
Penetration testing for WordPress websites

WordPress penetration testing is something of an art. While movies and TV series might make it seem easy, in reality, there’s a learning curve and a lot of trial-and-error involved. Do not let this discourage you, however. Cybersecurity is an interesting field and as WordPress site owners, a critical one.

In this article, we will review some of the most common tools used in WordPress penetration testing and explain how to set up your own environment.

Before we proceed: The information provided in this article is for educational purposes only. Pentesting websites/infrastructures that you do not own or have permission to test is illegal in most jurisdictions. Setting up a local staging WordPress website is highly recommended.

The role of penetration testing in WordPress security

Your WordPress website’s security is an important part of overall site health and performance. WordPress vulnerabilities, which are what we scan WordPress websites for when running penetration tests, remain a threat. After all, it is only when we uncover vulnerabilities that we can begin to address them.

Mastering WordPress penetration testing is not easy—it requires deep domain knowledge of various technologies and how they interact with each other. While this article is based on industry-standard tools used by professional testers and bad actors alike, if you’re concerned about an attack, it can be worth working with a professional firm.

Stage 1: Setting up your environment

Before we get into the how it is worth spending some time talking about the setup you’ll need to pen-test your WordPress websites.

The bulk of penetration testing is done using tools that automate or at least facilitate the tests. Downloading these tools individually can be something of a nightmare, which is why operating systems such as Kali Linux exist.

What is Kali Linux?

Kali Linux is one of the most popular security-focused Linux OS (Operating System) distributions available. This means you’ll find plenty of tutorials and support should you need it. Kali, however, is not the only security-focused Linux distribution available. Other popular options include ParrotOS and BlackArch.


The setup

The easiest way to install a Kali Linux pen testing machine is by using a VM, short for Virtual Machine. VMWare Workstation and Oracle’s VirtualBox are two of the most popular options available. Of course, you can choose another virtualization software or install it on a bare metal machine if you prefer.

We will need to set up two virtual machines. One will host Kali Linux, which we’ll use to run the tests. The second machine will host our WordPress staging environment. For the purposes of this article, we are using Ubuntu for the staging environment.

Pro tip: Linux has made great strides in improving its usability over the past few years. As such, you should have no problem installing Kali Linux or any other Linux distribution. From experience, the best way to learn is to experiment and occasionally break something. This being a virtual environment, there is nothing to worry about—you can always start again if need be.

Step 1: Download VMware Workstation

Step 2: Download the Kali Linux ISO and the Ubuntu ISO

Step 3: Set up two virtual machines to host Kali Linux and Ubuntu

Step 4: Install Kali on one of the virtual machines and Ubuntu on the other

How to make the most out of your setup

Kali Linux comes with all of the tools you need straight out of the box. However, we will need to install WordPress on the Ubuntu machine.

For best results, you should set up the staging environment to mimic your WordPress sites as close as possible. This will ensure that any vulnerabilities present in your live WordPress sites are also present in your staging environment, which is what we will be doing the penetration testing on.

While replicating the infrastructure might not always be possible, do make sure you’re running the same core WordPress software version on both sites and have installed the same plugins, themes, and configurations.

Common WordPress vulnerabilities

WordPress websites can present different vulnerabilities that allow bad actors to gain unauthorized access. Our job as pen-testers is to find these vulnerabilities and attempt to exploit them just like a bad actor would. Of course, we’ll need to report any vulnerabilities we find or fix them if they are within our scope of work.

Because we’ll be reporting any vulnerabilities we find, it is important to note the exact steps you take during the pentest process. Detailed notes can be very helpful to whoever needs to fix the issue.

Note: Many vulnerabilities are not straightforward to find. Typically, they require several conditions to be met, which means a considerable amount of patience and a large number of test cases are required to carry out an effective pentest.

So, what sort of vulnerabilities should we be on the lookout for?

Configuration vulnerabilities

Configuration vulnerabilities are those vulnerabilities present due to a misconfiguration or failure to implement security best practices. These types of vulnerabilities are typically within your control, meaning you can take relatively easy steps to resolve them.

  • Lack of a TLS certificate: When using HTTP instead of HTTPS, data is sent in plain text. This makes such setups ripe for MITM (Man-in-the-middle) attacks.
  • Weak passwords: Weak passwords are easy to crack in brute-force attacks, whether these take place online or offline.
  • Lack of 2FA: 2FA is known to greatly improve login security so that even if passwords are compromised, bad actors will still not be able to log in without access to the secondary authentication method.
  • Unlimited login attempts: With no restrictions on login attempts, bad actors can keep trying different username and password combinations until they hit the right one—with you being none the wiser.

Technical vulnerabilities

Technical vulnerabilities typically arise from a software bug in WordPress itself or in a plugin or theme.

  • XSS: XSS vulnerabilities enable bad actors to inject malicious code into your WordPress site to steal data or compromise security.
  • CSRF: Cross-Site Request Forgery (CSRF) vulnerabilities trick users into taking actions without their consent.
  • Privilege escalation: Privilege escalation vulnerabilities allow authenticated users to gain privileges their designated role does not allow them access to.
  • SQL injection: SQL injection vulnerabilities allow bad actors to inject SQL code into

Stage 2: Reconnaissance (aka Information gathering)

In the reconnaissance stage, our job is to collect as much information as possible about our target, that is, the WordPress website we want to pentest.

In real-life situations, the attacker will try to uncover as much information about you and your website as possible. They will start with your email address and run it against databases of leaked credentials. They might check your social media accounts and any affiliations you might have. This is why you should never overshare on social media and take steps to secure your accounts.

Technical reconnaissance

The main idea behind technical reconnaissance is to identify potential security risks that we can investigate further. Keep an eye open for:

  • Outdated software including an older WordPress version
  • User enumeration
  • Vulnerable plugins
  • Vulnerabilities such as SQL injection, XSS vulnerabilities (Cross-Site Scripting)

Let’s now have a look at some of the tools available for WordPress penetration testing:

nmap and zenmap

nmap is a port-scanning tool that enumerates open ports, protocols, and services. It does not scan WordPress itself but rather the server on which WordPress is hosted. Nmap is a command-line tool, while Zenmap is its GUI counterpart.

We can use Nmap to scan entire subnets, but since we’re only concerned with WordPress, we can scan the WordPress server directly.

In our lab, the WordPress server is on the local IP 192.168.80.128.

So, to scan the server, we simply need to type the following command in the command line:

nmap 192.168.80.128

What we are looking for here are open ports. Open ports can be used to launch attacks in the next phase of the pentesting process. In our case, the scan tells us that port 80/tcp is open. Port 80 is used by the HTTP protocol. Thus, we can expect this port to be open since the target server is running WordPress. Had Nmap detected other open ports, we would have seen them here as well.
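As an added example, not part of the original article: a short Python script that parses nmap's XML output (written with `nmap -oX scan.xml 192.168.80.128`) and flags any open port that is not on the allowlist you expect a web-only WordPress host to expose. The XML below is constructed to mirror the lab result above (port 80 open) plus a second constructed host for contrast, and the allowlist of ports 80 and 443 is an assumption.

```python
import xml.etree.ElementTree as ET

# Ports a web-only WordPress host is expected to expose (assumption).
EXPECTED_PORTS = {80, 443}

# Constructed sample in nmap's -oX format: the article's lab host with
# port 80 open, plus a second constructed host that also exposes MySQL.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.80.128" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.168.80.129" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Map each scanned IPv4 host to its sorted list of (port, service)
    pairs that nmap reported as open."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            ports.append((int(port.get("portid")), name))
        result[addr.get("addr")] = sorted(ports)
    return result


def unexpected_ports(xml_text, expected=EXPECTED_PORTS):
    """Open ports per host that are not on the allowlist; anything listed
    here is either an unplanned service or something to firewall off."""
    return {ip: [p for p in ports if p[0] not in expected]
            for ip, ports in open_ports(xml_text).items()}


if __name__ == "__main__":
    for ip, extra in unexpected_ports(SAMPLE_XML).items():
        print(ip, "unexpected open ports:", extra or "none")
```

Run the same check after every change to the staging host: a newly open port that nobody planned for is exactly the kind of finding the reconnaissance stage is meant to surface.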

Of course, Nmap offers way more functionality than our simple example. You can type the following command to see the manual:

man nmap

WPScan

WPScan is a dedicated WordPress vulnerability scanner. It comes pre-installed on Kali Linux; however, installing WPScan on Windows or Mac is also very easy.

We’ll run a basic scan using the following command:

wpscan --url 192.168.80.128

Remember, the IP address is that of our test machine, so you will need to enter your own IP or URL.

Do keep in mind that by adding an API key we can get more detailed results, including any known vulnerabilities associated with installed plugins.

We can also try adding the --detection-mode aggressive flag to ensure that we run our penetration testing at full force and uncover any vulnerabilities we can.

We can also add our API key by using the --api-token flag. In this case, we can see that WPScan failed to enumerate WordPress usernames, plugins, and themes. When you scan WordPress sites with WPScan, it is always worth taking note of anything it highlights, including any provided links. This will help you familiarize yourself with different results and broaden your knowledge.

ffuf

ffuf is an acronym for fuzz faster u (sic) fool. Fuzzing (verb) is the act of trying different combinations to see what sticks and what breaks, like throwing spaghetti at the wall.

Fuzzing has various purposes. However, for WordPress penetration testing, we’ll use it for directory discovery and HTTP fuzzing. Since ffuf’s purpose is to try many different combinations, a more effective way to fuzz is by using a dictionary. In this case, a dictionary is merely a text file with a list of commonly used words in our context. You can find many of these dictionaries (also known as wordlists) on sources such as GitHub.

The basic ffuf command is as follows:

ffuf -u https://example.com -w wordlist

Where example.com is the URL of the target website and wordlist is the path to the wordlist file we want to use.

Real-life example

First, we need to download the wordlists, which we can do by using the GitHub link provided above. Keep in mind that it is not a small file and will take a while to download. Once downloaded, we need to extract all the individual files, of which there are more than a few.

Next, we’ll choose which file we want to use for our fuzzing. In this case, we’re looking for any leftover database backup files, so we’ll be using the Common-DB-Backups.txt file. So, the command will look like this:

ffuf -u http://192.168.80.128:80/FUZZ -w /home/joel/Downloads/SecLists-master/Discovery/Web-Content/Common-DB-Backups.txt:FUZZ

Of course, the IP and directory need to be changed to reflect your setup. Keep in mind that different wordlist files can yield different results.

This command gives us the following result:

We can see that our fuzzing scan has struck gold: we found a leftover backup file called db_backup.sql.

All we have to do now is append the file name to the URL to download the file and get access to all the data stored in it.
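The same wordlist approach works from the defender's side. As an added example that is not part of the original article, the Python script below walks a WordPress document root and reports any file whose name appears in a backup wordlist or carries a backup-style extension, so leftovers like db_backup.sql are caught before anyone fuzzes for them. The wordlist excerpt, the extension list and the throwaway document root are all constructed for the demo; the real Common-DB-Backups.txt is much longer.

```python
import os
import tempfile

# Constructed excerpt in the style of SecLists' Common-DB-Backups.txt;
# the real file has many more entries and is not reproduced here.
SAMPLE_WORDLIST = """db_backup.sql
backup.sql
dump.sql
database.sql
wp-config.php.bak
"""

# Extensions that should never be reachable under a web root (assumption).
RISKY_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".bak", ".old")


def load_wordlist(text):
    """One candidate filename per line; blank lines and comments ignored."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def find_leftovers(docroot, wordlist, suffixes=RISKY_SUFFIXES):
    """Return web-root-relative paths (forward slashes) of files that match
    the wordlist exactly or end in a risky suffix, in sorted order."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name in wordlist or name.lower().endswith(suffixes):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a throwaway docroot mirroring the article's finding and audit it.
    wp-config.php is legitimate and must not be reported; db_backup.sql and a
    stray dump in uploads/ must be."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "wp-content", "uploads"))
        for rel in ("index.php", "wp-config.php", "db_backup.sql",
                    "wp-content/uploads/site-2023.sql.gz"):
            with open(os.path.join(docroot, *rel.split("/")), "w") as fh:
                fh.write("-- constructed sample\n")
        return find_leftovers(docroot, load_wordlist(SAMPLE_WORDLIST))


if __name__ == "__main__":
    for path in demo():
        print("exposed:", path)
```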

Nikto

Nikto is a server scanner used in penetration testing to identify vulnerabilities. While it’s not specific to WordPress website security, it can be used to scan WordPress websites just the same.

We can initiate a Nikto scan by running the following command:

nikto -h 192.168.80.128

This will initiate a simple scan on our testing web server.

If you remember, our earlier nmap scan showed us Port 80 to be open. We can use this information to narrow our scan by specifying the port as follows:

nikto -h 192.168.80.128 -p 80

This will target port 80.

The results present us with some interesting findings, including:

1: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/

This can allow us to run XSS (cross-site scripting) attacks in certain scenarios, as per the provided link.

2: Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.

If we can find some vulnerabilities linked to Apache version 2.4.52, we can exploit them since the web server has not been updated to the latest version.

3: /wp-login.php: WordPress login found.

We know the WordPress login page, so we can attempt brute-force attacks.

SQLMap

SQLMap is a penetration testing tool that’s geared towards finding SQL injection vulnerabilities. Here we need to pass a URL that includes a value input. SQLMap will then try different combinations in an attempt to find and exploit a vulnerability.

If there are any known SQL injection vulnerabilities, WPScan will highlight them. We can then use SQLMap to exploit them.

However, we can also use SQLMap to find vulnerabilities that are not known yet. While SQLMap might look like a simple enough tool, do keep in mind it comes with a number of options that let you do anything from identifying the vulnerable parameters to taking over the database server.

Stage 3: Vulnerability exploitation

In the vulnerability exploitation phase, we’ll attempt to gain access to the WordPress site, based on the information we gathered in the previous stage. You’ll notice there is some overlap since most exploitation tools can also be used to gather information. The opposite is also true.

In this section we will look at commonly used tools for exploiting vulnerabilities. Keep in mind that a bad actor might also attempt to gain access manually without the help of any tools. However, the tools described in this section are known for their robustness and efficacy.

Burp Suite

Burp Suite is a collection of tools aimed at testing web app security. It is quite extensive and can be further customized through the use of extensions. As Burp Suite is very extensive, how we use it will largely depend on the vulnerabilities we uncovered in Stage 2 of the WordPress penetration testing process.

One of the basic functions of Burp Suite is intercepting and modifying HTTP requests. This can allow us to exploit vulnerabilities that lack input sanitization or validation controls.

OWASP ZAP works in a similar fashion and can equally be used to pentest WordPress installations.

Metasploit

Metasploit is a penetration testing framework that enables you to use its extensive vulnerability and exploit database to test the security of different software – from Windows to WordPress. While it is not a WordPress security tool, its database includes hundreds of WordPress vulnerability and module entries.

When running a Metasploit penetration test, we can only exploit known vulnerabilities that have been included in the database. Here, the WPScan results will come in handy as we can cross-reference them with Metasploit. If you’re working with a team, you can discuss exploiting specific vulnerabilities you uncover, starting from those with the highest severity level.

Running Metasploit WordPress scanners

Metasploit has its own WordPress vulnerability scanners. You can find available scanners by running the following command once Metasploit loads up:

search type:auxiliary http wordpress

This will return all available WordPress scanners. You’ll notice there are more than a few to choose from, most of which will let you scan for specific vulnerabilities rather than a sweeping scan. The Description column will give you a better idea of what each scanner does.

For the purposes of this exercise, we’ll run the wordpress_scanner by running the following command:

use auxiliary/scanner/http/wordpress_scanner

Next, we’ll set our target website and port, which we got from our earlier Nmap scan:

set RHOSTS 192.168.80.128
set RPORT 80

We can now run the scan by typing:

run

The scan will run, and the results will be printed on the screen.

Running Metasploit exploits

To run an exploit, we follow a procedure very similar to running a scanner, as we’ve just discussed. Some exploits will require additional parameters such as the target URI, username, and password.

How to minimize the risk of being hacked

Finding and exploiting WordPress site vulnerabilities is no walk in the park. It requires equal parts perseverance, technical knowledge, and meticulousness. The good news is that most attacks are not targeted and thus lack perseverance. From the bad actors’ point of view, it’s often a numbers game. Thus, softer targets are preferred.

Tip the odds in your favor by following the below guidelines:

Update software – religiously

No software is above vulnerabilities. A bug or an oversight can leave software open to attacks. As we saw in the article, most vulnerabilities are tied to specific versions. Once the software has been updated, that vulnerability is no longer present.

Updating software, whether WordPress, plugins, themes, PHP, an Operating System, or anything else, reduces the risk of a successful attack.

Follow security best practices

Complying with security best practices will greatly reduce the risks of a successful attack straight out of the gate. Security standards are there for a reason, and implementing them is often a low-hanging fruit.

Security best practices can also help you mitigate some of the risks associated with zero-day vulnerabilities, for which there are no updates.

These include:

Harden systems

The most secure system is the one that’s switched off and unplugged. The least secure system is the one with no passwords or access management. Hardening is a practice that aims to find the middle ground. It ensures that settings are configured securely, thus making systems less vulnerable to attacks, while still ensuring they’re usable.

More about WordPress penetration testing

In this article, we have covered industry-standard tools used in WordPress penetration testing and attacks. However, domain knowledge is required to ensure pen tests uncover vulnerabilities. To improve your penetration testing skills, consider:

1: Practice. The more you practice a skill, the better you’ll become. Now that you have a testing environment, dedicate some time to practicing how to use different penetration testing tools.

2: Education. WordPress security is always changing. New threats emerge with new WordPress versions, and old ones become irrelevant. Academies such as HackTheBox can help you stay informed while equipping you with the skills you need to improve your cyber defenses.

Posted in WordPress Security
Joel Farrugia
Joel Barbara

Joel was our technical writer who wrote a number of articles on our blog. With a background in tech and content, he has a passion for making technology accessible and understandable for everyone.

