WordPress usage has surged in recent years, and that growth demands more attention to security. A penetration test (PenTest, or simply pentest) checks for vulnerabilities in your WordPress-powered website. Although it is a lengthy process, in simple words a penetration test is a simulated malicious attack, carried out by a security expert playing the attacker, on a network, system, application or website, used to discover existing vulnerabilities and weaknesses before crackers find and exploit them. In other words, a penetration test is an independent security evaluation of your website, network and system infrastructure.
In “How to do Penetration Test for your WordPress Powered Website Part 1” we explained how to set up the platform for the pen test; in this part we give a brief walkthrough of the test itself.
The main goal of the simulated attack is to identify the vulnerabilities in the password-protected pages, to determine the harmful impact a security breach would have on the integrity of the website, and to check the confidentiality of customer data and information on the system. We used the OWASP (Open Web Application Security Project) testing methodology and followed the recommendations of NIST SP 800-115 (NIST, 2008).
During the test we found that the target system runs the latest version of WordPress on a web server. For scanning we used the WPScan tool, whose report showed multiple CSRF vulnerabilities. Through them an attacker can change post titles, manage administrator/user accounts and their email addresses, redirect the site to another URL, edit posts, customize the theme and insert their own header image.
Before using Armitage and exploiting the CSRF vulnerabilities, we ran WPScan to enumerate the installed plugins and the user list. WPScan is a security scanner written in Ruby and licensed under the GPLv3 (Dewhurst, 2011). This black-box scanner helped us find weaknesses in the installed system; the checks it performs are listed below.
WPScan is a black-box WordPress security scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. It is intended for security professionals or WordPress administrators to assess the security posture of their WordPress installations. The code base is open source and licensed under the GPLv3.
- Username enumeration (from ?author)
- Weak password cracking (multithreaded)
- Version enumeration (from generator meta tag)
- Vulnerability enumeration (based on version)
- Plugin enumeration (todo)
- Plugin vulnerability enumeration (based on version) (todo)
- Other miscellaneous checks
Exploitation on Local Server
- Enumerate all users with the following command:
ruby ./wpscan.rb --url http://192.168.0.10/ --enumerate u
- For plugin enumeration run the following command:
ruby ./wpscan.rb --url http://192.168.0.10/ --enumerate p
After running these enumerations we obtained the admin username, “admin”, and the list of installed plugins. We then created a password list file (pass.txt), saved it in the /pentest/web/wpscan folder and ran a dictionary brute-force attack against the password-protected pages with the following command:
ruby ./wpscan.rb --url http://192.168.0.10/ --wordlist pass.txt --username admin
If someone gets hold of the admin account, you are at risk of identity theft and hijacking of your WordPress-powered website. Anyone who breaks into the account could steal your private content, post spam, take over your WordPress account or use it to gather email addresses to spam others.
Through this attack we obtained administrator-level access, which means full control over the WordPress-powered website. After this test we ran an HTTP DoS attack for exploitation and also used Armitage to identify further vulnerabilities so that the server could be protected against them.
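From the defender's side, the enumeration and brute-force steps above leave a recognisable trail in the web server's access log. The following added example (not part of the original article) scans constructed Apache combined-log lines for the `?author=N` username probes and repeated failed POSTs to wp-login.php and flags the source IP; the thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (sample data, not from the
# original article). 192.168.0.10 is the lab WordPress server used in the
# article; 192.168.0.112 plays the scanning client, 192.168.0.50 a normal user.
_LINE = '{ip} - - [10/Oct/2012:13:55:{s:02d} +0000] "{m} {path} HTTP/1.1" {st} 0 "-" "{ua}"'
SAMPLE_LOG = "\n".join(
    [_LINE.format(ip="192.168.0.112", s=i, m="GET", path=f"/?author={i}",
                  st=301 if i < 3 else 404, ua="WPScan v2") for i in range(1, 5)]
    + [_LINE.format(ip="192.168.0.112", s=10 + i, m="POST", path="/wp-login.php",
                    st=200, ua="WPScan v2") for i in range(6)]
    + [_LINE.format(ip="192.168.0.50", s=30, m="POST", path="/wp-login.php",
                    st=302, ua="Mozilla/5.0")]
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r"^/\?author=\d+$")  # WordPress author-id redirect probe

def analyze(log_text, author_threshold=3, login_threshold=5):
    """Return per-IP counters and the alerts they trigger (assumed thresholds)."""
    stats = defaultdict(lambda: {"author_probes": 0, "failed_logins": 0, "alerts": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        s = stats[m["ip"]]
        method, path, status = m["method"], m["path"], int(m["status"])
        if method == "GET" and AUTHOR_RE.match(path):
            s["author_probes"] += 1
        # WordPress answers a failed login with HTTP 200 (the form plus an
        # error message); a successful login redirects (302) to wp-admin.
        elif method == "POST" and path.startswith("/wp-login.php") and status == 200:
            s["failed_logins"] += 1
    for s in stats.values():
        if s["author_probes"] >= author_threshold:
            s["alerts"].append("username enumeration via ?author=")
        if s["failed_logins"] >= login_threshold:
            s["alerts"].append("wp-login.php brute force")
    return dict(stats)

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s)
```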
Penetration Test through Armitage
After starting Armitage in BackTrack, run these commands to add the two host machines, the server and the Windows XP client, as targets:
msf > db_nmap -sT -Pn -T5 --open 192.168.0.10
msf > db_nmap -sT -Pn -T5 --open 192.168.0.112
Once the hosts are added, run the scan and the services view to see which ports are open and which are filtered.
Countermeasures and recommendations:
- Always update the WordPress installation to the latest version
- Protect the wp-config.php file: restrict its file-system permissions and add the following block to the .htaccess file so the web server refuses to serve it:
<files wp-config.php>
# protect wp-config.php
deny from all
</files>
- Disable the PHP functions you do not need (the disable_functions setting in php.ini)
- To protect against brute-force attacks, limit login attempts with a plugin such as Limit Login Attempts
- Use a strong password
- Keep the installed plugins up to date
- Do not connect to the database as the root user; use a dedicated user with a strong password
- Keep an error log file and act on it to prevent the same problems from recurring
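Several of the recommendations above can be checked mechanically. The following added example (not from the original article) parses a constructed wp-config.php and .htaccess and reports when the database user is root, the database password is weak, or the .htaccess block protecting wp-config.php is missing; the password policy is an assumption.

```python
import re

# Constructed sample inputs (not from the original article): a wp-config.php
# that breaks the recommendations and an .htaccess without the protective block.
WEAK_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'admin123');
define('DB_HOST', 'localhost');
"""
EMPTY_HTACCESS = "RewriteEngine On\n"
HARDENED_HTACCESS = """<files wp-config.php>
# protect wp-config.php
deny from all
</files>
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
FILES_BLOCK_RE = re.compile(r"<files\s+wp-config\.php\s*>(.*?)</files>", re.I | re.S)

def parse_defines(php_text):
    """Map constant name -> string value for simple define('X', 'y') calls."""
    return {name: value for name, value in DEFINE_RE.findall(php_text)}

def password_is_strong(pw):
    """Assumed policy: 12+ characters drawn from at least three character classes."""
    classes = [re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")]
    return len(pw) >= 12 and sum(1 for c in classes if c) >= 3

def audit(wp_config_text, htaccess_text):
    """Return the list of recommendation violations found in the two files."""
    findings = []
    cfg = parse_defines(wp_config_text)
    if cfg.get("DB_USER", "").lower() == "root":
        findings.append("DB_USER is root: create a dedicated MySQL user for WordPress")
    if not password_is_strong(cfg.get("DB_PASSWORD", "")):
        findings.append("DB_PASSWORD is weak: use a long random password")
    block = FILES_BLOCK_RE.search(htaccess_text)
    if not block or not re.search(r"deny\s+from\s+all", block.group(1), re.I):
        findings.append(".htaccess does not deny web access to wp-config.php")
    return findings

if __name__ == "__main__":
    for f in audit(WEAK_WP_CONFIG, EMPTY_HTACCESS):
        print("FAIL:", f)
```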
The result of this penetration test shows that the password-protected website is at high risk from attackers, who can damage the company website and, by exploiting the web server, gain operational control of it for financial or other gain.
At the end of this test we can conclude that there are security breaches that can harm the integrity of the company's assets, and that data confidentiality is at high risk. The penetration test was completed successfully and showed that attackers can find these vulnerabilities and use them to cause damage. Since an attacker could take control of the whole system, the security countermeasures listed above need to be put in place.
After installing WordPress on the server machine, the victim box is ready and you can run a penetration test against the WordPress-powered site.