hey thanks for stopping by :stars:
As promised, the stuff I said I'd put in the archive:
## Docker setup
Follow the instructions in Wordfence's Discord channel https://discord.com/channels/1197901373581303849/1199013923173712023/1199041121322537115 (tons of other goodies in there too). You should be able to join as a guest if you don't have a Discord account.
This gets you a WordPress server with debugging configured, plus a couple of other useful plugins installed: Mailcatcher (mail handler) and Adminer (frontend for the database).
:warning: If you're not on an x86_64 device, you may need to add a line to the docker-compose.yml file: `platform: linux/x86_64`, nested under `wordpress:`.
The instructions recommend using VSCode, but there's nothing stopping you from using a different IDE (I use PHPStorm).
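As an added illustration (not the compose file from the Wordfence Discord), here is a constructed minimal docker-compose.yml showing where that `platform:` line goes; the images, service names and lab-only credentials are assumptions, and Mailcatcher/Adminer are left out for brevity.

```yaml
# Constructed minimal docker-compose.yml (added illustration, not the
# Wordfence Discord file). Service names, image tags and credentials are
# assumptions; adapt them to the compose file you actually downloaded.
services:
  db:
    image: mariadb:11
    environment:
      MARIADB_DATABASE: wordpress
      MARIADB_USER: wordpress
      MARIADB_PASSWORD: wordpress          # local lab only, not a real secret
      MARIADB_ROOT_PASSWORD: rootpassword  # local lab only
    volumes:
      - db_data:/var/lib/mysql

  wordpress:
    image: wordpress:latest
    # Only needed on non-x86_64 hosts (e.g. Apple Silicon): forces the amd64
    # image to run under emulation. It must sit at this indent level, directly
    # under the service key, not under `environment:` or `build:`.
    platform: linux/x86_64
    depends_on:
      - db
    ports:
      # Bind to loopback so the debug-enabled lab site is not reachable from the LAN.
      - "127.0.0.1:8080:80"
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      # Turns on WP_DEBUG in wp-config.php so notices and warnings from the
      # plugin under review show up while you test it.
      WORDPRESS_DEBUG: "1"
    volumes:
      - wp_data:/var/www/html

volumes:
  db_data:
  wp_data:
```

Bring it up with `docker compose up -d` and the site is at http://127.0.0.1:8080/; drop the `platform:` line on an x86_64 host.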
## Bounty programs
### Patchstack vs Wordfence
The reason I recommended Wordfence over Patchstack for beginners was how payouts happen.
With [Wordfence](https://www.wordfence.com/threat-intel/bug-bounty-program/), for every in-scope, non-duplicate vulnerability, you will be paid according to the bug severity and plugin install count.
To get paid on Patchstack, however, you generally need to either stay at the top of a monthly leaderboard ([details](https://patchstack.com/articles/bug-bounty-guidelines-rules/#42-monthly-competition)), or submit a pre-auth / low-priv RCE (requiring no user interaction) in a plugin with 5000+ installs ([details](https://patchstack.com/articles/bug-bounty-guidelines-rules/#5-zeroday-bounties)). That said, you may be able to earn more through Patchstack once you're more established (there are also [bonuses](https://patchstack.com/articles/bug-bounty-guidelines-rules/#43-ranking-rewards) for reaching certain milestones).
Both platforms periodically run events which either increase some of the rewards or lower install count requirements.
### Other programs
Some companies also have dedicated bounty programs for their own plugins (e.g. WordPress has its own [HackerOne program](https://hackerone.com/wordpress) which includes WordPress core and a few first-party plugins).
And there are other programs which don't specifically mention WordPress in their program overview, but custom themes or plugins running on in-scope assets have led to valid vulnerability reports (e.g. https://hackerone.com/reports/2248328).
## Useful resources
### I'm new to web security
* https://portswigger.net/web-security
* https://www.hacker101.com/
* https://pentesterlab.com/ (code review exercises are all paid, but students get a discount)
* Tons of other stuff online
### I'm new to PHP
I glossed over this, but since WordPress is a framework built on top of PHP, you'll need to learn the features of both PHP and WordPress.
* [Official docs](https://www.php.net/docs.php)
* https://github.com/PHPCSStandards/PHP_CodeSniffer/
* https://websec.fr/ (wargames for fun / practice)
### I'm new to WordPress
* [Official docs](https://developer.wordpress.org/)
* https://www.wordfence.com/wp-content/uploads/2021/07/Common-WordPress-Vulnerabilities-and-Prevention-Through-Secure-Coding-Best-Practices.pdf
* [Wordfence blog](https://www.wordfence.com/blog/)
* [Wordfence Discord](https://discord.gg/awPVjTNTrn)
* [Patchstack academy](https://patchstack.com/academy)
* [Patchstack articles](https://patchstack.com/articles/)
* [Patchstack Discord](https://discord.com/invite/patchstack-alliance-1024691600619745334)
* https://wpctf.org/guides/
* https://wpdirectory.net/ (regex search across plugin code)
* https://github.com/WordPress/WordPress-Coding-Standards has some security rules, but you may find they're quite noisy