Fuzzer / fuzzing

What is fuzzing?

Fuzzing is a technique that sends semi-randomized data to a program in the hope of uncovering bugs and loopholes in the software. The semi-randomized data is drawn from what is known as the explorable solution space: the set of possible inputs that match the type of input the program expects. For example, if an input form expects an integer, the fuzzer might try sending numbers that are outside the expected range.

How does fuzzing work?

Fuzzers, the software that does the fuzzing, come in different shapes and sizes. Since a fuzzer needs to send data that the target can process, fuzzers are usually either protocol-based or data-type-based.

Depending on the type of attack, fuzzers may try a combination of numbers, characters, metadata, and/or binary sequences.

In WordPress scenarios, a fuzzer can be configured to send multiple HTTP requests to a target website. The requests can be varied in a number of ways; one common example is trying different URLs in the hope of uncovering a leftover backup file. In such a scenario, the requests may look something like this:

http://www.example.com/wp-config.old
http://www.example.com/wp-config.php.old
http://www.example.com/wp-config.bak
http://www.example.com/wp-config.php.back
http://www.example.com/wp-config.txt
http://www.example.com/wp-config.zip

Why is fuzzing dangerous?

Fuzzing can identify misconfigurations and leftover files, which can give attackers the information they need to find a way into your website.

Fuzzing, however, can also be used as a legitimate tool by software testers who are looking for bugs before software is released to the general public. In such scenarios, fuzzing is not dangerous – on the contrary, it minimizes risk.

How to protect your WordPress website from fuzzing

While you cannot stop attackers from fuzzing your WordPress website, you can take steps to minimize the chance of an attacker uncovering loopholes through it. Taking these steps can help you render fuzzing harmless.

1. Remove leftover, unreferenced, and exposed backup files

Fuzzing can uncover files that might have inadvertently been left on your server that you do not want in the hands of an attacker. Finding WordPress backup and unreferenced files is not as difficult as you might think and can save you a lot of trouble down the line. You can even use a fuzzer.
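The request list above shows which file names a fuzzer probes for; the audit below turns that around and checks your own document root for the same leftovers before anyone else does. This is an added example written for this page, not code from Melapress or from WordPress. It takes the suffixes from the request list, adds a few editor and archive leftovers that are my own assumption (`.php~`, `.php.swp`, `.php.orig`, `.php.save`, `.tar.gz`), and goes slightly further than the page by flagging any file that starts with `wp-config` other than the two names WordPress itself ships. The sample tree it walks is constructed in a temporary directory, so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Suffix variants taken from the page's example request list.
PAGE_SUFFIXES = (".old", ".php.old", ".bak", ".php.back", ".txt", ".zip")

# Extra editor and archive leftovers; these are an assumption, not from the page.
EXTRA_SUFFIXES = (".php~", ".php.swp", ".php.orig", ".php.save", ".tar.gz")

# Files that legitimately carry the base name and must not be flagged.
# wp-config-sample.php ships with WordPress; deleting it is good practice,
# but it holds no secrets, so it is not a leftover backup.
LEGITIMATE = {"wp-config.php", "wp-config-sample.php"}


def candidate_names(base="wp-config", suffixes=PAGE_SUFFIXES + EXTRA_SUFFIXES):
    """Return the set of file names a fuzzer would probe for (base + suffix)."""
    return {base + s for s in suffixes}


def find_leftover_backups(docroot, base="wp-config"):
    """Walk docroot and return sorted, docroot-relative POSIX paths of every
    regular file whose name starts with `base` and is not a legitimate
    WordPress file. Prefix matching catches variants the suffix list does
    not enumerate (for example wp-config.php.bak2 or wp-config.php.1)."""
    root = Path(docroot)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith(base) and name not in LEGITIMATE:
                rel = Path(dirpath, name).relative_to(root).as_posix()
                hits.append(rel)
    return sorted(hits)


def build_sample_docroot():
    """Construct a throwaway WordPress-like tree (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    sample_files = (
        "wp-config.php",                      # the live config: keep, do not flag
        "wp-config-sample.php",               # shipped by WordPress: do not flag
        "index.php",
        "wp-config.php.old",                  # leftover from a manual edit
        "backups/wp-config.bak",              # leftover in an unreferenced folder
        "wp-content/uploads/wp-config.zip",   # leftover inside a web-served path
    )
    for rel in sample_files:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // placeholder\n")
    return root


if __name__ == "__main__":
    docroot = build_sample_docroot()
    for hit in find_leftover_backups(docroot):
        print("leftover backup file:", hit)
```

Run it against your real document root by calling `find_leftover_backups("/var/www/html")` (path is an assumption; use your own). Anything it reports is a file a fuzzer can find by name alone, so remove it or move it outside the web root. Note that it only finds files you can see on disk; a file served by a misconfigured alias or a second vhost still needs checking from the outside.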

2. Use plugins and themes from reputable developers

Reputable developers thoroughly test their plugins and themes before releasing them to the public; after all, their reputation is on the line. By having software pre-tested, the risk of security bugs and loopholes being present is minimized considerably, leaving your WordPress website all the safer. Refer to our guide to evaluating and testing WordPress plugins for more information on what you should look out for when choosing a plugin for your website.

3. Harden WordPress

Hardening WordPress security can help you ensure you have a strong last line of defense – after all, no system is entirely perfect. A holistic approach is always going to work best against attacks that might come from different angles, helping you ensure you have all of your bases covered.
