Locking down your WordPress site

Since I don’t really want to get in trouble for this, I need to put in a disclaimer.  Some of these tools can be invasive and if you are running them against somebody then I take no responsibility for their actions against you.  I am testing these tools against my own site so the consequences are minimal.  Just be aware that there can be serious consequences for using these tools on sites and companies against their will.  I don’t want anybody going to jail.

The tools

Let’s take a poke around with WP Scan.  This tool is a WordPress vulnerability scanner, often packaged together with Backtrack or the newer Kali Linux pentesting distro.   WPScan helps find and eliminate security weaknesses in your WordPress site.  More information about this tool can be found here.

There are many other tools out there but for basic WordPress scanning this tool should suffice, because it offers a number of things that are of interest in a nice single tidy and clean interface.  Other tools that may be of interest include tools like Burp Suite, SQLmap, username enumeration through Metasploit and other reconnaissance tools.

The process

Most real world attacks will reach for the low hanging fruit when it comes to exploiting WordPress sites, typically gaining access to a site through password exploitation.  With so many WordPress sites going up it becomes easy to move from site to site trying different password brute forcing attacks, so that’s where you will see a large number of attacks.  There are others as well, such as vulnerability attacks, SQL injection attacks, XSS, etc.

To begin the process let’s start gathering some information about the WordPress site that will be the focus of this attack, my blog.  Here, I am running WPScan through Kali Linux, so the syntax may change depending on how you decide to use this tool.  Let’s see what basic information we can get about my blog.  This site scan will attempt to gather the basics of the site it is scanning.  For help just type ‘wpscan –help’.

wpscan --url http://thepracticalsysadmin.com

Let’s see how far we can get with the password brute forcing method.  To enumerate a list of user account names use the following,

wpscan --url http://thepracticalsysadmin.com --enumerate u

If you get any interesting results from this scan, for example the result returns the username admin, go ahead and see if you can brute force the account.

wpscan --url http://thepracticalsysadmin.com --wordlist /pentest/passwords/wordlists/darkc0de.lst --username admin

There are more features packed in this tool so take some time to explore what all it can do (preferably on a test box).  Odds are that on a site that hasn’t been properly locked down you can probably get in, one way or another.  I wouldn’t recommend running wpscan against this site though because I have already beefed up the security and temporarily block access if users run malicious scans against the site.

Locking it down

There are a number of techniques to help reduce the attack surface for your WordPress site as well as methods to increase the difficulty of breaching your site.  The first and foremost is the use of strong passwords.  That should be a given and I won’t get into the details here of how important strong passwords are.  Another (hopefully) obvious technique is to keep up to date with your patches.  Whether it be on the Operating System or your WordPress site/plugins you should try to be proactive about patching your systems.  The third and final obvious solution I will mention are getting good backups.  If your site does get compromised then it is incredibly helpful to have a point in time to go back to rather than starting over from square one.  There are plugins designed to help with this process and even doing it by hand isn’t that difficult.  You can get back on your feet even if you only have a database dump from your site at some point in the past.

I’d like to specifically mention some good tools to use if you have publicly facing SSH; one of which is fail2ban.  This tool can be used as a layer of defense to slow attackers down by detecting malicious activity and banning IP addresses.  Another great tool, a handy plugin for WordPress  sites is called Better WP Security.  This is an easy to use site hardening tool that can fill up weaknesses and security holes quickly for somebody that doesn’t necessarily have security in the foreground of their minds.

By utilizing  these basic techniques you will infinitely increase your WordPress site’s security and make it much more difficult to attack and exploit.  There are of course other techniques to improve security but at a certain point it can become a balancing act.  *Most* site admins aren’t overly conscious about security and so do not spend a lot of time on their security efforts, they are more concerned about the content and getting things up.  Likewise, some are probably more prone to lock things down more than they perhaps need to.  It is important to maximize your effort, and to cover the most important security aspects by implementing the basics.

Josh Reichardt

Josh is the creator of this blog, a system administrator and a contributor to other technology communities such as /r/sysadmin and Ops School. You can also find him on Twitter and Facebook.