Introduction to the idea and defense of WordPress program intrusion

The wp program is widely loved by webmasters at home and abroad. Therefore, the security of the wp program has always been good. When it comes to the invasion of the wp blog, there is no experience in cooking, I have read some of these articles, and I am still thinking about some ideas. Please do not try again ~ 1. Collect information to find useful information for domain name holders and administrators, such as common passwords. 2. Use BurpLoader and wpscan to crack the weak password in the background of the target station. Of course, you can also use other methods to crack the password. 3. wpscan is used for comprehensive website detection. wpscan is a specialized tool for WP program Security Detection. If you are interested, click Baidu. 4. taking advantage of 0-day, of course, this is only for the big ox, there is no 0-day shrimp for small dishes like ours, but here I recommend a place to look: below Exploits-db is the idea of mass intrusion (not just for WP sites): 1. scan the server port and try to break through the ports such as 21, 1433, 3306, and 3389. (If there are other ports with WEB sites, it is also a breakthrough point) 2. Start from the side station and section C. For the idea of wp intrusion, it seems that I only think of this. The technology is limited and it has been weak. If you have any ideas, please share them. WP blog background shell method: wp blog background shell, there are many methods, I will tell you here I have summarized several background shell methods, you can also use Baidu. 1. plug-ins are called FileBrowser. You can click plug-ins to install plug-ins, search for plug-ins, and install them. These plug-ins are file management plug-ins, this method seems to have not been announced on the Internet, but this method requires the plug-in directory to be writable, otherwise it will be useless if it cannot be installed. This plug-in is a file management plug-in that you can directly upload any file to the website program, of course, you can also upload asp php aspx and other large horse to get the webshell of the blog directly. 2. Modify the theme code, appearance, and editing. Just select a. php file and insert a sentence or directly modify it to shell code. How to ensure the security of WP: in fact, WP itself is already very secure. Its Common Vulnerabilities are from plug-ins. As long as you install less plug-ins, try to implement the required plug-ins using code, then you can hide the background address or install a firewall or plug-in or modify the background code. Adding verification codes can solve the cracking problem, and then you must be aware of the security, do not use a unified password to avoid password leakage. The server is secure and the WP version is often updated, which rarely causes problems.