WordPress Pentest

We examine your WordPress installation for vulnerabilities - focusing on all in-house developments, be it the theme or plugins.

WordPress is the top dog among CMSs - worldwide! The interest of cyber criminals is correspondingly high. Even a short WordPress security audit helps to close security gaps and reduce the attack surface.

WordPress Penetration testing

Why should you check a WordPress application for vulnerabilities?

Honestly - you don't have to like WordPress. But you have to accept that it is the most widely used content management system in the world. And there are good reasons for this. WordPress is easy to use, even beginners can install it on almost any web host, and it is just as easy to extend. The number of free plugins and themes is huge. WordPress is also being used more and more frequently in the enterprise sector - whether to run online stores with WooCommerce or to set up an internal knowledge base. In these cases in particular, custom themes and plugins are often written - and from a pentest provider's perspective, this is where most security vulnerabilities are found.

WordPress has its pitfalls and weaknesses - not every developer reads the WordPress Codex and developer handbook, so security vulnerabilities keep creeping in. The good news is that these can be found and fixed in a relatively short time. In a normal WordPress pentest, the core system "WordPress" itself is practically never in scope: it is audited by many parties, patched quickly, and has a strong security track record, provided the installation is kept up to date. The custom code on top of it is where the test effort pays off.

WordPress Pentest together with WordPress Hardening

In addition to a classic penetration test, DSecured also offers WordPress hardening. The focus here is on the entire system, including the web server - we look at what can be optimized and which measures prevent an attacker from taking over the system. Even the simplest measures are often very worthwhile: restricting access to the admin area (wp-admin, wp-login.php) via .htaccess, or installing a WordPress security plugin and - this is the part that is usually skipped - actually configuring it.

How much does a WordPress pentest cost?

80% of our WordPress customers don't really have much that needs to be checked. Most of the time we are looking at a more or less complex theme (or child theme) that was developed in-house, plus a few custom plugins. As a rule, the invoice amount is between €1000 and €2000. For larger projects it can also be €5000. The price also depends heavily on how extensive the reporting needs to be. In most cases a full pentest report is not necessary, in which case you can save 10-20%. In general: ask us - we will be happy to make you an offer.

Damian Strobel

"As easy as it is to build a website with WordPress, it is just as easy to introduce security vulnerabilities. Caution is advised!"

Damian Strobel - Founder of DSecured

Improve the security of your WordPress application with a penetration test from DSecured.

Is a WordPress pentest worth it?

To be honest, we would say that in 80% of cases a full penetration test is not worthwhile. Many WordPress sites are built from standard components that are relatively secure. A quick hardening is completely sufficient here. If you also keep up with updates and backups, you are in reasonably good shape. It becomes more interesting if you run an online store (WooCommerce) and have built parts of the site yourself.

If you are not sure, ask yourself:

  • What happens if my WordPress suddenly stops working? Will I lose money?
  • What do I do if my site is defaced? What will my customers think?
  • What do I do if I'm being blackmailed because someone has stolen user information from the WordPress database?

If any of these scenarios would hurt your business, it is worth having an IT security expert take a look.

Penetration tests for WordPress developers and WordPress agencies

We offer a special service for WordPress developers and WordPress agencies. We check the relevant parts - usually themes or plugins - that you develop or have developed for your customers. This lets us, and therefore you, make sure your customers do not receive code with security vulnerabilities. This service is all about speed - we skip long kick-off meetings and elaborate reports. We look at the code, find security vulnerabilities and report them to the responsible developer by the shortest route.

What security vulnerabilities are found during a WordPress pentest?

A WP pentest is basically nothing more than a normal web application pentest - the target is a PHP application. Accordingly, you will see the classic PHP security vulnerabilities such as local file inclusion, SQL injection, authorization bypasses and XSS. With WordPress in particular, misuse of the Ajax mechanism (admin-ajax.php) is seen again and again: handlers are registered on the wp_ajax_nopriv_ hook or without a capability check and nonce, so anyone who knows the action name can call them. Insecure deserialization - unserialize() on attacker-controlled input - is also quite common.
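The following is an added example, not code from DSecured or from any real plugin. It shows a hypothetical "dsx" plugin exposing a user export over admin-ajax.php, first in the shape we regularly find in audits (no authorization, no nonce, raw SQL, unserialize() on request data), then the hardened form. The action name dsx_export_users, the function names and the "filters" parameter are assumptions made for this illustration; the WordPress APIs used are the real ones.

```php
<?php
/**
 * Added example, not code from DSecured or from any real plugin: a hypothetical
 * "dsx" plugin exposing a user export over admin-ajax.php. The action name
 * dsx_export_users, the function names and the "filters" parameter are
 * assumptions made for this illustration.
 */

/* ---------- Vulnerable handler (the "before") ---------- */

// Registering the same callback on wp_ajax_nopriv_ makes it reachable without
// login: POST /wp-admin/admin-ajax.php with action=dsx_export_users.
add_action( 'wp_ajax_dsx_export_users', 'dsx_export_users_vulnerable' );
add_action( 'wp_ajax_nopriv_dsx_export_users', 'dsx_export_users_vulnerable' );

function dsx_export_users_vulnerable() {
    global $wpdb;

    // No nonce check (CSRF) and no capability check: any caller, even a
    // Subscriber or an anonymous visitor, receives the export.
    $role = $_POST['role'];

    // Attacker-controlled string straight into unserialize(): PHP object
    // injection if any loaded class has a usable __wakeup()/__destruct().
    $filters = unserialize( wp_unslash( $_POST['filters'] ) );

    // Unprepared SQL: $role is interpolated, a classic SQL injection.
    $rows = $wpdb->get_results(
        "SELECT u.user_login, u.user_email FROM {$wpdb->users} u
         JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
         WHERE m.meta_key = '{$wpdb->prefix}capabilities' AND m.meta_value LIKE '%$role%'"
    );
    wp_send_json( $rows );
}

/* ---------- Hardened handler (the "after") ---------- */

// Logged-in users only: no wp_ajax_nopriv_ hook, so admin-ajax.php answers
// anonymous requests with a bare "0".
add_action( 'wp_ajax_dsx_export_users', 'dsx_export_users_hardened' );

function dsx_export_users_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and user;
    //    check_ajax_referer() ends the request with HTTP 403 otherwise.
    check_ajax_referer( 'dsx_export_users', 'nonce' );

    // 2. Authorization: being logged in is not enough. Tie the action to a
    //    capability that matches what it does.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input: sanitize, then validate against the roles that actually exist.
    $role = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    if ( null === get_role( $role ) ) {
        wp_send_json_error( 'unknown role', 400 );
    }

    // 4. Structured input as JSON, never serialize()/unserialize().
    $filters = json_decode( wp_unslash( $_POST['filters'] ?? '{}' ), true );
    if ( ! is_array( $filters ) ) {
        wp_send_json_error( 'bad filters', 400 );
    }
    $search = isset( $filters['search'] ) ? sanitize_text_field( $filters['search'] ) : '';

    // 5. Let WP_User_Query build the role join; no hand-written SQL at all.
    $users = get_users( array(
        'role'   => $role,
        'search' => '' === $search ? '' : '*' . $search . '*',
        'fields' => array( 'user_login', 'user_email' ),
    ) );
    wp_send_json_success( $users );
}

// Issuing the nonce to the admin-side script that makes the request.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'dsx-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dsx-admin', 'dsxAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'dsx_export_users' ),
    ) );
} );
```

Two caveats worth remembering when reviewing real plugins: a wp_ajax_nopriv_ registration is legitimate for actions that are meant to be public (a contact form, a public search), but a nonce alone is then only a CSRF measure and not authentication, so such handlers must not touch privileged data. And if unserialize() cannot be avoided for legacy reasons, call it with array( 'allowed_classes' => false ) so no object can be instantiated from the input.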

It is also a fact that the quality of many - not all - WordPress plugins and themes leaves a lot to be desired. The number of security vulnerabilities in plugins and themes is alarmingly high - there are even dedicated portals that do nothing but list vulnerabilities in WordPress plugins. It is therefore not unusual that, during a WordPress pentest or hardening, we discover that the site has already been compromised and PHP web shells are scattered across the installation. We help to remove them.

Vulnerabilities in WordPress are often found in plugins and themes. A pentest can help to identify them!

Some companies we have been able to help

Grab
PayPal
BMW
Goldman Sachs
Starbucks
ATT
TikTok
Hilton

Further questions and answers on the topic "WordPress penetration testing"

How long does a typical WordPress penetration testing process take at DSecured?

Typically, our WordPress penetration testing runs anywhere from a few days to a couple of weeks. The duration heavily depends on the complexity of the website and specific client requirements. Our team ensures thorough testing without compromising on depth or detail.

What should I expect in the final report from a WordPress penetration testing by DSecured?

You can expect a detailed and comprehensive document comprising a management summary, technical specifics, and tailored action recommendations. Our reports are designed to be understood clearly and to provide actionable insights without any false positives.

How does my team prepare for a WordPress penetration test?

With WordPress, the parts that are to be tested should be available as source code. We are also happy to have a corresponding demo or staging system that we are allowed to test freely.

After completion of a security evaluation, what kind of support can I expect from DSecured?

Following the evaluation, our team provides detailed guidance on remedying detected vulnerabilities and, upon request, can assist in the implementation of these security measures. Clients also receive continuous support for any subsequent questions or additional security assistance.

How often should I have a security check carried out for my WordPress site?

That depends on how important the data in your installation is. At least once a year, but better if there are major cha

Contact DSecured

Get a WordPress pentest offer