Tag Archives: Wordpress

Find and correct WordPress vulnerabilities using WPScan

If you run a WordPress based website then you should sit up, pull out your notepad, and carefully consider running WPScan against your site to find out whether you have any security vulnerabilities that require your attention. This is not to say that WordPress is vulnerable per se, but the fact is that all software contains some level of vulnerability, and the more you know, the better you will understand and be able to protect your site.

You may be surprised to learn that CVE has 177 documented vulnerabilities concerning WordPress over the years. If you are really interested in better protecting your site then you absolutely must take the time to read about hardening WordPress. For example, there are a number of excellent recommendations in the areas of securing wp-admin, securing wp-includes, securing wp-config.php, disabling file editing, and much more.

It would be well worth the time and effort to review and possibly implement these recommendations to better protect your site. In fact, while researching this article I found one recommendation I had not considered: after reading that I could add a second layer of protection to my wp-includes folder structure simply by adding a small block to the .htaccess file, I thought why not. The code in question is:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

There are many other things you can address in the .htaccess file, and the hardening WordPress guide will help immensely in this area. The following are a handful of options you may also want to consider.

# disable directory browsing
Options All -Indexes
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
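To see what the rewrite block above actually does before deploying it, the following script (added for this article, not code from the WordPress hardening guide) models the five RewriteRule lines and walks a few constructed request paths through them, including the [S=3] skip that lets everything outside wp-includes/ pass untouched. It is a simulation of the F and S flags only, not Apache's mod_rewrite; the sample paths are made up, although wp-includes/rss-functions.php is the file the scan output later in this post flags for Full Path Disclosure, and a direct request to it would get a 403 under these rules.

```python
import re

# Constructed model of the five RewriteRule lines in the .htaccess block above.
# Each entry is (pattern, negated, flags). Only the F (forbidden) and S (skip)
# flags are modelled; this is not Apache itself.
RULES = [
    (r"^wp-admin/includes/",                   False, {"F": True}),
    (r"^wp-includes/",                         True,  {"S": 3}),   # not under wp-includes/ -> skip next 3 rules
    (r"^wp-includes/[^/]+\.php$",              False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/",            False, {"F": True}),
]


def evaluate(path):
    """Walk the rule chain for one request path (relative to RewriteBase /, so no
    leading slash) and return 'FORBIDDEN' (a 403) or 'ALLOWED'."""
    i = 0
    while i < len(RULES):
        pattern, negated, flags = RULES[i]
        # mod_rewrite applies the regex as a search, hence the explicit ^ anchors
        hit = re.search(pattern, path) is not None
        if negated:
            hit = not hit
        if hit:
            if flags.get("F"):
                return "FORBIDDEN"
            if "S" in flags:
                i += flags["S"]  # skip the following S rules
        i += 1
    return "ALLOWED"


def audit(paths):
    """Return {path: verdict} for a list of request paths."""
    return {p: evaluate(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests (no real site behind them).
    sample = [
        "wp-includes/rss-functions.php",
        "wp-includes/js/tinymce/langs/en.php",
        "wp-includes/theme-compat/header.php",
        "wp-includes/js/jquery/jquery.js",
        "wp-admin/includes/file.php",
        "wp-content/plugins/example-plugin/example.php",
        "index.php",
    ]
    for path, verdict in audit(sample).items():
        print(f"{verdict:9} {path}")
```

The interesting case is index.php: the negated second rule matches because the path is not under wp-includes/, so the three wp-includes rules are skipped and the request is allowed, while static files under wp-includes/ such as jquery.js still pass because the third rule only forbids .php files directly inside wp-includes/.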

Scan, scan, and scan

To get started with WPScan you will need to install it. I am not going to cover installation because there are a number of different options depending upon your scenario. I will however say that I prefer to use WPScan on Kali Linux because it not only saves the time and effort of installation, but Kali has dozens upon dozens of tools that you may find very useful on your security journey. If for any reason you want to review the source code then you're in luck because WPScan is located on GitHub.

wpscan --url radicaldevelopment.net --enumerate

The basic command switches include:

--url | -u <target url> The WordPress URL/domain to scan.
--force | -f Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)] Enumeration.
 option :
 u usernames from id 1 to 10
 u[10-20] usernames from id 10 to 20 (you must write [] chars)
 p plugins
 vp only vulnerable plugins
 ap all plugins (can take a long time)
 tt timthumbs
 t themes
 vt only vulnerable themes
 at all themes (can take a long time)
 Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
 If no option is supplied, the default is "vt,tt,u,vp"

For more detail on the command arguments be sure to review the WPScan documentation. Upon execution of the scan you will see something similar to the following:

WordPress Security Scanner by the WPScan Team
 Version v2.4.1
 Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
[+] URL: http://radicaldevelopment.net/
 [+] Started: Tue Aug 12 20:18:28 2014
[+] robots.txt available under: 'http://radicaldevelopment.net/robots.txt'
 [!] Full Path Disclosure (FPD) in: 'http://radicaldevelopment.net/wp-includes/rss-functions.php'
 [+] Interesting header: SERVER: nginx/1.6.1
 [+] XML-RPC Interface available under: http://radicaldevelopment.net/xmlrpc.php
[+] WordPress version 3.9.2 identified from rss generator
[+] WordPress theme in use: RadDev - v1.0
[+] Name: RadDev - v1.0
 | Location: http://radicaldevelopment.net/wp-content/themes/RadDev/
 | Style URL: http://radicaldevelopment.net/wp-content/themes/RadDev/style.css
 | Theme Name: RadDev
 | Theme URI: http://radicaldevelopment.net
 | Description: A modern two-column blog theme. A responsive layout optimizes the theme for mobile devices like t...
 | Author: Steven M. Swafford
 | Author URI: http://radicaldevelopment.net
[+] Enumerating installed plugins (only vulnerable ones) ...
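Reading through the [+] and [!] lines by hand is fine for one site, but if you scan regularly it helps to turn the output into a short hardening to-do list. The script below is an added example written for this article, not part of WPScan: it parses output in the format shown above and flags the items a defender would act on (the [!] findings, the disclosed WordPress version, the server version header and the reachable xmlrpc.php). The sample output is constructed to mirror the run above with an example.com host and a made-up theme name; the triage rules are my own, not WPScan's.

```python
import re

# Constructed sample, modelled on the WPScan 2.4.1 output format shown in the post.
SAMPLE_OUTPUT = """\
[+] URL: http://www.example.com/
 [+] Started: Tue Aug 12 20:18:28 2014
[+] robots.txt available under: 'http://www.example.com/robots.txt'
 [!] Full Path Disclosure (FPD) in: 'http://www.example.com/wp-includes/rss-functions.php'
 [+] Interesting header: SERVER: nginx/1.6.1
 [+] XML-RPC Interface available under: http://www.example.com/xmlrpc.php
[+] WordPress version 3.9.2 identified from rss generator
[+] WordPress theme in use: ExampleTheme - v1.0
[+] Name: ExampleTheme - v1.0
 | Location: http://www.example.com/wp-content/themes/ExampleTheme/
[+] Enumerating installed plugins (only vulnerable ones) ...
"""

# One WPScan result line: optional indent, [+] or [!], then the message.
LINE_RE = re.compile(r"^\s*\[([+!])\]\s*(.*\S)\s*$")
VERSION_RE = re.compile(r"WordPress version (\S+) identified")
SERVER_RE = re.compile(r"Interesting header: SERVER: (.*)")


def parse_wpscan(text):
    """Turn WPScan's [+]/[!] lines into a dict; [!] lines become warnings."""
    report = {"url": None, "wp_version": None, "theme": None,
              "server_header": None, "xmlrpc": False, "warnings": [], "notes": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation lines such as ' | Location:' are skipped
        marker, msg = m.groups()
        if marker == "!":
            report["warnings"].append(msg)
            continue
        version = VERSION_RE.match(msg)
        server = SERVER_RE.match(msg)
        if msg.startswith("URL: "):
            report["url"] = msg[len("URL: "):]
        elif version:
            report["wp_version"] = version.group(1)
        elif msg.startswith("WordPress theme in use: "):
            report["theme"] = msg[len("WordPress theme in use: "):]
        elif server:
            report["server_header"] = server.group(1)
        elif msg.startswith("XML-RPC Interface available"):
            report["xmlrpc"] = True
        else:
            report["notes"].append(msg)
    return report


def triage(report):
    """Derive a hardening to-do list from a parsed report (my own checks, not WPScan's)."""
    todo = list(report["warnings"])  # every [!] finding is an action item
    if report["wp_version"]:
        todo.append(f"WordPress version {report['wp_version']} is disclosed; "
                    "keep core updated and remove the generator tag")
    if report["server_header"]:
        todo.append(f"Server header reveals {report['server_header']}; "
                    "suppress the version string where possible")
    if report["xmlrpc"]:
        todo.append("xmlrpc.php is reachable; restrict it if you do not use remote publishing")
    return todo


if __name__ == "__main__":
    parsed = parse_wpscan(SAMPLE_OUTPUT)
    print(f"{parsed['url']} running WordPress {parsed['wp_version']} with theme {parsed['theme']}")
    for item in triage(parsed):
        print(" -", item)
```

Feed it a saved scan log instead of SAMPLE_OUTPUT and the to-do list becomes a quick diff between runs, which is what makes the "scan, scan, and scan" advice practical.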

If you are running a multi-author WordPress site then you may find running dictionary attacks useful to ensure your authors are using strong passwords. The command for doing so is:

wpscan --url www.somedomain.com --wordlist passwords.txt --username admin

It is also important to note that if your target WordPress site allows visitors to register, a password brute force attack may take a great deal of time or even impact the performance of the website. Because of this, you may want to first enumerate the users and target a smaller subset.

Conclusion

Overall the WordPress platform does a good job at implementing security, but at the end of the day it is software and all software will have vulnerabilities. When you factor in the use of themes and plugins the risk increases quickly. For this reason, it is always a good idea to run a security scan, and this is where WPScan can greatly help to protect your site. If you have not given this tool a look, then I highly recommend that you do so. You may find that there are steps you can take to harden your website and protect not only yourself, but also your visitors.

Web Hosting Gone Wrong: Webhost4life

As you may have noticed, last Friday evening my website was extremely slow and when it loaded it resulted in error after error. As soon as I saw the problem I began to investigate the root cause in order to determine the best approach to resolve the issue. To my surprise WebHost4Life, whom I am now calling WebHostNot4Life, had migrated my site and database to a new server. Typically a move to newer hardware is a positive thing, but in this case WebHost4Life completely failed at the task; in fact a quick search of Google yielded a number of customers experiencing problems similar to mine and in some cases a complete loss of data. It makes one wonder if this company no longer cares about quality or is simply unqualified to perform the job. Turning to Twitter I noticed a number of others in the exact same boat as myself.

As I mentioned earlier, last Friday around 6:00 PM I noticed the problems with my site. After a few hours trying to resolve the problem I contacted technical support to let them know that I had learned that my site had been migrated to the new platform and that the database was a mixture of outdated content and configuration spanning weeks if not months. The same held true for the physical file system content. For the life of me I just could not understand how they could have made such a massive mistake. At this point began a 24 hour period of trying to get technical support to fix what they had broken.

Round One 18-Jun-2010:

tech: Hi Steven, my name is Tech. How are you today?
steven: seems my site was migrated and I can no longer log in via FTP and the site is throwing errors.. http://radicaldevelopment.net/
tech: I apologize for any inconvenience this has caused you.
steven: I just fixed the FTP issue. Need you help with the site
tech: Please make sure to use the following settings in the FTP client software to connect our server through FTP:
tech: 1. FTP server is: ???.webhost4life.com
tech: 2. Host directory: /
tech: 3. Username: FTP username
tech: 4. Password: FTP password
tech: 5. Port: 21
tech: 6: login type: Normal.
steven: : I just fixed the FTP issue. Need you help with the site
tech: Okay.
tech: You need to update the scripts available in the file ‘functions.php’ to fix the website issue.
steven: how
tech: You need to fix this issue from your end. You can contact the script vendor to get help with editing the file ‘functions.php’.
steven: wait.. this only occurred after you folks migrated my site. why now am I on my own??
tech: May I place you on hold for 4 or 5 minutes, while I check this for you?
steven: sure.. I am trying to log into my site now to disable the plugin that seems to be fighting me
tech: Okay.
steven: why is the site so SLOW?
steven: and what you all migrated contains files that came from weeks if not months back. It differs than what was on my site as early as today
steven: OMG! even the database is wrong. There are plugins there that I removed a long time back!
tech: Okay.
steven: Please tell me what I had in place at midnight last night on the old server is still there
tech: Thank you for your patience, I am still testing the issue, I will be back with some more information in 5 more minutes.
steven: sure
tech: Thank you for holding.
tech: Steven, it appears that the files have not been migrated properly to the server. I will run a tool from back end to migrate all the files and database to the new server.
tech: I ran the tool from back end. It will take couple of hours to move the database and files to the new server.
tech: Did you receive my last message?
steven: please be sure it is the database and file content as of midnight last night. I must say this is very disappointing and I expect that the second attempt at migration goes without fail. Speaking with others I know with webhost4life this seems to be an ongoing problem as many folks have had numerous problems after the migration. May I expect what you just ran will be complete at 12:15 CDT?
tech: Yes

At this point I had no reason to believe that the two hour window would resolve the issue as technical support had always resolved any issues quickly in the past. Little did I know that this time would be very different.

Round Two 19-Jun-2010:

tech: Hi Steven. My name is tech #2, how are you today?
steven: My site was improperly migrated and at 10:00pm on 6/18 I was told in two hours it would be corrected. It has not. Please advise.
tech: I apologize for any inconvenience this has caused you.
tech: Can you please provide me the exact URL, with which you are experiencing the issue?
steven: http://radicaldevelopment.net/
tech: Okay.
tech: May I place you on hold for 4 or 5 minutes, while I check this for you?
steven: the database and content is out of date for one. Whatever was migrated was old and weeks and weeks old.
steven: sure
tech: Thank you for holding.
tech: I apologize for any inconvenience this has caused you.
tech: I have checked the website and noticed that it is coming up. I can see an error message at the top of the website. Also, can you please let me know whether this is the old contents?
steven: the error is due to the database being out of date with the wordpress functions and etc. There are themes and logs on my site now that have not been there for weeks. Whatever was pulled from the old server is not what was online as of 6/17
tech: Okay.
steven: it is SLOW as well… I do not want to go over all of this again. Here is what the tech stated hours ago.
steven: tech #1: Steven, it appears that the files have not been migrated properly to the server. I will run a tool from back end to migrate all the files and database to the new server.
tech #1: I ran the tool from back end. It will take couple of hours to move the database and files to the new server.
tech: I apologize for any inconvenience this has caused you.
tech: I was able to duplicate your issue. In order to investigate further, I need to escalate the issue to one of our technical specialists. You will be able to view the activity and the status of the ticket in the Support Console of the account.
tech: You can check the status of the ticket at:
tech: http://www.webhost4life.com/member/sconsole
steven: why did this process not fall under a QA review? I should not have to spend my time on this..
tech: Yes, I can understand your concern but there seems to be some other issue with the website.
tech: One of our specialists will contact you as soon as possible.
steven: Please put in the notes that what needs to be migrated is what was in place on 6/17. I do not want to explain this problem again for a third time.
tech: Yes, sure.

Well, now the problem had become so severe that it was escalated. Maybe now something would get resolved. Oh, did you notice that I have been apologized to four times now? At this point it was after midnight and I decided to go to bed and let the technical folks work their magic.

Round Three 19-JUN-2010:

Now that I had woken up well rested it was time to check whether my issues had been resolved. To my surprise the ticket from the previous night had no indication that anyone had even begun working on it. Therefore it was time for yet another online chat with live support, and here is how that went.

tech #3: Hi Steven, my name is tech #3. How are you today?
steven: what is the status of 7175624? The problem is not resolved and nothing reflects status in the ticket
tech #3: I apologize for any inconvenience this has caused you.
tech #3: I have noticed that you have updated the ticket. I will ask our engineers to resolve your issue at the earliest.
steven: It is 18hrs now and counting that my site is down and failing to work because of folks on your end. This is unacceptable and the support thus far has been a failure. Please do escalate this
tech #3: Okay.

For those of you that are counting that is a grand total of five apologies and still no fix in sight.

My Next Step

Since I back up both my database and file content myself, I decided to transfer my domain to another host, and within three hours I had completed the transfer, restored the database, and uploaded the file content. As I was doing all of this I wondered why WebHost4Life technical support was so incompetent that they could not have done the same. Remember that they had a 24 hour window and did absolutely nothing to correct the problems that they caused.

The last step was to contact WebHost4Life sales and terminate my account. I was asked why I had elected to terminate the account and after I explained the problem the sales representative offered me a discounted rate if I would stay with them. I found this so funny that I laughed and replied why would I pay a discounted rate for service that clearly is not working.

At the time of this post my website is sitting on a new host and the best advice I have for anyone thinking of using WebHost4Life is don't! I have no idea what has happened with this company but it is not what it once was! I have heard that it was sold and tech support is now outsourced overseas. If this is the case then it may explain the crash and burn that I recently experienced.

Are you currently a customer of WebHost4Life or have you decided to take your business elsewhere? I am interested in hearing your story so please leave a comment.

AutoBlogged WordPress Plugin Product Review

If you want to automate your blog posting with external content then look no further. AutoBlogged is a powerful autoblogging plugin for WordPress that automatically creates blog posts from any RSS or Atom feed. Autoblogging is a great way to automate your WordPress posts so you can focus your efforts on earning money with your blog. With dozens of features, AutoBlogged is one of the most powerful autoblog software plugins available for WordPress and the best way to get automated blog content. Not only is the product easy to use, but it does a great job at syndication, all without breaking the bank.

Features

  • Image and video support
  • Custom post templates
  • Advanced post filtering
  • Enhanced tagging engine
  • Regular Expression Search & Replace
  • Create thumbnails for images
  • Override feed data with your own values
  • Fully supports WordPress 2.7 and later

Review

If you are running WordPress and looking for a way to bring outside information into your blog, this plugin is for you. Installing the plugin is no different than any other plugin and I found the entire process very simple and user friendly. In fact, I was able to install AutoBlogged and get it configured in under 15 minutes.

While there are a number of products on the market I must say that I am impressed with this product. My time spent looking at the features was time well spent and AutoBlogged works extremely well performing exactly as I hoped.

Rating: 4 out of 5

Summary

One very strong point I would make is that you must take into account the guidelines for republishing content, and should you have any questions, contact the RSS feed owners for permission. There is nothing more frowned upon than republishing someone's work without first knowing whether it is acceptable to the original content owner. Remember, syndication can be a good thing when done in moderation.

If you would like a chance at winning a single site license view the contest details.

Vendor Details

Name: Autoblogged
MSRP: $59.95 single site license and $129.95 multiple site license