BjornW|4 years ago
There are multiple attack vectors I can think of, although most can be mitigated using other security measures. I don't want to rely on audits only, of course. To give you an example: using the WordPress environment as a stepping stone to gain more access, running client-side software without our permission (stealing data from visitors, our resources e.g. crypto miners), defacement/fake-news, etc.
TekMol|4 years ago
In my experience, if you really want to make your infrastructure more secure, you need to explicitly define what it is you want to avoid.
Taking your first point: You say "using the WordPress environment as a stepping stone to gain more access". What type of stepping stone would this be? How can malicious JS on the WP instance escalate its privileges?