Tuesday, 20 May 2014

WPSCAN and quick wordpress security

Posted by krishna
This is a quick and simple guide that uses wpscan to scan a WordPress site and fix some of the security issues it reports. Very simple and easy to follow.
Readers: please also read WPSCAN and quick WordPress security – Fixing Directory Listing – Part 2 of this series, which outlines how to fix Directory Listing.
A simple WPSCAN done on my site:
# wpscan --url www.blackmoreops.com

Output:
____________________________________________________
__          _______   _____
\ \        / /  __ \ / ____|
\ \  /\  / /| |__) | (___   ___  __ _ _ __
\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
\  /\  /  | |     ____) | (__| (_| | | | |
\/  \/   |_|    |_____/ \___|\__,_|_| |_| v2.1rNA
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://www.blackmoreops.com/
| Started on Sun Oct 13 13:39:25 2013
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'
[+] XML-RPC Interface available under http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.6.1 identified from meta generator
[+] The WordPress theme in use is twentyten v1.6
| Name: twentyten v1.6
| Location: http://www.blackmoreops.com/wp-content/themes/twentyten/
[+] Enumerating plugins from passive detection ...
3 plugins found :
| Name: add-to-any v1.2.5
| Location: http://www.blackmoreops.com/wp-content/plugins/add-to-any/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/add-to-any/README.txt
| Name: captcha v3.8.4
| Location: http://www.blackmoreops.com/wp-content/plugins/captcha/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/captcha/readme.txt
| Name: google-analyticator v6.4.5
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/readme.txt
[+] Finished at Sun Oct 13 13:39:51 2013
[+] Elapsed time: 00:00:26
Two things that were marked as possible vulnerabilities:
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'
The readme.html file should be deleted, as it gives away the WordPress version. There are other ways to find the WP version, but routine scans rely on this file to determine it. Not that it makes much of a difference, but why keep something you don't need?
Full Path Disclosure (FPD) gives away your folder structure and username. We would like to fix that.
The readme.html file can be deleted safely, so that fixes the first problem.
For FPD, add the following line to the .htaccess file in your WordPress root folder:
php_flag display_errors off
This fixes the problem.
Now let's see how WPSCAN behaves when we do another scan:
____________________________________________________
__          _______   _____
\ \        / /  __ \ / ____|
\ \  /\  / /| |__) | (___   ___  __ _ _ __
\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
\  /\  /  | |     ____) | (__| (_| | | | |
\/  \/   |_|    |_____/ \___|\__,_|_| |_| v2.1rNA
WordPress Security Scanner by the WPScan Team
Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://www.blackmoreops.com/
| Started on Sun Oct 13 13:56:46 2013
[+] XML-RPC Interface available under http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.6.1 identified from meta generator
[+] The WordPress theme in use is twentyten v1.6
| Name: twentyten v1.6
| Location: http://www.blackmoreops.com/wp-content/themes/twentyten/
[+] Enumerating plugins from passive detection ...
3 plugins found :
| Name: add-to-any v1.2.5
| Location: http://www.blackmoreops.com/wp-content/plugins/add-to-any/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/add-to-any/README.txt
| Name: captcha v3.8.4
| Location: http://www.blackmoreops.com/wp-content/plugins/captcha/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/captcha/readme.txt
| Name: google-analyticator v6.4.5
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/readme.txt
[+] Finished at Sun Oct 13 13:57:46 2013
[+] Elapsed time: 00:00:59
There you go, both warnings fixed.
Having said all that, try to follow these three steps to make your site more secure:
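The before/after comparison done by eye above, as an added example that is not part of the original post or of wpscan itself: it parses wpscan's text output for the red [!] warnings, the detected version and any plugin with directory listing enabled, then reports what a re-scan shows as fixed and what is still exposed. The sample scans are constructed excerpts of the two outputs above, and the patterns assume the wpscan 2.x text format shown there.

```python
import re

# Constructed excerpts in wpscan's output format (ANSI colour codes already
# stripped), modelled on the before/after scans in the post above.
SCAN_BEFORE = """\
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'
[+] WordPress version 3.6.1 identified from meta generator
| Name: add-to-any v1.2.5
| Directory listing enabled: Yes
| Name: captcha v3.8.4
| Directory listing enabled: Yes
"""
SCAN_AFTER = """\
[+] WordPress version 3.6.1 identified from meta generator
| Name: add-to-any v1.2.5
| Directory listing enabled: Yes
| Name: captcha v3.8.4
| Directory listing enabled: Yes
"""

WARNING = re.compile(r"^\[!\]\s*(.*\S)")          # red [!] findings
VERSION = re.compile(r"WordPress version (\S+) identified")
NAME = re.compile(r"^\|\s*Name:\s*(\S+)")          # plugin/theme block header
LISTING = re.compile(r"^\|\s*Directory listing enabled:\s*Yes")

def parse_wpscan(text):
    """Return ([!] warnings, detected version or None, plugins with listing on)."""
    warnings, listing, version, current = set(), set(), None, None
    for line in text.splitlines():
        if m := WARNING.match(line):
            warnings.add(m.group(1))
        elif m := VERSION.search(line):
            version = m.group(1)
        elif m := NAME.match(line):
            current = m.group(1)          # attribute later lines to this plugin
        elif LISTING.match(line) and current:
            listing.add(current)
    return warnings, version, listing

def compare_scans(before, after):
    """Summarise what a re-scan shows as fixed and what is still exposed."""
    before_warn, _, _ = parse_wpscan(before)
    after_warn, after_version, after_listing = parse_wpscan(after)
    return {
        "fixed": sorted(before_warn - after_warn),
        "remaining": sorted(after_warn),
        "listing_still_open": sorted(after_listing),
        "version_still_visible": after_version,
    }
```

Run against the two scans, the report lists both warnings as fixed but still flags the plugin directories with listing enabled and the version read from the meta generator tag, which is why removing readme.html alone does not hide the version.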
  1. Update WordPress, Themes & Plugins – One of the most important things you can do is keep your software up to date. Whenever there is a new version of WordPress, or a new version of one of your themes or plugins, update them as soon as possible. This goes for your inactive themes and plugins too. Keep them updated, or if you don’t plan on using them any time soon, delete them so you don’t forget to update them.
  2. Limit Login Attempts – If you have a secure password and admin username, then you should be fairly safe against brute force login attacks. Just in case, however, you can also limit login attempts.
  3. Disable Administrative File Editing – In the unfortunate event that someone gains access to your WordPress Dashboard, you should try to limit the resources they have to do damage. Using the WordPress Editor to modify your theme's PHP files is an easy way to execute malicious code on your site and effectively lets the attacker do whatever they want with your website. These editing capabilities can be disabled in your wp-config.php file using define( 'DISALLOW_FILE_EDIT', true );