
Wordpress Security - Vulnerability Scanning

WordPress is one of the most popular content management systems (CMS) among bloggers, and a very large number of blogs run on it. That popularity puts WordPress on the hit list of hackers and spammers, who use malware to compromise WordPress sites; this is why reverse engineering the malware found on compromised sites is a necessary discipline.



Other CMSs exist, such as Joomla!, but WordPress has its own importance and market share. Because so many bloggers use it, its security matters: a single serious vulnerability can lead to thousands of compromised WordPress blogs. From a penetration tester's point of view, an administrator must be aware of existing vulnerabilities at both the system level and the application level in order to protect the website(s).


A quick way to protect a WordPress (or any other) blog from system and server software vulnerabilities is regular auditing. This means keeping all server software up to date (and the administrator's own browser and anti-virus as well), using strong passwords and rotating them, scanning the server for malware and backdoors, using firewalls, and so on. WordPress software itself has its own vulnerabilities; in fact security researchers discover new ones regularly.

In this article we will cover some tools and plug-ins for auditing WordPress software for security holes and vulnerabilities. We will also discuss the approaches and tools an attacker might use to break into WordPress, and some of the best ways to secure a WordPress blog.

WordPress Security Audit & Vulnerability Scanning

A security audit is one of the most important steps in finding possible vulnerabilities in WordPress, and in this section I will discuss some tools and plug-ins you can use to find them.

Plecost WordPress Fingerprinting Tool:

Plecost is a WordPress fingerprinting tool that ships by default in the best-known penetration testing distributions, i.e. BackTrack, BackBox and Blackbuntu. It takes a list of plug-in names, checks which of them are installed on the target and which version each one reports, and then looks the plug-ins up against the Common Vulnerabilities and Exposures (CVE) list to report known vulnerabilities.
Plecost works in two modes: it can audit a single target URL, or it can audit the results of a Google search. Our goal here is to audit a single URL.


Here is the result of a quick and simple audit of a WordPress installation using Plecost:

    root@bt:/pentest/web/scanners/plecost# ./plecost-0.2.2-9-beta.py -i wp_plugin_list.txt -c http://127.0.0.1/wordpress
    -------------------------------------------------
    [*] Input plugin list set to: wp_plugin_list.txt
    [*] Colored output set on.
    -------------------------------------------------
    ==> Results for: http://127.0.0.1/wordpress <==
    [i] WordPress version found: 3.3
    [i] WordPress last public version: 3.3.1
    [*] Search for installed plugins
    [i] Plugin found: akismet
    |_Latest version: 2.4.0
    |_ Installed version: 2.3.0
    |_CVE list:
    |___CVE-2009-2334: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2334)
    |___CVE-2007-2714: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2714)
    |___CVE-2006-4743: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4743)
    |___CVE-2009-2334: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2334)
    |___CVE-2007-2714: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2714)
    |___CVE-2006-4743: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4743)
    [i] Plugin found: wp-security-scan
    |_Latest version: 2.7.1.2
    |_ Installed version: trunk
    |_CVE list:
    |___CVE-2009-2334: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2334)
    |___CVE-2009-2334: (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2334)

You can see that this WordPress installation is outdated: a newer WordPress release (3.3.1) is available and newer versions of both plug-ins are available, but none of them has been applied. This is dangerous. Note that Plecost builds this report by comparing the version strings it finds against its own list, so before acting on a CVE you should confirm that it really applies to the installed version; a plug-in reporting "trunk" has no release version to compare at all and needs to be checked by hand.
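To make the fingerprinting step concrete, here is a small Python example that does what the Plecost run above does for a single URL: it reads the WordPress version from the generator meta tag, reads each plug-in's version from its public readme.txt "Stable tag" line, and compares installed versions against a caller-supplied "latest" version. This is an added example written for this page, not Plecost's own code. The sample HTTP responses, the target URL and the plug-in list are constructed for the demo; the real fetcher is only used when you pass it in.

```python
"""Minimal WordPress/plug-in fingerprinter in the spirit of Plecost (added example)."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample responses standing in for a live target; nothing here
# was captured from a real site. None for a URL plays the role of an HTTP 404.
SAMPLE_RESPONSES: Dict[str, str] = {
    "http://127.0.0.1/wordpress/":
        '<html><head><meta name="generator" content="WordPress 3.3" /></head></html>',
    "http://127.0.0.1/wordpress/wp-content/plugins/akismet/readme.txt":
        "=== Akismet ===\nContributors: automattic\nStable tag: 2.3.0\n",
    "http://127.0.0.1/wordpress/wp-content/plugins/wp-security-scan/readme.txt":
        "=== WP Security Scan ===\nStable tag: trunk\n",
}

Fetcher = Callable[[str], Optional[str]]


def offline_fetch(url: str) -> Optional[str]:
    """Serve the constructed responses above (used by the demo and tests)."""
    return SAMPLE_RESPONSES.get(url)


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch a URL over HTTP(S); None on 404 or any network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, ValueError):
        return None


# WordPress emits <meta name="generator" content="WordPress X.Y.Z" /> by default.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
# WordPress.org plug-in readmes carry a "Stable tag:" header line.
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)", re.I | re.M)


def wordpress_version(base: str, fetch: Fetcher = http_fetch) -> Optional[str]:
    """Return the core version from the front page's generator tag, if present."""
    html = fetch(base.rstrip("/") + "/")
    if html is None:
        return None
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def plugin_version(base: str, name: str, fetch: Fetcher = http_fetch) -> Optional[str]:
    """None if the plug-in directory is absent, else its Stable tag ('unknown' if missing)."""
    text = fetch(f"{base.rstrip('/')}/wp-content/plugins/{name}/readme.txt")
    if text is None:
        return None
    m = STABLE_TAG_RE.search(text)
    return m.group(1) if m else "unknown"


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """'2.7.1.2' -> (2, 7, 1, 2); non-numeric tags such as 'trunk' -> None."""
    parts = tuple(int(p) for p in v.split(".") if p.isdigit())
    return parts or None


def version_is_older(installed: str, latest: str) -> Optional[bool]:
    """True/False when both versions parse, None when one cannot be compared."""
    a, b = parse_version(installed), parse_version(latest)
    if a is None or b is None:
        return None
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def fingerprint(base: str, plugin_names: List[str], fetch: Fetcher = http_fetch) -> dict:
    """Probe the core version and each listed plug-in; only found plug-ins are reported."""
    found = {}
    for name in plugin_names:
        ver = plugin_version(base, name, fetch)
        if ver is not None:
            found[name] = ver
    return {"wordpress": wordpress_version(base, fetch), "plugins": found}


if __name__ == "__main__":
    # Demo against the constructed responses; the latest versions are assumed inputs,
    # as Plecost's own plug-in list supplies them.
    target = "http://127.0.0.1/wordpress"
    latest = {"akismet": "2.4.0", "wp-security-scan": "2.7.1.2"}
    report = fingerprint(target, ["akismet", "hello-dolly", "wp-security-scan"], offline_fetch)
    print("WordPress version:", report["wordpress"])
    for name, ver in report["plugins"].items():
        print(f"{name}: installed {ver}, latest {latest[name]}, "
              f"outdated={version_is_older(ver, latest[name])}")
```

Swap `offline_fetch` for `http_fetch` to run it against a site you are authorised to test. The readme-based check only sees plug-ins whose readme.txt is left world-readable, which is also the practical reason to deny direct access to those files on your own blog.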

The next article in this series will be published soon; do not forget to share this information.

Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.

~ Thursday, 24 May 2012, 0 comments

7 Top Wordpress Security Plugins


WordPress is one of the best content management systems (CMS) for blogging. Millions of bloggers use it because it is open source and offers a wide range of features that make blogging enjoyable and informative. Its best feature is its plug-in system: there are plug-ins for many different purposes, such as advertising, comments, guest blogging and more.
  
The security of any website or blog is a primary concern, and if you run a WordPress blog you should use some security plug-ins to harden it. Many general tips for securing a WordPress blog are available; in this article I will discuss plug-ins that help make a WordPress blog more secure.

WP Security Scan

A good tool for measuring the security of a WordPress blog. WP Security Scan checks the whole installation for weaknesses in areas such as database security, passwords and admin account security, and suggests a fix for each finding. It can also hide the WordPress version string, so that attackers cannot trivially match your blog against publicly available exploits.

Semisecure Login Reimagined

It increases the security of the login process by using RSA public-key cryptography: the password is encrypted in the browser with the site's public key and can only be decrypted with the private key held on the server, so it is not sent in clear text. If SSL is not available, the administrator should use Semisecure Login to protect the password from sniffing. Note that only the password is protected; the session cookie that follows a successful login still travels in clear text over plain HTTP, so this is not a substitute for SSL.

Admin SSL

Secure Sockets Layer (SSL) gives an extra level of protection against attacks such as network sniffing; an introduction to SSL would be worthwhile reading in its own right. Admin SSL works with both private and shared SSL certificates, and it forces any page that asks for a password, and the whole admin area, over an encrypted HTTPS connection so that the password cannot be read on the wire. This is the best practice for securing the admin area.

IP Ban

If you notice that an intruder is continuously trying to access the admin area of your blog, some action is needed, and the IP Ban plug-in is the recommended way to ban that intruder. It returns a 'Page Not Found' (404) error to any visitor whose IP address is listed in the IP Ban option on the Discussion Options page.

AskApache Password Protect

This plug-in adds multiple layers of security. It does not take over WordPress or touch your database; instead it uses the fast, tried-and-true built-in security features of the web server (password protection and access rules) to put extra layers of defence in front of your blog. The plug-in acts as a firewall, and behind it your blog remains protected from attackers.

AntiVirus for WordPress

The AntiVirus plug-in for WordPress offers advanced features to protect your blog from exploits and spam injection. Have you ever thought about code-injection or cross-site scripting attacks? Use this plug-in to scan your blog's theme and database for injected malicious code and clean it up.

WP Email Guard

WP Email Guard is a plug-in that protects your email addresses from spammers and intruders. Information gathering is the first step of any attack, so an exposed email address is an easy first target for an intruder. The plug-in converts every email address written in a post body into JavaScript code, so the address is readable and clickable by human visitors but not by simple harvesting bots.


~ Monday, 8 August 2011, 0 comments