Uncovering WordPress Vulnerabilities with Ease
By Charles Costa
As a developer or design professional, one of the biggest benefits of building your sites on WordPress is that in most cases you are building on a proven platform which has been hardened over time. Unfortunately, when it comes to security there is no such thing as a fully hack-proof system. Fortunately, when it comes to securing both your own and your clients' systems, there are a few WordPress vulnerability scanners which can help you spot problems before they get out of hand.
It is important to note that while this guide is primarily intended for WordPress.org users, the techniques can still be applied to WordPress.com sites. For those unfamiliar with the differences between the two offerings, SitePoint has a guide which clarifies them. WordPress.com users have less control over their sites, so there is less they can change in response to what the tools find, but the tools themselves will still work.
Although trusting generic online scanners is questionable at best, a newer breed of open source security tools lets developers and other tech-savvy professionals test their sites against known exploits with ease. While these tools have a bit of a learning curve, learning the basics of penetration testing tools can help keep you ahead of most digital threats. As with any penetration testing tool, only point them at systems you own or have explicit permission to test: the scans below are noisy and indistinguishable from a real attacker's reconnaissance.
WordPress Specific Tools
WP Scan is an open source tool for Linux and Mac OS X which is a Swiss Army knife for testing virtually any WordPress install. Key features include the ability to enumerate user names from the site's public responses (author archive pages, for example), to identify the plugins in use on a specified website, and to see which themes are installed on the server. WP Scan also integrates with a vulnerability database so that it can filter results to show only the components with known vulnerabilities.
Although WP Scan is a powerful tool, installation can be difficult if you don't already have Ruby installed on your system. This is especially true on CentOS, the default Linux distribution of many hosts, because the operating system does not ship all the required libraries. Using Ubuntu or Mac OS X greatly simplifies the process. If you are a complete Linux novice, WP Scan also comes pre-installed on several security-centric Linux distributions; a list can be found on the project website.
Plecost is an open source WordPress fingerprinting tool which identifies the plugins installed on a specified WordPress site and, where applicable, lists the Common Vulnerabilities and Exposures (CVE) identifiers associated with the versions it finds.
Although the tool is limited to showing vulnerabilities in installed plugins, the CVE integration makes Plecost notable because each identifier is an immediate pointer to the published details of the vulnerability affecting the outdated software on the server, which tells you what an attacker would look up next.
Since Plecost is a collection of Python scripts, installation is as simple as adding the files to your system and following the instructions on the project website, and it runs on Windows, Mac OS X and Linux/Unix systems as long as Python is installed and configured.
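The enumeration that WP Scan and Plecost automate (plugin and theme fingerprinting, version checks and user name discovery) is simple enough to walk through by hand, and doing so shows what the scanners actually look at. The following Python example is added here for illustration; it is not code from either project. It works on a constructed sample front page, a constructed readme.txt and a constructed redirect header, and its table of "first fixed" versions is a placeholder, not real advisory data. The plugin slugs, the versions and the example.com URLs are all assumed for the walkthrough.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample front page, standing in for an HTTP fetch of the target site.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.2.1" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentyfifteen/style.css?ver=4.2.1" />
<script src="https://example.com/wp-content/plugins/contact-widget/js/front.js?ver=1.4.2"></script>
<script src="https://example.com/wp-content/plugins/gallery-lite/assets/gallery.min.js?ver=3.0.0"></script>
<link rel="stylesheet" href="https://example.com/wp-content/plugins/contact-widget/css/style.css?ver=1.4.2" />
</head><body></body></html>"""

# Constructed readme.txt, the file WordPress.org plugins publish at
# /wp-content/plugins/<slug>/readme.txt; its "Stable tag" line is the usual version source.
SAMPLE_README = """=== Contact Widget ===
Contributors: someone
Stable tag: 1.4.2
Requires at least: 4.0
"""

# Constructed Location header from a request to /?author=1 on a site with pretty permalinks.
SAMPLE_AUTHOR_REDIRECT = "https://example.com/author/admin/"

# Hypothetical advisory table: slug -> first version that fixes a known issue.
# Placeholder entries for the walkthrough, not real advisories or CVE identifiers.
KNOWN_FIXED = {"contact-widget": "1.5.0", "gallery-lite": "2.9.0"}

ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^\s\"']*")
GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([0-9.]+)"')
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)", re.MULTILINE)
AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


def wordpress_version(html):
    """Core version leaked by the generator meta tag, or None if it is suppressed."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def fingerprint_assets(html):
    """Map (kind, slug) -> version hint taken from asset URLs; kind is 'plugins' or 'themes'."""
    found = {}
    for m in ASSET_RE.finditer(html):
        kind, slug, url = m.group(1), m.group(2), m.group(0)
        ver = parse_qs(urlparse(url).query).get("ver", [None])[0]
        if found.get((kind, slug)) is None:  # keep the first URL that carries a version
            found[(kind, slug)] = ver
    return found


def stable_tag(readme_text):
    """Version declared in a plugin readme.txt, more reliable than a ?ver= hint."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


def username_from_author_redirect(location_header):
    """User name revealed when /?author=N redirects to the pretty author archive URL."""
    m = AUTHOR_RE.search(location_header)
    return m.group(1) if m else None


def version_tuple(v):
    """Numeric tuple for comparison, so 1.10.0 sorts after 1.9.3."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def outdated_plugins(found, known_fixed):
    """Plugins whose observed version is below the first fixed version in the advisory table."""
    hits = []
    for (kind, slug), ver in found.items():
        if kind != "plugins" or ver is None or slug not in known_fixed:
            continue
        if version_tuple(ver) < version_tuple(known_fixed[slug]):
            hits.append((slug, ver, known_fixed[slug]))
    return sorted(hits)


if __name__ == "__main__":
    assets = fingerprint_assets(SAMPLE_HTML)
    print("WordPress core:", wordpress_version(SAMPLE_HTML))
    for (kind, slug), ver in sorted(assets.items()):
        print(f"{kind[:-1]:6} {slug:20} {ver or 'unknown'}")
    print("readme.txt says contact-widget is", stable_tag(SAMPLE_README))
    print("author archive reveals user:", username_from_author_redirect(SAMPLE_AUTHOR_REDIRECT))
    for slug, ver, fixed in outdated_plugins(assets, KNOWN_FIXED):
        print(f"OUTDATED {slug} {ver} (fixed in {fixed})")
```

One caveat the example makes visible: the ?ver= query string on enqueued assets is only a hint, because WordPress appends its own core version to any asset enqueued without an explicit version, which is why the theme stylesheet above shows 4.2.1. Cross-checking against the Stable tag in readme.txt, as stable_tag does, is the more reliable signal, and it is the reason scanners request that file directly.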
General Vulnerability Tools
While this guide is primarily focused on your WordPress installs, WordPress is only one component of your server, so knowing how to use general purpose penetration testing tools is also vital to protecting your system from attackers.
Nikto is a general purpose web server scanner which checks for outdated software, exposed configuration files, hidden directories and much more. Nikto is intended for testing your own servers: it runs rapidly and makes no attempt to hide, so it will likely trigger alerts from many intrusion detection systems. Nikto does ship with IDS evasion options for cases where that matters, but for basic tests of your own servers they are unnecessary.
Aside from gathering information, Nikto can also attempt to guess credentials, including common default combinations, against the authentication sections of the targeted website, letting you check that your users are following password best practices. Since the tool is written in Perl, it runs on virtually any Linux or Unix system and on Mac OS X. Nikto can also run on Windows, provided ActiveState Perl or Strawberry Perl is installed.
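The point about Nikto tripping intrusion detection cuts both ways: the same noisy behaviour is what you look for in your own logs to learn when someone is scanning you. The following Python example is added here to illustrate that detection logic; it is not part of the article or of any of the tools described. It runs over constructed Apache combined-format access log lines whose User-Agent strings imitate the self-identifying defaults WP Scan and Nikto send unless told otherwise, and it flags a client on three signals: a scanner User-Agent, WordPress enumeration requests (author ID probes and plugin readme.txt fetches), or a burst of requests in a short window that mostly return 404. The IP addresses, paths, timestamps and thresholds are all assumed for the walkthrough.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format access log lines (not a real capture). The
# User-Agent values imitate the defaults the scanners send when no custom UA is set.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.7 - - [10/Mar/2015:14:02:11 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
203.0.113.7 - - [10/Mar/2015:14:02:12 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
203.0.113.7 - - [10/Mar/2015:14:02:12 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
203.0.113.7 - - [10/Mar/2015:14:02:13 +0000] "GET /config.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"
203.0.113.7 - - [10/Mar/2015:14:02:13 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000006)"
198.51.100.4 - - [10/Mar/2015:14:02:40 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v2.8 (http://wpscan.org)"
198.51.100.4 - - [10/Mar/2015:14:02:41 +0000] "GET /wp-content/plugins/contact-widget/readme.txt HTTP/1.1" 200 1203 "-" "WPScan v2.8 (http://wpscan.org)"
198.51.100.4 - - [10/Mar/2015:14:02:41 +0000] "GET /wp-content/plugins/gallery-lite/readme.txt HTTP/1.1" 404 210 "-" "WPScan v2.8 (http://wpscan.org)"
192.0.2.9 - - [10/Mar/2015:14:03:00 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0"
192.0.2.9 - - [10/Mar/2015:14:03:04 +0000] "GET /wp-content/themes/twentyfifteen/style.css HTTP/1.1" 200 3300 "http://example.com/about/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA_RE = re.compile(r"nikto|wpscan|plecost", re.IGNORECASE)
# Author ID probes and direct plugin/theme readme.txt fetches are WordPress enumeration.
WP_ENUM_RE = re.compile(r"^/\?author=\d+|/wp-content/(plugins|themes)/[^/]+/readme\.txt$", re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "ua": m.group("ua"),
        })
    return events


def detect_scanners(events, window_seconds=60, min_requests=5, miss_ratio=0.5):
    """Return {ip: sorted list of reasons} for clients that look like vulnerability scanners."""
    reasons = defaultdict(set)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        if SCANNER_UA_RE.search(e["ua"]):
            reasons[e["ip"]].add("scanner user-agent")
        if WP_ENUM_RE.search(e["path"]):
            reasons[e["ip"]].add("wordpress enumeration")
    # Burst rule: at least min_requests inside one window, with most of them 404s.
    window = timedelta(seconds=window_seconds)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] < window]
            if len(in_window) < min_requests:
                continue
            misses = sum(1 for e in in_window if e["status"] == 404)
            if misses / len(in_window) >= miss_ratio:
                reasons[ip].add("404 burst")
                break
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} {', '.join(why)}")
```

A scanner run with a custom User-Agent or with its evasion options turned on defeats the first signal but not the other two, which is why the 404-burst rule does the real work. Tune the window and thresholds against your site's normal traffic before alerting on them, since a broken link on a popular page can also produce a run of 404s from a single client.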
Wikto is a tool for Windows environments which stands out from the rest of this list because of its ease of use. Despite the friendlier interface, it includes powerful features such as fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
The killer feature of this tool is its centralized Google hacking integration. While this is technically nothing more than using Google searches to uncover sensitive information that has already been indexed, Wikto simplifies the process by letting you import databases of known queries into the program. From there you can run the queries against your sites automatically and review the results with minimal effort on your end.
Staying On Top of Security Best Practices
Although security is a vast and complex field, you can close most of the holes these scanners look for by following the guidance published by the SANS Institute and the hardening advice in the WordPress Codex. Re-run the scanners after you add or update plugins and themes, since every new component is one more thing that can fall out of date.