In the past blog posts we've been writing about OSINT Tools, and also about how to prevent DNS attacks when you are running your own DNS servers, and today we are focusing on Wordpress Security.
When we talk about security, we talk about services, and a lot of those are public websites.
According to the latest W3Techs report as of July 2018, Wordpress is used by 31% of the existing websites. That's a lot.
Latest Sucuri hacked websites report for the past 2017 also revealed WordPress infections rose from 74% in 2016 Q3 to 83% in 2017 — that's not good at all. It is without any doubt one of the most attacked CMS platforms.
Wordpress is easy to use, has a fast learning curve, and can be installed by almost anybody without any programming or technical skills. But, it can become your worst nightmare if you don't know how to keep it secure.
So, how can you test whether your Wordpress installation is secure? Keep reading.
Most popular Wordpress Vulnerability Scanners
Website owners often tend to install Wordpress, choose a theme, configure the needed plugins, but completely forget about hardening Wordpress, which include keeping your WP core, themes, and plugins updated, among other things.
Is your Wordpress installation really secure against external attacks? How can you find vulnerabilities and weaknesses in your current Wordpress site?
Let's answer these questions by exploring the finest Wordpress vulnerability scanners in order to find and fix any security flaws in your WordPress website today.
WPScan is one of the best vulnerability scanners for Wordpress and works like a charm from the terminal, where you can run remote vulnerability tests against your WP installations.
Using WPScan allows you to analyze the security of your current WordPress website to:
- Detect known vulnerabilities in the WP core, as well as themes and plugins
- Detect if any registered user is using weak passwords
- Check overall WP security configuration
- Run brute force penetration testings
- Wordpress Version enumeration (from generator meta tag)
- Full server headers scanning
- Miscellaneous WordPress checks, such as directory used, theme names, custom dirs, etc.
This WP security tool works by using the wpvulndb.com database to keep the vulnerability database up to date. It also has a very extended documentation for developers to improve the security scanning against Wordpress installations.
Note: WPScan comes pre-installed on the most popular penetration and security-based Linux distributions like Kali Linux, BackBox Linux, Pentoo, and BlackArch.
Let's solve the required dependencies first for the most popular Linux distributions.
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
sudo apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build
Let's clone the WPScan GitHub repo, and then install the app in our test box, use the following commands:
git clone https://github.com/wpscanteam/wpscan.git cd wpscan sudo gem install bundler && bundle install --without test
Let's see if it was installed ok. Run this command and it should display the WPScan banner and version:
ruby wpscan.rb --version [research@securitytrails wpscan]# ruby wpscan.rb --version _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 2.9.5-dev Sponsored by Sucuri - https://sucuri.net @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_ _______________________________________________________________ Current version: 2.9.5-dev [research@securitytrails wpscan]#
If you see that, then it was installed OK. Now let's see the most popular arguments you can use:
--update Update the database to the latest version. --url | -u The WordPress URL/domain to scan. --force | -f Forces WPScan to not check if the remote site is running WordPress.
For the full list of arguments, try:
ruby wpscan.rb --help
Running our first WPScan against Wordpress
Now that you have WPScan installed and working, let's begin with the fun stuff.
First things first, let's update the WPScan vulnerability database:
ruby wpscan.rb --update
Now, launch your first scan:
ruby wpscan.rb --url yourwordpress.com
Replace "yourwordpress.com" with the URL of your website.
You should get something like this:
[i] The remote host tried to redirect to: https://wpsecuritytesting.com/ [?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N] >Y [+] URL: https://www.wpsecuritytesting.com/ [+] Started: Fri Jul 13 15:26:24 2018 [+] Interesting header: CONTENT-SECURITY-POLICY: default-src https: data: 'unsafe-inline' 'unsafe-eval' [+] Interesting header: EXPECT-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" [+] Interesting header: LINK: <https://www.wpsecuritytesting.com/wp-json/>; rel="https://api.w.org/" [+] Interesting header: SERVER: cloudflare [+] Interesting header: STRICT-TRANSPORT-SECURITY: max-age=15724800; includeSubdomains; preload [+] Interesting header: X-CONTENT-TYPE-OPTIONS: nosniff [+] Interesting header: X-FRAME-OPTIONS: DENY [+] Interesting header: X-XSS-PROTECTION: 1; mode=block [+] This site has 'Must Use Plugins' (http://codex.wordpress.org/Must_Use_Plugins) [+] XML-RPC Interface available under: https://www.wpsecuritytesting.com/xmlrpc.php [HTTP 405] [+] API exposed: https://www.wpsecuritytesting.com/wp-json/ [HTTP 200] [!] 1 user exposed via API: https://www.wpsecuritytesting.com/wp-json/wp/v2/users +----+----------------+---------------------------------------------------------+ | ID | Name | URL | +----+----------------+---------------------------------------------------------+ | 1 | John Smith | https://www.wpsecuritytesting.com/author/johnsmith/ | +----+----------------+---------------------------------------------------------+ [+] Found an RSS Feed: https://www.wpsecuritytesting.com/feed/ [HTTP 200] [!] Detected 1 user from RSS feed: +----------------+ | Name | +----------------+ | John Smith | +----------------+ [+] Enumerating WordPress version ... [+] WordPress version 4.9.7 (Released on 2018-07-05) identified from meta generator, links opml [+] WordPress theme in use: mts_clear - v1.30 [+] Name: mts_clear - v1.30 | Latest version: 1.29 (up to date) | Last updated: 2018-02-22T00:00:00.000Z | Location: https://www.wpsecuritytesting.com/wp-content/themes/mts_clear/ | Readme: https://www.wpsecuritytesting.com/wp-content/themes/mts_clear/readme.txt | Style URL: https://www.wpsecuritytesting.com/wp-content/themes/mts_clear/style.css | Theme Name: mts_clear | Theme URI: https://www.competethemes.com/mts_clear/ | Description: mts_clear is designed for publishers who want readers. That's why mts_clear is fast, responsive, access... | mts_clear: Compete Themes | mts_clear URI: https://www.competethemes.com [+] Enumerating plugins from passive detection ... | 3 plugins found: [+] Name: easy-social-share-buttons3 | Location: https://www.wpsecuritytesting.com/wp-content/plugins/easy-social-share-buttons3/ [+] Name: fancy-lightbox - v1.0.0 | Latest version: 1.0.0 (up to date) | Last updated: 2016-08-20T23:26:00.000Z | Location: https://www.wpsecuritytesting.com/wp-content/plugins/fancy-lightbox/ | Readme: https://www.wpsecuritytesting.com/wp-content/plugins/fancy-lightbox/readme.txt [+] Name: wp-to-twitter - v3.3.6 | Latest version: 3.3.6 (up to date) | Last updated: 2018-05-21T16:32:00.000Z | Location: https://www.wpsecuritytesting.com/wp-content/plugins/wp-to-twitter/ | Readme: https://www.wpsecuritytesting.com/wp-content/plugins/wp-to-twitter/readme.txt | Changelog: https://www.wpsecuritytesting.com/wp-content/plugins/wp-to-twitter/changelog.txt [+] Finished: Fri Jul 13 15:30:52 2018 [+] Elapsed time: 00:04:28 [+] Requests made: 401 [+] Memory used: 111.953 MB [root@securitytrails wpscan]#
As you see, the scan was able to detect WP usernames, plugin versions, theme name & version, as well as WP core version, and detect if you are running the latest version or not.
Other popular command line arguments you can use are brute force testings using word lists, as you see below:
Brute force on enumerated users using 25 threads - Replace "mylist.lst" with your own word list.
ruby wpscan.rb --url www.example.com --wordlist mylist.lst --threads 25
Same example, but only against the "admin" username:
ruby wpscan.rb --url www.example.com --wordlist mylist.lst --username admin
The number of tests you can run with WPScan is really huge, explore the rest reading the online documentation from the README file on Github, or run the --help option.
Sucuri is one of the leading anti-malware services for Wordpress, they became very popular years ago, and now the service is part of Godaddy.
They offer a free security scan for Wordpress that lets you check your WP installation to detect any kind of issues like malware infections, blacklisting, outdated software or general website errors.
How can you test your site using Sucuri?
- Go to the free test page at sitecheck.sucuri.net
- Enter your website URL.
- Explore the results.
If your site is not vulnerable, you should see something like this output:
3. WP SCANS
WPScans, with "S" at the end is not the same as WPScan. These are two different scanners.
WPScans is another great alternative to scan your WP installation against known vulnerabilities.
It allows you to run a full security analysis against your WP core, theme and plugins, checking against their + 6k vulnerabilities database, and reporting all the findings to you right away.
For registered users, they also allow you to set up automatic scans on a daily or monthly basis in order to keep track of the security status of all your WP websites.
They also offer full advanced reports and solutions so you can not only detect, but know how to fix all security issues found on your WP installation.
How can I test it?
Just browse over wpscans.com to have a quick check and know if your WP is vulnerable or not.
Results will appear as you see below if your site is OK:
Or if it detects any issues, as you see below:
Click the "Show/Hide the full list of Wordpress core vulnerabilities found on your website" link to get the full details about the vulnerabilities found on your WP installation. You should see something like this:
4. Pentest-Tools WP Scanner
Pentest-Tools Wordpress Vulnerability scan is another great alternative tool to analyze the security of all your WordPress installations.
This utility performs multiple remote tests with WPScan in the background to identify
Wordpress security vulnerabilities and weaknesses, simulating a 3rd party attack against your WP based websites.
In their scan, Pentest-Tools include:
- WP core, theme and plugins version scan.
- Show vulnerabilities in this areas as well.
- Plugin enumeration.
- Wordpress users detection.
- Download the results in PDF format.
How can I scan my website?
- Go to Pentest Tools WP test page.
- Buy some credits to run the scan.
- Results should be something like this:
As you see, you will find the full details of each vulnerability, how it can affect your site, and the steps in order to fix it. Without any doubts, a pretty cool GUI interface for WPScan, which is the core scanner behind this tool.
5. FirstSiteGuide WP Scanner
This scanner is one of the best free online security scanners for Wordpress. It performs a big number of security checks to determine if your WP installation is vulnerable or not.
Main checks performed:
- WP version detection.
- Check if readme.html install.php upgrade.php are accessible over HTTP.
- Check your HTTP headers to find out if your server is showing sensitive information.
- Tries to get the full list of Wordpress usernames.
- Check if WP admin is served over HTTPS or HTTP.
- Check if Indexes HTTP directive is on and you allow browsable directories.
- Determine if EditURI link is present in your page headers.
Testing your site is easy:
- Go to the test page.
- Enter your Wordpress URL.
- Analyze the results
As you see, this tool will highlight with red color the weaknesses found on your WP installation. Now all you need to do is to start hardening your Wordpress installation.
Using this tools from time to time will help you to detect and take the right steps to prevent WordPress malware infections, SQL injections, Backdoor installations, Drive-by downloads, and Malicious redirections to external sites.
But remember, your website security doesn't end in your application security layer, there are other ways that malicious attackers will find to break into your website and servers.
Start using SecurityTrails to analyze all the data at DNS zone level, domain names, IP address, as well as the public information you share over your WHOIS records: this will prevent intel reconnaissance and avoid future attacks against your network.
And if you have your own app, you can integrate our Security toolkit. Start by opening an API account today!
Stay tuned for more Wordpress security tips and tricks.