HackMD
hey thanks for stopping by
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
As promised, the stuff I said I'd put in the archive:
Docker setup
Follow instructions in Wordfence's Discord channel https://discord.com/channels/1197901373581303849/1199013923173712023/1199041121322537115 (tons of other goodies in there too). You should be able join as a guest if you don't have a discord account.
This gets you a Wordpress server with debugging configured, and a couple other useful plugins installed: Mailcatcher (mail handler) and Adminer (frontend for database)
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
platform: linux/x86_64, nested under wordpress:The instructions recommend using VSCode, but there's nothing stopping you from using a different IDE (I use PHPStorm)
Bounty programs
Patchstack vs Wordfence
The reason I recommended Wordfence over Patchstack for beginners was because of how payouts happen.
With Wordfence, for every in-scope, non-duplicate vulnerability, you will be paid according the bug severity and plugin install count.
To get paid on Patchstack however, you generally need to either stay at the top of a monthly leaderboard (details), or submit a pre-auth / low-priv RCE (requiring no user interaction) in a +5000 install plugin (details). In saying that, you may be able to earn more through Patchstack when you're more established (there are also bonuses for reaching certain milestones).
Both platforms periodically run events which either increase some of the rewards or lower install count requirements.
Other programs
Some companies also have dedicated bounty programs for their own plugins (e.g. Wordpress has their own HackerOne program which includes Wordpress core and a few first-party plugins).
And there are other programs which don't specifically mention WordPress in their program overview, but custom themes or plugins on in-scope assets have led to valid vulnerabilities on in-scope assets (e.g. https://hackerone.com/reports/2248328)
Useful resources
I'm new to web security
- https://portswigger.net/web-security
- https://www.hacker101.com/
- https://pentesterlab.com/ (code review exercises are all paid, but students get a discount)
- Tons of other stuff online
I'm new to PHP
I glossed over this, but since WordPress is a framework built on top of PHP, you'll need to learn both features of PHP, and WordPress.
- Official docs
- https://github.com/PHPCSStandards/PHP_CodeSniffer/
- https://websec.fr/ wargames for fun / practice
I'm new to WordPress
- Official docs
- https://www.wordfence.com/wp-content/uploads/2021/07/Common-WordPress-Vulnerabilities-and-Prevention-Through-Secure-Coding-Best-Practices.pdf
- Wordfence blog
- Wordfence Discord
- Patchstack academy
- Patchstack articles
- Patchstack Discord
- https://wpctf.org/guides/
- https://wpdirectory.net/ regex search for plugin code
- https://github.com/WordPress/WordPress-Coding-Standards has some security rules, but you may find they're quite noisy
