Cyber-Exploitation Chain is a term defined by Lockheed Martin scientists to describe the chain of techniques required to intrude into an organization's networks. However, these techniques also apply when we are talking about intrusion into a web-page, in this case web-pages built on WordPress. Most of the principles Cyber-Criminals apply when intruding into networks are basically the same as those used to intrude into web-sites.
There are seven techniques in the basic Cyber-Exploitation Chain, although their count could vary depending on the magnitude of the intrusion. These techniques are more applicable to networks, but we can adapt them to web-page security as well. Let's look at those Cyber-Exploitation Chain techniques first, and later we will analyze them from the perspective of WordPress security.
First of all, the Cyber-Criminal selects a target and, after hours of research, attempts to discover vulnerabilities present in the target's network. The next task is to create a remote-access infection such as a virus or worm to exploit one or more vulnerabilities of the network. Once the infection is ready, it's time to transmit it into the target's network via e-mail attachments, web-pages or USB drives. Once the virus is in the network, it triggers the infected code to exploit the vulnerabilities and take control. Now it's time to create various access points that can be used to transmit other viruses if necessary for further exploitation. Running the infected code and creating access points eventually provides access to the target's network, including hands-on-keyboard access. The core objective here is destruction, encryption, and exfiltration of server data.
Now let's analyze the techniques that the Cyber-Exploitation Chain employs to intrude into WordPress web-pages and see which WordPress security measures can help us make the web-site more resistant.
Reconnaissance plays a massive role in the whole sequence of the Cyber-Exploitation Chain. Usually it is the most time-consuming technique and could determine the success of the intrusion. Here I should clarify one essential thing: a Cyber-Criminal could choose a target due to his own preferences, or he could select it because he knows for sure that it is vulnerable. And here we have to remember Google Dorking and other techniques used by Cyber-Criminals to find vulnerable web-sites.
So how do we protect a WordPress website from reconnaissance that could lead to infiltration? Well, we need to control the information that is sensitive from the perspective of website security. For example:
- The PHP version of your web server; if you're running an insecure version of PHP, that could be a problem.
- Keep your users with administrator capabilities unidentifiable; use other users with fewer capabilities to generate content.
- WordPress backup files stored on your web server, especially if there is a backup of the database among them.
- The WordPress version, especially if your web-site is powered by an old version of WordPress and you can't update it to the latest version (highly modified/legacy).
- A poor directory structure and configuration issues that result in unrestricted directory browsing.
- Server information.
The main idea is to make information about your web-site, server, directory structure, program versions, and users less accessible. Don't forget that a Cyber-Criminal can gather sensitive information even with the Google search engine. There are also specialized search engines that allow searching for web-pages that include particular lines of code. Periodic inspection of the web-site for leakage of sensitive information is an ideal preventive measure.
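Such a periodic inspection can be partly automated. The following added example (not code from the original post) scans a constructed sample of response headers and front-page HTML for the fingerprinting clues listed above: product versions in `Server`/`X-Powered-By`, the WordPress generator tag, `?ver=` query strings that reveal core, theme and plugin versions, and author archive links that expose usernames.

```python
import re

# Constructed sample response from a WordPress site (not a real site):
# a few headers and a fragment of the front-page HTML.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/5.6.40",
}
SAMPLE_HTML = """
<meta name="generator" content="WordPress 4.9.8" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<link rel="stylesheet" href="/wp-content/themes/twentyseventeen/style.css?ver=1.7">
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.0.4">
<a href="/author/admin/">admin</a>
"""


def find_leaks(headers, html):
    """Return a list of (category, detail) pairs for information that helps
    an outsider fingerprint the site. Header names match case-insensitively."""
    leaks = []
    h = {k.lower(): v for k, v in headers.items()}
    # Server / X-Powered-By headers that carry a product version number
    for name in ("server", "x-powered-by"):
        value = h.get(name, "")
        if re.search(r"\d+\.\d+", value):
            leaks.append(("header", f"{name}: {value}"))
    # <meta name="generator"> reveals the exact WordPress version
    m = re.search(r'<meta name="generator" content="([^"]+)"', html)
    if m:
        leaks.append(("generator", m.group(1)))
    # ?ver= cache-busting parameters reveal core, theme and plugin versions
    for path, ver in re.findall(r'(/wp-(?:includes|content)/[^"?]+)\?ver=([\w.]+)', html):
        leaks.append(("version-query", f"{path} {ver}"))
    # author archive links expose usernames, which is half of a login
    for user in re.findall(r'/author/([^/"]+)/', html):
        leaks.append(("username", user))
    return leaks


if __name__ == "__main__":
    for category, detail in find_leaks(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{category:14} {detail}")
```

Run it against your own site's saved response (headers plus HTML) and work through the findings: remove the generator tag, strip version query strings, and hide author archives for administrator accounts.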
However, you can't hide everything. That's why it's highly recommended to keep WordPress, its plugins and themes up to date. A Cyber-Criminal can do reconnaissance based on a particular program: he can look for vulnerable plugins and themes in any public archive of vulnerable WordPress program versions and then look for websites running that program.
There are a dozen ways Cyber-Criminals can deliver their infected code to your web server, starting from the simplest and most hazardous: an FTP connection using stolen FTP credentials. That's why the security of your own computer may impact the safety of your web-page. Besides FTP, a Cyber-Criminal can use other infected-payload delivery techniques.
Even a contact form with the ability to attach a file to a message can be extremely hazardous if uploading files with specific extensions is not restricted. A Cyber-Criminal can also use Cross-Site Scripting (XSS), Remote File Inclusion (RFI), Local File Inclusion (LFI), the Double Extension Injection Technique, Null Byte Injection, and other techniques.
To ensure the success of the intrusion, a Cyber-Criminal will create custom code that he will try to inject into your website. It might be a separate file or a piece of source code that he will try to insert into a particular PHP or HTML file on your web server. In such cases, unique code is used to prevent security systems from identifying it. These systems often rely on dictionaries of virus signatures found earlier on other infected web-pages, so the only way to make code hard to identify is to make it unique. In most cases, this type of infection is used to create access to server files or the database. Security hardening must therefore be directed towards identifying virus signatures and controlling the checksums of files and directories.
To make your WordPress website resistant to any of the mentioned delivery techniques, you have to keep all programs, including the web-server program, up to date, and you need to actively inspect all forms for XSS and similar vulnerabilities. We also need to restrict file extensions that could be executed on the server (for example PHP) and restrict direct access to files uploaded through contact and other forms on your web-site.
So keep in mind that a Cyber-Criminal will definitely exploit any possible vulnerability. If he did a great job of his reconnaissance homework and you forgot to protect against possible intrusions, there is a good chance that he will be able to install an infected program.
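Restricting extensions properly means more than checking the last characters of the name. The following added example (not code from the original post; the allowlist and magic-byte table are assumptions for illustration) shows an upload check that rejects the Double Extension and Null Byte tricks mentioned above, path components in the name, and content whose magic bytes disagree with the claimed extension.

```python
import os

# What a contact form legitimately needs to accept (assumed allowlist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
# Server-side executable extensions that must not appear anywhere in the name:
# Apache configured with AddHandler may execute "shell.php.jpg", and some
# stacks truncate "shell.php\x00.jpg" at the null byte.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "cgi", "pl", "py", "sh"}
# Leading bytes expected for each allowed extension.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF-",
}


def check_upload(filename, data):
    """Return (ok, reason) for a submitted filename and its raw content."""
    if "\x00" in filename:
        return False, "null byte in filename"
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "path component in filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    # inner extensions: "shell.php.jpg" -> ["shell", "php", "jpg"]
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        return False, "executable extension inside name"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"
```

Even with this check, store uploads outside the document root or deny PHP execution in the uploads directory at the web-server level, so that a file which slips through is served as data rather than run.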
Constant monitoring of your web-page can help you identify suspicious activity at an early stage. You need to monitor the search results related to your web-pages; this may reveal unwanted content like pharma-spam or Cyber-Criminal's signatures left on your web-site, and it can also be useful for planning preventive measures. It is also extremely important that you check the server log files periodically and pay close attention to unknown IP addresses that directly access particular PHP or HTML files on your web server, because as soon as a Cyber-Criminal is able to inject and access the infected payload, he probably has full access to your web-page's files and complete control of your website. Now he can access the WordPress database (all credentials are available in the wp-config.php file), he can alter any file and inject more infected code. Other signs that your web-site may have been compromised include:
- Highly increased use of server resources and/or a slow web-page. Your web server's resources can be used to intrude into other web-sites, send spam, and perform other suspicious activities.
- A very noticeable decrease in web-site visitors. Use Google Analytics to monitor your web-page; if there are suspicious redirects on your web-page, you will notice anomalies in the Analytics reports.
- Is your web-page (domain name) blacklisted? This may be due to several reasons, such as the distribution of a virus, spam emails, or the use of web-page resources to intrude into another web-
- The emergence of unwanted ads, pop-ups, and content on your website.
- High CPU load while browsing your web-page. This could be a crypto-mining script injected by Cyber-Criminals.
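The log check recommended above can be turned into a small filter. The following added example (not code from the original post) parses constructed Apache combined-format lines and reports requests from untrusted IP addresses that directly address a `.php` file outside WordPress's normal entry points; hits under `wp-content/uploads` deserve the most attention, because nothing there should be executable.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (sample data, not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:10:01:05 +0000] "GET /wp-content/themes/t/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:10:02:40 +0000] "GET /wp-content/uploads/2023/10/x.php HTTP/1.1" 200 77 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:10:02:41 +0000] "POST /wp-content/uploads/2023/10/x.php HTTP/1.1" 200 77 "-" "curl/7.88"
192.0.2.5 - - [10/Oct/2023:10:03:00 +0000] "GET /wp-content/plugins/p/inc/ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Normal WordPress entry points. Everything else is reached through index.php
# rewrites, so a direct request for another .php file is worth a look.
KNOWN_ENTRY_POINTS = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
                      "/wp-comments-post.php"}


def direct_php_hits(log_text, trusted_ips=frozenset()):
    """Return {ip: [(method, path, status), ...]} for requests from untrusted
    IPs that directly address a .php file outside the known entry points."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if ip in trusted_ips or not path.lower().endswith(".php"):
            continue
        if path in KNOWN_ENTRY_POINTS or path.startswith("/wp-admin/"):
            continue
        hits[ip].append((method, path, int(status)))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in direct_php_hits(SAMPLE_LOG).items():
        for method, path, status in reqs:
            print(f"{ip:16} {method:5} {status} {path}")
```

Pass the IP addresses of your own office or of known-good integrations as `trusted_ips` so that the report only lists what you need to investigate.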
Most intrusion techniques follow a similar sequence. The Cyber-Exploitation Chain is an excellent example of the techniques employed by Cyber-Criminals to successfully execute an intrusion. Being aware of the potentially weak sides of a web-site's security can help you plan additional protection. Any method you use to prevent one or another type of intrusion or sensitive data leakage enhances the overall security status of your web-site.
Constant monitoring and preventive checks are also necessary to accurately assess the current security status of your WordPress web-site, especially if you want PCI compliance for a WooCommerce-based online store. Your network's security does not depend on what type of security tool you have purchased; it depends on various factors, including your daily online behavior, habits and security knowledge.