Hi @9748076617-1, thanks for reaching out to us over this.
Specifically with point 1, you can restrict brute force authentication attempts on XML-RPC by checking the “Disable XML-RPC authentication” box in Wordfence > Login Security > Settings. We cannot prevent manual non-authentication hits to the XML-RPC file itself, but to do this you can modify your .htaccess file.
Commonly, the WordPress app (if you have 2FA or reCAPTCHA enabled) and the Jetpack plugin, amongst other services, do require access to XML-RPC. As a result of this, it is a common route to be tried by attackers.
If you are happy to completely block access to the file, you can add the code below to your .htaccess file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
With 3rd party site scans, they will often pick up on changes that will have to be made outside of Wordfence and often in the .htaccess file. Hopefully the scan provides some links to examples or documentation on handling the changes. I am happy to point you in the right direction with a couple of the points that we often see though.
X-Frame-Options (which also addresses iframe security) can be restricted so that your site cannot be included within an iframe on another site. The insecure iframe mentioned may be because the site included in the iframe on your site isn’t loaded over HTTPS. You can rectify this in the code for your page by adding the “S” if the site in question has a security certificate.
<IfModule mod_headers.c>
Header set x-frame-options SAMEORIGIN
</IfModule>
There may already be other content between these tags; you can just add this header line to the bottom of that section, or replace an existing x-frame-options header if there is one in place with a value other than SAMEORIGIN.
Mozilla have some helpful documentation on HSTS and how it can be implemented at the link below:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
The cookie points don’t really provide me with information that can assist me in this context, so I recommend either contacting the 3rd party tool support for further information on how to proceed, or checking the scan again for links to documentation that may be able to assist you further.
I hope this helps you out.
Thanks,
Peter.
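The three .htaccess changes discussed in the reply above (XML-RPC block, X-Frame-Options, HSTS), gathered into one file as an added example; this is not code from the reply or from Wordfence. It assumes Apache 2.4 with mod_headers loaded (with a 2.2 fallback for the XML-RPC block), a site served fully over HTTPS, and a one-year HSTS max-age, which the reply does not specify.

```apache
# Added example, not from the reply above or from Wordfence.
# Assumes Apache 2.4 (mod_authz_core, mod_headers); falls back to 2.2 syntax
# for the XML-RPC block. Assumes the whole site is already served over HTTPS.

# 1. Block all direct requests to xmlrpc.php.
#    Only do this if nothing you rely on (WordPress app with 2FA/reCAPTCHA,
#    Jetpack, etc.) needs XML-RPC. Otherwise leave the file reachable and use
#    the "Disable XML-RPC authentication" setting in Wordfence instead.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax (the same directives as in the reply)
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

<IfModule mod_headers.c>
    # 2. Clickjacking: only pages on this same origin may frame the site.
    #    "always" applies the header to error responses as well.
    Header always set X-Frame-Options "SAMEORIGIN"

    # 3. HSTS (see the Mozilla link in the reply): browsers will use HTTPS for
    #    this host for one year (31536000 s). The max-age is an assumption;
    #    start with a short value such as 300 while testing. Add
    #    "; includeSubDomains" only once every subdomain is served over HTTPS.
    #    The expr= condition (Apache 2.4.10+) sends it on HTTPS responses only.
    Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"
</IfModule>
```

After adding this, confirm with `curl -sI https://example.invalid/` (placeholder host) that both headers appear and that `xmlrpc.php` now returns 403.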