WordPress is the leading CMS platform enabling anyone to create and maintain websites of varying levels of complexity quickly. It supports many different uses and sizes and can be a great CMS for organizations to use. It is unfortunately also very prone to vulnerabilities through common exploits, misconfigurations, and simply attacking intended functionality. Care needs to be taken to ensure that WordPress sites are properly protected.
Exploiting Out-of-Date Components
WordPress supports massive ranges of functionality and design through the extensive library of themes and plugins available. These have the advantage of allowing users to precisely fine-tune various aspects of their website to get it to their exact requirements. These components can range from minor details, such as small tweaks to how contact forms work, to massive overhauls of the site, completely changing the functionality of the basic WordPress site.
WordPress accounts for around 43% of all websites, and around 63% of all websites built using a CMS. This makes it and the most common plugins a prime target for attackers and security researchers. Hundreds and sometimes thousands of vulnerabilities are discovered in WordPress each year. These exploits can perform various functions, ranging from minor information leakage to a complete takeover of the web server with no interaction.
WPScan is a popular command line tool that analyzes WordPress sites for out-of-date components or misconfigurations. The team maintaining it is constantly updating its database with the latest vulnerabilities, allowing the scanner to catch them as soon as they have been disclosed. Aside from identifying vulnerabilities, it is an effective tool for mapping out a WordPress site and seeing what is running on it. This is of great use for defenders and security researchers, but as with many tools, is also a helpful tool in the hands of malicious hackers.
Good patch management is one of the most important things when it comes to defending WordPress sites. Keeping components updated as security fixes are released will massively reduce the time when part of the site is left vulnerable. This cuts down on the window where attackers would be able to find and exploit an out-of-date plugin or core version. Keeping good track of what is running on any exposed sites is very important to make sure that nothing slips through the cracks.
Common Misconfigurations and Intended Functionality
Aside from software exploits, WordPress sites can be left vulnerable through simple misconfigurations. When setting up a WordPress site, it can be easy to miss small steps that can greatly aid attackers. Many files or settings when left exposed will provide a wealth of information about the components of the website and the web server to attackers. Often sites have pages such as an exposed phpinfo() page that was left over during installation. Finding this will allow attackers to craft much more targeted exploits.
One extremely common misconfiguration is allowing for username enumeration. This can be done in several ways, such as varying error messages on the wp-admin page, though it is often as simple as looking at the wpjson/v2/users endpoint. A list of usernames can allow attackers to begin password-spraying attacks and work towards compromising a user account and accessing the backend panel of the site.
If an attacker can get through the wp-admin page, many dangerous features can be abused. The website can be defaced with malicious pages that include dangerous JavaScript, such as with XSS attacks. Even more dangerous is the fact that WordPress sites are configured by default to run PHP code. If a compromised account has the ability to add or modify existing pages, a PHP back door can be planted on the website, allowing access to the underlying web server and anything stored there.
Best practices should be followed when initially setting up a WordPress site and when making any adjustments. Dangerous features should be disabled and the site should be configured to disclose as little information as possible to attackers. Any user accounts should be set with strong passwords in the event of usernames being discovered to prevent any access to the administrative panel. It is also important to only allow user accounts the lowest level of privilege needed to perform their function.
Test Your Security With Blue Goat Cyber
We are able to analyze many types of internal and external infrastructure to identify any underlying vulnerabilities and work with you to defend against attacks. Our team has years of experience in defending WordPress sites, along with many other types of network devices. Contact us to learn more.
