WPScan is a tool created by Ryan Dewhurst that lets you scan WordPress installations for vulnerabilities. I discovered it thanks to the weekly Security by Default links, and today I was playing with it a bit.
Among its most interesting options are the enumeration of installed plugins, of known vulnerabilities and of usernames, the last of which it can then use for brute-force attacks on the login. In the following video I carry out a real attack on a blog that belongs to me and go over the countermeasures that can be adopted.
Note: the latest version of the program is 1.1; in the video I use the previous one. An apt-get update && apt-get upgrade will refresh the repositories and update the installed programs. Thanks @ethicalhack3r.
Countermeasures and advice:
As many of you will know, keeping the WordPress installation and its plugins up to date is essential for the security of the site; the video clearly shows that, without much complication, vulnerabilities and their corresponding exploits can be identified.
It is possible to hide the WordPress version, and with a suitable server configuration you can also prevent the plugin listing; the following links have more information on both:
– Hide WordPress version.
– Plugin listing and a secure Apache configuration to avoid it.
On the other hand, perhaps the most striking thing is obtaining the password by brute force, but this attack is easy to mitigate and there are several ways to do it. In addition to using a strong password that is changed periodically, you can install plugins such as Login LockDown or Limit Login Attempts, which block an IP address after a certain number of failed logins.
Another very interesting plugin is Google Authenticator, which adds a second verification step to the login: even if your WordPress password is stolen, the second factor is still needed to get in.
User enumeration can also be prevented, and keep in mind that a brute-force attack could equally be launched against FTP, so strong passwords plus some extra protection that detects and blocks attacks (firewall + brute force detection) are essential. The following links contain more information, tips and solutions:
– Enumeration of users in WordPress (how they are detected).
– Hide errors in the WordPress login.
– Restrict access by IP to the login.
– Block brute force attacks (Brute Force Detection).
– 21 security plugins and more recommendations for the server.
– Avoid the full path disclosure of plugins and themes.
– 13 Vital Tips and Hacks to Protect Your WordPress Admin Area.
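As an added illustration (not code from the original post, nor from any of the plugins named above), the following must-use plugin implements in PHP the countermeasures the links above cover: hiding the WordPress version, blocking user enumeration, a generic login error, a per-IP lockout after repeated failed logins in the spirit of Login LockDown / Limit Login Attempts, and an optional IP allowlist for the login page. The hx_ prefix, the 5-attempt / 15-minute thresholds and the 203.0.113.10 address are assumptions chosen for the example, and it targets current WordPress hooks (the REST users endpoint in particular postdates the version this post was written against).

```php
<?php
/*
Plugin Name: Hardening example (added illustration, not from the original post)
Description: Must-use plugin; save as wp-content/mu-plugins/hx-hardening.php.
*/

// 1. Hide the WordPress version: drop the generator tag from <head> and feeds,
//    and strip the ?ver=X.Y.Z query string from enqueued scripts and styles.
//    Caveat: readme.html on disk still reveals the version; delete it too.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

function hx_strip_version_query_arg( $src ) {
    // Note: this also removes cache busting for asset URLs.
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'script_loader_src', 'hx_strip_version_query_arg', 20 );
add_filter( 'style_loader_src', 'hx_strip_version_query_arg', 20 );

// 2. Block user enumeration: /?author=N normally redirects to /author/<login>/,
//    and the REST users endpoint lists logins; deny both to anonymous visitors.
function hx_block_author_enumeration() {
    if ( ! is_admin() && isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'hx_block_author_enumeration' );

function hx_hide_rest_users( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'hx_hide_rest_users' );

// 3. One generic login error, so a wrong username and a wrong password look
//    the same (the default messages confirm which usernames exist).
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );

// 4. Per-IP lockout after too many failed logins, the minimal form of what
//    Login LockDown / Limit Login Attempts do. Thresholds are assumptions.
const HX_MAX_ATTEMPTS = 5;
const HX_LOCK_SECONDS = 900;

function hx_client_ip() {
    // Assumes no reverse proxy. Behind one, read the proxy's header instead,
    // and only trust it when REMOTE_ADDR is the proxy; X-Forwarded-For is
    // otherwise attacker-controlled and would let the lockout be bypassed.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function hx_fail_key() {
    return 'hx_login_fail_' . md5( hx_client_ip() );
}

function hx_record_failed_login( $username ) {
    $count = (int) get_transient( hx_fail_key() );
    // Each failure restarts the window, so a continuing attack stays locked.
    set_transient( hx_fail_key(), $count + 1, HX_LOCK_SECONDS );
}
add_action( 'wp_login_failed', 'hx_record_failed_login' );

function hx_check_lockout( $user, $username, $password ) {
    // Priority 30 runs after the core password check, so even a correct
    // password is refused while the IP is locked out.
    if ( (int) get_transient( hx_fail_key() ) >= HX_MAX_ATTEMPTS ) {
        return new WP_Error( 'hx_locked', 'Too many failed logins, try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'hx_check_lockout', 30, 3 );

function hx_clear_failed_logins( $user_login, $user ) {
    delete_transient( hx_fail_key() );
}
add_action( 'wp_login', 'hx_clear_failed_logins', 10, 2 );

// 5. Optional: serve wp-login.php only to an allowlist of addresses.
//    203.0.113.10 is a placeholder from the documentation range; an empty
//    list disables the check.
function hx_login_allowlist() {
    return array( '203.0.113.10' );
}

function hx_restrict_login_by_ip() {
    $allowed = hx_login_allowlist();
    if ( $allowed && ! in_array( hx_client_ip(), $allowed, true ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'login_init', 'hx_restrict_login_by_ip' );
```

Two things this does not replace: the plugin directory listing is stopped in the web server (Options -Indexes in Apache, or an empty index.php in wp-content/plugins), and the lockout is keyed on the client address, so a distributed attack from many addresses still needs the strong password and second factor the post recommends. A transient-based counter also shares the object cache with everything else, so on a busy site a dedicated table or the server-side firewall (CSF, Brute Force Detection) is the more robust home for this logic.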
There are more security aspects that could be mentioned; the links I share cover all of them, so I recommend reading them calmly and ahead of time to learn more and keep your blogs safer. If you have any questions or need a hand with an installation, you already know you can leave a comment.
Finally, there are some applications that can help us detect problems or bad configurations: for WordPress there is the WebsiteDefender plugin, which performs a security analysis and periodic checks (recommended). If you have a VPS or dedicated server running Linux, I recommend trying CSF (ConfigServer Security & Firewall), a firewall that also verifies the server's configuration and security; best of all, it explains the actions to take to correct the problems.