These days, cyber attacks have become a regular phenomenon, featuring in the headlines almost every week. Sometimes it is a fan printing pages from exposed printers around the globe to drum up votes for his idol; other times it is a group of attackers targeting popular CMSes with malware. Even a script kiddie can exploit common vulnerabilities in your site, and the infrastructure behind it, using the many tools available online for free. Users of open source CMSes like WordPress are among the softest targets. With the rise in cyber attacks, a WordPress security audit has become more important than ever.
Lu Wei, former director of the Cyberspace Administration of China, said:
The Internet is a worldwide platform for sharing information. It is a community of common interests. No country is immune to such global challenges as cybercrime, hacking, and invasion of privacy.
WordPress Pentesting: Getting Ready
To start testing your WordPress site for vulnerabilities, you first need to set up a testing environment. For a WordPress security audit, or any other kind of pentest, Kali Linux is the standard choice: it ships a large collection of security tools, pre-installed and free.
So the first step is to install Kali Linux on a system from which to pentest the WordPress site. Kali can be installed in a VirtualBox VM, on a physical PC, or even on an Android phone; for this article we use VirtualBox. Note that in a real attack scenario a VM on NAT networking cannot receive a reverse shell unless the host forwards the listening port into the VM, so bridged networking is usually simpler when you need a callback.
Installing Kali Linux for WordPress Security Audit
- Step 1: Download and install the latest version of VirtualBox, or another hypervisor of your choice.
- Step 2: Download the latest Kali Linux installer image and install it in a VirtualBox VM for WordPress penetration testing.
- Step 3: After installation, don't forget to install the VirtualBox Guest Additions (shared clipboard, display resizing, shared folders); the VirtualBox documentation walks through it.
- Step 4: If you still have trouble installing Kali in a VM, import the pre-built Kali VirtualBox image instead.
Once Kali is installed, it is time to move on to WordPress penetration testing. Before conducting a security audit of a WordPress site, however, you must obtain permission from the site's owner.
Seeking Consent for WordPress Penetration Testing
Before actively attacking a target, obtain written permission and a signed contract from the owner of the WordPress site. Without it you may face legal complications, up to jail time depending on the country and the cyber laws that apply where the target is located. The tools shipped with Kali also carry a warning that they are to be run only with the target's approval or for educational purposes. Have a lawyer who knows cybersecurity law draft or review the agreement, and make sure it defines the scope (hosts, URLs, time window) and any testing that is off limits. Beyond that, a few proactive steps help avoid complications:
- Use virtual machines, or a staging copy of the site, wherever possible, so that testing cannot disrupt the production site.
- If the WordPress site is hosted on a third-party server, you may also need the hosting provider's consent before conducting a security audit, even of your own site; many providers' terms require it.
- Probing anything beyond the authorized scope may be a criminal offence. Take care not to accidentally test out-of-scope resources such as routers or shared hosts owned by a different company.
The Three Steps of WordPress Penetration Testing
WordPress Penetration Testing: Mapping
The first step of a black-box WordPress penetration test is gathering as much information about the target as possible. This is known as mapping or reconnaissance, and a variety of tools can help. Let us take a look at some of them.
Nmap, the ‘Network Mapper’, offers great flexibility when mapping a target for a WordPress security audit. Nmap can not only scan ports and fingerprint the services behind them, but also use timing and fragmentation options to scan more quietly past firewalls, run NSE scripts for automated vulnerability discovery, and much more.
To see the tool's usage summary, open a terminal on your Kali Linux and type ‘nmap’ with no arguments. Now let us look at a live target: scanme.nmap.org, a host that the Nmap project provides for testing the tool, scanned with ‘nmap -A -T4 scanme.nmap.org’.
The ‘-A’ option enables OS detection, version detection, default script scanning and traceroute. The ‘-T’ option selects a timing template; ‘-T4’ (‘aggressive’) speeds the scan up and is fine on reliable networks, at the cost of being noisier. Nmap reports the following:
- Open ports and the services running on them, e.g. port 80 is open, running Apache httpd 2.0.52.
- The operating system of the target machine, Linux 2.6.0-2.6.11, along with the server's uptime.
Nmap also scanned our internal machine named ‘d0ze’ with local IP 192.168.12.3. That scan revealed its open ports, services and OS as well, and also its MAC address, which Nmap can only read for hosts on the same local network segment. This is just the tip of the iceberg; Nmap can do far more. Apart from Nmap, some other popular tools for mapping a site for a WordPress security audit are:
- Zenmap, the official GUI front end for Nmap, which is easier for beginners and helps with saved scan profiles and automation.
- RECONDOG, available on GitHub, for black-box mapping. Its description calls it a ‘Reconnaissance Swiss Army Knife’; it mixes OSINT and active mapping for WordPress security audits.
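In practice the Nmap results feed the next phase: the HTTP services it finds become the URLs handed to WPScan, Nikto or Burp. Nmap writes machine-readable output with ‘-oX’, and the added example below (not code from the original article or from the Nmap project) parses that XML into a list of open services and derives the web base URLs from it. The XML is a constructed, abbreviated sample in Nmap's -oX layout; the host, ports and version strings are illustrative.

```python
"""Parse Nmap -oX output into open services and derive web targets.

Added example, not from the original article or the Nmap project.
SAMPLE_NMAP_XML is a constructed sample in Nmap's XML layout; the
address, ports and versions are illustrative, not a real scan.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -A -T4 -oX scan.xml scanme.nmap.org">
  <host>
    <status state="up"/>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.7"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="nginx" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Return one dict per open port: host, port, proto, name, product, version, ssl."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        target = hostname.get("name") if hostname is not None else addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed and filtered ports
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            results.append({
                "host": target,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
                "ssl": get("tunnel", "") == "ssl",  # Nmap marks TLS-wrapped services this way
            })
    return results


def web_targets(services):
    """Build base URLs for every HTTP(S) service, ready for WPScan, Nikto or Burp."""
    urls = []
    for s in services:
        if not s["name"].startswith("http"):
            continue
        scheme = "https" if s["ssl"] or s["port"] == 443 else "http"
        default_port = 443 if scheme == "https" else 80
        port = "" if s["port"] == default_port else f":{s['port']}"
        urls.append(f"{scheme}://{s['host']}{port}/")
    return urls


if __name__ == "__main__":
    found = parse_open_services(SAMPLE_NMAP_XML)
    for s in found:
        print(f"{s['host']}:{s['port']}/{s['proto']} {s['name']} {s['product']} {s['version']}".rstrip())
    print("web targets:", web_targets(found))
```

With a real scan you would run ‘nmap -A -T4 -oX scan.xml <target>’ and pass the file contents to parse_open_services; the filtered port is deliberately dropped because a filtered result says nothing about what is listening, and the TLS flag decides whether the URL handed to the next tool starts with https.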
Open Source Intelligence (OSINT)
Other information about the target can also be gathered from public sources, such as:
- The subdomains in use.
- Ownership (WHOIS) details and employee email addresses (useful for social engineering attacks).
The resources that can be used for gathering OSINT are:
- recon-ng (Kali Linux tool)
- theHarvester (Kali Linux tool)
- Shodan search engine
- Dark web search engines, e.g. Torch (The Tor Search) at http://xmh57jrzrnw6insl.onion/; note that this is a v2 onion address, and v2 onion services have since been retired by the Tor Project, so look up the current address.
WPintel Chrome Plugin
You can use a WordPress vulnerability scanner browser plugin like WPintel to scan your WordPress site for its version, themes, plugins and known vulnerabilities, and even to enumerate users.
WordPress Penetration Testing: Discovery
Having mapped the technologies in use, it is time to find actual vulnerabilities. The discovery phase focuses on vulnerabilities specific to the system found. In our case the target runs WordPress, so we look at the tools for WordPress vulnerability discovery; if the target were running another CMS or stack, there are equally specific tools for those.
WPScan is a free tool designed specifically for WordPress security audits and a great choice for black-box testing of your WordPress site. It detects the WordPress version, plugins and themes and checks them against the WPScan vulnerability database, which is updated continuously. Note that recent versions only report known vulnerabilities if you supply an API token for that database (‘--api-token’); without one the tool still enumerates versions, plugins, themes and users.
By default WPScan first refreshes its local fingerprint database and then performs discovery on the target.
To use this tool, open the terminal in your Kali Linux and type:
wpscan --url www.example.com
This simple command scans the target for vulnerabilities. For more options, type ‘wpscan -h’ (or ‘wpscan --hh’ for the full list). This tool can also be used for:
- Brute-forcing WordPress logins (‘--passwords’ with a wordlist; make sure the scope allows it).
- Enumerating WordPress users (‘--enumerate u’).
- Enumerating WordPress themes and plugins (‘--enumerate t,p’, or ‘vp’ for known-vulnerable plugins only).
- Finding exposed default WordPress files and directories (readme.html, xmlrpc.php, directory listing of wp-content/uploads, backed-up wp-config files).
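Most of WPScan's enumeration comes from two unauthenticated sources: the markup of the home page (the generator meta tag and the ‘/wp-content/plugins/<slug>/’ and ‘/wp-content/themes/<slug>/’ paths of the assets it loads, with their ‘?ver=’ values) and the REST endpoint ‘/wp-json/wp/v2/users’, which many installs leave readable. The added example below (not WPScan's code, and not from the original article) performs that fingerprinting on constructed sample responses, so you can see what a scanner extracts before pointing a real tool at a target. The HTML and JSON are made up for the example; example.com and the plugin versions are illustrative.

```python
"""Fingerprint a WordPress install from its home page and public REST API.

Added example of the enumeration WPScan automates; not WPScan's code.
SAMPLE_HTML and SAMPLE_USERS_JSON are constructed samples, not captured
responses; example.com and the versions shown are illustrative.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="https://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.4.2" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwentyone/style.css?ver=1.4" />
<script src="https://example.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=5.6.0"></script>
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
</head><body></body></html>"""

# What GET /wp-json/wp/v2/users returns on a default install: the "slug" is
# the user_nicename, which defaults to the login name.
SAMPLE_USERS_JSON = """[
  {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://example.com/author/admin/"},
  {"id": 3, "name": "Jane Editor", "slug": "jane", "link": "https://example.com/author/jane/"}
]"""

ASSET_RE = re.compile(r'(?:href|src)="([^"]+)"')
COMPONENT_RE = re.compile(r"/wp-content/(plugins|themes)/([^/]+)/")


def wp_version(html):
    """Core version from the generator meta tag, or None if the site removed it."""
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', html)
    return m.group(1) if m else None


def enumerate_components(html):
    """Map plugin and theme slugs to the ?ver= value of their assets (None if absent).

    The ?ver= value is usually the component version but only a hint: some
    plugins append the core version or a cache-busting hash instead.
    """
    plugins, themes = {}, {}
    for url in ASSET_RE.findall(html):
        parsed = urlparse(url)
        m = COMPONENT_RE.search(parsed.path)
        if not m:
            continue  # core assets under /wp-includes/ etc. are not components
        kind, slug = m.groups()
        ver = parse_qs(parsed.query).get("ver", [None])[0]
        bucket = plugins if kind == "plugins" else themes
        bucket.setdefault(slug, ver)  # keep the first version seen per slug
    return {"plugins": plugins, "themes": themes}


def enumerate_users(users_json):
    """Login names exposed by the REST users endpoint."""
    return [u["slug"] for u in json.loads(users_json)]


if __name__ == "__main__":
    print("version:", wp_version(SAMPLE_HTML))
    print("components:", enumerate_components(SAMPLE_HTML))
    print("users:", enumerate_users(SAMPLE_USERS_JSON))
```

Against a live, in-scope site you would feed the functions the body of ‘GET /’ and of ‘GET /wp-json/wp/v2/users’; the slugs are what you then look up in a vulnerability database, and a non-empty user list is itself a finding worth reporting, since it hands a brute-forcer half of each credential.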
Nikto is a good open-source web server scanner for a WordPress security audit. It checks many kinds of servers against a large database of dangerous files and misconfigurations and is very comprehensive. The downside is that Nikto is slow and very noisy, sending thousands of requests, so it is easily detected by a WAF or IDS. It also produces many false positives that must be vetted manually during WordPress penetration testing. For more options type ‘nikto -h’.
Burp Suite is a collection of tools that can significantly ease a WordPress security audit. It acts as an intercepting proxy between the browser and the server, so every HTTP request and response can be inspected and manipulated in real time to find various kinds of vulnerabilities. The automated scanner is available only in the paid Professional edition; the free Community edition is good for manual testing (its Intruder tool is included but rate-limited).
Fuzzing is the last resort in a WordPress security audit when nothing else turns anything up. It sends large numbers of malformed or unexpected inputs to the parameters of your WordPress site and watches for errors and anomalous responses; this can uncover even previously unknown (zero-day) flaws. Fuzzing creates a lot of noise, though, which an IDS will pick up. Some lightweight fuzzing tools are:
For SQL injection: sqlmap is probably the best tool for comprehensive fuzzing of WordPress parameters for SQLi. Beyond detection, sqlmap can also exploit a confirmed SQLi to extract data. To enumerate the databases reachable through a vulnerable URL, run the following in Kali Linux:
sqlmap -u "target URL" --dbs
The URL must include the injectable parameter, e.g. ‘?id=1’; add ‘--batch’ to accept the defaults non-interactively.
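What sqlmap does when it reports a boolean-based blind injection is simple to state: it appends a condition that is always true and one that is always false to the parameter and compares the pages it gets back, then uses the same yes/no trick to read data one character at a time. The added example below (not sqlmap's code, and not from the original article) reproduces that logic in Python against a local stand-in for a WordPress page: an in-memory SQLite table with constructed rows, a handler that concatenates the ‘id’ parameter into its query, and the parameterised fix beside it. The table and its rows are made up for the example.

```python
"""Boolean-based blind SQL injection: detection and extraction, plus the fix.

Added example, not from the original article or from sqlmap. The
"application" is an in-memory SQLite table standing in for wp_posts, with
constructed rows; one handler is injectable, the other is parameterised.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_status TEXT)")
conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
    (1, "Hello world!", "publish"),   # public post
    (2, "Draft post", "draft"),       # not reachable through the page
])


def vulnerable_page(post_id):
    """String-concatenated query: the classic injectable pattern."""
    sql = ("SELECT post_title FROM wp_posts WHERE ID = " + post_id
           + " AND post_status = 'publish'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "Database error"
    return rows[0][0] if rows else "Not found"


def fixed_page(post_id):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    try:
        pid = int(post_id)
    except ValueError:
        return "Not found"
    rows = conn.execute(
        "SELECT post_title FROM wp_posts WHERE ID = ? AND post_status = 'publish'",
        (pid,),
    ).fetchall()
    return rows[0][0] if rows else "Not found"


def is_boolean_blind_injectable(page, base_value):
    """Injectable if a tautology leaves the page unchanged while a contradiction changes it."""
    baseline = page(base_value)
    true_resp = page(base_value + " AND 1=1")
    false_resp = page(base_value + " AND 1=2")
    return true_resp == baseline and false_resp != baseline


CHARSET = " abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!_-"


def blind_extract(page, base_value, subquery, max_len=32):
    """Recover the result of `subquery` one character at a time via yes/no questions.

    Linear search over CHARSET for clarity; sqlmap bisects on the character
    code instead, which needs about seven requests per character.
    """
    baseline = page(base_value)
    result = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in CHARSET:
            probe = f"{base_value} AND substr(({subquery}),{pos},1)='{ch}'"
            if page(probe) == baseline:
                found = ch
                break
        if found is None:
            break  # end of string, or a character outside CHARSET
        result += found
    return result


if __name__ == "__main__":
    secret = "SELECT post_title FROM wp_posts WHERE ID=2"
    for name, handler in (("vulnerable", vulnerable_page), ("fixed", fixed_page)):
        print(name, "injectable:", is_boolean_blind_injectable(handler, "1"))
        print(name, "extracted:", repr(blind_extract(handler, "1", secret)))
```

Two caveats carry over to real targets: take the baseline twice and make sure it is stable (dynamic content such as timestamps or nonces will otherwise look like a difference), and remember that on a WordPress site the subquery would target MySQL, so the functions and table names change even though the yes/no logic does not. The fixed handler shows why sqlmap finds nothing after the fix: the tautology is rejected before any SQL runs, so true and false probes return the same page.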
For XSS: XSSer can not only find but actively exploit XSS vulnerabilities. For more help type ‘xsser -h’; a GTK GUI is also available, and the help output lists the option that launches it.
For command injection: Commix (COMMand Injection eXploiter) can detect and exploit various types of command injection during a WordPress security audit. For more help, in Kali Linux type ‘commix -h’.
Kali Linux provides several other fuzzers as well that can be used during a WordPress security audit.
WordPress Penetration Testing: Exploitation
After mapping and discovery, the next step is to try to exploit the issues found. Running the exploits helps weed out false positives. There are numerous exploitation frameworks, but for this article we shall discuss only one and its features.
Metasploit is an exploitation framework that can be used against web apps, including CMSes like WordPress. Developed and maintained by Rapid7, Metasploit hosts a large collection of exploits for different operating systems and applications. Update Metasploit before using it; on Kali the framework is updated through the package manager (‘apt update && apt install metasploit-framework’), and the older ‘msfupdate’ command is no longer supported there. Then start Metasploit with the ‘msfconsole’ command. The key commands and parameters are:
- search: search for WordPress-related modules, e.g. ‘search wordpress’.
- use: load a particular exploit module, e.g. ‘use exploit/unix/webapp/wp_wpshop_ecommerce_file_upload’.
- show options: list the parameters that need to be set.
- set RHOSTS: the IP address or hostname of the machine to exploit (older versions use RHOST).
- set TARGETURI: the base path of the WordPress installation on the target, e.g. ‘/’ or ‘/blog/’.
- check: where the module supports it, test whether the target is vulnerable without actually exploiting it.
- exploit: run the exploit; ‘run’ does the same.
WordPress Penetration Testing By Team Astra
Using multiple tools for WordPress penetration testing can be both confusing and tedious, and automation alone cannot be relied on. Astra addresses this with a balanced mix of manual and automated testing of your WordPress site, covering both white-box and black-box WordPress security audits, backed by a community of ethical hackers who work to close the security loopholes in your site.