This is a quick and simple guide to using wpscan to scan a WordPress site and fix some of the security issues it reports. Very simple and easy to follow.
Readers: Please read WPSCAN and quick wordpress security – Fixing Directory Listing – Part 2 of this series, which outlines how to fix Directory Listing.
A simple WPSCAN done on my site:
# wpscan --url www.blackmoreops.com
Output:
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

                            v2.1rNA
        WordPress Security Scanner by the WPScan Team
      Sponsored by the RandomStorm Open Source Initiative
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started on Sun Oct 13 13:39:25 2013

[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'
[+] XML-RPC Interface available under http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.6.1 identified from meta generator
[+] The WordPress theme in use is twentyten v1.6
 | Name: twentyten v1.6
 | Location: http://www.blackmoreops.com/wp-content/themes/twentyten/
[+] Enumerating plugins from passive detection ...
3 plugins found :

 | Name: add-to-any v1.2.5
 | Location: http://www.blackmoreops.com/wp-content/plugins/add-to-any/
 | Directory listing enabled: Yes
 | Readme: http://www.blackmoreops.com/wp-content/plugins/add-to-any/README.txt

 | Name: captcha v3.8.4
 | Location: http://www.blackmoreops.com/wp-content/plugins/captcha/
 | Directory listing enabled: Yes
 | Readme: http://www.blackmoreops.com/wp-content/plugins/captcha/readme.txt

 | Name: google-analyticator v6.4.5
 | Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
 | Directory listing enabled: Yes
 | Readme: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/readme.txt

[+] Finished at Sun Oct 13 13:39:51 2013
[+] Elapsed time: 00:00:26
Two things were marked as possible vulnerabilities:
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'
The readme.html file should be deleted as it gives away version info. There are other ways to find the WP version, but routine scans usually depend on this file to determine it. Not that it makes much of a difference, but why keep something you don't need?
Full Path Disclosure (FPD) gives away your folder structure and username. We would like to fix that.
The readme.html file can be deleted safely. That fixes the first problem.
For FPD, add the following line to the .htaccess file in your WordPress root folder:
php_flag display_errors off
That fixes the second problem.
Now let's see how WPSCAN behaves when we run another scan:
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

                            v2.1rNA
        WordPress Security Scanner by the WPScan Team
      Sponsored by the RandomStorm Open Source Initiative
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started on Sun Oct 13 13:56:46 2013

[+] XML-RPC Interface available under http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.6.1 identified from meta generator
[+] The WordPress theme in use is twentyten v1.6
 | Name: twentyten v1.6
 | Location: http://www.blackmoreops.com/wp-content/themes/twentyten/
[+] Enumerating plugins from passive detection ...
3 plugins found :

 | Name: add-to-any v1.2.5
 | Location: http://www.blackmoreops.com/wp-content/plugins/add-to-any/
 | Directory listing enabled: Yes
 | Readme: http://www.blackmoreops.com/wp-content/plugins/add-to-any/README.txt

 | Name: captcha v3.8.4
 | Location: http://www.blackmoreops.com/wp-content/plugins/captcha/
 | Directory listing enabled: Yes
 | Readme: http://www.blackmoreops.com/wp-content/plugins/captcha/readme.txt

 | Name: google-analyticator v6.4.5
 | Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
 | Directory listing enabled: Yes
 | Readme: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/readme.txt

[+] Finished at Sun Oct 13 13:57:46 2013
[+] Elapsed time: 00:00:59
There you go, both warnings fixed.
Having said all that, try to follow these 3 steps to make your site more secure:
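The before/after comparison above is easy to do by eye for two warnings, but on a site with many plugins it helps to let a script diff the two runs. The following is an added example (not part of the original post and not WPScan's own code): it strips the ANSI colour codes WPScan 2.x prints, pulls out every "[!]" finding plus every plugin or theme that has directory listing enabled, and reports what was fixed, what remains and what is new between two scans. The two scan excerpts are constructed samples modelled on the output shown in this post, with example.com in place of the real site.

```python
import json
import re

# Constructed WPScan 2.x excerpts (not real captures), including the raw
# ANSI colour codes the scanner emits around [!] and [+] markers.
SCAN_BEFORE = """\
\x1b[31m[!]\x1b[0m The WordPress 'http://www.example.com/readme.html' file exists
\x1b[31m[!]\x1b[0m Full Path Disclosure (FPD) in 'http://www.example.com/wp-includes/rss-functions.php'
\x1b[32m[+]\x1b[0m XML-RPC Interface available under http://www.example.com/xmlrpc.php
\x1b[32m[+]\x1b[0m WordPress version 3.6.1 identified from meta generator
\x1b[32m[+]\x1b[0m Enumerating plugins from passive detection ...
2 plugins found :

 | Name: add-to-any v1.2.5
 | Location: http://www.example.com/wp-content/plugins/add-to-any/
 | Directory listing enabled: Yes
 | Readme: http://www.example.com/wp-content/plugins/add-to-any/README.txt

 | Name: captcha v3.8.4
 | Location: http://www.example.com/wp-content/plugins/captcha/
 | Directory listing enabled: Yes
 | Readme: http://www.example.com/wp-content/plugins/captcha/readme.txt
"""

# Same site after deleting readme.html and turning display_errors off:
# the two [!] lines are gone, the directory listing findings remain.
SCAN_AFTER = "\n".join(
    line for line in SCAN_BEFORE.splitlines() if "[!]" not in line
) + "\n"

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


def strip_ansi(text):
    """Remove terminal colour escape sequences so the text can be parsed."""
    return ANSI_RE.sub("", text)


def parse_findings(output):
    """Return the set of things worth fixing in one WPScan run:
    every [!] warning, and every plugin/theme block that reports
    'Directory listing enabled: Yes'."""
    findings = set()
    current = None  # name of the plugin/theme block being read
    for raw in strip_ansi(output).splitlines():
        line = raw.strip()
        if line.startswith("[!]"):
            findings.add(line[3:].strip())
        elif line.startswith("| Name:"):
            current = line[len("| Name:"):].strip()
        elif line.startswith("| Directory listing enabled:") and current:
            if line.split(":", 1)[1].strip().lower() == "yes":
                findings.add(f"Directory listing enabled for {current}")
    return findings


def compare_scans(before, after):
    """Diff two runs: fixed = gone after the change, remaining = still
    present, new = only in the second run (a regression to look at)."""
    b, a = parse_findings(before), parse_findings(after)
    return {
        "fixed": sorted(b - a),
        "remaining": sorted(a & b),
        "new": sorted(a - b),
    }


if __name__ == "__main__":
    # Typical use: wpscan --url ... > before.txt, fix, rescan > after.txt,
    # then feed both files to compare_scans().
    print(json.dumps(compare_scans(SCAN_BEFORE, SCAN_AFTER), indent=2))
```

If the rescan still lists the FPD warning after the .htaccess change, one common cause is that `php_flag` directives only take effect when PHP runs as an Apache module (mod_php); under PHP-FPM or FastCGI the same `display_errors = Off` setting belongs in php.ini or a .user.ini file instead.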
- Update WordPress, Themes & Plugins – One of the most important things you can do is keep your software up to date. Whenever there is a new version of WordPress, or a new version of one of your themes or plugins, update as soon as possible. This goes for your inactive themes and plugins too. Keep them updated, or if you don't plan on using them any time soon, delete them so you don't forget to update them.
- Limit Login Attempts – If you have a secure password and admin username, then you should be fairly safe against brute force login attacks. Just in case, however, you can also limit login attempts.
- Disable Administrative File Editing – In the unfortunate event that someone gains access to your WordPress Dashboard, you should try to limit the resources they have to do damage. Using the WordPress Editor to modify your theme's PHP files is an easy way to execute malicious code on your site and effectively lets the pentester do whatever they want with your website. These editing capabilities can be disabled in your wp-config.php file using define( 'DISALLOW_FILE_EDIT', true );
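The "Limit Login Attempts" step above is normally done with a plugin, but the logic behind it is small enough to show directly. The following is an added example (not part of the original post and not any WordPress plugin's code): a sliding-window lockout that refuses further logins for a client after a set number of failures within a window, and clears the counter on a successful login. The client key (source IP plus username), the limits and the fake clock used in the demo are all constructed for the example.

```python
import time
from collections import defaultdict, deque


def client_key(ip, username):
    """Key failures by IP and account together, so one noisy address
    cannot lock every user out, and one account cannot be hammered
    from many addresses without each address being counted."""
    return f"{ip}|{username.lower()}"


class LoginLimiter:
    """After `max_attempts` failed logins for the same key within `window`
    seconds, every further attempt (even with the right password) is
    refused until the oldest failure ages out of the window."""

    def __init__(self, max_attempts=5, window=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock  # injectable for deterministic testing
        self._failures = defaultdict(deque)  # key -> failure timestamps

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop failures older than the window
        return q

    def is_locked(self, key):
        return len(self._recent_failures(key, self.clock())) >= self.max_attempts

    def attempt(self, key, password_ok):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'.
        The lock check runs before the password check so a locked client
        learns nothing about whether its guess was right."""
        now = self.clock()
        if len(self._recent_failures(key, now)) >= self.max_attempts:
            return "locked"
        if password_ok:
            self._failures.pop(key, None)  # good login resets the counter
            return "ok"
        self._failures[key].append(now)
        return "failed"


def simulate_bruteforce(max_attempts=3, window=60):
    """Drive the limiter with a fake clock: `max_attempts` wrong passwords,
    then a correct one while locked, then a correct one after the window
    has expired. Returns the outcome of each attempt in order."""
    now = [0.0]
    limiter = LoginLimiter(max_attempts, window, clock=lambda: now[0])
    key = client_key("198.51.100.7", "admin")  # constructed client
    outcomes = [limiter.attempt(key, password_ok=False) for _ in range(max_attempts)]
    outcomes.append(limiter.attempt(key, password_ok=True))  # still locked
    now[0] = window + 1  # window expires
    outcomes.append(limiter.attempt(key, password_ok=True))
    return outcomes


if __name__ == "__main__":
    print(simulate_bruteforce())
```

In a real deployment the failure timestamps would live in a shared store (the WordPress database or a cache) rather than process memory, so that every PHP worker sees the same counts; the window and threshold are policy choices, and a longer lockout for repeat offenders is a common refinement.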
What's your opinion on also deleting all those plugins' readme.txt files? Thanks :)
Hi mike,
Ideally you should delete them, but then again, every time you update a plugin, it creates a new README file. At some point it gets really annoying.
Does it do any harm? I guess not, except for letting someone else know which version of the plugin you're using. But if you stick with supported plugins, you should not have any issues. Most vulnerabilities are with old versions of plugins (for example: W3TC). The most important part is to lock down your wp-admin as much as you can and configure your server properly.
What this scanner does is provide you a set of standard recommended practices, which may or may not be related to your particular installation. Cheers,
-BMO