Hackers love to scan WordPress. With millions of outdated installations, picking on WordPress is like bullying the little guy at school. It’s easy and for some – fun to do.
Even if you keep your site updated, you may be surprised about how much information you can extract from a WordPress site.
Gathering information is a key step in any sophisticated attack. Earlier this year, the person that hacked a major security contractor for government’s published a DYI guide to hacking. Many of the steps describe using various tools to gain information about the target.
Sun Tzu says “know thy enemy.”
Gathering information is a key step in any advanced WordPress security attack. Earlier this year, the person that hacked a major security contractor published how they did it. Surprisingly, the attack was not too complex. They used good skills and freely available tools to scan their target. As we have seen with our Managed WordPress Hosting service, attackers are always trying new ways to break into your site.
These tools included simple, freely available scanning tools, Google searches and just looking at the page’s HTML code.
After reading this hacking how-to, I wondered.
What if I turn these tools on a simple WordPress blog?
You may be surprised what your site reveals.
Here’s the results of a simple scan of a WordPress site.
WPScan is a WordPress specific security scanner. The scanner can
- Identify Plugins Installed
- Identify Themes Installed
- Enumerate User IDS
- Brute Force Passwords
So what happens if you turn this tool on your typical small business web site.
__ _______ _____ / / __ / ____| / / /| |__) | (___ ___ __ _ _ __ / / / | ___/ ___ / __|/ _` | '_ / / | | ____) | (__| (_| | | | | / / |_| |_____/ ___|__,_|_| |_| &nbsp; WordPress Security Scanner by the WPScan Team Version v2.4.1 Sponsored by the RandomStorm Open Source Initiative @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ _______________________________________________________________ &nbsp; [+] URL: http://www.domain.com/ [+] Started: Tue Sep 16 13:40:36 2014 &nbsp; [+] robots.txt available under: 'http://www.domain.com/robots.txt' [+] Interesting entry from robots.txt: /wp-admin/ [+] Interesting entry from robots.txt: /wp-includes/ [!] The WordPress 'http://www.domain.com/readme.html' file exists [+] Interesting header: LINK: <http://www.domain.com/>; rel=shortlink [+] Interesting header: SERVER: Apache [+] Interesting header: X-POWERED-BY: PleskLin [+] XML-RPC Interface available under: http://www.domain.com/xmlrpc.php &nbsp; [+] WordPress version 4.0 identified from meta generator &nbsp; [+] Enumerating installed plugins (only vulnerable ones) ... &nbsp; Time: 00:00:51 <======================================================================================> (824 / 824) 100.00% Time: 00:00:51 &nbsp; [+] We found 4 plugins: &nbsp; [+] Name: contact-form-7 - v3.9.3 | Location: http://www.domain.com/wp-content/plugins/contact-form-7/ | Readme: http://www.domain.com/wp-content/plugins/contact-form-7/readme.txt &nbsp; [!] Title: Contact Form 7 & Old WP Versions - Crafted File Extension Upload Remote Code Execution Reference: http://packetstormsecurity.com/files/125018/ Reference: http://seclists.org/fulldisclosure/2014/Feb/0 Reference: http://osvdb.org/102776 &nbsp; [+] Name: feed | Location: http://www.domain.com/wp-content/plugins/feed/ &nbsp; [!] Title: Feed - news_dt.php nid Parameter SQL Injection Reference: http://packetstormsecurity.com/files/122260/ Reference: http://osvdb.org/94804 &nbsp; [+] Name: wordpress-seo - v1.6 | Location: http://www.domain.com/wp-content/plugins/wordpress-seo/ | Readme: http://www.domain.com/wp-content/plugins/wordpress-seo/readme.txt | Changelog: http://www.domain.com/wp-content/plugins/wordpress-seo/changelog.txt &nbsp; [!] Title: WordPress SEO 1.14.15 - index.php s Parameter Reflected XSS Reference: http://packetstormsecurity.com/files/123028/ Reference: http://osvdb.org/97885 &nbsp; [!] Title: WordPress SEO 1.4.6 - Reset Settings Feature Access Restriction Bypass Reference: http://secunia.com/advisories/52949 Reference: http://osvdb.org/92147 &nbsp; [+] Name: wptouch - v3.3.4 | Location: http://www.domain.com/wp-content/plugins/wptouch/ | Readme: http://www.domain.com/wp-content/plugins/wptouch/readme.txt &nbsp; [!] Title: WPtouch 3.x - Insecure Nonce Generation Reference: http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html Reference: http://www.rapid7.com/db/modules/exploit/unix/webapp/wp_wptouch_file_upload [i] Fixed in: 3.4.3 &nbsp; [+] Enumerating installed themes (only vulnerable ones) ... &nbsp; Time: 00:00:18 <======================================================================================> (295 / 295) 100.00% Time: 00:00:18 &nbsp; [+] No themes found &nbsp; [+] Enumerating timthumb files ... &nbsp; Time: 00:02:32 <====================================================================================> (2532 / 2532) 100.00% Time: 00:02:32 &nbsp; [+] No timthumb files found &nbsp; [+] Enumerating usernames ... [+] Identified the following 5 user/s: +----+----------+------------------+ | Id | Login | Name | +----+----------+------------------+ | 1 | admin | admin | | 2 | user1 | user1| +----+----------+------------------+ &nbsp; [+] Finished: Tue Sep 16 13:44:43 2014 [+] Memory used: 12 MB [+] Elapsed time: 00:04:06
For this site, WPScan found four plugins. Also listed is the current version and past exploit information about the plugin.
Why would you care about past exploit?
WPScan also reveals user names. These can be used to start a brute force attack to try to gain direct access to the WP admin area.
Recently, attackers have been using XML-RPC based brute force attacks. These attacks are not blocked by many brute force plugins and require fewer resources than the traditional wp-login.php attacks.
The scan took just four minutes. With a botnet, I could scan 100’s of sites in a few hours. With results in hand, I could either find or write a tool to quickly exploit plugins or brute force the most valuable targets.
[ois skin=”Wordpress Optimization”]
While attackers often use command line tools to protect their privacy, Builtwith.com is a great information gathering tool.
A key step in any attack is to map out your target. Common questions may include:
- What CMS?
- What OS?
- What web server software?
- What third party tools?
Builtwith.com and other tools make this easy.
Just punch in any web site address and you can find out the web server, hosting provider, CMS and more. By using DNS records, third party email services can be found.
Sometimes advanced attacks on web sites may start or end elsewhere.
What if an attacker compromises your WordPress blog via a plugin, but through a tool such at Builtwith they know you use Google Apps for email.
They can then start targeting your Google App accounts with data obtained from compromising your blog.
By mapping out the target, attackers can use data from a breach in one service to access another. This is why you should use unique passwords for every site or service you use.
Like WPScan, Nikto can find interesting and potentially exploitable items.
- Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 188.8.131.52 + Target Hostname: www.domain.com + Target Port: 80 + Start Time: 2014-09-16 13:59:17 (GMT0) --------------------------------------------------------------------------- + Server: Apache + Retrieved x-powered-by header: PleskLin + IP address found in the 'x-mod-pagespeed' header. The IP is "184.108.40.206". + The anti-clickjacking X-Frame-Options header is not present. + Uncommon header 'link' found, with contents: <http://www.domain.com/>; rel=shortlink + Uncommon header 'x-mod-pagespeed' found, with contents: 220.127.116.11-4056 + Server leaks inodes via ETags, header found with file /robots.txt, inode: 1933349, size: 62, mtime: Wed Jun 11 12:45:15 2014 + File/dir '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302) + "robots.txt" contains 2 entries which should be manually viewed. + Web Server returns a valid response with junk HTTP methods, this may cause false positives. + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details. + Uncommon header 'x-robots-tag' found, with contents: noindex + OSVDB-3092: /updates/: This might be interesting... + OSVDB-3268: /icons/: Directory indexing found. + OSVDB-3092: /xmlrpc.php: xmlrpc.php was found. + OSVDB-3233: /icons/README: Apache default file found. + /readme.html: This WordPress file reveals the installed version. + OSVDB-3092: /license.txt: License file found may identify site software. + /wordpress/: A WordPress installation was found. + Cookie wordpress_test_cookie created without the httponly flag + /wp-login.php: WordPress login found + 7576 requests: 1 error(s) and 20 item(s) reported on remote host + End Time: 2014-09-16 14:09:11 (GMT0) (594 seconds)
In this report, we find that the server has the WP readme.html file still installed. This quickly tells you what version of WP is in use. Using this data, you could then check to see if there are any known exploits in that version.
This also reveals information about various HTTP headers. For example, mod_pagespeed is active. Does it have any exploits?
By scanning WordPress, attackers can easily learn a lot about how your site is built, the hosting environment and third-party services. Armed with this information, they can begin looking for known exploits.
Secunia and similar databases keep track of the various WP security exploits. While you can use them to check the security history of a plugin or find current exploits, attackers can access this information as well.
In some cases, CVE records will reference proof-of-concept exploits. Attackers can use this information to attempt to exploit your WordPress site. With WPScan, it automatically attempts to identify the latest CVE information for any given plugin or theme — providing handy access to this information.
When an attacker finds an exploit in WordPress, one of their first goals is to escalate their access.
Recently, the popular WP Touch plugin was discovered to have an arbitrary file upload vulnerability. This exploit allows an attacker to upload a file of their choice.
In absence of other security tools, such as Sucuri’s web application firewall, an attacker could upload a PHP Shell Script. Functionally, these PHP shells are nearly the same as an SSH shell. You can change permissions, read files, upload files and more. The tools are very robust.
Another important point about escalated access:
Local exploits become remote exploits when your WordPress site is insecure.
This is why you need to keep any control panels and your OS updated. With a PHP shell kit, an attacker could upload a local OS exploit and execute it. Depending on the type of exploit, they could gain even gain root access.
WP User Security
Your WordPress user’s email and passwords.
Attackers can simply export your user’s email and passwords directly from the database. While the passwords are encrypted, simple ones can easily be cracked with password guessing tools.
Many users don’t use unique passwords for different sites. As a result, the attacker has your email address and password. They can then use this information to try to gain access to your email, social media accounts or other popular sites.
As they expand their access, you can become a victim of identify theft, they can use your accounts to spam, host illegal files or more.
Failing to use security in-depth is how a simple WordPress plugin security issue can become a cyber security nightmare.
Advanced Persistent Threats
In the cyber security world, experts like to distinguish between automated attacks and advanced persistent threats (APT). APT are very hard to defend against. With APT, there’s a person at the other end actively trying to find ways into your site or server. Even the smallest clue from their mapping efforts may lead them to a security hole.
Fortunately, for WP users, most people do not face such advanced threats. In fact, in nearly every WP hacking incident we investigate, the attack is done by automated bots that constantly probe for specific exploits.
Blocking these attacks is as simple as keeping your software updated and using good WP security practices.
Keep your WP install and all plugins, themes and add-ons updated at all times. Tools like ManageWP can help with this if you have multiple WP sites.
If you want to be proactive, you can scan your own websites for issues.
The tools we use run on Linux but there are other security scanners available. If you want to start testing your own sites, consider using Kali Linux. Kali is a Linux distribution that you can boot from a USB stick or CD. Nikto, WPScan and many other cyber security tools are built into an easy to use GUI.
If you are a WP security expert or have questions about WP security, let us know. We are always looking for tips and tricks to help improve WP security.