WordPress powers a large share of the websites on the Internet, so it is no surprise that seasoned attackers and script-kiddies alike target WordPress sites. Whether you are a webmaster or a security professional tasked with assessing the security posture of a WordPress website, it helps to know the common pitfalls attackers take advantage of, and to use the right penetration testing tools.
In this article I cover a number of common security holes, malpractices and pieces of useful information an attacker may be able to abuse in many WordPress installations. I also highlight a number of tools you should use to automate parts of a WordPress penetration test.
Heads up — Only perform security penetration testing on systems that belong to you, or you have been granted permission to. Understand the limits of the access you have been granted and stay within those limits.
Common WordPress security issues & malpractices
Outdated versions of WordPress code
Running old versions of WordPress core containing security vulnerabilities is arguably one of the most common security holes relating to WordPress. While newer versions of WordPress make it easy to upgrade to the latest version, it’s not uncommon for older WordPress sites to be lagging behind.
Running an old version of WordPress on the Internet is a ticking time bomb. Many old versions of WordPress contain security vulnerabilities. Many of these security issues are commonly exploited en-masse by attackers.
When auditing a WordPress website for security vulnerabilities, this is typically one of the very first things you’d want to check. Fortunately for attackers, by default, WordPress adds an HTML meta tag containing the version of WordPress being used.
<meta name="generator" content="WordPress 4.8.11" />
Knowing that an installation runs an old version gives an attacker the opportunity to use a known vulnerability against it; search the CVE security vulnerability database for known security issues in WordPress core. Two caveats for the tester: the generator tag is easily removed (many hardening guides and plugins do so), so its absence proves nothing, and the same version also leaks through the readme.html file in the web root and the ?ver= query string WordPress appends to the core scripts and stylesheets it loads.
Outdated versions of WordPress themes and plugins
WordPress core is well tested: millions of users, security researchers and malicious hackers alike review the code, so most security issues are spotted and fixed before they are abused by attackers. It is not immune to vulnerabilities, but the same level of scrutiny does not apply to the thousands of WordPress plugins and themes.
Anyone can submit a theme or plugin and make it available for any WordPress administrator to download and use. That does not mean every plugin is poorly coded and full of vulnerabilities, far from it. However, vulnerable plugins and themes are a massive attack surface, and one you should cover when conducting a WordPress penetration test.
The quickest, and arguably most comprehensive, way to fingerprint vulnerable WordPress plugins and themes is WPScan. WPScan is an open source black-box WordPress security scanner, frequently used to scan WordPress websites for known vulnerabilities in the core, plugins and themes.
When using WPScan during a pentest, sign up for a WPScan Vulnerability Database API token and pass it with the --api-token option. The WPScan Vulnerability Database is maintained by the authors of WPScan and holds the latest known vulnerabilities together with the affected versions; without a token WPScan still fingerprints installed versions but prints no vulnerability data for them.
For more about WPScan and how to run different kinds of scans, refer to getting started with WPScan.
Old versions of PHP and web servers
WordPress is a PHP web application, so all PHP security best practices apply to it too. During a WordPress penetration test this is one of the first things to look for: installations running old versions of PHP or of the web server software (e.g. Nginx, Apache HTTP Server, IIS) may be exposed to all sorts of attacks.
It is very easy to figure out what web server and PHP version a WordPress website is using. In many cases all an attacker needs to do is pay close attention to the HTTP response headers returned by the website. You can send a request yourself with curl (-D - prints the response headers to stdout, -o /dev/null discards the body):
$ curl -s -D - http://188.8.131.52/ -o /dev/null | grep -i "Server\|X-Powered-By"
Look for the Server and X-Powered-By HTTP headers in the response:
Server: Apache/2.4.29 (Ubuntu)
Depending on the version and configuration, an attacker may be able to use known vulnerabilities (e.g. https://www.cvedetails.com/vendor/74/PHP.html) to gain additional information about a target, escalate an attack, or even execute commands directly on the web server. Note that a well-configured server suppresses both headers (ServerTokens Prod in Apache, expose_php = Off in php.ini), so a missing or generic header is not evidence that the software is current.
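The version checks above (generator meta tag, ?ver= asset query strings, Server and X-Powered-By headers) can be scripted against a saved copy of the front page and the header block curl prints. The following is an added example, not code from the original article or from WPScan; the HTML and header samples are constructed here, and the version strings in them (4.8.11, Apache 2.4.29, PHP 7.2.24) are illustrative values, not the fingerprint of any real host.

```python
"""Passive WordPress fingerprinting from a saved front page and its response
headers: generator meta tag, ?ver= asset query strings, Server/X-Powered-By."""
import re
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple


class _VersionHintParser(HTMLParser):
    """Collect <meta name="generator"> and ?ver= values from script/link tags."""

    def __init__(self) -> None:
        super().__init__()
        self.generator: Optional[str] = None
        self.asset_versions: Dict[str, str] = {}  # asset URL (without query) -> ?ver=

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        url = None
        if tag == "script":
            url = a.get("src")
        elif tag == "link":
            url = a.get("href")
        if url:
            m = re.match(r"([^?#]+)\?(?:[^#]*&)?ver=([0-9][0-9.]*)", url)
            if m:
                self.asset_versions[m.group(1)] = m.group(2)


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.8.11' -> (4, 8, 11), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def wp_version_hints(html: str) -> dict:
    """Return the generator version (if any) and every ?ver= asset version found."""
    p = _VersionHintParser()
    p.feed(html)
    generator = None
    if p.generator:
        m = re.match(r"WordPress\s+([0-9][0-9.]*)", p.generator)
        generator = m.group(1) if m else None
    return {"generator": generator, "asset_versions": p.asset_versions}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block printed by `curl -s -D -` (status line first)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def software_from_headers(headers: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """(product, version) from Server and X-Powered-By, e.g. ('Apache', '2.4.29').
    A missing header proves nothing: ServerTokens Prod / expose_php=Off hide them."""
    found: Dict[str, Tuple[str, Optional[str]]] = {}
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value:
            m = re.match(r"([A-Za-z-]+)/([0-9][0-9.]*)", value)
            found[name] = (m.group(1), m.group(2)) if m else (value, None)
    return found


def is_older_than(version: str, minimum: str) -> bool:
    return parse_version(version) < parse_version(minimum)


# Constructed sample input (not captured from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.8.11" />
<link rel="stylesheet" href="https://example.com/wp-content/plugins/some-plugin/style.css?ver=1.2.3" />
<script src="https://example.com/wp-includes/js/wp-embed.min.js?ver=4.8.11"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nX-Powered-By: PHP/7.2.24\r\n\r\n"

if __name__ == "__main__":
    print(wp_version_hints(SAMPLE_HTML))
    print(software_from_headers(parse_headers(SAMPLE_HEADERS)))
```

Core assets carry the WordPress version in ?ver=, while plugin and theme assets usually carry their own version, so the asset_versions map doubles as a first pass at plugin fingerprinting. Compare with parse_version rather than string comparison: "4.10" sorts before "4.8" as text.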
WordPress username enumeration
Unless a system administrator has taken steps to prevent it, a default WordPress installation is vulnerable to user enumeration. User enumeration attacks look for subtle differences in how WordPress responds to particular requests and use them to determine whether a user exists, information an attacker can then use as part of a larger attack such as password guessing. The usual sources are the author archive, where a request for /?author=1 is redirected to /author/<username>/; the REST API endpoint /wp-json/wp/v2/users, which lists users who have published posts; and the wp-login.php error messages, which differ depending on whether the username exists.
The screenshot below shows WPScan performing a username enumeration attack (wpscan --url <target> --enumerate u).
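The three enumeration sources described above, written out as checks. This is an added example and not WPScan's code; the HTTP client is injected as a fetch() callable so the logic runs offline, and fake_site is a constructed stand-in for a target with two users (https://example.com is a placeholder, not a real site). The author-archive redirect assumes pretty permalinks are enabled; with default permalinks the username appears in the archive page body instead of a Location header.

```python
"""Username enumeration checks a stock WordPress install answers to, driven
through an injected fetch() so the logic runs offline against constructed data."""
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]      # (status, headers, body)
Fetch = Callable[[str], Response]               # hypothetical HTTP client, injected

AUTHOR_ARCHIVE = re.compile(r"/author/([^/?#]+)/?")


def username_from_author_redirect(status: int, location: Optional[str]) -> Optional[str]:
    """/?author=N is 301-redirected to /author/<user_nicename>/ when user N exists."""
    if status not in (301, 302) or not location:
        return None
    m = AUTHOR_ARCHIVE.search(location)
    return m.group(1) if m else None


def usernames_from_rest(body: str) -> List[str]:
    """/wp-json/wp/v2/users lists users with published posts; 'slug' is the nicename."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def login_error_reveals_user(body: str) -> Optional[bool]:
    """Classify a wp-login.php error page. The exact strings vary between WordPress
    versions; these are the two families seen in 4.x/5.x installs. None = unknown."""
    if "password you entered for the username" in body:
        return True           # user exists, password wrong
    if "Invalid username" in body or "Unknown username" in body:
        return False          # user does not exist
    return None


def enumerate_via_author_ids(fetch: Fetch, base: str, max_id: int = 10) -> Dict[int, str]:
    """Walk ?author=1..max_id and collect the usernames the redirects disclose."""
    found: Dict[int, str] = {}
    for author_id in range(1, max_id + 1):
        status, headers, _ = fetch(f"{base}/?author={author_id}")
        name = username_from_author_redirect(status, headers.get("location"))
        if name:
            found[author_id] = name
    return found


def fake_site(path: str) -> Response:
    """Constructed stand-in for a WordPress site with two users (not a real target)."""
    base = "https://example.com"
    table = {
        f"{base}/?author=1": (301, {"location": f"{base}/author/admin/"}, ""),
        f"{base}/?author=2": (301, {"location": f"{base}/author/jsmith/"}, ""),
        f"{base}/wp-json/wp/v2/users": (200, {"content-type": "application/json"},
            json.dumps([{"id": 1, "name": "Site Admin", "slug": "admin"},
                        {"id": 2, "name": "J. Smith", "slug": "jsmith"}])),
    }
    return table.get(path, (404, {}, "Not Found"))


if __name__ == "__main__":
    print(enumerate_via_author_ids(fake_site, "https://example.com"))
    print(usernames_from_rest(fake_site("https://example.com/wp-json/wp/v2/users")[2]))
```

The slug is the user_nicename, which WordPress derives from the login name at account creation, so for most sites it is the login itself. Run against a real target only with permission, and keep max_id small: every probe is a logged request.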
Web server misconfigurations
Directory listing and other web server misconfigurations
Aside from outdated software, one must always assess any potential web server misconfigurations. A misconfigured web server might leave the WordPress website vulnerable to exploitation. This can happen even if the web server is running the latest software. Here are some typical web server misconfigurations:
Enabled directory listing
Directory listing is a very common misconfiguration, and the stock Apache configuration on many distributions enables it for the document root (Options Indexes), which does not help. When a directory contains no index file, the web server lists its files and subdirectories as an HTML page instead.
While this is not harmful in itself, it lets an attacker browse the contents of your web server directories and see files that should not be publicly accessible but are, such as backups, password files and configuration files.
Backup files are another all too common web server misconfiguration. Typically these occur when system administrators manually edit files on production systems.
A common example of backup files exposing potentially sensitive information could be backup copies of PHP files. Sometimes PHP files contain important configuration data — such as the WordPress’ wp-config.php file.
Take the following scenario: a WordPress administrator needs to make changes to wp-config.php. Instead of following best practice and keeping a copy somewhere other than the web server, they copy the live wp-config.php to wp-config.php.bak and then forget to remove it, which happens more often than you would think.
An attacker can now read the file simply by requesting http://www.example.com/wp-config.php.bak. Because the extension is no longer .php, the PHP engine is not invoked and the web server serves the file as plain text. The attacker now has the database credentials, the authentication keys and salts, and any other sensitive configuration saved in that file. The same applies to wp-config.php.old, wp-config.php.save, wp-config.txt and any other copy whose name the web server does not map to PHP.
Similar to backup files, temporary files in the wrong location may expose sensitive data. Take wp-config.php again: if an administrator edits it with a text editor and the program does not exit cleanly, there is a good chance the editor leaves temporary files behind. Vim, for example, keeps a swap file named .wp-config.php.swp next to the file being edited (note the leading dot) and, when backups are enabled, a backup copy named wp-config.php~. The swap file doubles as a lock and holds the buffer contents, the undo history and other internal state Vim needs to recover the edit.
After a crash, wp-config.php~ and .wp-config.php.swp stay behind, and because neither name ends in .php the web server serves them as plain files; the swap file is binary, but the file's text is inside it. Temporary files of this sort are not exclusive to Vim: Emacs leaves wp-config.php~ backups and #wp-config.php# auto-save files, and countless other tools do the same.
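A scripted pass over the two misconfigurations just described, directory listings and editor or admin artifacts left next to wp-config.php, as an added example that is not part of the original article or any tool it mentions. fetch() is injected so the code runs offline, and fake_site is a constructed site with one forgotten .bak file and one listable uploads directory. The deny expression is written against the basename, the same way an Apache <FilesMatch> directive matches, so it can be lifted into one; the candidate list is this example's own and not exhaustive.

```python
"""Checks for two web server misconfigurations: directory listings, and backup or
temporary artifacts left next to a sensitive file such as wp-config.php."""
import posixpath
import re
from typing import Callable, Iterable, List, Tuple

Response = Tuple[int, str]          # (status, body)
Fetch = Callable[[str], Response]   # hypothetical HTTP client, injected

LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),          # Apache mod_autoindex, nginx autoindex
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"<title>[^<]*Directory Listing", re.I),  # IIS directory browsing
)


def looks_like_directory_listing(body: str) -> bool:
    return any(p.search(body) for p in LISTING_MARKERS)


def artifact_candidates(path: str) -> List[str]:
    """Names editors and admins leave next to a file, e.g. /wp-config.php."""
    directory, name = posixpath.split(path)
    stem = name.rsplit(".", 1)[0]
    names = [
        name + "~",              # Vim/Emacs backup copy
        "." + name + ".swp",     # Vim swap file (.wp-config.php.swp)
        "." + name + ".swo",     # second Vim swap file for the same buffer
        "#" + name + "#",        # Emacs auto-save
        ".#" + name,             # Emacs lock file
    ]
    names += [name + ext for ext in (".bak", ".old", ".orig", ".save", ".txt")]
    names += [stem + ext for ext in (".bak", ".old", ".txt")]   # wp-config.bak, wp-config.txt
    return [posixpath.join(directory, n) for n in names]


# Basename pattern for a deny rule: backup/swap/auto-save names, plus anything
# starting with "wp-config." (the live file is included on disk by PHP, never
# legitimately requested over HTTP). Plain .txt is only denied under that prefix.
ARTIFACT_DENY = re.compile(r"^(wp-config\..*|#.*#|\.#.*|.*\.sw[op]|.*~|.*\.(bak|old|orig|save|sql))$")


def is_denied(path: str) -> bool:
    return bool(ARTIFACT_DENY.match(posixpath.basename(path)))


def find_exposed_artifacts(fetch: Fetch, path: str,
                           markers: Iterable[str] = ("DB_PASSWORD", "AUTH_KEY")) -> List[str]:
    """Candidates served as plain text. A 200 alone is not enough: the live
    wp-config.php also answers 200 (PHP runs it and prints nothing), so require a
    secret marker in the body."""
    exposed = []
    for cand in artifact_candidates(path):
        status, body = fetch(cand)
        if status == 200 and any(m in body for m in markers):
            exposed.append(cand)
    return exposed


def find_directory_listings(fetch: Fetch, dirs: Iterable[str]) -> List[str]:
    listable = []
    for d in dirs:
        status, body = fetch(d)
        if status == 200 and looks_like_directory_listing(body):
            listable.append(d)
    return listable


def fake_site(path: str) -> Response:
    """Constructed stand-in (not a real site): a forgotten .bak and a listable uploads dir."""
    table = {
        "/wp-config.php": (200, ""),   # PHP executed, nothing printed
        "/wp-config.php.bak": (200, "<?php\ndefine('DB_PASSWORD', 'hunter2');\n"),
        "/wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads</title></head></html>"),
        "/wp-content/plugins/": (403, "Forbidden"),
    }
    return table.get(path, (404, "Not Found"))


if __name__ == "__main__":
    print(find_exposed_artifacts(fake_site, "/wp-config.php"))
    print(find_directory_listings(fake_site, ["/wp-content/uploads/", "/wp-content/plugins/"]))
```

The marker check matters in practice: many hosts answer 200 with a generic page for any path, and the live wp-config.php returns an empty 200, so status codes alone produce false positives in both directions.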
Heads up — use a file integrity monitoring plugin for your website to get alerted of all file changes, including temporary and backup files. If you are not familiar with this technology, read our introduction to file integrity monitoring for WordPress.
By far one of the most grievous misconfigurations a system administrator can make is to leave the WordPress MySQL database server open to the Internet. While this may sound crazy, it probably happens more often than you think; below is a screenshot from Shodan, a search engine for Internet-connected devices. A quick check from outside is a port scan of the database host for 3306/tcp (nmap -p 3306 <host>); unless there is a real need otherwise, bind-address in the MySQL configuration should restrict it to localhost or an internal interface.
Of course, just because MySQL is exposed over the Internet does not mean that someone can connect to it and access the WordPress database. However, especially if used in combination with other attacks, such as a leaked password via a backup of wp-config.php, or guessing a weak password, it could lead to a disaster scenario.
Once in control of the WordPress database it is game over for the installation. All an attacker needs to do is reset an administrator password, for example by writing a new hash into wp_users.user_pass (WordPress still accepts a plain MD5 hash there and re-hashes it on the next login). From there they have full control of the website, and potentially of the server it runs on, by installing a malicious plugin.
Running unnecessary services
Another common web server misconfiguration is simply the default configuration. Many administrators run the default config and do not disable the services they do not need. Most default installations have a lot of unnecessary services running, and each one that is not secured exposes the server to attack. A service scan of the host (nmap -sV) shows what is actually listening.
Pentesting tools for WordPress penetration testers & security professionals
Penetration testers use a variety of tools to automate their work and techniques. Automation helps to reduce the time it takes to perform a security assessment / penetration test.
The tools one uses vary greatly, depending on personal preference and the problem at hand. However, a good place to start is a variety of tools at your disposal, pre-installed.
Kali Linux, the successor to BackTrack, is the go-to open source penetration testing Linux distribution. Kali Linux comes bundled with a whole host of pre-installed and pre-configured tools. It is useful both to novice users looking to get started quickly and to experienced penetration testers. Kali Linux is available for free and can run in a virtual machine.
Nmap, a free scanner, is one of the most foundational and versatile tools in any pentester's arsenal. Nmap is primarily a port scanner, but it can be extended to many other kinds of scanning via the Nmap Scripting Engine (NSE); for WordPress there are ready-made scripts such as http-wordpress-enum (plugins and themes) and http-wordpress-users (usernames), selected with --script.
WPScan (covered earlier in this article) is an open source WordPress security scanner. It scans for known WordPress vulnerabilities — both within the WordPress core, as well as within WordPress plugins and themes.
WPScan can perform a series of black box tests. That is, without access to the source code. As a result, WPScan is great for finding low-hanging WordPress vulnerabilities quickly and accurately.
OWASP Zed Attack Proxy (ZAP) is a free, open-source web application penetration testing tool maintained by the Open Web Application Security Project (OWASP). OWASP ZAP is designed specifically for testing web applications for a wide variety of vulnerabilities such as Cross-site Scripting (XSS) and SQL Injection (SQLi). ZAP, at its core, is a proxy: it sits between the pentester's browser and the website to intercept and inspect the requests sent between the two.
In addition to acting as a proxy, ZAP can also automatically test for a variety of vulnerabilities, and it can also fuzz a variety of inputs. Fuzzing is a security testing technique in which invalid or unexpected input is supplied to an application with the intention of uncovering security vulnerabilities.
Penetration testing for WordPress – assessing the security posture of your website
WordPress security is not a one-time fix. It is a continuous process based on four principles: Harden > Monitor > Test > Improve. Penetration testing addresses the Test principle, that is, checking the security posture of your website, after which you take the necessary measures to improve the setup based on your findings.
Therefore frequent WordPress website penetration testing should be part of your security program. How frequently is up to you: if you make frequent changes to your website, test frequently; if your website rarely gets an update, a quarterly penetration test does the trick.