Recently I was doing a CTF challenge on hackmyvm which involved getting access to a freshly patched WordPress site. It was interesting because, even though my own site is based on WordPress, I had left it untouched with the idea that the latest patch was good enough, and I did not understand the risks around plug-ins. Learning to secure WordPress with the wpscan command will introduce you to just how open to attack a badly configured WordPress site can be. Running a recent version of the WordPress software does not mean your site is safe!
For this setup I am using Kali Linux, which is based on Debian. For the WordPress side I am using WordPress on Docker. You can read about how I set that up in my Docker Lab blog post. However, you can use any modern version of Linux with Docker, docker-compose and the wpscan tool installed.
- 192.168.10.5 – This is my Black Arch Linux enumeration system.
Install and Start Docker
sudo apt install docker.io
sudo systemctl enable --now docker
Docker should be running. You can confirm with the command,
sudo pip install docker-compose
DVWP (Damn Vulnerable WordPress) is a Docker image that can be used for testing our commands. It can be grabbed from GitHub and then built and run locally. Take a look at my GitHub page for instructions on how to install it.
For the rest of this blog post I will assume you have WordPress installed at “http://127.0.0.1:8008”.
The wpscan tool is not open source; it operates under a commercial licence but also has a free-to-use licence. It is this free version that we will use, and it should be enough for most of us. There is even a plugin you can download and install onto your WordPress site. The free usage tier will be enough for most small websites. wpscan has been around since about 2014 and maintains a database of WordPress vulnerabilities. This is hugely valuable to any web admin who runs a WordPress site, as it helps to prevent running insecure versions of WordPress or any of its many insecure plug-ins.
One of the things needed to get the most value out of wpscan is the “api token”. You can get one by heading over to the wpscan site and registering. It is recommended that you use the “api token”, as the tool will then query the wpscan database for the most recent vulnerabilities and display them all in its output. Without the “api token” the output from wpscan is limited.
wpscan can be installed using
sudo apt install wpscan
The best way to enumerate WordPress is with wpscan. There are other alternatives like Metasploit or hydra, but I found that because wpscan is focused only on WordPress it has the scope to do a better job than tools that don’t have the same focus.
The wpscan command needs an api token for a lot of things, but user enumeration is not one of them. By running the command below you can enumerate all the users on your WordPress install.
wpscan --url http://127.0.0.1:8008 -e u1-4
Let's break down this command.
| Option | Meaning |
| --- | --- |
| --url http://127.0.0.1:8008 | WordPress URL |
| -e u1-4 | Enumerate users with IDs 1 to 4; if there are more than 4 then increase the number. |
So with wpscan we have discovered 3 users.
Let's see if we can get the passwords.
The wpscan command also offers an option to brute force passwords, and this command does not need the “api token” either. However, it will only work if you have a password list that contains the actual password in use. Any self-respecting system administrator would never let this happen.
To brute force a discovered WordPress user, you can simply extend the previous command by referencing a password file with the “--passwords” option.
wpscan --url http://127.0.0.1:8008 -e u1-4 --passwords /opt/fasttrack.txt
It didn’t take long to enumerate usernames and passwords. It's important to set secure passwords and not let users select something that is easily found with a brute-force wordlist.
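Both the user enumeration and the password brute force above leave an obvious trail in the web server's access log, and that is the defender's side of this section. The script below is an added example (my own code, not part of the original post or of wpscan) that reads combined-format access log lines and flags two patterns: a source IP walking through /?author=N redirects or hitting the REST users endpoint, and a source IP sending more login POSTs to wp-login.php or xmlrpc.php than a human would in a 60-second window. The log lines are constructed, and the User-Agent string in them is made up; the detection deliberately does not key on it, because wpscan can be run with --random-user-agent.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format), not taken from a real server.
# The first block mimics what an enumeration plus brute-force run leaves behind:
# /?author=N probes, a hit on the REST users endpoint, then a burst of login POSTs.
# The last two lines are a normal user logging in. "scanner-ua" is a made-up User-Agent.
_BURST = [
    f'192.168.10.5 - - [10/Mar/2023:14:01:{5 + i:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 4021 "-" "scanner-ua"'
    for i in range(12)
]
SAMPLE_LOG = "\n".join([
    '192.168.10.5 - - [10/Mar/2023:14:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner-ua"',
    '192.168.10.5 - - [10/Mar/2023:14:01:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner-ua"',
    '192.168.10.5 - - [10/Mar/2023:14:01:01 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "scanner-ua"',
    '192.168.10.5 - - [10/Mar/2023:14:01:01 +0000] "GET /wp-json/wp/v2/users/?per_page=100 HTTP/1.1" 200 812 "-" "scanner-ua"',
    *_BURST,
    '10.0.0.7 - - [10/Mar/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2023:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r"^/\?author=(\d+)$")
REST_USERS = "/wp-json/wp/v2/users"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_log(text):
    """Parse combined-format access log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def find_user_enumeration(events, min_author_ids=3):
    """Per source IP, collect distinct /?author=N probes and REST users-endpoint hits.
    Returns {ip: {'author_ids': [...], 'rest_users_hits': n}} for IPs that look like enumeration."""
    per_ip = defaultdict(lambda: {"author_ids": set(), "rest_users_hits": 0})
    for ev in events:
        if ev["method"] != "GET":
            continue
        m = AUTHOR_RE.match(ev["path"])
        if m:
            per_ip[ev["ip"]]["author_ids"].add(int(m.group(1)))
        elif ev["path"].startswith(REST_USERS):
            per_ip[ev["ip"]]["rest_users_hits"] += 1
    flagged = {}
    for ip, info in per_ip.items():
        if len(info["author_ids"]) >= min_author_ids or info["rest_users_hits"] > 0:
            flagged[ip] = {"author_ids": sorted(info["author_ids"]),
                           "rest_users_hits": info["rest_users_hits"]}
    return flagged


def find_login_bruteforce(events, max_attempts=10, window_seconds=60):
    """Per source IP, find the peak number of login POSTs inside any sliding window.
    Returns {ip: peak_count} for IPs whose peak exceeds max_attempts."""
    attempts = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].split("?")[0] in LOGIN_PATHS:
            attempts[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumeration:", find_user_enumeration(evs))
    print("brute force:", find_login_bruteforce(evs))
```

Point the two functions at a real access log and the flagged IPs are what you would hand to a fail2ban-style blocker. The enumeration half also tells you what to harden: the /?author=N redirect and the public REST users endpoint are the two things wpscan leans on, and both can be disabled or restricted to logged-in users.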
WordPress has a world of plugins. WordPress itself is mostly secure, but it's the plugins that let it down. For example, there are plenty of plugins with stored XSS vulnerabilities that can cause a whole world of issues. Let's see how we can scan for some of those.
wpscan Plugin Scan
By default wpscan scans for vulnerable plugins, but it will not display the vulnerability details without an “api token”.
So there you have it: it lists the plug-ins and any vulnerabilities attached to them. It even gives a link where you can get more information.
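The plugin scan is easiest to act on when the output is machine-readable. As an added example (my own code, not from the original post or from the wpscan project), the script below reads the JSON report that a run such as `wpscan --url http://127.0.0.1:8008 -e vp --api-token <YOUR_TOKEN> -f json -o scan.json` writes and turns it into an action list: which plugins are vulnerable and which version fixes them, and which are merely outdated. The embedded report is constructed; its key names ("plugins", "version", "outdated", "latest_version", "vulnerabilities", "fixed_in") are assumed to match wpscan's JSON format, so check them against a real report before relying on it. It also handles the case where wpscan cannot fingerprint a plugin's version: wpscan then lists every known issue for that plugin, and the installed version has to be confirmed by hand.

```python
import json
import sys

# Constructed wpscan-style JSON report, not real scan output. Key names are assumed to
# match wpscan's "-f json" format; plugin names, versions, titles and URLs are placeholders.
SAMPLE_REPORT = {
    "target_url": "http://127.0.0.1:8008/",
    "version": {"number": "6.1.1", "status": "latest", "vulnerabilities": []},
    "plugins": {
        "example-forms": {
            "slug": "example-forms", "latest_version": "2.4.0", "outdated": True,
            "version": {"number": "2.1.0"},
            "vulnerabilities": [
                {"title": "Example Forms < 2.2.0 - Stored XSS (placeholder)", "fixed_in": "2.2.0",
                 "references": {"url": ["https://example.invalid/vuln-1"]}},
                {"title": "Example Forms < 2.3.5 - CSRF (placeholder)", "fixed_in": "2.3.5",
                 "references": {"url": ["https://example.invalid/vuln-2"]}},
            ],
        },
        "example-gallery": {
            # version could not be fingerprinted, so every known issue is reported
            "slug": "example-gallery", "latest_version": "1.0.3", "outdated": False,
            "version": None,
            "vulnerabilities": [
                {"title": "Example Gallery <= 1.0.1 - SQL Injection (placeholder)", "fixed_in": "1.0.2",
                 "references": {}},
            ],
        },
        "example-seo": {
            "slug": "example-seo", "latest_version": "3.0.0", "outdated": False,
            "version": {"number": "3.0.0"}, "vulnerabilities": [],
        },
    },
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
}


def version_key(v):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically rather than as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def applicable_vulns(installed, vulns):
    """Keep the vulnerabilities that still apply to the installed version.
    An unknown version or a missing fix means we must assume the issue applies."""
    keep = []
    for v in vulns:
        fixed = v.get("fixed_in")
        if installed is None or not fixed or version_key(installed) < version_key(fixed):
            keep.append(v)
    return keep


def triage_plugins(report):
    """Return one finding per plugin that needs action, in report order."""
    findings = []
    for slug, plugin in report.get("plugins", {}).items():
        installed = (plugin.get("version") or {}).get("number")
        vulns = applicable_vulns(installed, plugin.get("vulnerabilities") or [])
        if vulns:
            fixes = [v["fixed_in"] for v in vulns if v.get("fixed_in")]
            if installed is None:
                action = "version not detected; confirm the installed version by hand"
            elif fixes:
                action = f"update to {max(fixes, key=version_key)} or later"
            else:
                action = "no fixed version published; disable or remove the plugin"
            status = "vulnerable"
        elif plugin.get("outdated"):
            action = f"update to {plugin.get('latest_version')}"
            status = "outdated"
        else:
            continue
        findings.append({"slug": slug, "installed": installed, "latest": plugin.get("latest_version"),
                         "status": status, "vulns": len(vulns), "action": action})
    return findings


def exit_status(findings):
    """2 if anything is vulnerable, 1 if only outdated, 0 if clean; useful from a cron job."""
    if any(f["status"] == "vulnerable" for f in findings):
        return 2
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python3 triage.py scan.json   (falls back to the embedded sample report)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    core = report.get("version") or {}
    print(f"core {core.get('number')} ({core.get('status')})")
    found = triage_plugins(report)
    for f in found:
        print(f"{f['status']:<10} {f['slug']:<20} installed={f['installed']} latest={f['latest']} "
              f"vulns={f['vulns']} -> {f['action']}")
    sys.exit(exit_status(found))
```

Run it nightly against your own site's report and alert on a non-zero exit code; the "version not detected" case is the one to read carefully, since wpscan will list every historical issue for such a plugin and only a look at the installed files tells you which still apply.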
If you are interested in what a Stored XSS can do, take a look at my next post on the topic.
WordPress is a fabulous tool and the most popular content management system in the world, and so it should be. The wpscan command is a powerful add-on that does one thing and does it really well: it scans WordPress sites for vulnerabilities. So use it today against your own site to ensure it is solid, with no old unpatched plug-ins or bad passwords.
Hope you got value from this “Secure WordPress with wpscan” blog post, please leave any comments below.