How to get started with WordPress security?
Everyone loves security testing, but many find it hard to start and keep asking “Where should I start?”. Many experts may portray it as very difficult even to begin practising, but I come with good news: here I describe security tests you can start doing right away (after you finish reading this). Be informed that this post is specific to WordPress security testing, but anyone with a security researcher or ethical hacker mindset can apply the techniques to other web platforms with little or no modification.
What is WordPress (if you did not know)? In simple words, WordPress is a content management system used by 74,652,825 people around the globe (source: statistics from the year 2014), and the number has grown even further with its popularity. Companies and individuals use WordPress to build websites for travel, hotels, company sites, bug management systems and what not. You can compare it with Drupal, Joomla or TYPO3 CMS.
Well, you have got the hang of WordPress now. Let's get to the creamy layer: WordPress security.
Up-to-date WordPress means (possibly) better security: WordPress being open-source is awesome. Along with that awesomeness and popularity come many black-hat hackers who try their hacking skills on WordPress platforms for various reasons. If you wondered what kinds of vulnerabilities the various WordPress versions have, search the exploit database with the keyword “Wordpress”. Hoping that you looked into the exploit database, you now know the scary side of it.
However, by keeping the WordPress platform up to date with new versions, you improve its security, as the WordPress team continually works on strengthening some aspect of WordPress security.
In short, make sure you are using the latest WordPress version at all times.
Now, as a security tester, you can find a bug by identifying the WordPress version used by a company website or blog in the following ways.
Consider that http://example.com/ is running WordPress and a company website is built on top of it.
Tip 1: Try http://example.com/readme.html and also http://example.com/license.txt. If the files have not been deleted from the web server, you will surely find the file showing you the version. It looks as follows:
Once you find the version number, compare it with the current version released by WordPress. If it is lower than the current version, report it directly in the bug tracker. Voila!
Tip 2: Let's say readme.html and license.txt were removed by the developers (I like such developers) before publishing WordPress on their server. The other way to scout for the WordPress version is to look at the WordPress source code on the client side.
Right-click in your web browser and choose view-source. Search for: <meta name="generator"
A snapshot of the version number in view-source looks like this:
The fix: remove the meta generator tag from the page source, and also remove the readme.html and license.txt files from the web server.
Finding the usernames that exist on the WordPress platform. When a company creates a blog or website, they create various user accounts, which may include administrators, subscribers, authors, moderators, etc. One way to learn a username is to look at the blog post metadata or details, where the author name is revealed. The username is displayed as the author name unless “Display Name” is set to a nickname to be shown on the blog post, so that hackers do not learn the username (which could also have the administrator role).
That's one way to find it. Nevertheless, let's say we cannot get the real username because the developer fixed that by showing a nickname in the blog post details. That could be a disappointment, but hackers don't stop there. The next test is to find the usernames on the platform in the following way:
Try using /?author=1…N (where N can be any number, like 1, 100, 3, 4 or any sequential value). WordPress has a buggy way of revealing this data: you can call the “author” parameter with the IDs that are automatically associated with users in the database. So, let's say my blog is hosted on http://example.com/ and I want to know all the usernames that exist on the platform.
I will use http://example.com/?author=1, or else http://example.com/blog/?author=1 (if WordPress is installed not at the root but in /blog or some other directory you can identify by browsing).
Once you open the URL and press the “Enter” key, you will either see the username displayed in the URL (you are redirected to the username if there is an author with that specific ID, which could be 1, 2, 3 … N), or else you will see a 404 Not Found (which means there is no author associated with that ID in the database; but don't give up, automate the ID value and find the valid usernames. I personally use BurpSuite for this).
On a successful find, you will see the URL as follows (if the attack worked). (I typed tuppad.com/blog/?author=1 and found the username “admin”.)
Why is this a security bug? In the security world, we call this an “enumeration attack”. Once the hacker has found the username, they go to the wp-login.php or /wp-admin form, use the identified valid username, and try brute-forcing the password by guessing or by using automated tools or custom scripts.
Lock your directories and forbid access to malicious users
If you are a developer or tester who has looked into web server settings, you may have come across something called “Directory listing” or “Directory browsing” (naming conventions vary between the control panels you may be using).
In simple words, let me explain!
Let's say a hotel whose site is built with WordPress uploads all their invoices and important (confidential) documents using administrator privileges after logging into the WordPress admin panel. Whenever they upload, they assume they are not displaying the uploaded file link anywhere on the website, just storing it on their server. By default, all uploads done from the WordPress admin panel go into the /wp-content/uploads/ directory.
Now, the test you can perform is to try to access /wp-content/uploads/ and see whether the directory structure is shown, or whether you get a 404 (Not Found) or 403 (Forbidden). Personally, in my experience, I have come across more companies turning directory listing off on their web server.
Snapshot of what the directory listing vulnerability looks like:
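As an added example (not from the original post), here is a .htaccess for the WordPress root directory that closes the three leaks discussed so far: the version files, the ?author=N username enumeration, and directory listing of /wp-content/uploads/. It assumes Apache 2.4 with mod_rewrite loaded and AllowOverride permitting these directives; the meta generator tag is printed by PHP and still has to be removed in the theme or a plugin.

```apache
# Added example: place in the WordPress root (e.g. /var/www/html/.htaccess),
# outside the "# BEGIN WordPress" / "# END WordPress" block, which WordPress rewrites.
# Assumes Apache 2.4 (Require syntax) and AllowOverride FileInfo Options Limit AuthConfig.

# 1. Version disclosure: refuse to serve the files that print the WordPress version.
#    Deleting them is better, but this keeps them hidden if an update restores them.
<FilesMatch "^(readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# 2. Directory listing: never render an index of /wp-content/uploads/ or any other folder.
#    Requests for a directory without an index file now get 403 instead of a file list.
Options -Indexes

# 3. Username enumeration: a request carrying author=N (outside the admin area,
#    which uses that parameter legitimately) is redirected to the same path
#    with the query string dropped, so WordPress never resolves the ID to a name.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !/wp-admin/ [NC]
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ %{REQUEST_URI}? [L,R=301]
</IfModule>
```

After reloading Apache, /readme.html and /wp-content/uploads/ should answer 403 and /?author=1 should redirect to / without revealing a username; WordPress's own user list in /wp-admin/ keeps working because of the first RewriteCond.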
Change the default database table prefix to something else. As WordPress is open-source, everyone (including hackers) knows the default table structure.
Every table prefix in WordPress is wp_ by default, and this should be changed so that hackers don't compromise sensitive data using the number one OWASP Top 10 attack, SQL injection. Make the prefix a bit complex and non-guessable.
How to do it?
If you are installing a fresh copy, you have an option for this while installing it from your hosting provider's control panel. Let's say you forgot, or you only learned about this kind of attack now and want to change the table prefixes. Don't worry, there are two ways to do it. The first way is to log in to your SQL database and apply the changes there. The second way is the one I follow and recommend: install the “Wordfence” plug-in in the existing WordPress installation. The plug-in provides a way to simply replace wp_ with whatever prefix you intend to use. (It doesn't even take more than a minute to make this change.)
Ah, one more important thing. If you use the first way mentioned above, also check that your wp-config.php file has the prefix value updated. Otherwise, your WordPress blog or website may stop working, as it fails to make a database connection.
2-factor authentication and .htaccess can add more layers to your WordPress security
WordPress displays the login form when someone appends /wp-admin or /wp-login.php to the domain name in the URL. For example, http://example.com/wp-admin shows the admin login form. Now, hackers may try to plant an attack such as brute force (they may combine the brute-force attack with the username enumeration attack mentioned above in this post).
To stop this, developers can use a CAPTCHA (preferably Google's reCAPTCHA), Google Authenticator, or even .htaccess. Or you can combine reCAPTCHA with .htaccess for better security.
With .htaccess, one has to authenticate before the login form (that is, /wp-admin or /wp-login.php) is opened. If someone (possibly a black-hat hacker) enters incorrect credentials, the login form for the admin or any other user role will not be displayed. (Brute force can be applied at the .htaccess level as well, but this helps demotivate malicious users from proceeding to the login form, as it feels far more challenging than simply brute-forcing the login form and then BOOM.)
Also, a tip could be to have a whitelist of IP addresses or IP address ranges that can access the administrator login form. All other IP addresses that are not in the range or not an exact match will be forbidden from accessing the login form. Beautiful, isn't it?
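As an added example (not from the original post), here is the .htaccess layer described above: the login form is gated behind HTTP Basic authentication and an IP whitelist at the same time. It assumes Apache 2.4 with mod_auth_basic and mod_authz_core, a password file created outside the web root, and uses the documentation range 203.0.113.0/24 and host 198.51.100.7 as placeholders for your office or VPN addresses.

```apache
# Added example: place in the WordPress root .htaccess (outside the WordPress block).
# Create the credential file once, outside the web root, with bcrypt hashing:
#     htpasswd -B -c /etc/apache2/wp-login.htpasswd editor
# The HTTP Basic user/password is separate from the WordPress account, so a
# brute-force attempt now has to pass this gate before it even sees the form.

<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/wp-login.htpasswd
    # RequireAll: the request must come from a whitelisted address AND carry
    # valid Basic credentials. Everyone else gets 401/403 instead of the form.
    # Placeholder addresses: replace with your real office or VPN ranges.
    <RequireAll>
        Require ip 203.0.113.0/24 198.51.100.7
        Require valid-user
    </RequireAll>
</Files>

# Only wp-login.php is gated: /wp-admin/ sends unauthenticated visitors to
# wp-login.php anyway, while /wp-admin/admin-ajax.php is called by public pages,
# so wrapping the whole /wp-admin/ directory would break front-end features.
# Behind a reverse proxy or CDN, Require ip sees the proxy's address unless
# mod_remoteip is configured to trust the forwarded client address.
```

If editors have no fixed address, keep only Require valid-user; if you want the whitelist alone, keep only Require ip (and then no AuthType/AuthUserFile lines are needed).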
Wrapping it up
Now you know some ideas and techniques for testing WordPress security. This can be a start. You can apply other attacks, such as the OWASP Top 10, to WordPress as well as you continue your journey to become a security tester or ethical hacker.
Please comment with your feedback if you want more writings like this. Also, provide feedback that can help me and the others who read. And do not forget to share the love with the world by sharing this on social media.