
WPSCAN and quick wordpress security

This is a quick and simple guide that uses WPScan to scan a WordPress site and fix some of the security issues it reports. Very simple and easy to follow.

Readers: Please also read WPSCAN and quick wordpress security – Fixing Directory Listing – Part 2 of this series, which outlines how to fix Directory Listing.

A simple WPSCAN done on my site:

# wpscan --url www.blackmoreops.com

Output:

____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    \  /\  /  | |     ____) | (__| (_| | | | |
     \/  \/   |_|    |_____/ \___|\__,_|_| |_| v2.1rNA
     WordPress Security Scanner by the WPScan Team
     Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://www.blackmoreops.com/
| Started on Sun Oct 13 13:39:25 2013
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'
[+] XML-RPC Interface available under http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.6.1 identified from meta generator
[+] The WordPress theme in use is twentyten v1.6
| Name: twentyten v1.6
| Location: http://www.blackmoreops.com/wp-content/themes/twentyten/
[+] Enumerating plugins from passive detection ...
3 plugins found :
| Name: add-to-any v1.2.5
| Location: http://www.blackmoreops.com/wp-content/plugins/add-to-any/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/add-to-any/README.txt
| Name: captcha v3.8.4
| Location: http://www.blackmoreops.com/wp-content/plugins/captcha/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/captcha/readme.txt
| Name: google-analyticator v6.4.5
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/readme.txt
[+] Finished at Sun Oct 13 13:39:51 2013
[+] Elapsed time: 00:00:26

Two things that were marked as possible vulnerabilities:

[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[!] Full Path Disclosure (FPD) in 'http://www.blackmoreops.com/wp-includes/rss-functions.php'

The readme.html file should be deleted, as it gives away the WordPress version. There are other ways to find the WP version (the scan above also reads it from the meta generator tag), but routine scans rely on readme.html to determine it. Not that it makes much of a difference, but why keep something you don't need?

Full Path Disclosure (FPD) gives away your server's folder structure and, because the path usually runs through your home directory, your username as well. We would like to fix that.
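To turn a raw scan like the one above into a short list of things to fix, here is a small triage script. It is an added example written for this post, not part of the original article or of WPScan itself. It assumes the WPScan 2.x line format shown above (the [!] and [+] markers and the "| Name:" / "| Directory listing enabled:" plugin lines); the sample scan embedded in it is constructed, with www.example.com standing in for a real site. The ESC byte of the colour codes is kept in the sample because that is what the tool writes to a terminal (the paste above lost it and shows bare "[31m" / "[0m").

```shell
#!/bin/sh
# Triage helpers for raw WPScan 2.x output (added example, not WPScan code).
ESC=$(printf '\033')

# Constructed sample scan: hostname, plugins and versions are made up.
SAMPLE="${ESC}[31m[!]${ESC}[0m The WordPress 'http://www.example.com/readme.html' file exists
${ESC}[31m[!]${ESC}[0m Full Path Disclosure (FPD) in 'http://www.example.com/wp-includes/rss-functions.php'
${ESC}[32m[+]${ESC}[0m XML-RPC Interface available under http://www.example.com/xmlrpc.php
${ESC}[32m[+]${ESC}[0m WordPress version 3.6.1 identified from meta generator
${ESC}[32m[+]${ESC}[0m Enumerating plugins from passive detection ...
| Name: add-to-any v1.2.5
| Location: http://www.example.com/wp-content/plugins/add-to-any/
| Directory listing enabled: Yes
| Name: captcha v3.8.4
| Location: http://www.example.com/wp-content/plugins/captcha/
| Directory listing enabled: No
| Name: google-analyticator v6.4.5
| Location: http://www.example.com/wp-content/plugins/google-analyticator/
| Directory listing enabled: Yes"

# Remove ANSI colour sequences (ESC [ ... m) so the lines can be grepped.
strip_ansi() {
    sed "s/${ESC}\[[0-9;]*m//g"
}

# Print only the [!] lines: the findings WPScan marks as possible vulnerabilities.
wpscan_warnings() {
    strip_ansi | grep '^\[!\] ' | sed 's/^\[!\] //'
}

# Print the slug of every plugin reported with directory listing enabled.
plugins_with_dir_listing() {
    strip_ansi | awk '
        /^[|] Name: /                         { slug = $3 }
        /^[|] Directory listing enabled: Yes/ { print slug }
    '
}

# Print the WordPress version WPScan identified (empty if it could not).
wpscan_version() {
    strip_ansi | sed -n 's/^\[+\] WordPress version \([0-9.]*\) identified.*/\1/p'
}

# Summary of a saved scan of your own site:
#   wpscan --url https://your.site > scan.log; summarize < scan.log
summarize() {
    scan=$(cat)
    printf 'WordPress version: %s\n' "$(printf '%s\n' "$scan" | wpscan_version)"
    printf 'Warnings:\n';       printf '%s\n' "$scan" | wpscan_warnings | sed 's/^/  /'
    printf 'Dir listing on:\n'; printf '%s\n' "$scan" | plugins_with_dir_listing | sed 's/^/  /'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | summarize
```

Strip the colour codes first, then grep: the [!] marker is the only stable signal that WPScan considers a line a possible vulnerability, and the plugin block has to be read as pairs of lines (name, then the directory-listing answer), which is why awk carries the slug across lines.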

The readme.html file can be deleted safely, so that fixes the first problem.

For FPD, add the following line to the .htaccess file in your WordPress root folder.

php_flag display_errors off

This stops PHP from printing warnings (and the file paths in them) to visitors, which fixes the problem.

Now let's see how WPScan behaves when we do another scan:

____________________________________________________
 __          _______   _____
 \ \        / /  __ \ / ____|
  \ \  /\  / /| |__) | (___   ___  __ _ _ __
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    \  /\  /  | |     ____) | (__| (_| | | | |
     \/  \/   |_|    |_____/ \___|\__,_|_| |_| v2.1rNA
     WordPress Security Scanner by the WPScan Team
     Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________
| URL: http://www.blackmoreops.com/
| Started on Sun Oct 13 13:56:46 2013
[+] XML-RPC Interface available under http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.6.1 identified from meta generator
[+] The WordPress theme in use is twentyten v1.6
| Name: twentyten v1.6
| Location: http://www.blackmoreops.com/wp-content/themes/twentyten/
[+] Enumerating plugins from passive detection ...
3 plugins found :
| Name: add-to-any v1.2.5
| Location: http://www.blackmoreops.com/wp-content/plugins/add-to-any/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/add-to-any/README.txt
| Name: captcha v3.8.4
| Location: http://www.blackmoreops.com/wp-content/plugins/captcha/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/captcha/readme.txt
| Name: google-analyticator v6.4.5
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
| Directory listing enabled: Yes
| Readme: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/readme.txt
[+] Finished at Sun Oct 13 13:57:46 2013
[+] Elapsed time: 00:00:59

There you go, both warnings fixed.

Having said all that, try to follow these three steps to make your site more secure:

  1. Update WordPress, Themes & Plugins – One of the most important things you can do is keep your software up to date. Whenever there is a new version of WordPress, or a new version of one of your themes or plugins, update as soon as possible. This goes for your inactive themes and plugins too: keep them updated, or if you don't plan on using them any time soon, delete them so you don't forget to update them.
  2. Limit Login Attempts – If you have a secure password and admin username, then you should be fairly safe against brute-force login attacks. Just in case, however, you can also limit login attempts.
  3. Disable Administrative File Editing – In the unfortunate event that someone gains access to your WordPress Dashboard, you should limit the resources they have to do damage. Using the WordPress Editor to modify your theme's PHP files is an easy way to execute malicious code on your site and effectively lets the pentester do whatever they want with your website. These editing capabilities can be disabled in your wp-config.php file using define( 'DISALLOW_FILE_EDIT', true );
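The file-level fixes in this post (delete readme.html, turn display_errors off in the root .htaccess, set DISALLOW_FILE_EDIT in wp-config.php) are easy to forget after a reinstall or a migration, so here is an audit-and-harden script that checks all three against a document root. It is an added example written for this post, not code from the original article or from WordPress. The function names wp_audit, wp_harden and make_sample_site are mine, and the sample install it builds in a temporary directory is constructed and deliberately unhardened; point wp_audit at a real document root to use it. One caveat the script cannot detect for you: php_flag is honoured only when PHP runs as the Apache module (mod_php). Under PHP-FPM or CGI, Apache treats it as an unknown directive and answers every request with a 500, and display_errors has to be turned off in php.ini or .user.ini instead.

```shell
#!/bin/sh
# Hardening audit for a WordPress document root (added example, not WordPress code).
# Covers: readme.html removed, display_errors off in .htaccess, DISALLOW_FILE_EDIT set.

# wp_audit DIR: print one line per finding; exit status = number of findings.
wp_audit() {
    root=$1
    findings=0

    # readme.html discloses the WordPress version and can be deleted safely.
    if [ -f "$root/readme.html" ]; then
        echo "FINDING: $root/readme.html exists (version disclosure)"
        findings=$((findings + 1))
    fi

    # Full Path Disclosure: PHP errors must not be rendered to visitors.
    # The post's fix is 'php_flag display_errors off' in the root .htaccess
    # (only effective under mod_php; use php.ini/.user.ini for PHP-FPM or CGI).
    if ! grep -qiE '^[[:space:]]*php_flag[[:space:]]+display_errors[[:space:]]+off' \
            "$root/.htaccess" 2>/dev/null; then
        echo "FINDING: display_errors not disabled in $root/.htaccess (FPD)"
        findings=$((findings + 1))
    fi

    # Dashboard theme/plugin editor: must be disabled in wp-config.php.
    if ! grep -qE "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
            "$root/wp-config.php" 2>/dev/null; then
        echo "FINDING: DISALLOW_FILE_EDIT not set to true in $root/wp-config.php"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# wp_harden DIR: apply the three fixes. The constant is inserted before the
# wp-settings.php require, because constants defined after that line are
# ignored by WordPress.
wp_harden() {
    root=$1
    rm -f "$root/readme.html"

    grep -qiE 'php_flag[[:space:]]+display_errors' "$root/.htaccess" 2>/dev/null \
        || echo 'php_flag display_errors off' >> "$root/.htaccess"

    if ! grep -q 'DISALLOW_FILE_EDIT' "$root/wp-config.php"; then
        awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
            /wp-settings\.php/ && !done { print line; done = 1 }
            { print }
            END { if (!done) print line }
        ' "$root/wp-config.php" > "$root/wp-config.php.tmp" \
        && mv "$root/wp-config.php.tmp" "$root/wp-config.php"
    fi
}

# make_sample_site: constructed, deliberately unhardened install in a temp
# directory (not a real site); prints its path.
make_sample_site() {
    d=$(mktemp -d)
    printf '<html>Welcome to WordPress 3.6.1</html>\n' > "$d/readme.html"
    printf '%s\n' '<?php' \
        "define( 'DB_NAME', 'wordpress' );" \
        "require_once ABSPATH . 'wp-settings.php';" > "$d/wp-config.php"
    printf '# BEGIN WordPress\n' > "$d/.htaccess"
    echo "$d"
}

# Demo: audit, harden, audit again.
site=$(make_sample_site)
wp_audit "$site" || echo "$? finding(s) before hardening"
wp_harden "$site"
wp_audit "$site" && echo "no findings after hardening"
rm -rf "$site"
```

wp_audit returns the number of findings as its exit status, so it can gate a deployment step (a non-zero status fails the job). The wp-config.php edit goes through awk rather than a plain append because the DISALLOW_FILE_EDIT line has to sit above the wp-settings.php require to take effect.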



3 comments

  1. what’s your opinion on also deleting all those plugins’ readme.txt files? thanks:)

    • Hi mike,
      Ideally you should delete them, but then again, every time you update a plugin, it creates a new README file. At some point it gets really annoying.
      Does it do any harm? I guess not, except for letting someone else know which version of the plugin you're using. But if you stick with supported plugins, you should not have any issues. Most vulnerabilities are with old versions of plugins (for example: W3TC). The most important part is to lock down your wp-admin as much as you can and configure your server properly.
      What this scanner does is provide you a set of standard recommended practices, which may or may not be related to your particular installation. Cheers,
      -BMO
