**: To address this, configure the server to send the “X-Content-Type-Options” header with the value “nosniff” in all outgoing responses. This header prevents the browser from MIME-sniffing the response.
**5 – Lack of support for Subresource Integrity (SRI) checks:** SRI ensures the integrity of scripts and links loaded from external sources.
**Recommendations**: To implement SRI, follow these steps:
- Add Subresource Integrity to every script/link that originates from a source outside your domain.
- Generate SRI hashes using OpenSSL. For example: “cat FILENAME.js | openssl dgst -sha384 -binary | openssl enc -base64 -A”
- Consider failover mechanisms if integrity cannot be verified. Host a copy of the script within the domain and use Content Security Policy (CSP) to mandate the presence of SRI information for specific file types.
**6 – Disclosure of web server information via HTTP headers:** It is advisable to configure the web server’s headers to prevent the disclosure of detailed information about the underlying technologies. This can be done by modifying the server’s configuration to restrict the information exposed.
Thanks a lot for your help. These seem to me more related to WordPress itself than to the website itself. I am not even sure if this could be done without affecting the functionality of the website, or if it could be done by just adding a few lines of code somewhere.
WordPress system info is below.
Any advice would be much appreciated.
Thanks.
### wp-core ###

version: 6.2.2
site_language: en_US
user_language: en_US
timezone: +00:00
permalink: /%postname%/
https_status: true
multisite: false
user_registration: 0
blog_public: 0
default_comment_status: open
environment_type: production
user_count: 1
dotorg_communication: true

### wp-dropins (1) ###

advanced-cache.php: true

### wp-active-theme ###

name: Twenty Twenty-Three (twentytwentythree)
version: 1.1
author: the WordPress team
author_website: https://wordpress.org
parent_theme: none
theme_features: core-block-patterns, post-thumbnails, responsive-embeds, editor-styles, html5, automatic-feed-links, block-templates, widgets-block-editor
theme_path: xxxx/wp-content/themes/twentytwentythree
auto_update: Disabled

### wp-themes-inactive (2) ###

Twenty Twenty-One: version: 1.8, author: the WordPress team, Auto-updates disabled
Twenty Twenty-Two: version: 1.4, author: the WordPress team, Auto-updates disabled

### wp-plugins-active (10) ###

All In One WP Security: version: 5.1.9, author: All In One WP Security & Firewall Team, Auto-updates disabled
Duplicate Page: version: 4.5.2, author: mndpsingh287, Auto-updates disabled
Elementor: version: 3.14.1, author: Elementor.com, Auto-updates disabled
Elementor Pro: version: 3.14.1, author: Elementor.com, Auto-updates disabled
Safe SVG: version: 2.1.1, author: 10up, Auto-updates disabled
Simple Custom CSS and JS: version: 3.44, author: SilkyPress.com, Auto-updates disabled
Sky Addons for Elementor: version: 2.1.2, author: Techfyd, Auto-updates disabled
Super Simple Site Offline: version: 2.2, author: Rik Janssen, Auto-updates disabled
Weglot Translate: version: 4.0.2, author: Weglot Translate team, Auto-updates disabled
WP Rocket: version: 3.13, author: WP Media, Auto-updates disabled

### wp-media ###

image_editor: WP_Image_Editor_Imagick
imagick_module_version: 1808
imagemagick_version: ImageMagick 7.1.0-62 Q16-HDRI x86_64 20885 https://imagemagick.org
imagick_version: 3.7.0
file_uploads: File uploads is turned off
post_max_size: 256M
upload_max_filesize: 256M
max_effective_size: 256 MB
max_file_uploads: 20
imagick_limits:
imagick::RESOURCETYPE_AREA: 127 GB
imagick::RESOURCETYPE_DISK: 9.2233720368548E+18
imagick::RESOURCETYPE_FILE: 12288
imagick::RESOURCETYPE_MAP: 63 GB
imagick::RESOURCETYPE_MEMORY: 32 GB
imagick::RESOURCETYPE_THREAD: 1
imagick::RESOURCETYPE_TIME: 9.2233720368548E+18
imagemagick_file_formats: 3FR, 3G2, 3GP, AAI, AI, APNG, ART, ARW, ASHLAR, AVI, AVIF, AVS, BAYER, BAYERA, BGR, BGRA, BGRO, BIE, BMP, BMP2, BMP3, BRF, CAL, CALS, CANVAS, CAPTION, CIN, CIP, CLIP, CMYK, CMYKA, CR2, CR3, CRW, CUBE, CUR, CUT, DATA, DCM, DCR, DCRAW, DCX, DDS, DFONT, DNG, DOT, DPX, DXT1, DXT5, EPDF, EPI, EPS, EPS2, EPS3, EPSF, EPSI, EPT, EPT2, EPT3, ERF, EXR, FARBFELD, FAX, FF, FITS, FL32, FLV, FRACTAL, FTS, FTXT, G3, G4, GIF, GIF87, GRADIENT, GRAY, GRAYA, GROUP4, GV, HALD, HDR, HEIC, HEIF, HISTOGRAM, HRZ, HTM, HTML, ICB, ICO, ICON, IIQ, INFO, INLINE, IPL, ISOBRL, ISOBRL6, J2C, J2K, JBG, JBIG, JNG, JNX, JP2, JPC, JPE, JPEG, JPG, JPM, JPS, JPT, JSON, K25, KDC, KERNEL, LABEL, M2V, M4V, MAC, MAP, MASK, MAT, MATTE, MEF, MIFF, MKV, MNG, MONO, MOV, MP4, MPC, MPEG, MPG, MRW, MSL, MSVG, MTV, MVG, NEF, NRW, NULL, ORA, ORF, OTB, OTF, PAL, PALM, PAM, PANGO, PATTERN, PBM, PCD, PCDS, PCL, PCT, PCX, PDB, PDF, PDFA, PEF, PES, PFA, PFB, PFM, PGM, PGX, PHM, PICON, PICT, PIX, PJPEG, PLASMA, PNG, PNG00, PNG24, PNG32, PNG48, PNG64, PNG8, PNM, POCKETMOD, PPM, PS, PS2, PS3, PSB, PSD, PTIF, PWP, QOI, RADIAL-GRADIENT, RAF, RAS, RAW, RGB, RGB565, RGBA, RGBO, RGF, RLA, RLE, RMF, RSVG, RW2, SCR, SCT, SFW, SGI, SHTML, SIX, SIXEL, SPARSE-COLOR, SR2, SRF, STEGANO, STRIMG, SUN, SVG, SVGZ, TEXT, TGA, THUMBNAIL, TIFF, TIFF64, TILE, TIM, TM2, TTC, TTF, TXT, UBRL, UBRL6, UIL, UYVY, VDA, VICAR, VID, VIFF, VIPS, VST, WBMP, WEBM, WEBP, WMF, WMV, WMZ, WPG, X, X3F, XBM, XC, XCF, XPM, XPS, XV, XWD, YAML, YCbCr, YCbCrA, YUV
gd_version: 2.3.3
gd_formats: GIF, JPEG, PNG, WebP, BMP, AVIF, XPM
ghostscript_version: 9.27

### wp-server ###

server_architecture: Linux 4.18.0-477.13.1.lve.el8.x86_64 x86_64
httpd_software: Apache
php_version: 8.1.18 64bit
php_sapi: litespeed
max_input_variables: 2500
time_limit: 30
memory_limit: 256M
max_input_time: 60
upload_max_filesize: 256M
php_post_max_size: 256M
curl_version: 7.87.0 OpenSSL/1.1.1p
suhosin: false
imagick_availability: true
pretty_permalinks: true
htaccess_extra_rules: true

### wp-database ###

extension: mysqli
server_version: 10.6.14-MariaDB-cll-lve
client_version: mysqlnd 8.1.18
max_allowed_packet: 268435456
max_connections: 151

### wp-constants ###

WP_HOME: undefined
WP_SITEURL: undefined
WP_CONTENT_DIR: xxxxxx/xxxxxxxxxxxx.xxxxxx.com/wp-content
WP_PLUGIN_DIR: xxxxxx/xxxxxxxxxxxx.xxxxxx.com/wp-content/plugins
WP_MEMORY_LIMIT: 40M
WP_MAX_MEMORY_LIMIT: 256M
WP_DEBUG: false
WP_DEBUG_DISPLAY: true
WP_DEBUG_LOG: false
SCRIPT_DEBUG: false
WP_CACHE: true
CONCATENATE_SCRIPTS: undefined
COMPRESS_SCRIPTS: undefined
COMPRESS_CSS: undefined
WP_ENVIRONMENT_TYPE: Undefined
DB_CHARSET: utf8mb4
DB_COLLATE: undefined

### wp-filesystem ###

wordpress: writable
wp-content: writable
uploads: writable
plugins: writable
themes: writable
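An added example, not from the original post, the pentest report's tooling, or any WordPress plugin: a small Python script that checks a captured set of response headers against findings 2, 3, 4 and 6 above (framing, missing CSP, missing nosniff, server version disclosure), lists external scripts that lack an integrity attribute, and computes the same SRI value as the report's openssl pipeline for finding 5. The "before" and "after" header sets, the HTML snippet, the host names and the Server/X-Powered-By version strings are all constructed samples.

```python
"""Check response headers against findings 2, 3, 4 and 6 of the report
and produce the SRI value from finding 5.  Added example for this thread;
all header sets, HTML and host names below are constructed samples."""
import base64
import hashlib
import re

# Constructed sample: headers a stock WordPress site on Apache might send
# before hardening (the version strings are made up).
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.57 (Unix) PHP/8.1.18
X-Powered-By: PHP/8.1.18
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the same site after the recommended headers are added.
AFTER = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""


def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line.
    Repeated headers are joined with ', ' (for CSP the browser enforces all)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers[name] = (headers[name] + ", " if name in headers else "") + value.strip()
    return headers


def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def audit(raw):
    """Return the report's finding numbers that the response still exhibits."""
    h = parse_headers(raw)
    open_findings = []
    csp = h.get("content-security-policy")
    ancestors = csp_directive(csp, "frame-ancestors") if csp else None
    xfo = h.get("x-frame-options", "").upper()
    # 2: framing is restricted by a frame-ancestors list without '*' or by XFO.
    if not ((ancestors is not None and "*" not in ancestors)
            or xfo in ("DENY", "SAMEORIGIN")):
        open_findings.append(2)
    if csp is None:                                   # 3: no CSP header at all
        open_findings.append(3)
    if h.get("x-content-type-options", "").lower() != "nosniff":   # 4
        open_findings.append(4)
    # 6: a version number in Server or X-Powered-By discloses the stack.
    if any(re.search(r"\d+\.\d+", h.get(n, "")) for n in ("server", "x-powered-by")):
        open_findings.append(6)
    return open_findings


def sri_integrity(content, algo="sha384"):
    """Same value as: openssl dgst -sha384 -binary | openssl enc -base64 -A,
    prefixed with the algorithm name as the integrity attribute expects."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


SCRIPT_TAG = re.compile(r"<script\b[^>]*?\bsrc=[\"']([^\"']+)[\"'][^>]*>", re.I)
HOST = re.compile(r"(?:https?:)?//([^/]+)")


def scripts_missing_sri(html, own_host):
    """List external script URLs in html that carry no integrity attribute."""
    missing = []
    for m in SCRIPT_TAG.finditer(html):
        tag, src = m.group(0), m.group(1)
        host = HOST.match(src)
        if host and host.group(1) != own_host and "integrity=" not in tag.lower():
            missing.append(src)
    return missing


# Constructed sample page: one core script, one CDN script with SRI, one without.
SAMPLE_HTML = """
<script src="/wp-includes/js/dist/vendor/regenerator-runtime.min.js"></script>
<script src="https://cdn.example.net/widget.min.js"></script>
<script src="https://cdn.example.net/ok.min.js" integrity="sha384-PLACEHOLDER"
        crossorigin="anonymous"></script>
"""

if __name__ == "__main__":
    print("before hardening, open findings:", audit(BEFORE))   # [2, 3, 4, 6]
    print("after hardening, open findings:", audit(AFTER))     # []
    print("scripts without SRI:", scripts_missing_sri(SAMPLE_HTML, "www.example.com"))
    print("integrity for a local copy:", sri_integrity(b"console.log('hi');"))
```

To use it against a live site, paste the output of `curl -sI https://your-site/` into `audit()` before and after the change; on the Apache/LiteSpeed stack shown in the system info, the headers themselves are added with mod_headers directives in `.htaccess` (for example `Header always set X-Content-Type-Options "nosniff"`), which LiteSpeed honours as well. The `frame-ancestors` check treats `'self'` as a valid restriction, since a same-origin-only policy also closes the cross-site framing finding.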