With the popularity of WordPress as a publishing platform, security testing is an important part of ensuring the installation is secure. Nmap has a couple of NSE scripts specifically for the testing of WordPress installations. Using those scripts as a base I developed a couple more that expanded the capabilities of using Nmap to audit WordPress installations. These scripts were then merged with nmap's http-wordpress-enum.nse script
Nmap comes with two Lua NSE scripts for high level testing of WordPress installations. The scripts allow for brute forcing of the plugins on the system and for enumerating WordPress user accounts that are on the system.
5998
published CVE's (vulnerabilities) for
WordPress and its components
NMAP NSE Scripts for WordPress
http-wordpress-info.nse
Rather than brute forcing paths, this script is much more polite and will only download the main page of the WordPress site and examine the theme and plugin paths in the html. The WordPress version will also be identified using the default readme.html file if the meta generator is not present.
http-wordpress-enum.nse
The http-wordpress-enum.nse script comes with default Nmap installation and allows you to attempt to identify users of the WordPress installation. Once you have user names it is possible to brute force the passwords using methods I detailed in the attacking wordpress article.
Hacker Target NMAP-nse-scripts for WordPress
http-wordpress-plugins.nse
Deprecated as http-wordpress-enum.nse updated to include this functionality,
In addition to identifying the plugins in use, I added a feature to the http-wordpress-plugins.nse script that will identify the version of the installed plugin and compare that to the latest version that is checked in real time against the WordPress Plugin API.
-- Interesting ports on my.woot.blog (123.123.123.123): -- PORT STATE SERVICE REASON -- 80/tcp open http syn-ack -- | http-wordpress-plugins: -- | search amongst the 500 most popular plugins -- | akismet 3.0.4 (latest version: 3.0.4) -- | wordpress-seo 1.7 (latest version: 1.7.1) -- | disqus-comment-system 2.83 (latest version: 2.84) -- |_ wp-to-twitter 1.2 (latest version: 1.45)
http-wordpress-themes.nse
Deprecated as http-wordpress-enum.nse updated to include this functionality,
Based on the NSE script http-wordpress-plugins.nse I created out a variation that tests for WordPress themes. One of the often overlooked parts of keeping a secure WordPress installation is ensuring all themes (even inactive ones) are kept up to date or removed if not in use. Security vulnerabilities can be found in WordPress themes and these are often exploitable even if the theme is inactive.
The wp-theme.lst was created after I crawled the Alexa top 1 million sites and found around 200000 WordPress sites. By basing the theme list on the in use themes and sorting by popularity this list is a good representation of the most popular themes in being used across the web.
-- Interesting ports on my.woot.blog (123.123.123.123): -- PORT STATE SERVICE REASON -- 80/tcp open http syn-ack -- | http-wordpress-themes: -- | search amongst the 500 most popular themes -- | twentyfourteen 1.3 -- | canvas 5.8.7 -- |_ twentytwelve 1.5
Assess the risk and work on mitigation.
Remove limits with a full membership.
We host OpenVAS, Nmap and other Vulnerability Scanners.
Trusted tools. Hosted for easy access.