How to map the WordPress attack surface?

Before you can start setting up any security measures, you should have a clear understanding where security is even needed. To do that, you’ll first need to start mapping your attack surface.

You need to map all possible points where an attacker could either exploit a vulnerability, misconfiguration or any other security flaw in your systems or in your organisation.

Since mapping an attack surface usually covers every aspect of your organisation, then for the sake of keeping it within a single post, I’ll cover the basics that would apply to a WordPress website being the gold nugget in the center of it.

In reality however, your WordPress site is just one of many points of the attack surface that could be attacked to compromise your organisation. I’m only referring to layers here to help me visualise this, but to clarify I’m not referring to OSI layers.

Physical layer

It can actually take just a single hand movement to halt your entire WordPress site. We can call it an unauthenticated power cord removal. The point is, if someone has physical access to the computer where your website is hosted, all they need to do is turn it off.

Majority of the people don’t even think about this today, because it’s a lot cheaper to host things at the servers owned by large companies such as Google, AWS and Microsoft. It might come as a surprise, but even most of the web hosting providers don’t actually have their own servers.

It’s incredibly expensive to build datacenters and large infrastructure providers invest a lot into the security on physical layer. For this reason data centres are one of the most heavily guarded facilities on earth.

Network layer

If you type your website URL to the browser, then a request is made to a DNS (domain name server), which basically says “Hey, the server of this domain is on this IP address”. The browser will then make a connection to that IP, loading what ever is set up to load on that server.

If someone hijacks your domain and/or the IP behind it, then it’s possible for them to make your website inaccessible or replace it with something malicious. That applies also to the services that control this, such as Cloudflare.

Your attack surface includes all of the services you’ve given access to over this layer. If your Cloudflare or any other DNS provider account gets compromised, then this entire layer is compromised.

Server layer

Behind the IP is a computer that is set up to be a server. There’s a joke about cloud hosting, which says “There’s no cloud, it’s just someone else’s computer”. May sound funny, but it’s actually true (unless you own the hardware).

This is also where things get more complicated. First of all, like all computers, servers run operation systems, which are mostly based on Linux. Then, on this Linux computer, there is different software installed to make this computer a server.

All of this software, such as LAMP stack (which btw means Linux, Apache, MySQL, PHP/Pearl/Python) is also your attack surface. Like every other software, these too can have security vulnerabilities and need to be properly configured, maintained and updated.

This is actually where the popular term “Managed Hosting” comes from. The idea of managed hosting is that a service provider manages this software, making sure it’s all maintained, updated and secure.

PS! For the sake of clarity, I’ve put this into WordPress context where “the server” represents what people get from the hosts (and they don’t always have control over what it includes). In reality, server layer does not exist on OSI model, it’s all application layer.

Application layer

Once you get access to your server, you are now able to run your applications on it. That is everything that runs your website, which is the WordPress core, plugins, themes and any other custom code.

All of the software running on the application layer can also have security vulnerabilities and needs to be properly configured, maintained and updated.

This layer is where the software changes most frequently, is often untested and requires the most frequent maintenance. Oddly enough, few of the “Managed WordPress Hosts” actually manage what needs to be managed the most.

This is also where an access is most often given to others. In e-commerce setups, access can be taken independently (even though low level access), and the developers often share admin access to site owners, who then may share it with freelancers, marketers, and to who ever may need to change content on the website.

Who ever has the admin privileges, can compromise the entire layer. Depending on the configurations and how well the server is maintained, this may also lead to an entire compromised server.

Access management

This is a completely made up “layer”, and is actually overarching every other one. First, think about who and what has access to all the different layers. Most of you probably don’t have access to the physical layer, but if you do, think about who can access the hardware (or the infrastructure that the hardware relies on).

On the network layer, think about who has access to your domain, where is it registered and who controls the DNS that the domain is linked to. If you’ve given your domain access to some services such as Cloudflare, then also keep an eye on who has access to that Cloudflare account.

On the server layer for example, think about who has access to your hosting account. If you’ve given developers access to the server over SFTP/SSH then keep track on those accesses as well. If you’ve granted any third-party services an access to your server then make sure the access to such services is also secured.

On the application layer, it all applies to the accounts on your WordPress site and how these accesses are given out and controlled. It also applies to any third-party services you’ve given access to your WordPress sites.

Also think about how you access those different accounts. If you use an email to log into services, who else has access to that email? If you use on-device 2FA, who else has access to that device, etc.

These are all the different places that hold the “keys to the kingdom”, so mapping all of these access points is incredibly important. This doesn’t only include “who” has the access, but also “what”. Our personal devices store access in a form of authentication cookies, so make sure your devices are also secure and only accessible to you.

Conclusion

Mapping the attack surface essentially requires us to keep track of everything we have. It’s a great exercise and if you go through that process, you might find some surprises.

This is your very first step to improve your overall security posture. Even though there are many more layers to security – the most important ones when it comes to securing a WordPress website is Network layer, Server layer, Application layer and Access management.

In the next episode, we’ll kick off by looking into how to improve the security on the Network layer.

As always, stay safe!