Blog of Daniel Ruf

As ethical hacker I found an easy way to get a list of all public WordPress plugins.

A few weeks ago, I did some small security audits of WordPress plugins and the result is not great.

It only needs some creativity to bypass the security measures of a WordPress plugin, that tries to hide your login URL.

Every day attackers are scanning the internet for vulnerable WordPress websites and we can often see corresponding probing requests on most websites, even if they do not use WordPress.

This is a post mortem report of a hacked WordPress instance with a cryptominer in 2018 which was handled by me.