I rerun ZAP and the wpscan online password attack against a presumably less defended target, and realize that sometimes just talking to people is the best troubleshooting methodology.
Before leaving ZAP and trying out new tools, I do a scan of this blog, emalstm.tech.
My hypothesis is that ZAP will find more flags on this WordPress. The only protective measures I’ve implemented on this site are a secure SSH connection, disallowing root login, and putting up a firewall including fail2ban.
Continue reading “Exploiting my own WordPress part 4 – Attack surface”