Wordpress Security By Tuhin Bose

Who am I?

Conclusion & QNA Conclusion & QNA What is Wordpress? What is Wordpress? Why Wordpress? Why Wordpress? Hacking Wordpress Hacking Wordpress AGENDA Security Measures Security Measures

What is Wordpress?

Free and Open Source CMS Use to create a beautiful website Written in PHP and paired with a MySQL or MariaDB database. Simple, Flexible, User Management, Easy to setup and upgrade

Why Wordpress?

As of 2021, there are about 1.3 billion total websites on the web. More than 455 million sites use WordPress. Bunch of themes and plugins. Lack of awareness. Vulnerable by default. 1. 2. 3. 4.

Hacking Wordpress

Detection Wappalyzer

Default Credentials Administrator Editor: Publish and manages his and others posts. Author: Publish and manage his own posts. Contributor: Write and manage his posts but cannot publish them. Subscriber: Browse posts and edit their profile. User Permissions: 1. 2. 3. 4. 5.

Default Credentials Login page: /wp-login.php Try default credentials: admin:admin admin:password guest:guest ...

xmlrpc.php Location: /xmlrpc.php XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Let's say you want to post to your website from your mobile device. You could use the remote access feature enabled by xmlrpc.php to do just that. We'll try to achieve SSRF and Bruteforce.

xmlrpc.php List methods: system.listMethods We're interested in pingback.ping & wp.getUsersBlogs

xmlrpc.php SSRF using pingback.ping: pingback.ping http://xyz.burp.net:80 http://target.com/

xmlrpc.php Brute Force using wp.getUsersBlogs: wp.getUsersBlogs admin pass

Denial of Service (DoS) /wp-cron.php When this file is accessed, a heavy MySQL query is performed, so it could be used by attackers to cause a DoS. By default, the wp-cron.php is called on every page load (anytime a client requests any Wordpress page), which on high-traffic sites can cause problems (DoS).

Denial of Service (DoS) /wp-cron.php Detection: Blank page with 200 OK response. Exploitation: Open your terminal and enter the following command: i. wget https://raw.githubusercontent.com/Quitten/doser.py/master/doser.py ii. python3 doser.py -t 999 -g 'https://target.com/wp-cron.php'

Denial of Service (DoS) /wp-cron.php Detection: Blank page with 200 OK response. Exploitation: Open your terminal and enter the following command: i. wget https://raw.githubusercontent.com/Quitten/doser.py/master/doser.py ii. python3 doser.py -t 999 -g 'https://target.com/wp-cron.php'

Denial of Service (DoS) CVE-2018-6389 WordPress allows users to load multiple JS files and CSS files through load-scripts.php files at once. For example, https://example.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery- ui-core,editor&ver=4.9.1, file load-scripts.php will load jquery-ui-core and editor files automatically and return the contents of the file. However, the number and size of files are not restricted in the process of loading JS files, attackers can use this function to deplete server resources and launch denial of service attacks. For example, if you use the below payload then it'll cause 4.11 Mb of data to be transferred b/w the server and the user. So if the attacker sends 10,000 requests then it would result in transferring 41100 Mb (42Gb) from the server to the user which would cause a Denial of Service attack to the server.

Denial of Service (DoS) Payload: https://pastebin.com/hATmX1pk Exploitation: Use doser.py

Automation WPScan/CMSmap CMSmap: CMSmap is a Python open source CMS scanner that automates the method of detecting security flaws of the foremost popular CMSs. The main purpose of this tool is to integrate common vulnerabilities for different types of CMSs into a single tool. cmsmap https://example.com

Automation WPScan/CMSmap WPScan: WPScan is a WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.

Automation WPScan - Getting API Token

Automation Basic Scan: wpscan --url https://target.com/ Detect All Themes: wpscan --url https://target.com/ -e at Detect All Plugins: wpscan --url https://target.com/ -e ap Detect Vulnerable Themes: wpscan --url https://target.com/ -e vt --api-token Detect Vulnerable Plugins: wpscan --url https://target.com/ -e vp --api-token

Time for Practical stuffs

Security Measures

Disable xmlrpc manually or using some plugin. Disable wp-cron by updating wp-config.php: define('DISABLE_WP_CRON', true); Protect from CVE-2018-6389 by modifying .htaccess: 1. 2. and configure a regular system cronjob. 1. Order allow, deny Deny from all 4. Update wordpress core, themes and plugins time to time. 5. Hide the detault login page/allow from few ip addresses. 6. Use reCAPTCHA on sensitive actions. 7. Always take a backup of your site. 8. Use a strong password and enable 2fa on every accounts. Security Measures

Twitter: @tuhin1729_ | Medium: @tuhin1729 | Instagram: @tuhin1729 Thank You! Thank You! Thank You!