Friday, April 12, 2013

Secure WordPress: Part 1 - User Accounts

Update: The countermeasures described in this post also prevent the currently ongoing brute force attacks against the admin user of WordPress sites!

Update 2: MVIS Security Center has been updated and now detects all weak user accounts that are currently exploited in the global brute force attacks. Get version 1.3.2 and check if you are vulnerable.

In this multipart series we will cover typical mistakes that are commonly exploited by hackers to take over or deface WordPress sites, and how to prevent them.

Those of you who have ever taken a look at the WordPress support forum will know how often WordPress users from all over the world ask for help, because they got hacked. A Google search for "WordPress Help I've Been Hacked" yields 1,770,000 results.

The main reason attackers target WordPress sites is that it is one of the most widely used content management systems (CMS). It has even been estimated that roughly 17% of the Internet runs on WordPress. This obviously makes it an attractive target.

The first part of our series focuses on one of the most trivial issues attackers abuse to fully take control of a WordPress site - security issues regarding WordPress user accounts and passwords.

Usernames and Passwords


During the initial WordPress setup the proposed username is "admin", and as you can imagine this username is left unchanged in the majority of active setups. This allows attackers to launch automated brute-force attacks against the password of this known username. If the attacker guesses the correct password they immediately obtain full control over the website.

Even if the username has been changed to something other than admin, there are still ways to easily find out which usernames exist on a specific WordPress site. Whenever a post is published, the username or alias is shown as the author. Clicking on the author opens a link such as http://urlofwordpressite.com/?author=1. This URL shows all posts by the author with the given ID, 1 in this example. Attackers can abuse this functionality to figure out which usernames, and their corresponding IDs, exist on the site. Naturally, lower IDs such as 1 and 2 are likely to have higher privileges (e.g. admin or editor roles) and make a good target for a password brute-force attack. There are even tools available that automate the process of enumerating usernames and IDs from a given WordPress site, such as WPScan (see image below).

WPScan in action

So even if the username is not admin, it is quite possible that attackers still figure out all the usernames, and if the passwords are weak they can easily succeed in taking over the website.
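The two behaviours described above, walking through ?author=N IDs and then hammering the login form, both leave a clear trace in the web server's access log. The following script is an added example (not code from the original post or from MVIS Security Center) that flags a client IP as enumerating authors once it has requested more than a handful of distinct author IDs, and as brute-forcing once it has sent a burst of POST requests to /wp-login.php inside a short time window. The log lines are constructed for the example, the thresholds and window are assumptions to tune for your own site, and the log format assumed is the common Apache/nginx "combined" format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path'), int(m.group('status'))


def burst_within(timestamps, window_seconds, threshold):
    """True if at least `threshold` events fall inside any window of `window_seconds`."""
    timestamps = sorted(timestamps)
    start = 0
    for end in range(len(timestamps)):
        while (timestamps[end] - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def analyze(log_text, window_seconds=300, author_threshold=3, login_threshold=10):
    """Map client IP -> list of findings ('author-enumeration', 'login-brute-force').
    Thresholds and window are assumed starting points, not WordPress defaults."""
    author_ids = defaultdict(set)      # ip -> distinct ?author= values requested
    login_posts = defaultdict(list)    # ip -> timestamps of POST /wp-login.php
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        am = AUTHOR_RE.search(path)
        if am:
            author_ids[ip].add(int(am.group(1)))
        if method == 'POST' and path.split('?')[0] == '/wp-login.php':
            login_posts[ip].append(ts)
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append('author-enumeration')
    for ip, stamps in login_posts.items():
        if burst_within(stamps, window_seconds, login_threshold):
            findings[ip].append('login-brute-force')
    return dict(findings)


def _line(ip, second, method, path, status, ua):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - - [12/Apr/2013:10:{second // 60:02d}:{second % 60:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"')


# Constructed sample, not taken from any real server: 203.0.113.5 walks author IDs
# 1..6 and then posts 12 logins in under a minute; 198.51.100.7 is a normal reader.
SAMPLE_LOG = '\n'.join(
    [_line('203.0.113.5', i, 'GET', f'/?author={i + 1}', 301 if i < 2 else 404, 'scanner')
     for i in range(6)]
    + [_line('203.0.113.5', 10 + i * 4, 'POST', '/wp-login.php', 200, 'scanner')
       for i in range(12)]
    + [_line('198.51.100.7', 70, 'GET', '/?author=1', 301, 'Mozilla/5.0'),
       _line('198.51.100.7', 95, 'POST', '/wp-login.php', 302, 'Mozilla/5.0')]
)

if __name__ == '__main__':
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, ', '.join(hits))
```

Feeding a real access log into analyze() (for example via open(path).read()) lists the client addresses that warrant a closer look; the 301 responses to ?author=1 and ?author=2 are the redirects to the author archive that reveal a valid ID, while 404s mark IDs that do not exist.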

User Roles


Let's talk about user roles in WordPress and identify which one of them should be considered as dangerous and used with caution.

Role                 Permissions                                 Dangerous
Super Administrator  Full rights (Multisite)                     Yes
Administrator        Full rights (Single Site)                   Yes
Editor               Manage all posts, upload files              Yes
Author               Manage and create own posts, upload files   Yes
Contributor          Edit own posts, manage profile              No
Subscriber           Read posts, manage profile                  No
Visitor              Read posts                                  No

Many of the existing roles are considered privileged, and if those accounts are taken over by attackers, they could deface your website and even fully take over the web server (by uploading malicious scripts). Keeping the number of accounts on your WordPress site small, making sure that only a few users hold privileged roles, and requiring secure passwords for them goes a long way in protecting your website. If you want to create a secure password you can for example use this password generator.

Another feature that might put your WordPress site at risk is "enabled user registration", and even more so if the default role that new users obtain after registration has been changed as shown below.
A very insecure example of enabled user registration
This is disabled by default, but if it is configured insecurely like above it would potentially allow anybody to freely register on your site as e.g. an Administrator user and get full access to your site. This would be disastrous for your site.
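The three checks from this section (the default "admin" username, the number of accounts holding a dangerous role from the table above, and open registration with a privileged default role) can be run directly against the rows WordPress keeps in its database. The script below is an added example, not code from the original post or from MVIS Security Center. It assumes the default table prefix, so roles are read from the wp_capabilities key in wp_usermeta, whose value is a PHP-serialized array such as a:1:{s:13:"administrator";b:1;}, and registration settings from the users_can_register and default_role rows in wp_options. The sample rows are constructed; multisite "Super Administrator" status is stored elsewhere and is not covered.

```python
import re

# Roles from the post's table, split by whether a takeover of that role is
# dangerous (can publish or upload files) or not.
DANGEROUS_ROLES = {'administrator', 'editor', 'author'}
SAFE_ROLES = {'contributor', 'subscriber'}

# One entry of a PHP-serialized role array: s:<len>:"<role>";b:<0|1>;
CAP_ENTRY_RE = re.compile(r's:\d+:"([^"]+)";b:([01]);')


def parse_capabilities(serialized):
    """Return the set of role names enabled in a wp_capabilities value,
    e.g. 'a:1:{s:13:"administrator";b:1;}' -> {'administrator'}."""
    return {name for name, flag in CAP_ENTRY_RE.findall(serialized) if flag == '1'}


def audit(users, usermeta, options, caps_key='wp_capabilities'):
    """users: [(ID, user_login)], usermeta: [(user_id, meta_key, meta_value)],
    options: {option_name: option_value}. caps_key follows the table prefix
    (assumed 'wp_'). Returns a list of human-readable findings."""
    findings = []
    roles_by_user = {}
    for user_id, key, value in usermeta:
        if key == caps_key:
            roles_by_user[user_id] = parse_capabilities(value)
    for user_id, login in users:
        roles = roles_by_user.get(user_id, set())
        if login.lower() == 'admin':
            findings.append(f'user #{user_id}: default username "admin" still exists')
        privileged = roles & DANGEROUS_ROLES
        if privileged:
            findings.append(f'user #{user_id} ({login}): privileged role(s): '
                            + ', '.join(sorted(privileged)))
    if options.get('users_can_register') == '1':
        default_role = options.get('default_role', 'subscriber')
        level = 'DANGEROUS' if default_role in DANGEROUS_ROLES else 'low-risk'
        findings.append(f'open registration is enabled; new users become '
                        f'"{default_role}" ({level})')
    return findings


# Constructed sample rows, not taken from any real site. They reproduce the
# insecure setup from the post: an "admin" account, an editor, a subscriber,
# and open registration with "administrator" as the default role.
SAMPLE_USERS = [(1, 'admin'), (2, 'jane'), (3, 'reader')]
SAMPLE_USERMETA = [
    (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
    (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
    (3, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}'),
]
SAMPLE_OPTIONS = {'users_can_register': '1', 'default_role': 'administrator'}

if __name__ == '__main__':
    for finding in audit(SAMPLE_USERS, SAMPLE_USERMETA, SAMPLE_OPTIONS):
        print('-', finding)
```

On a live site the same rows come from SELECT ID, user_login FROM wp_users, SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE meta_key = 'wp_capabilities' and SELECT option_name, option_value FROM wp_options WHERE option_name IN ('users_can_register', 'default_role'); every user listed with a privileged role is one whose password strength matters most.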

Recommendations


In addition to the security improvements already mentioned, there are further countermeasures that can be crucial in protecting your sites from attacks:

Activating HTTPS: When you connect to your admin backend over a public WLAN, e.g. at Starbucks, anybody in the same WLAN could read the username and password you use to log in.
More information on how to enable HTTPS for your WordPress admin interface can be found here.

Securing your Computer: Many times the only reason a WordPress site is hacked is that the computer used to upload files to the site via FTP has been hacked as well. FTP applications such as FileZilla are often used to store the user credentials, and this is abused by automated malware to deface websites. Make sure that your computer is protected with a personal firewall and antivirus software and does not get infected with malware.

Summary 


  1. Ensure that you don't use the admin username.
  2. Ensure that all of the passwords, especially for dangerous user roles, are very strong.
  3. Ensure that user registration is disabled if not absolutely necessary.
  4. Ensure that HTTPS is enabled for the admin interface.
  5. Ensure that your client computer is protected and free from malware.


If you need support with solving these issues, install MVIS Security Center. It identifies problems like these and will provide you with the information needed to solve them.