What is the way to hack wordpress websites

Father

How to break and protect WordPress with our own hands

Contents of the article

  • Testing process automation
  • Security plugins for WordPress
  • WWW
  • Useful links
WordPress is an easy-to-use publishing and blogging platform that powers a huge number of sites. Because it is so widespread, this CMS has long been an attractive target for attackers. Unfortunately, the default settings do not provide an adequate level of protection and leave many well-known holes open. In this article we will walk the typical path of a WordPress site compromise and show how to eliminate the vulnerabilities found along the way.

Introduction
Today WordPress is the most popular content management system: its share is 60.4% of all sites that use a CMS engine. Of these, according to statistics, 67.3% run the latest version of the software. Meanwhile, over the twelve years of the engine's existence, 242 vulnerabilities of various kinds have been discovered in it (not counting those found in third-party plugins and themes). The statistics for third-party add-ons look even worse: the Revisium company analysed 2350 Russian WordPress templates taken from various sources and found that more than half (54%) were infected with web shells, backdoors or black-hat SEO ("spam") links, or contained scripts with critical vulnerabilities. So make yourself comfortable; we will now work out how to audit a WordPress site and fix the deficiencies we find. We will use version 4.1 (Russified).

Site indexing
The first step in any test is usually collecting information about the target. Misconfigured site indexing often helps here: it lets unauthorized users view the contents of individual sections of the site and, for example, learn which plugins and themes are installed or even reach confidential data and database backups. The easiest way to check which directories are visible from the outside is Google: run a Google Dorks query such as site:example.com intitle:"index of" inurl:/wp-content/. The following directories can be specified in the inurl: operator:
Code:
/wp-content/
/wp-content/languages/plugins
/wp-content/languages/themes
/wp-content/plugins/
/wp-content/themes/
/wp-content/uploads/

If /wp-content/plugins/ can be browsed, the next step, collecting information about installed plugins and their versions, becomes much easier. Naturally, you can disable indexing with a robots.txt file; note that it only asks well-behaved crawlers to stay away and does not by itself block access to anything. Since it is not included in the WordPress installation package, you have to create it yourself and upload it to the root directory of the site. There are quite a few manuals on creating and working with robots.txt, so I will leave that topic for self-study and give just one of the possible options:
Code:
User-Agent: *
Disallow: /cgi-bin
Disallow: /wp-login.php
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /?author=*
Allow: /

If the uploads folder contains files of a confidential nature, add this line to the list: Disallow: /wp-content/uploads/.
On the other hand, it is not recommended to list in robots.txt the directories that were created specifically for storing sensitive information. Doing so only makes the attacker's job easier, since this is the first place everyone looks for something "interesting".

Determining the WordPress version
Another important step is identifying the CMS version; otherwise, how would you find a suitable exploit? There are three quick ways to determine which version of WordPress a site is running:
  1. Look in the page source: the version is listed in the generator meta tag or in <link> tags.
  2. Look in the file readme.html, which ships with the installation package and sits in the root of the site. The file may also exist under localized names such as readme-ja.html.
  3. Look in the file ru_RU.po, which ships with the installation package and sits in /wp-content/languages/:
    Code:
    "Project-Id-Version: WordPress 4.1.1\n"

[Image: looking up the WordPress version in the ru_RU.po file]

One of the protection options here is to restrict access to readme.html and ru_RU.po using .htaccess.

Testing process automation
WordPress security research did not start yesterday, so there are plenty of tools that automate routine tasks.
Nmap:
  • version and theme detection using the http-wordpress-info script
    Code:
    nmap -sV --script http-wordpress-info example.com
  • dictionary password guessing
    Code:
    nmap -p80 --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwords.txt' example.com

Metasploit:
  • module for determining the version: auxiliary/scanner/http/wordpress_scanner;
  • module for enumerating usernames: auxiliary/scanner/http/wordpress_login_enum.

WPScan:
  • listing the installed plugins: wpscan --url www.example.com --enumerate p;
  • listing the installed themes: wpscan --url www.example.com --enumerate t;
  • listing installed timthumbs: wpscan --url www.example.com --enumerate tt;
  • enumerating usernames: wpscan --url www.example.com --enumerate u;
  • dictionary password guessing for the user admin: wpscan --url www.example.com --wordlist wordlist.txt --username admin;
  • password guessing against the enumerated username/password pairs with 50 threads: wpscan --url www.example.com --wordlist wordlist.txt --threads 50.

Identifying installed components
Now let's collect information about installed plugins and themes, whether activated or not. First of all, such information can be extracted from the HTML source of a page: from JavaScript links, from comments, and from resources such as CSS that are loaded into the page. This is the easiest way to learn about installed components. For example, the line below reveals that the twentyeleven theme is in use:
Code:
<script src="http://example.com/wp-content/themes/twentyeleven/js/html5.js" type="text/javascript"></script>

Further, HTTP headers such as X-Powered-By can indicate the presence of a plugin (for example, the W3 Total Cache plugin).
Since plugin information does not always show up in the HTML source, you can detect installed components with the WPScan utility (see the sidebar above). Just do not forget that enumerating plugin paths leaves a trail in the web server logs.
Having collected data about the installed components, you can start looking for vulnerabilities yourself or search for public exploits on resources such as Rapid7 or Exploit-DB.

Determining usernames
By default, WordPress assigns each user a unique numeric identifier that is exposed in URLs of the form example.com/?author=1. By iterating over the numbers, you can learn the names of the site's users. The admin account created during WordPress installation has ID 1, so deleting it is a recommended protective measure.

Brute-forcing wp-login
Errors in user authentication.
Knowing the username, you can try to guess the password for the administration panel. The WordPress login form on wp-login.php is very informative, especially for an attacker: when incorrect data is entered, it says whether the username or the password for that specific user was wrong. The developers are aware of this, but decided to keep it, since such messages help users who have forgotten their username and/or password. The password-guessing problem is solved by using a strong password of twelve or more characters that mixes upper- and lower-case letters, digits and special characters, or, for example, by using the Login LockDown plugin.
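Everything in the last three sections leaves traces in the web server's access log: plugin-path enumeration shows up as bursts of 404s under /wp-content/plugins/, user enumeration as a run of ?author=N requests, and password guessing as many POSTs to wp-login.php from one client. The following Python script is an added example, not part of the original post or of any tool mentioned in it. It assumes Apache "combined" log format, the thresholds are arbitrary choices for the demo, and the log lines it analyses are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, login_threshold=10, author_threshold=3, plugin_404_threshold=5):
    """Return {client_ip: [finding, ...]} for the recon and brute-force patterns."""
    login_posts = Counter()          # POSTs to wp-login.php per IP
    author_ids = defaultdict(set)    # distinct ?author=N values requested per IP
    plugin_404s = Counter()          # 404s under /wp-content/plugins/ per IP
    scanner_ua = {}                  # IPs that announced a scanner User-Agent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip] += 1
        m = AUTHOR_RE.search(path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        if path.startswith("/wp-content/plugins/") and rec["status"] == "404":
            plugin_404s[ip] += 1
        if "wpscan" in rec["ua"].lower():
            scanner_ua[ip] = rec["ua"]

    findings = defaultdict(list)
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"wp-login.php brute force: {n} POSTs")
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f"author enumeration: ids {sorted(ids)}")
    for ip, n in plugin_404s.items():
        if n >= plugin_404_threshold:
            findings[ip].append(f"plugin enumeration: {n} 404s under /wp-content/plugins/")
    for ip, ua in scanner_ua.items():
        findings[ip].append(f"scanner User-Agent: {ua}")
    return dict(findings)


def _line(ip, method, path, status, ua="Mozilla/5.0"):
    # Builds a constructed combined-format line (sample data, not a real log).
    return (f'{ip} - - [10/May/2015:12:00:01 +0300] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample log: one legitimate visitor and two scanning clients.
SAMPLE_LOG = (
    [_line("192.0.2.10", "GET", "/", 200),
     _line("192.0.2.10", "POST", "/wp-login.php", 302)]            # one successful login
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 12     # 12 failed logins
    + [_line("203.0.113.7", "GET", f"/?author={i}", 301) for i in (1, 2, 3)]
    + [_line("198.51.100.23", "GET", f"/wp-content/plugins/{p}/readme.txt", 404,
             ua="WPScan v2.7") for p in ("akismet", "jetpack", "hello-dolly",
                                         "wp-super-cache", "contact-form-7", "w3-total-cache")]
)

if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        print(ip)
        for note in notes:
            print("   ", note)
```

On a real server, feed it the access log with something like analyse(open("/var/log/apache2/access.log")) and tune the thresholds to the site's normal traffic; the legitimate visitor in the sample produces no finding at all.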

Security plugins for WordPress
  • Login LockDown - limits the number of unsuccessful authorization attempts;
  • Revisium WordPress Theme Checker - searches for typical malicious fragments in WordPress themes;
  • Sucuri Security - monitors for and detects malicious code;
  • iThemes Security (former Better WP Security) - multifunctional WordPress security plugin;
  • BackUpWordPress - backs up files and databases;
  • Google Captcha (reCAPTCHA) - installs captcha during registration, authorization, password recovery and in the form of comments.

Uploading a shell
Once the password has been obtained, nothing prevents us from uploading a shell to the compromised web resource. The Weevely framework is quite suitable for this: it generates a shell in obfuscated form, which makes detection rather difficult. To avoid arousing suspicion, the resulting code can be inserted into any theme file (for example, index.php) through the theme editor in the WordPress dashboard.

After that, using the same Weevely, you can connect to the victim's machine and call various commands:
Code:
python weevely.py http://test/index.php Pa$$w0rd
[+] weevely 3.1.0
[+] Target:test
[+] Session:   _weevely/sessions/test/index_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> :help

Using .htaccess
To deny access to sensitive information it is better to use .htaccess, the per-directory configuration file of the Apache web server. Let's look at what this file can do from a security point of view: it can deny access to directories and files and block various SQL injection attempts and malicious scripts. To do this, the standard .htaccess of WordPress 4.1 needs to be extended a little (the RewriteCond lines below assume RewriteEngine On is already set, as it is in the standard file). To disable directory listings, add:
Code:
Options +FollowSymLinks -Indexes

The line
Code:
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]

blocks requests whose query string contains a base64_encode(...) call. To get rid of links containing the <script> tag:
Code:
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]

Prevent scripts from trying to set global variables or modify the _REQUEST variable via the URL:
Code:
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# closes the chain of conditions above: any match answers 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]

To counteract SQL injection, we block requests to URLs containing certain keywords:
Code:
RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*all.*select [NC]
RewriteRule ^(.*)$ index.php [F,L]

To make life harder for common hacker utilities, filter out certain User-Agents (keep in mind that a client can send any User-Agent string it likes, so this only stops tools that do not bother to change it):
Code:
SetEnvIf User-Agent "Indy Library" stayout=1
SetEnvIf User-Agent "libwww-perl" stayout=1
SetEnvIf User-Agent "Wget" stayout=1
Deny from env=stayout
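To see which requests the RewriteCond filters above actually catch, and which they miss, the following Python script is an added example (not from the original post) that applies the same regular expressions to raw query strings, the way mod_rewrite matches %{QUERY_STRING} before percent-decoding. The sample query strings are constructed. Two details worth noticing: the GLOBALS and _REQUEST conditions carry no [NC] flag, so a lowercase spelling slips through, while the union/all/select condition is case-insensitive and also fires on an innocent search phrase.

```python
import re

# (pattern, case-insensitive) pairs copied from the RewriteCond lines above.
# The [NC] flag on a RewriteCond corresponds to re.IGNORECASE here.
RULES = [
    (r"base64_encode[^(]*\([^)]*\)", False),
    (r"(<|%3C)([^s]*s)+cript.*(>|%3E)", True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"concat.*\(", True),
    (r"union.*select.*\(", True),
    (r"union.*all.*select", True),
]
COMPILED = [(re.compile(p, re.IGNORECASE if nc else 0), p) for p, nc in RULES]


def matching_rule(query_string):
    """Return the first pattern that fires on the raw (still percent-encoded) query
    string, or None. The conditions are chained with [OR], so one hit is enough for
    the closing RewriteRule ... [F,L] to answer 403."""
    for rx, pattern in COMPILED:
        if rx.search(query_string):
            return pattern
    return None


def is_blocked(query_string):
    return matching_rule(query_string) is not None


# Constructed query strings: some hostile, some ordinary visitor input.
CASES = {
    "p=1": "ordinary post request",
    "id=1+union+all+select+1,2,3": "classic SQL injection probe",
    "s=%3Cscript%3Ealert(1)%3C/script%3E": "encoded <script> in the search box",
    "s=%3cscript%3ealert(1)%3c/script%3e": "same with lowercase hex (caught thanks to [NC])",
    "GLOBALS[x]=1": "attempt to inject a global",
    "globals[x]=1": "lowercase variant: NOT caught, the GLOBALS rule has no [NC]",
    "cmd=base64_encode(foo)": "base64_encode() call in a parameter",
    "s=reunion+of+all+selections": "legitimate search that the union/all/select rule blocks",
}


def evaluate_cases():
    """Map each sample query string to the rule that blocks it (None = passes)."""
    return {qs: matching_rule(qs) for qs in CASES}


if __name__ == "__main__":
    for qs, rule in evaluate_cases().items():
        print(f"{'BLOCK' if rule else 'pass '}  {qs:42}  {CASES[qs]}")
```

The last case is the practical lesson: keyword filters of this kind are cheap, but they are not a substitute for parameterised queries in the plugins themselves, and every rule added to .htaccess should be tested against the site's real search traffic before it goes live.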

Protecting files
It would also be wise to restrict access to especially important files that store configuration or simply give an attacker information. Candidates include:
  • wp-config.php, which contains the database name, username, password and table prefix;
  • .htaccess;
  • readme.html and ru_RU.po, which reveal the WordPress version;
  • install.php.

This is done with a <Files> block for each protected file (a bare Deny from all would shut off the whole directory, including the site's front page):
Code:
<Files "wp-config.php">
    Order Allow,Deny
    Deny from all
</Files>

The .htaccess containing these lines must be located in the same directory as the protected file. Next, we prohibit user enumeration (remember how easy it was to get a list of users a little earlier?):
Code:
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

What else? You can allow logins only from specified IP addresses. To do this, create an .htaccess in the wp-admin folder with the following rules (Apache does not accept comments at the end of a directive line, so they go on lines of their own):
Code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order Deny,Allow
Deny from all
# home computer IP
Allow from 178.178.178.178
# work computer IP
Allow from 248.248.248.248

The method is not very flexible and is applicable only if you work with a limited number of fixed IP addresses. Otherwise, it is recommended to set a password for the wp-admin folder through the hosting panel (if such functionality is available).

WWW
The 5G Blacklist and 6G Blacklist (beta) rule sets from Perishable Press help deal with the prevalent malicious URL requests aimed at WordPress.

Additional measures
A few more recommendations can be added to what was said above. First, use only the latest versions of WordPress and its components; this eliminates known vulnerabilities. Second, remove unused plugins and themes, which can also be exploited. Third, download WordPress themes and plugins only from trusted sources such as the developers' sites and the official WordPress site. As with a home PC, periodically check your web resource with a web antivirus such as AI-Bolit.

If you have access to the web server, set up file and directory permissions. WordPress normally sets all the necessary permissions at installation time, but if necessary chmod can be applied manually: chmod 755 for directories and chmod 644 for files. Make sure that mode 777 is assigned only to objects that really need it (sometimes this is necessary for the normal operation of some plugins). If WordPress stops functioning properly, experiment with permissions: first try 755, then 766 and finally 777. For all .htaccess files set chmod 444 (read-only); if the site stops working, try the values 400, 440, 444, 600, 640, 644.
Move the file wp-config.php. It contains the MySQL settings, table prefix, secret keys and so on, so it should be put out of reach of the Internet. If the site sits in a folder such as public_html, move wp-config.php one level up: WordPress will automatically look for it in that parent directory (this works if the hosting account has only one site on this CMS).
To make uploading a shell harder, disable theme editing through the WordPress dashboard by adding the following line to wp-config.php: define('DISALLOW_FILE_EDIT', true);.
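The permission advice above can be checked mechanically. The following Python script is an added example, not from the original post; it builds a small constructed WordPress-like directory tree in a temporary folder and then audits it for the three issues discussed: world-writable objects, .htaccess files that are not read-only (444), and a wp-config.php still sitting inside the web root. The expected modes (755/644/444) are taken from the text; the fixture's layout is made up for the demo, and the script assumes a POSIX filesystem that honours chmod.

```python
import os
import stat
import tempfile


def expected_mode(name, is_dir):
    """Recommended mode from the text: 755 for directories, 644 for files, 444 for .htaccess."""
    if is_dir:
        return 0o755
    return 0o444 if name == ".htaccess" else 0o644


def audit_permissions(root):
    """Walk a WordPress tree and return (relative path, actual mode, problem) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(n, True) for n in dirnames] + [(n, False) for n in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            want = expected_mode(name, is_dir)
            if name == "wp-config.php":
                findings.append((rel, oct(mode),
                                 "wp-config.php is inside the web root; move it one level up"))
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode),
                                 "world-writable; confirm a plugin really needs this"))
            elif mode != want:
                findings.append((rel, oct(mode),
                                 f"mode differs from the recommended {oct(want)}"))
    return findings


def build_fixture():
    """Create a constructed mini WordPress tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {  # relative path -> mode; mkdir/open honour umask, so chmod afterwards
        "wp-content": 0o755,
        "wp-content/plugins": 0o755,
        "wp-content/uploads": 0o777,      # the classic "a plugin needed it" directory
        "index.php": 0o644,
        "wp-config.php": 0o644,           # correct mode, wrong place
        ".htaccess": 0o644,               # should be read-only
        "wp-content/plugins/.htaccess": 0o444,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if "." in os.path.basename(rel):   # names with a dot are files in this fixture
            open(path, "w").close()
        else:
            os.mkdir(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, mode, problem in audit_permissions(build_fixture()):
        print(f"{mode}  {rel:32}  {problem}")
```

Point audit_permissions() at the real document root to get the same report for a live site; the fixture run reports exactly the uploads directory, the root .htaccess and the misplaced wp-config.php.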

Another weak point is the file install.php (located in the wp-admin folder), so it is best to delete, block or replace it. Choose one of the options:
  1. Simply delete the file; once installation is complete it is no longer needed.
  2. Deny access to the file with .htaccess.
  3. Rename the original install.php (for example to install.php.old) and create a new install.php with the following content:
    Code:
    <?php
    header("HTTP/1.1 503 Service Temporarily Unavailable");
    header("Status: 503 Service Temporarily Unavailable");
    header("Retry-After: 3600"); // 60 minutes
    // admin@example.com is a placeholder: put your own address here
    mail("admin@example.com", "Database Error", "There is a problem with the database!");
    ?>

Error Establishing Database Connection
We are currently experiencing database issues. Please check back shortly. Thank you.

In addition to notifying site visitors, this script:
  • sends clients and search engines status code 503 ("Service Temporarily Unavailable");
  • specifies how long clients and search engines should wait before returning (configurable);
  • notifies you by e-mail about the database problem so that you can act on it.

The point is that in earlier versions of WordPress (<= 2.7.1), when MySQL failed (for example, during a DDoS attack), the CMS allowed a reinstall. The same could happen when one of the WordPress tables failed or became corrupted. In particular, the attack was possible when the wp_options table was damaged (in WordPress 2.6.2) or wp_users (in WordPress 2.0.3 and 2.0.11). That is, different WP versions used different tables as the main check in the installer: either wp_options or wp_users.
Finally, disable registration of new users if it is not necessary. If, nevertheless, registration is provided on the site, make sure that new users after registration receive the minimum privileges.

Useful links
  • Hardening WordPress
  • Ten Steps to Protect Your WordPress Blog
  • Every second Russian template for WordPress is infected or vulnerable
  • Presentation on Hacking WordPress Sites

Conclusion
WordPress is a fairly large and complex product with its own pros and cons. Unfortunately, in the default configuration its security is questionable, since even an ordinary script kiddie with a reasonably skilled pair of hands and an Internet connection can break through its protection. Therefore I highly recommend checking your resource the same way we did in this article, and if you find flaws, fixing them to reduce an attacker's chances of compromising it to a minimum.
 