• Subscribe to the low volume list for updates.

Archives of #wordpress

100K WordPress Powered Sites

Analysis of the 100K Top WordPress Sites provides us with insight into the technology and the security posture of these Internet properties. While WordPress Powered sites number in the millions around the world, the focus here are sites that have significant Internet traffic. Web Servers of the Top WordPress Powered Sites These statistics are based […]
Read More

WordPress Security Testing with Nmap

With the popularity of WordPress as a publishing platform, security testing is an important part of ensuring the installation is secure. Nmap has a couple of NSE scripts specifically for the testing of WordPress installations. Using those scripts as a base I have developed a couple more that expand the capabilities of using Nmap to […]
Read More

WordPress User Enumeration

A common technique to reveal the usernames of a WordPress based site can be undertaken with this simple bash one liner. In many WordPress installations it is possible to enumerate usernames through the author archives, including the admin username (usually ID:1). This is not a new trick and is available in a number of WordPress […]
Read More

Top WordPress sites vulnerable 6 wks after plugin patch released

Background on the Vulnerabilities W3 Total Cache and WP Super Cache two of the WordPress communities most popular plugins were found to have a code execution vulnerability. An exploit that enables code execution is about as bad as it gets. New releases of the plugins were released on the 18th of April. The following caching […]
Read More

There are no WordPress Timthumb Hackers in Mongolia

What is Timthumb? Back in August 2011 a serious vulnerability was found in many popular WordPress themes and Plugins. The code that enabled automatic thumbnail creation when publishing with the WordPress content management system. While not a part of the WordPress core, the code had been reused by many developers including both commercial and free […]
Read More

Woothemes Framework Update Analysis

In this post I examine the fact that only 31% of Wootheme based sites in the top 1 million are running the latest version of the Wootheme Framework. WordPress themes are an important part of the security checklist when maintaining your WordPress installation. A key security maintenance function of any WordPress install is performing regular […]
Read More

WordPress themes in top 1 million websites

WordPress themes have been extracted from our latest analysis of the worlds top 1 million websites (by alexa rank). Digging into the data shows interesting trends in the WordPress content management space, and can also provide insight into security vulnerabilities. Third party wordpress components that include plugins and themes can introduce exploitable security issues. Methodology: […]
Read More

Top 100K Sites WordPress Usage Infographic

WordPress.org have a post up detailing the "state of the word". Around the same time we have been putting a wordpress infographic that highlights some of the findings from our analysis of wordpress usage among the top 100K sites (as rated by Alexa). WordPress Usage in the Top 100K Infographic
Read More

Security Testing WordPress

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment. Simply put brute forcing: Plugins is achieved by testing URL's: http://myexampleblog.cm/wp-content/plugins/$pluginname Usernames can be brute forced with a POST request to the login form (Incorrect username) Passwords can be brute […]
Read More

Malware in WordPress Themes

Found an interesting article over at OttoPress with some in depth analysis of malware discovered in a theme on a less than reputable WordPress theme site. Seems there are some dodgey sites out there that have infected themes, both free ones and ripped off professional themes. Beware and check the reputation of your themes. It […]
Read More
  • 1
  • 2