Tag Archives | wordpress

WordPress Security Testing with Nmap

With WordPress so widely used as a publishing platform, security testing is an important part of keeping an installation secure. Nmap has a couple of NSE scripts specifically for testing WordPress installations. Using those scripts as a base I have developed a couple more that expand the capabilities of using Nmap to […]


WordPress User Enumeration

A common technique to reveal the usernames of a WordPress-based site can be undertaken with this simple bash one-liner. In many WordPress installations it is possible to enumerate usernames through the author archives (the first user is usually ID 1). This is not a new trick and is available in a number of WordPress security testing tools. Here […]
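The author-archive check described above, as an added Python example (not the bash one-liner from the original post): it parses constructed responses standing in for GET /?author=N, taking the nicename from the redirect Location when pretty permalinks send the request to /author/&lt;nicename&gt;/, and otherwise from the author-&lt;nicename&gt; class that WordPress puts on the archive page's body tag. The sample responses, the host blog.example and the usernames are made up for this example.

```python
import re
from typing import Callable, Dict, Optional

# Constructed sample responses standing in for what a WordPress install returns
# for requests to /?author=N. They are made up for this example, not captured
# from a real site. Three cases are covered:
#   ID 1: pretty permalinks on, WordPress 301-redirects to /author/<nicename>/
#   ID 2: no redirect, the archive page carries author-<nicename> in <body class>
#   ID 3: no such user, a 404
SAMPLE_RESPONSES = {
    1: {"status": 301,
        "headers": {"Location": "https://blog.example/author/admin/"},
        "body": ""},
    2: {"status": 200,
        "headers": {},
        "body": '<html><body class="archive author author-editor_jane author-2 logged-out">'
                '<h1>Author: Jane</h1></body></html>'},
    3: {"status": 404,
        "headers": {},
        "body": '<html><body class="error404">Not Found</body></html>'},
}

LOCATION_RE = re.compile(r"/author/([^/?#]+)", re.I)
BODY_CLASS_RE = re.compile(r'<body[^>]*\bclass="([^"]*)"', re.I)


def slug_from_location(location: Optional[str]) -> Optional[str]:
    """Pull the author nicename out of a /author/<nicename>/ redirect target."""
    if not location:
        return None
    m = LOCATION_RE.search(location)
    return m.group(1) if m else None


def slug_from_body(body: str) -> Optional[str]:
    """Pull the author nicename from the body_class() output on an author archive.

    WordPress adds both author-<nicename> and author-<ID>; the purely numeric
    one is the ID, so it is skipped. (A nicename that is itself all digits
    would be missed; that edge case is accepted here.)
    """
    m = BODY_CLASS_RE.search(body)
    if not m:
        return None
    for cls in m.group(1).split():
        if cls.startswith("author-") and not cls[len("author-"):].isdigit():
            return cls[len("author-"):]
    return None


def slug_from_response(resp: Dict) -> Optional[str]:
    """Try the redirect first, then the page body; anything else is a miss."""
    if resp["status"] in (301, 302):
        return slug_from_location(resp["headers"].get("Location"))
    if resp["status"] == 200:
        return slug_from_body(resp["body"])
    return None


def enumerate_authors(fetch: Callable[[int], Dict], max_id: int = 10,
                      stop_after_misses: int = 2) -> Dict[int, str]:
    """Walk author IDs from 1 upward, stopping after consecutive misses.

    Deleted users leave gaps in the ID sequence, so a single miss is not
    treated as the end. `fetch(author_id)` returns a dict with
    status/headers/body; in real use it would issue GET /?author=<id>
    without following redirects.
    """
    found: Dict[int, str] = {}
    misses = 0
    for author_id in range(1, max_id + 1):
        slug = slug_from_response(fetch(author_id))
        if slug:
            found[author_id] = slug
            misses = 0
        else:
            misses += 1
            if misses >= stop_after_misses:
                break
    return found


def sample_fetch(author_id: int) -> Dict:
    """Offline stand-in for an HTTP client, backed by the constructed responses."""
    return SAMPLE_RESPONSES.get(author_id, {"status": 404, "headers": {}, "body": ""})


if __name__ == "__main__":
    for uid, name in enumerate_authors(sample_fetch).items():
        print(f"author ID {uid}: {name}")
```

To run this against a live target, swap sample_fetch for a client that sends GET /?author=N and does not follow redirects, since the nicename is in the Location header of the first response. On the defensive side, the same two signals are what a hardening rule needs to suppress: block or rewrite requests carrying an author= query parameter, and avoid exposing the author archive redirect.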


Top WordPress sites vulnerable 6 wks after plugin patch released

In this brief analysis I look at whether plugin security updates are being applied to the most popular WordPress-based sites. Everyone knows WordPress is an incredibly popular platform not only for traditional blogs but also, increasingly, as a full-blown content management system (CMS). This popularity combined with a makes it a popular target […]


There are no WordPress Timthumb Hackers in Mongolia

What is Timthumb? Back in August 2011 a serious vulnerability was found in Timthumb, code reused by many popular WordPress themes and plugins that enabled automatic thumbnail creation when publishing with the WordPress content management system. While not a part of the WordPress core, the code had been reused by many developers, including both commercial and free […]


100K WordPress Powered Sites

Analysis of the top 100K WordPress sites provides insight into the technology and the security posture of these Internet properties. While WordPress-powered sites number in the millions around the world, the focus here is sites that have significant Internet traffic.

Updated: September 2017

Web Servers of the Top WordPress Powered Sites

These […]


Woothemes Framework Update Analysis

In this post I examine the fact that only 31% of Woothemes-based sites in the top 1 million are running the latest version of the Woothemes Framework. WordPress themes are an important part of the security checklist when maintaining your WordPress installation. On 29th April 2012, an exploit was released for the Woothemes Framework. […]


WordPress themes in top 1 million websites

WordPress themes have been extracted from our latest analysis of the world's top 1 million websites (by Alexa rank). Digging into the data shows interesting trends in the WordPress content management space, and can also provide insight into security vulnerabilities. Third-party WordPress components, including plugins and themes, can introduce exploitable security issues. Top […]
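Extracting theme and plugin slugs from a page, as an added Python example relevant to both the plugin-patching post and the theme survey above (this is not the code behind the author's analysis): it pulls component slugs out of /wp-content/themes/&lt;slug&gt;/ and /wp-content/plugins/&lt;slug&gt;/ asset paths, collects the ?ver= values attached to them, and flags hints that merely echo the core version. The HTML fragment, the host blog.example, the slugs and the version strings in it are constructed for this example.

```python
import re
from typing import Dict, Set
from urllib.parse import parse_qs, urlsplit

# Constructed HTML fragment shaped like a WordPress front page. The host name,
# component slugs and version strings are made up for this example.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 4.8.1" />
<link rel='stylesheet' href='https://blog.example/wp-content/themes/twentyseventeen/style.css?ver=4.8.1' type='text/css' />
<link rel='stylesheet' href='https://blog.example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.9' />
<script src='https://blog.example/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.9'></script>
<script src='https://blog.example/wp-content/plugins/wordpress-seo/js/dist/wp-seo-babel-polyfill-540.min.js?ver=5.4'></script>
<img src="/wp-content/uploads/2017/09/logo.png">
"""

# Component asset paths: /wp-content/{themes|plugins}/<slug>/<rest of path and query>
COMPONENT_RE = re.compile(
    r"/wp-content/(themes|plugins)/([A-Za-z0-9_.-]+)/[^\s'\"<>]*", re.I)
# The generator meta tag, when the theme has not removed it, gives the core version.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([^"\']+)["\']', re.I)


def extract_components(html: str) -> Dict[str, Dict[str, Set[str]]]:
    """Map every theme and plugin slug seen in asset paths to its ?ver= hints.

    Returns {"themes": {slug: {ver, ...}}, "plugins": {slug: {ver, ...}}}.
    A slug with an empty set was referenced without any ?ver= parameter.
    Uploads and other wp-content paths are ignored.
    """
    found: Dict[str, Dict[str, Set[str]]] = {"themes": {}, "plugins": {}}
    for m in COMPONENT_RE.finditer(html):
        kind, slug, url = m.group(1).lower(), m.group(2).lower(), m.group(0)
        versions = found[kind].setdefault(slug, set())
        versions.update(parse_qs(urlsplit(url).query).get("ver", []))
    return found


def wp_version(html: str) -> str:
    """Core version from the generator meta tag, or "" when it is absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1).strip() if m else ""


def version_hints_match_core(html: str) -> Dict[str, bool]:
    """Flag slugs whose only ?ver= value equals the core version.

    Such a hint is almost certainly the enqueue call falling back to the core
    version rather than the component's own release number, so it says
    nothing about whether that theme or plugin is up to date.
    """
    core = wp_version(html)
    out: Dict[str, bool] = {}
    for kind in ("themes", "plugins"):
        for slug, vers in extract_components(html)[kind].items():
            out[slug] = bool(core) and vers == {core}
    return out


if __name__ == "__main__":
    print("core:", wp_version(SAMPLE_HTML))
    for kind, slugs in extract_components(SAMPLE_HTML).items():
        for slug, vers in slugs.items():
            print(f"{kind[:-1]} {slug}: ver hints {sorted(vers)}")
```

The theme stylesheet in the sample carries ver=4.8.1, the same value as the generator tag, which is the usual pattern: a ?ver= parameter is frequently the WordPress core version, not the component's own. Treat it as a hint only, and confirm the installed version against the component's own readme.txt before concluding that a plugin or theme is behind on patches.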


Top 100K Sites WordPress Usage Infographic

WordPress.org have a post up detailing the “State of the Word”. Around the same time we have been putting together a WordPress infographic that highlights some of the findings from our analysis of WordPress usage among the top 100K sites (as rated by Alexa).

WordPress Usage in the Top 100K Infographic


Security Testing WordPress

A couple of WordPress security assessment tools have popped up over the past couple of months, which has to be a good thing with the number of WordPress installations sky-rocketing. First, of course, there is the HackerTarget.com scan: externally facing and coming in at a fairly high level. The system downloads some of your pages, […]


Malware in WordPress Themes

Found an interesting article over at OttoPress with some in-depth analysis of malware discovered in a theme on a less-than-reputable WordPress theme site. Seems there are some dodgy sites out there that have infected themes, both free ones and ripped-off professional themes. Beware and check the reputation of your themes. It […]
