How to Perform WordPress Vulnerability Assessment & Penetration Testing – Tools, Checklist, & Sample Report

 

WordPress Penetration Testing: Getting Ready

In order to start testing your WordPress site for vulnerabilities, you need to set up the environment first. So, when it comes to WordPress security audit or any other kind of penetration test, Kali Linux is considered the holy grail. The reason being that Kali provides a huge amount of hacking tools for free.

Therefore, first, we need to install Kali Linux on a system to pentest our WordPress site. Multiple approaches can be followed for this as Kali can be installed on a virtual box, a PC, or even an Android phone! However, for this article, we shall be using the virtual box. It is noteworthy here that in a real attack scenario, using Virtual Box to obtain reverse shell can become tricky due to multiple port forwarding involved.

OWASP top 10

Installing Kali Linux for WordPress Security Audit

  • Step1: Download and install the latest version of Virtual box or any other emulator of your choice.
  • Step2: Now download and install the latest version of Kali Linux on Virtual Box for WordPress penetration testing.
  • Step3: Post-installation doesn’t forget to install certain “guest addition” tools with the help of this article.
  • Step4: If you still face any troubles with installing Kali on a VM, use the Kali VM image.

Now once, we have installed Kali, it is time to go for WordPress penetration testing. However, before conducting a security audit of a WordPress site, it is necessary to seek the permission of the related authority.

Related blog – Detailed Sample Penetration Testing Report | Penetration Testing Quote

Seeking Consent for WordPress Penetration Testing

Before actively attacking a target, it is important that you take permission and get a contract signed by the respective WordPress site owner. In case you fail to do so, legal complications may arise. You might even have to face jail time depending on the country and the cyber laws where the target is located. Moreover, the tools of Kali come with a warning that they should be run only after getting approval from the target or for educational purposes only. Once all this is done, make sure to draft a good agreement with the help of a cybersecurity lawyer. Further, there are certain proactive steps that can be taken to avoid complications:

  • It is common wisdom to use virtual machines as much as possible for WordPress security audits to avoid complications.
  • In case you host a WordPress site on a third-party server, you may need the consent of the hosting provider before conducting a WordPress security audit on your own site!
  • Trying to find vulnerabilities beyond your authorized resources may lead to a felony. Avoid accidentally testing unauthorized resources like routers owned by a different company.

Also Read: 11 Top Penetration Testing Tools/Software of 2022 | Top 6 Web Pentest Tools You Should Not Miss

The Three Steps of WordPress Penetration Testing

WordPress Penetration Testing: Mapping

The first step towards WordPress penetration testing while using the “Black Box” approach is gathering as much information about the target as possible. This is known as Mapping or Reconnaissance. This can be done through a variety of tools. Let us take a look at some of them.

NMAP

NMAP a.k.a ‘Network Mapper’ offers a wide variety of flexibility while mapping a target for WordPress security audit. Not only can NMAP scan ports and fingerprint backend technologies, but it can also evade firewalls to scan stealthily, use NSE scripts for automatic vulnerability discovery and so much more!

To access this tool, simply open the command line terminal on your Kali Linux and type:

nmap

Doing so would open the help interface of this tool containing all the key features. Now let us take a look at a live target. In the image given below, Nmap scans the domain scanme.nmap.org which is provided by the Nmap site to test this tool.

Related article: How to Fix WordPress Account Suspension by Host?

WordPress security audit and WordPress Penetration Testing using Nmap

The ‘-A’ option of Nmap means enabling OS detection, version detection, script scanning, and traceroute. Thereafter, the -T option helps Nmap to fine-grain the timing controls. The number 4 means an aggressive scan. Finally, Nmap has provided us with the following info:

  • Open ports along with the services running on them i.e. port 80 are open with Apache 2.0.52 running.
  • The operating system running on the target machine that is Linux 2.6.0-2.6.11. Along with the uptime of the server.

Thereafter, Nmap has also consecutively scanned our internal machine named ‘d0ze’ with Local IP 192.168.12.3. This scan has also revealed the Open ports along with their services and OS. Not only this, but Nmap has also enumerated the MAC address of this local machine. This is just the tip of the iceberg as Nmap can perform a wider variety of tasks. Apart from Nmap, some other popular tools for mapping site for WordPress security audit are:

Also Read: 7 Top Cyber Security Auditors for SaaS Companies [Reviewed]

Zenmap

If beginners find trouble using Nmap, a GUI alternative of Nmap known as Zenmap can be used for automation.

WordPress security audit + WordPress penetration Testing + using Zenmap

Also Read: Why Firewall Penetration Testing is Essential to Your Security Strategy

ReconDog

Another good tool available on Github for black-box mapping is Recondog. Its description calls it a “Reconnaissance Swiss Army Knife”. It uses a mixture of OSINT and Mapping for WordPress security audits.

WordPress security audit + WordPress penetration Testing + using ReconDog

Open Source Intelligence (OSINT)

Moreover, other info about the target to conduct a WordPress security audit can be gathered from the public domain. Information like:

  • Number of Subdomains available.
  • Nameservers.
  • Ownership info and emails of employees(for social engineering attacks).
  • Geolocation.

The resources that can be used for gathering OSNIT are:

  • Whois.com
  • Socialmention.com
  • recon-ng (Kali Linux tool)
  • theharvester (Kali Linux tool)
  • Shodan search engine
  • Netcraft
  • Dark Web Sites:
  • http://onion.city/
  • https://ahmia.fi/search/
  • http://thehiddenwiki.org/
  • http://xmh57jrzrnw6insl.onion/ (Torch a.k.a. The Tor Search)

WPintel Chrome Plugin

You can use a WordPress Vulnerability scanner plugin like WPintel to scan your WordPress site for vulnerabilities, version, themes, plugins, and even enumerate users.

Need a complete WordPress security audit?. Drop us a message on the chat widget, and we’d be happy to help you fix it. Help me with my WordPress Penetration Testing now.

WordPress Penetration Testing: Discovery

Post mapping all the technologies, it is now time for finding active vulnerabilities to conduct a WordPress security audit. The discovery part focuses on system-specific vulnerability discovery. In our case, the target uses WordPress so, we shall see all the tools that can be used for WordPress vulnerability discovery. Apart from WordPress, if the target is using other CMS or other systems, even then some specific tools can be used for finding vulnerabilities.

Related article: WordPress Backdoor Hack: Symptoms, Finding & Fixing

WPScan

WP scan a free tool that can be used to conduct a WordPress security audit. Designed with WordPress security in mind, this tool is a great choice for black-box testing of your WordPress site. This tool keeps a vulnerability database of WordPress and keeps updating it from time to time. Not only core WordPress but, this tool can scan for vulnerabilities in WordPress plugins and themes too.

WordPress security audit + WordPress penetration Testing + using WPScan

As shown in the image above, this tool first updates the vulnerability database before performing discovery on the target.

To use this tool. Open the terminal in your Kali Linux and type:

wpscan --url www.example.com

This simple command will scan the target for vulnerabilities. This is just one example, for more help, on your terminal type: ‘wpscan -h’. This tool can also be used for:

  • WordPress login brute force.
  • User Enumeration on WordPress.
  • Enumerating WordPress themes and Plugins.
  • Finding default WordPress directories.

Nikto

Nikto is a great open-source vulnerability scanner to conduct a WordPress security audit. It can scan multiple kinds of servers and is very comprehensive. However, the downside of Nikto is that it takes too much time and makes too much noise. Therefore, Nikto is easily detectable of a WAF or IDS. Moreover, Nikto also generates many false positives that need to be vetted manually for WordPress penetration testing. For more options type “nikto -H

WordPress security audit + WordPress penetration Testing + using Nikto

Burp Suite

Burp Suite is a great collection of tools that can significantly ease the process of WordPress security audits. It can act as a proxy between the browser and the server. Therefore, all the HTTP requests can be manipulated in real-time to find various kinds of vulnerabilities. Apart from this, the Burp suite also provides various automatic tools for paid users only. The free edition of the Burp suite is good for manual testing.

WordPress security audit + WordPress penetration Testing + using Burp Suite

Also Read: Top 5 Software Security Testing Tools in 2022 [Reviewed]

Fuzzing

Fuzzing is the last resort in WordPress security audit when nothing seems to work. It basically sends a large number of random characters to the parameters of your WordPress site. This can uncover even some zero-day flaws!. Although, fuzzing creates large noise which can be picked by IDS. Some lightweight fuzzing tools are:

For SQL injection: For comprehensive fuzzing of WordPress to find SQLi vulnerabilities, Sqlmap is probably the best tool. Not only fuzzing but Sqlmap can also be used for the successful exploitation of an SQLi attack. Sqlamp can be used to enumerate databases on a vulnerable URL by the following command in Kali Linux:

sqlmap -u "target URL" --dbs

WordPress security audit + WordPress penetration Testing + using SQLmap

For XSS: XSSer can not only find but actively exploit XSS vulnerabilities. For more help type: ‘xsser -h‘. And, for GUI, type: ‘xsser --gtk

WordPress security audit + WordPress penetration Testing + using XSSer
XSSer GUI

For Command Injection: Commix a.k.a. COMMand Injection eXploiter can detect and exploit various types of command injections during a WordPress security audit. For more help, in Kali Linux type:

commix -h

WordPress security audit + WordPress penetration Testing + using Commix

Other tools provided by Kali Linux for fuzzing during WordPress security audit are:

  • sfuzz
  • powerfuzzer
  • wfuzz

Also Read: API Penetration Testing: What You Need to Know

WordPress Penetration Testing: Exploitation

Post mapping and discovery, it is now time to identify exploitation points during a penetration testing. Trying the exploits can help us weed out the false positives. Though there are numerous frameworks for exploitation but for this article we shall only discuss one and its features.

Metasploit

Metasploit is an exploitation framework which can be used to exploit web apps, such as CMSes like WordPress. Developed and maintained by Rapid 7, Metasploit hosts a variety of exploits for different operating systems. First, update Metasploit before using it by running the ‘msfupdate’ command in Kali Linux. Now, run Metasploit using the ‘msfconsole’ command. Some key parameters that need to be set in this tool are:

  • search: This feature can be used to search for WordPress related exploits
  • use exploit: Using this feature, a particular exploit related to WordPress can be uploaded i.e. use exploit/unix/webapp/wp_wpshop_ecommerce_file_upload
  • show options: This command list the parameters that need to be set thereafter.
  • set RHOST: This parameter needs the IP of the machine you wish to exploit.
  • TARGETURI: This parameter lists the file path of the target.
  • set exploit: This command finally runs the exploit. Alternatively, the ‘run’ command can also be used for this.
WordPress security audit + WordPress penetration Testing + using Metasploit

Comments

Popular posts from this blog

How to DDOS an IP using HOIC