最近看了infosec 出品的《Protecting WordPress Installations in an IaaS Environment》，决定给裸奔的wordpress做做安全加固。

wordpress是国人搭建个人博客的首选，其地位等同于论坛搭建首选discuz(话说，discuz才报出全局变量绕过导致的命令执行大洞，唉，开源的APP都是不产蜜而产getshell的蜂巢)

wordpress以丰富的插件(插件漏洞)闻名，因此攻击者一般会对wordpress来个指纹识别(除去找暴力破解/社工后台登陆口的快捷方法)。

一、wpscan – WordPress指纹识别及漏洞检查工具

该网站被丧心病狂的GFW封掉了，翻墙吧psiphon搔年，或者使用渗透套装kali(重点不是wpscan，了解攻击才能给出相应防御措施)

a.安装

以ubuntu安装为例

apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential




git clone https://github.com/wpscanteam/wpscan.git




cd wpscan/




gem install bundler && bundle install --without test

b.基本使用

枚举站点信息：用户名、插件、样式等信息

ruby wpscan.rb --url http://www.zjjv.com/ --enumerate

以下是探测结果样本

[+] URL: http://http://www.zjjv.com//
[+] Started: Tue Oct 28 15:46:30 2014
[!] The WordPress 'http://http://www.zjjv.com///readme.html' file exists
[+] XML-RPC Interface available under: http://http://www.zjjv.com///xmlrpc.php
[!] Upload directory has directory listing enabled: http://http://www.zjjv.com///wp-content/uploads/
[+] WordPress version 4.0 identified from meta generator
[+] WordPress theme in use: twentyfourteen - v1.2
[+] Name: twentyfourteen - v1.2
| Location: http://http://www.zjjv.com///wp-content/themes/twentyfourteen/
| Style URL: http://http://www.zjjv.com///wp-content/themes/twentyfourteen/style.css
| Referenced style.css: http://http://www.zjjv.com///wp-content/themes/twentyfourteen/style.css
| Theme Name: Twenty Fourteen
| Theme URI: http://http://www.zjjv.com///themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
| Author: the WordPress team
| Author URI: http://http://www.zjjv.com///
[+] Enumerating installed plugins (only vulnerable ones) ...
Time: 00:00:37 <==============================================> (880 / 880) 100.00% Time: 00:00:37
[+] No plugins found
[+] Enumerating installed themes (only vulnerable ones) ...
Time: 00:00:16 <==============================================> (308 / 308) 100.00% Time: 00:00:16
[+] No themes found
[+] Enumerating timthumb files ...
Time: 00:01:48 <============================================> (2539 / 2539) 100.00% Time: 00:01:48
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
 +----+---------+---------+
 | Id | Login | Name |
 +----+---------+---------+
 | 1 | tanjiti | tanjiti |
 +----+---------+---------+
[+] Finished: Tue Oct 28 15:49:34 2014

察看详细的探测信息

ruby wpscan.rb --url http://www.zjjv.com/ --debug-output --random-agent >debug.log

(注意：wpscan 默认User-Agent为WPScan v2.5.1 (http://http://www.zjjv.com//)，扫描器使用常识之一使用正常变化的ua，避免触发WAF之类的防御部署)

基本察看LOG，我们就可以知道wpscan是如何收集信息

例如检查响应头X-Pingback: http://http://www.zjjv.com///xmlrpc.php 头 (xmlrpc漏洞)

检查xmlrpc.php (xmlrpc漏洞)

检查robots.txt文件 (敏感信息泄露)

检查readme.html文件(敏感信息泄露)

检查/wp-content/debug.log(敏感信息泄露)

检查配置文件(能够明文读取配置文件基本就是挂掉了)，wp-config.php.swo，%23wp-config.php%23，wp-config.orig，wp-config.php_bak，wp-config.original，wp-config.php.orig，wp-config.php.old，.wp-config.php.swp，wp-config.php.save，wp-config.bak，wp-config.txt，wp-config.php~ ，wp-config.save ，wp-config.old，wp-config.php.swp (敏感信息泄露)

识别指纹后，一般会去漏洞信息库中查找可以利用的漏洞，例如MSF

1

内容导航

第 1 页：Wordpress指纹识别及漏洞检查工具 第 2 页：MSF-wordpress漏洞利用 第 3 页：wordpress防护 第 4 页：屏蔽敏感信息访问

原文：如何为WordPress做安全防护?(1) 返回网络安全首页