HansUXdev / BreakWP

A demo repo for breaking WordPress in Docker


About BreakWP

This standalone repo is for teaching new developers how to intentionally break a WordPress site, so that when they encounter the same breakage in the real world they are prepared to handle it.

GOALS

The measures of success for this repo are:

  • Feel confident you can fix 500, 404 and similar errors on WP
  • Spend less time on the phone with your hosting provider
  • Understand why things break and how to prevent them from breaking in the future
  • Be security mindful: you don't have to be a security engineer to have good development habits

Before you begin

You are required to install Docker and Docker Compose on your computer. You are HIGHLY recommended to install git. You can also install the GitHub GUI if you prefer something more visual; it will help you track changes to files. I also strongly recommend you install Node.js, because this project uses it for testing via mocha, chai and puppeteer.

Once these are properly installed you can download this repo as a zip, or just clone/fork it.

Starting the exercise

If you are using git/GitHub, open up the .gitignore and remove every line except

readme.html 
license.txt

Then make a commit with all the WordPress files. This will allow you to see any changes to the files during the exercise. It will not, however, help you when changes are made to your database.

Now simply run docker compose up, or docker compose up -d to run it in the background. If you have something else running on ports 8000 or 8080 it will error out.

Once everything is up you will need to set up/install WordPress on localhost:8000. Then you will want to check that phpMyAdmin runs on localhost:8080.

On WordPress the username will be wordpress and the password will be wordpress. Select "Confirm use of weak password".

On phpMyAdmin the username will be wordpress and the password will be wordpress.

Please note, we are intentionally making this site vulnerable to hackers for educational purposes. As such, please do not deploy this to a live site under any condition.

Step 1 - Using Git and Checking your core files

When you have set up WP, please navigate to localhost:8000/break1.php. Your site should now be broken. If you used source control like git and made a commit / push, you can now check whether any file changed. If for some reason you are not using source control, you should be, and this is a good reason why.

For now, simply delete wp-config.php. Then run docker-compose down and then docker-compose up. Now your site is back up and running. This is because the file changed something called "connection strings", which is how a site connects to the database.
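A git diff tells you that wp-config.php changed; it does not tell you which connection constant drifted from what the lab expects. The following added example (not code from the BreakWP repo) parses the define('NAME', 'value'); lines of a wp-config.php and reports any DB_* constant that is missing or differs from the expected values. The user and password "wordpress" come from this README; the database name "wordpress" and the host "db" are assumptions about the compose setup, so adjust EXPECTED to match your own docker-compose file. The two config excerpts are constructed sample input.

```python
import re
from typing import Dict, List

# Expected connection constants. User/password "wordpress" are from the README;
# DB_NAME "wordpress" and DB_HOST "db" are assumptions about the compose service.
EXPECTED = {
    "DB_NAME": "wordpress",
    "DB_USER": "wordpress",
    "DB_PASSWORD": "wordpress",
    "DB_HOST": "db",
}

# Matches  define( 'NAME', 'value' );  with either quote style and optional spaces.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z0-9_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)\s*;"""
)


def parse_defines(php_source: str) -> Dict[str, str]:
    """Return every string constant set with define('NAME', 'value'); in the file."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(php_source)}


def find_drift(php_source: str, expected: Dict[str, str] = EXPECTED) -> List[str]:
    """List expected constants that are missing or whose value differs."""
    found = parse_defines(php_source)
    problems = []
    for name, want in expected.items():
        got = found.get(name)
        if got is None:
            problems.append(f"{name}: missing")
        elif got != want:
            problems.append(f"{name}: expected {want!r}, found {got!r}")
    return problems


# Constructed "good" wp-config.php excerpt.
GOOD_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'wordpress' );
define( 'DB_HOST', 'db' );
$table_prefix = 'wp_';
"""

# Constructed "tampered" excerpt: host and password rewritten, the way a broken
# connection string presents after step 1.
TAMPERED_CONFIG = GOOD_CONFIG.replace("'db'", "'db.example.invalid'").replace(
    "define( 'DB_PASSWORD', 'wordpress' );", "define( 'DB_PASSWORD', 'changed' );"
)

if __name__ == "__main__":
    for label, src in (("good", GOOD_CONFIG), ("tampered", TAMPERED_CONFIG)):
        drift = find_drift(src)
        print(f"{label}: {'OK' if not drift else drift}")
```

Run it against the real file with open('wp-config.php').read() instead of the constructed strings. Checking the parsed values rather than the raw diff means a reformatted but unchanged constant is not reported, while a changed host, user or password is named explicitly.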

Step 2 - WP Admin Login Issues

After you have finished the first step, please navigate to localhost:8000/test/break2.php. Now try to log in to the dashboard via http://localhost:8000/wp-login.php.

As you'll notice, you won't be able to log in. Let's go check our database via phpMyAdmin at http://localhost:8080.

Now try to reset the password.

Hint: you will want to check the wp_options table and select the MD5 option.
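Why does picking MD5 in phpMyAdmin work at all, when WordPress does not store plain MD5 hashes? Because wp_check_password() treats a 32-character value in wp_users.user_pass as a legacy MD5 hash, accepts it, and rehashes it into the portable phpass format ($P$...) on the next successful login. The added example below (written for this page, not code from the BreakWP repo or from WordPress) reimplements that check in Python: legacy MD5 for short values, phpass for $P$/$H$ values. It lets you confirm offline which password a user_pass value corresponds to, for instance to verify that your manual reset took. The sample password is the lab's "wordpress"; the salts are generated at runtime. Newer WordPress releases (6.8 onward) create bcrypt hashes for new passwords, which this example does not cover; legacy MD5 values are still accepted there.

```python
import hashlib
import hmac
import secrets

# phpass alphabet; note it is NOT the RFC 4648 base64 alphabet or bit order.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass encode64: pack bytes little-endian into 6-bit groups over ITOA64."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute a portable phpass hash for `password` from the 12-char setting prefix."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):          # do { md5(hash . pw) } while (--count)
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, count_log2: int = 13) -> str:
    """Create a fresh $P$ hash; 13 ('B') is what WordPress's PasswordHash(8, true) uses."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def legacy_md5(password: str) -> str:
    """The 32-char value phpMyAdmin's MD5() function writes into user_pass."""
    return hashlib.md5(password.encode()).hexdigest()


def wp_check_password(password: str, stored: str) -> bool:
    """Mirror wp_check_password(): <=32 chars is legacy MD5, otherwise portable phpass."""
    if len(stored) <= 32:
        return hmac.compare_digest(legacy_md5(password), stored)
    try:
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    except ValueError:
        return False


if __name__ == "__main__":
    reset_value = legacy_md5("wordpress")            # what the manual reset stores
    upgraded = phpass_hash("wordpress")              # what WP rewrites it to after login
    print("legacy accepted:", wp_check_password("wordpress", reset_value))
    print("upgraded hash  :", upgraded, wp_check_password("wordpress", upgraded))
```

The upgrade is one-way: once a user has logged in, user_pass is 34 characters starting with $P$B and the legacy branch is never taken again for that row, which is why a site with plain MD5 values in wp_users is a sign that accounts were written to the database directly rather than through WordPress.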

Step 3 - Bad Themes / Plugins

In Progress...

In Consideration

If you want to see these, let me know, or I may never work on them.

  • Migration Exercises
    • DB migration
    • Content migration
    • Article on gotchas with different hosting providers
  • WPScan for teaching pre-deployment vulnerability scans
    • Brute-force attacks
    • DDoS prevention
    • Open to suggestions & PRs
  • Automate Testing
  • Add (S)FTP to docker container to teach ftp
  • Testing Email?

Reading about the project

Video Lessons on Docker

If you haven't used Docker, that's ok. Here are some video tutorials by Brad Traversy to help cover the gap.

External Readings

Disclaimer

These exercises WILL:

  • Teach real-world troubleshooting of real issues
  • Teach the basics of WordPress maintenance
  • Teach the importance of using version control like git, and tests
  • Simulate the after-effects of a malware attack and poor WordPress maintenance

These exercises will NOT:

  • Teach you how to develop for WordPress
  • Teach you the ins & outs of Docker and docker-compose; we just use it to provide a safe place to practice

License: MIT License