WordPress is the world's leading Content Management System (CMS), accounting for approximately 27% of all websites on the Internet. As such, WordPress is a common target for malicious attackers and malware authors aiming to propagate malicious software by compromising websites.
Almost all studies into the most commonly compromised CMS-based websites list WordPress as the biggest offender, with one study attributing 78% of CMS hacks to WordPress.
In the overwhelming majority of cases investigated by the AppCheck team, the WordPress site was compromised via vulnerabilities within extensible components (plugins and themes) or through configuration weaknesses, rather than the core WordPress CMS.
AppCheck is a leading web application security scanner that operates by closely mirroring the actions of a professional penetration tester. AppCheck adopts a first-principles approach to detecting vulnerabilities rather than relying on vulnerability databases or being tied to a specific platform or technology.
At AppCheck we realise that being able to identify security flaws from first principles is a huge benefit; however, there are occasions where a specific technology presents security challenges that are unique to the platform and require a focused approach. WordPress (and similar plugin-based CMS systems) is one such platform. Some of the WordPress-specific checks performed by AppCheck are listed below.
Plugin & Theme Security Assessment
WordPress is a PHP-based content management system that employs a plugin-based architecture to add features and themes to the core platform. Many plugins are downloaded from the internet and installed without any prior analysis of the code being installed. Plugins can be written by anyone and distributed via the WordPress plugin directory, so there is no way to know whether the plugin you are installing contains a security flaw.
The AppCheck scanner is able to detect security vulnerabilities in WordPress plugins for which there are no previously known security flaws. It does this by adopting a 'first principles' approach to vulnerability detection. Each component exposed by the plugin is analysed to determine its use under normal operation. Each HTTP request to the application is then manipulated and resubmitted to determine whether code within the plugin handles client-supplied input insecurely. This approach is typical of a black-box security assessment conducted by a professional security consultant and allows AppCheck to maintain a high level of accuracy that doesn't rely on databases of known security flaws.
There are, however, some circumstances where this approach does not see the whole picture when it comes to WordPress deployments. For example, a plugin may ship with vulnerable functionality that is not used under normal operation, so crawling the site and exercising plugin components does not reach the vulnerable code path. The AppCheck research team maintains a code repository of available plugins and performs regular static analysis and manual code review to identify new security flaws, which are then added to our database. Our research is prioritised based on the plugins installed by our customers: if a new plugin is detected on your WordPress installation, it is added to our list of plugins to be reviewed.
By combining a first-principles approach with a growing database of known vulnerabilities, AppCheck offers the most comprehensive plugin assessment tool available.
Username enumeration and password guessing
WordPress is susceptible to multiple username enumeration vulnerabilities by default, the most severe of which allows all configured usernames to be extracted by an attacker. AppCheck attempts all known enumeration methods and reports discovered usernames along with recommendations to lock down each exposed area.
Enumerated usernames are then used in a password guessing attack to identify weak account passwords. By default, AppCheck selects the top 50 most common passwords in combination with passwords generated from the domain name of the target system. For example, if the targeted domain is blog.appcheck.com, passwords such as Appcheck1, Appcheck2016, Appcheck! and similar are added to the list. Optionally, a word list can be uploaded via the user interface to expand this list.
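The domain-derived passwords described above are cheap for an attacker to generate, so the defensive counterpart is to reject them at password-set time. The following is an added example, not AppCheck's code: it reconstructs the patterns the text names (Appcheck1, Appcheck2016, Appcheck!) from a domain name and checks a candidate password against them and against a small constructed stand-in for a common-password list. The label-extraction heuristic, the suffix set and the `COMMON_PASSWORDS` contents are this example's own assumptions.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed stand-in for a "top N common passwords" list. A real deployment
# would load a published list; these six entries exist only for the example.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Host-name prefixes that rarely end up in passwords (assumed list).
_SKIP_LABELS = {"www", "blog", "shop", "mail", "dev", "staging", "test"}


def domain_labels(domain: str) -> Set[str]:
    """Return the organisation label(s) of a domain, e.g. {'appcheck'} for blog.appcheck.com.

    Heuristic (assumption of this example): drop the public suffix (one label,
    or two when the second-to-last label is short, as in co.uk) and ignore
    common host prefixes.
    """
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    if len(labels) >= 3 and len(labels[-2]) <= 3:
        labels = labels[:-2]
    elif len(labels) >= 2:
        labels = labels[:-1]
    return {l for l in labels if l not in _SKIP_LABELS}


def domain_derived_candidates(domain: str, years: Iterable[int] = range(2010, 2031)) -> Set[str]:
    """Generate the domain-based variants a guessing attack would try.

    Covers the shapes named in the text (Appcheck1, Appcheck2016, Appcheck!) in
    lower, capitalised and upper case. The suffix set is an assumption.
    """
    years = list(years)
    suffixes = [""] + [str(n) for n in range(1, 10)] + ["!", "!!", "123", "1234", "#1"]
    suffixes += [str(y) for y in years] + [f"{y}!" for y in years]
    candidates: Set[str] = set()
    for label in domain_labels(domain):
        for base in (label, label.capitalize(), label.upper()):
            for suffix in suffixes:
                candidates.add(base + suffix)
    return candidates


def is_weak_password(password: str, domain: str) -> bool:
    """True if the password is a common password or is derived from the site domain."""
    if password.lower() in COMMON_PASSWORDS:
        return True
    # Compare case-insensitively: capitalisation alone does not add strength.
    derived = {c.lower() for c in domain_derived_candidates(domain)}
    return password.lower() in derived


def audit_passwords(accounts: Dict[str, str], domain: str) -> List[str]:
    """Return the usernames whose proposed password would fall to the described attack.

    Intended for the password-set path (plaintext is available there); never
    store plaintext passwords to run this retrospectively.
    """
    return sorted(user for user, pwd in accounts.items() if is_weak_password(pwd, domain))


if __name__ == "__main__":
    # Constructed sample accounts for a site at blog.appcheck.com.
    sample = {"editor": "Appcheck!", "admin": "x7#Lq!pR9vZ2"}
    print("weak:", audit_passwords(sample, "blog.appcheck.com"))
```

In a real WordPress deployment the same check would be enforced in PHP on the profile-update hook; the Python above only demonstrates the logic, and the candidate set should be regenerated whenever the site's domain changes.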
Version enumeration and vulnerability detection
The AppCheck scanner will fingerprint the core WordPress installation version and cross-reference this against known vulnerabilities that affect the deployed version. By scheduling regular scans, you can be alerted when an insecure WordPress installation is deployed within your environment.
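To show what the fingerprint-and-cross-reference step looks like in practice, here is an added example (not AppCheck's scanner code). It reads the core version from the `generator` meta tag that WordPress emits in page HTML, falls back to the version banner in the public `readme.html`, normalises the version for numeric comparison, and looks it up against an advisory table. The advisory entries are constructed placeholders: a real check would be fed from a maintained vulnerability database.

```python
import re
from typing import Dict, List, Optional, Tuple

# WordPress writes <meta name="generator" content="WordPress X.Y.Z" /> by default.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I
)
# readme.html carries a "Version X.Y.Z" banner.
README_RE = re.compile(r"Version\s+([\d.]+)", re.I)

# Constructed advisory table with placeholder identifiers (not real advisories).
# "affected_below" means every version lower than this one is affected.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "affected_below": "4.7.5", "title": "example issue fixed in 4.7.5"},
    {"id": "ADVISORY-PLACEHOLDER-2", "affected_below": "4.9.0", "title": "example issue fixed in 4.9.0"},
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.9' or '4.7.2' into a 3-tuple so versions compare numerically.

    Padding with zeros makes 4.9 equal to 4.9.0 instead of sorting below it.
    """
    parts = [int(p) for p in version.strip(".").split(".") if p]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])  # type: ignore[return-value]


def fingerprint_version(html: str, readme: Optional[str] = None) -> Optional[str]:
    """Extract the WordPress core version from the generator tag, else from readme.html."""
    match = GENERATOR_RE.search(html)
    if match:
        return match.group(1).strip(".")
    if readme:
        match = README_RE.search(readme)
        if match:
            return match.group(1).strip(".")
    return None  # tag removed and readme not served: version unknown, not "safe"


def matching_advisories(version: str, advisories=ADVISORIES) -> List[str]:
    """Return advisory ids whose affected range includes the given version."""
    found = parse_version(version)
    return [a["id"] for a in advisories if found < parse_version(a["affected_below"])]


def assess_site(html: str, readme: Optional[str] = None) -> Dict[str, object]:
    """Combine fingerprinting and cross-referencing into one report."""
    version = fingerprint_version(html, readme)
    return {
        "version": version,
        "advisories": matching_advisories(version) if version else [],
    }


if __name__ == "__main__":
    # Constructed sample page for an outdated install.
    page = '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>'
    print(assess_site(page))
```

A `None` version should be reported as "could not fingerprint" rather than silently treated as clean; removing the generator tag hides the version from this check but does not patch anything.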
Insecure configuration files
AppCheck will detect insufficiently protected configuration files that could disclose sensitive information, such as database credentials, to an attacker. As well as checking the default configuration file, AppCheck will search for backup files and temporary files, such as those that may have been left behind by a text editor.
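The same weakness can be audited from the server side before a scanner finds it. The following added example (not AppCheck's code) walks a WordPress document root and flags two things the text describes: leftover copies of `wp-config.php` (editor swap files, `.bak`/`~` backups and the like, which the web server serves as plain text because they are not handed to the PHP interpreter) and a canonical `wp-config.php` that is world-readable. The naming rule and the constructed demo directory are this example's own assumptions.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Files that legitimately contain "wp-config" in their name.
CANONICAL = {"wp-config.php", "wp-config-sample.php"}


def is_leftover_config(name: str) -> bool:
    """Flag editor and backup variants of the configuration file.

    Names such as wp-config.php~, wp-config.php.bak, wp-config.php.orig or
    .wp-config.php.swp are not parsed as PHP, so their contents (including
    DB_PASSWORD) would be returned verbatim if requested over HTTP. Rule used
    here (an assumption): anything containing "wp-config" other than the
    canonical file and WordPress's shipped sample file counts as a leftover.
    """
    base = os.path.basename(name).lower()
    return "wp-config" in base and base not in CANONICAL


def is_world_readable(path: str) -> bool:
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk a document root and return sorted (relative path, reason) findings."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_leftover_config(name):
                findings.append((rel, "leftover copy of wp-config served as plain text"))
            elif name.lower() == "wp-config.php" and is_world_readable(full):
                findings.append((rel, "wp-config.php is world-readable"))
    return sorted(findings)


def build_demo_webroot() -> str:
    """Create a constructed document root that reproduces both weaknesses."""
    root = tempfile.mkdtemp(prefix="wp-demo-")

    def write(name: str, mode: int) -> None:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'demo-only');\n")
        os.chmod(path, mode)

    write("index.php", 0o644)
    write("wp-config.php", 0o644)         # should be 0o600 or 0o640
    write("wp-config.php.bak", 0o644)     # left behind by a manual copy
    write(".wp-config.php.swp", 0o600)    # vim swap file
    write("wp-config-sample.php", 0o644)  # shipped by WordPress; not flagged
    return root


if __name__ == "__main__":
    for path, reason in audit_webroot(build_demo_webroot()):
        print(f"{path}: {reason}")
```

Running this as part of a deployment check catches the files before they are exposed; the complementary fix is a web-server rule that denies any request whose path contains `wp-config`, so a missed leftover still cannot be downloaded.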
Sign up for a free security assessment now
If you’re currently utilising WordPress and would like to run a free vulnerability assessment, then please click on the SCAN NOW button below. Every assessment executed via the AppCheck scanner will include a detailed analysis of discovered security vulnerabilities along with clear remediation steps to resolve the flaw. AppCheck will also flag WordPress configuration weaknesses that could be improved to harden the system against persistent attackers.
If you would like to run a test, but have any questions first, then please feel free to contact firstname.lastname@example.org