There's no question that the WordPress core software has one of the best security infrastructures around. However, like most of its alternatives, WordPress is not entirely safe. Statistics suggest that over 30,000 new WordPress sites are hit by malicious actors every day.
One of the reasons WordPress is so vulnerable to attacks is its ever-growing popularity. As of 2021, this content management system (CMS) is estimated to power 39.5% of the world's websites. With over 1.3 billion active websites globally, that works out to a share of well over 500 million WordPress sites.
Another major problem is the sheer number of premium and free plugins and themes available for WordPress sites. While these tools add customization and functionality, most of their authors and developers are not security experts and don't give security much thought. This has the unfortunate side effect of making WordPress a juicy target for hackers. It's estimated that 52% of successful WordPress attacks are related to plugins.
End Users' Fault
It is important to note that WordPress websites are not targeted mainly because of vulnerabilities in the core software. Instead, the problem usually stems from security issues caused by poor management on the part of site owners.
Website security is a complex (sometimes confusing) area for most WordPress users. But the fact is that most attacks stem entirely from easily avoidable mistakes: failing to password-protect the admin area, using weak passwords, and failing to update WordPress, themes and plugins regularly.
Testing Your WordPress Website Security
The process of making your WordPress website secure starts with an intensive security audit. And because WordPress security is an ever-changing landscape, testing your WordPress website's security needs to be a regular practice, not a one-off.
Using WPScan to Scan for Vulnerabilities
WPScan is an open-source tool used to test WordPress sites for known vulnerabilities in the core and in most plugins and themes. As a black-box security scanner, WPScan works the way an outside attacker would: it probes the site from the outside, without access to the dashboard or source code.
This all-in-one WordPress scanning tool checks for known vulnerabilities against wpvulndb.com, a WordPress vulnerability database with more than 23,000 known core, plugin and theme vulnerabilities. If WPScan can identify vulnerabilities on the site, that's a clear sign that the site is ripe for attack.
Among other things, WPScan:
- Identifies the WordPress version to ensure you're not running a vulnerable one
- Checks whether the installed plugins and themes are up to date and scours them for known vulnerabilities
- Finds database dumps
- Detects exposed error logs
- Checks usernames and passwords using brute force
- Identifies wp-config files
- Enumerates media files
How to Scan a WordPress Website using WPScan
Using WPScan to test for vulnerabilities is pretty straightforward.
Start by installing or updating WPScan. WPScan is already installed in the full version of Kali Linux. Otherwise, you can install it by executing this command:
gem install wpscan
To update a pre-installed WPScan tool, type this command:
gem update wpscan
Using WPScan starts with a basic scan of the site, using the following command:
wpscan --url yourwebsite.com
Next, check the installed plugins and themes for vulnerabilities. The command below enumerates vulnerable plugins (that is what the -e vp option selects). Note that you need to register on the WPScan website to get an API token for the WPScan Vulnerability Database.
wpscan --url yourwebsite.com -e vp --api-token YOUR_TOKEN
Brute-forcing user passwords with WPScan. Execute the command below (note that the option takes two dashes):
wpscan --url https://<url> --passwords <path-of-password-file>
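The commands above, wrapped into a script you could run against a site you administer, as an added example that is not part of the original article or of the WPScan project. The WPScan flags it uses (--url, -e with vp/vt/u, --api-token, --format json, -o, --no-banner) are WPScan's own; the layout of the JSON report is an assumption about WPScan's JSON output, and the sample report the script checks when run without arguments is constructed data.

```shell
#!/bin/sh
# Added example (not from the article or the WPScan project): run WPScan
# against a site you own, keep the API token out of the script text, and
# fail a pipeline step when the JSON report lists known vulnerabilities.
# ASSUMPTION: each vulnerability entry in the report carries a "title" key,
# as in the CONSTRUCTED sample report at the bottom of this file.
set -u

# Run the scan. -e vp,vt,u enumerates vulnerable plugins, vulnerable themes
# and users; --format json -o writes a machine-readable report. The API token
# is read from $WPSCAN_API_TOKEN rather than pasted into the script.
run_scan() {
    site="$1"; report="$2"
    if [ -n "${WPSCAN_API_TOKEN:-}" ]; then
        wpscan --url "$site" -e vp,vt,u --format json -o "$report" \
               --no-banner --api-token "$WPSCAN_API_TOKEN"
    else
        echo "WPSCAN_API_TOKEN unset: vulnerability data will be missing" >&2
        wpscan --url "$site" -e vp,vt,u --format json -o "$report" --no-banner
    fi
}

# Count vulnerability entries in a JSON report (one "title" key per entry).
count_vulns() {
    grep -o '"title"' "$1" | wc -l | tr -d ' '
}

# Print one finding per line so the report is readable in CI logs.
list_vulns() {
    grep -o '"title": *"[^"]*"' "$1" | sed 's/^"title": *"//; s/"$//'
}

# Return non-zero when anything was found, so the pipeline fails closed.
gate_report() {
    n=$(count_vulns "$1")
    if [ "$n" -gt 0 ]; then
        echo "WPScan found $n known vulnerabilities:" >&2
        list_vulns "$1" >&2
        return 1
    fi
    echo "WPScan found no known vulnerabilities" >&2
    return 0
}

# CONSTRUCTED sample report, standing in for a real "wpscan -o" file.
SAMPLE_REPORT="${TMPDIR:-/tmp}/wpscan-sample-$$.json"
cat > "$SAMPLE_REPORT" <<'EOF'
{
  "plugins": {
    "example-plugin": {
      "version": {"number": "1.0.0"},
      "vulnerabilities": [
        {"title": "Example Plugin < 1.1.0 - Stored XSS (constructed sample)", "fixed_in": "1.1.0"}
      ]
    }
  },
  "themes": {}
}
EOF

# Stand-alone usage: ./wpscan-gate.sh https://yourwebsite.example report.json
# With no arguments, only the constructed sample report is checked.
if [ $# -eq 2 ]; then
    run_scan "$1" "$2" && gate_report "$2"
else
    gate_report "$SAMPLE_REPORT" || true
fi
```

The gate deliberately treats any listed vulnerability as a failure; if you want to tolerate findings with no fix available, filter on the report's fixed_in field before counting rather than relaxing the exit status.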
Using IAST to Test Security
Interactive Application Security Testing (IAST) by snyk.io is the most recent web application security testing approach. It is often perceived as a replacement for conventional automated security testing tools like DAST and SAST. In essence, though, IAST combines the best elements of DAST and SAST while eliminating their common limitations.
IAST tools analyze code for security issues while the web application is being run by a human or automated tester. They gather vital real-time information about what the app does and how execution flows. Because IAST tools detect vulnerabilities simply by browsing the app, they eliminate the need to install plugins or conduct separate penetration testing activities.
One of the main benefits that IAST offers to application developers is accuracy. Advanced IAST tools have an impressively low false-negative rate and low false-positive rate. This means they can detect as many actual risks as possible while not flagging unexploitable risks as exploitable. In contrast, SAST tools often come up with many false positives, which can be as high as 60% in some cases.
Steps to Conducting an IAST Effectively
- Involve DevOps to integrate IAST into the CI/CD environment.
- Select your IAST tool.
- Set up the scanning infrastructure and deploy the IAST tool.
- Customize the tool by refining it to your organization's needs. This includes creating dashboards to track scan results.
- Add applications for scanning, starting with high-risk ones.
- Analyze scan results to remove false positives and remediate vulnerabilities.
- Go through the results as a team and train the development and security departments to incorporate the findings when developing and deploying applications.
Testing WordPress Site for Sensitive Information Leakage
For 2021, the OWASP Top Ten classifies information leakage (now referred to as cryptographic failures) as the second most common web application risk. Information leakage is when the site reveals sensitive data such as:
- Credentials, including SMTP credentials, backup files or zips, and passwords to protected posts.
- Personally Identifiable Information such as names, usernames and email addresses.
- System information, for instance software versions, security logs, database tables and PHP configuration.
Most cases of WordPress information leakage have been linked to the vast number of plugins available for this CMS. But the main problem is rooted in WordPress' file permission scheme, which requires the wp-content/ folder to grant plugins write permission. The issue with this privilege is that some plugins may start creating log files containing sensitive information without the admin's knowledge.
When testing for information leakage on WordPress, it's crucial to check whether any backup files with default names are lying around. For instance, a backup of wp-config.php may be called something like wp-config.php.bak. Identifying such a file, and reviewing its full contents, helps prevent sensitive information from getting into the wrong hands.
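One way to run that check from the server side, as an added example that is not part of the original article: the script below walks the local WordPress document root and lists the kinds of files the text describes (wp-config.php backups, generic backup leftovers, database dumps, archives, and plugin log files under wp-content/), and also reports whether wp-config.php is readable by every local account. The file-name patterns are assumptions about what backup tools and editors typically leave behind; with no argument the script audits a constructed sample tree instead of a real site.

```shell
#!/bin/sh
# Added example (not from the article): a server-side audit for the leakage
# vectors described in the text, run over the local WordPress document root
# rather than over the network. The file-name patterns are ASSUMPTIONS about
# what backup tools and editors commonly leave behind; the sample tree built
# by make_sample_root is CONSTRUCTED so the script runs offline.
set -u

# List files under a document root that should never be web-reachable:
# backup copies of wp-config.php, generic *.bak/*.old/*~ leftovers, database
# dumps, archives, and log files (the wp-content/ write permission lets
# plugins create those without the admin noticing). Paths are printed
# relative to the root, sorted for stable output.
find_leaky_files() {
    root="$1"
    find "$root" -type f \( \
        -name 'wp-config.php.*' -o -name 'wp-config.*.php' -o \
        -name '*.bak' -o -name '*.old' -o -name '*.orig' -o -name '*~' -o \
        -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' -o -name '*.tar.gz' -o \
        -name '*.log' -o -name 'error_log' \) \
        | sed "s|^$root/||" | sort
}

# Return 0 when wp-config.php is readable by "other" (permission bit 004),
# i.e. by every local account and not only the web server user.
config_world_readable() {
    [ -n "$(find "$1" -maxdepth 1 -name wp-config.php -perm -004)" ]
}

# Build the CONSTRUCTED sample tree (a backup of wp-config.php, a plugin
# debug log and a database dump next to legitimate files) and print its path.
make_sample_root() {
    root="${TMPDIR:-/tmp}/wp-leak-sample-$$"
    mkdir -p "$root/wp-content/uploads"
    printf '<?php // constructed sample\n' > "$root/index.php"
    printf "<?php define('DB_PASSWORD', 'sample-not-real');\n" > "$root/wp-config.php"
    cp "$root/wp-config.php" "$root/wp-config.php.bak"
    printf 'PHP Notice: constructed sample log line\n' > "$root/wp-content/debug.log"
    printf -- '-- constructed dump\n' > "$root/wp-content/uploads/backup-2024.sql"
    chmod 644 "$root/wp-config.php"
    printf '%s\n' "$root"
}

# Print the audit for one document root.
audit() {
    root="$1"
    echo "== files that should not be reachable under $root =="
    find_leaky_files "$root"
    if config_world_readable "$root"; then
        echo "!! wp-config.php is world-readable; consider chmod 640"
    fi
}

# Stand-alone usage: ./wp-leak-audit.sh /var/www/html
# With no argument the constructed sample tree is audited instead.
audit "${1:-$(make_sample_root)}"
```

Anything the audit lists should be moved out of the document root or deleted, not merely renamed; a file that is still served is still leaked, whatever it is called.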