Protect WordPress Sites from WP Scan

WP Scan is a tool to scan for vulnerable parts on your WordPress website. It checks various kinds of files and directories to make sure you don’t leave the backdoor behind.

WP Scan is capable to:

  1. Scan in general
  2. Guess WordPress login name and password
  3. List all plugins the site is using
  4. List what theme the site is using
  5. Ability to read .htaccess, XML files, …

However, hackers can use it to scan your site, looking for possible backdoors, and use them to attack your site and steal the information. Cam CERT’s tip has written a great advice on what to allow and what not to.

WP Scan does not support Windows operating system. It comes pre-installed on some Linux distributions and is packaged by Homebrew for Mac OS.

Regardless of the operating systems needed, install WP Scan by using Docker.

First, you need Docker to be up and running on your machine. To install Docker, follow this tutorial.

Next, install WP Scan by running the following command:

docker pull wpscanteam/wpscan

Scan any of your sites by running the following command:

docker run -it --rm wpscanteam/wpscan -u https://yourblog.com [options]

You can find the [options] argument on the WP Scan official website.

Here are the things we should add to stop hackers who might use this tool against us.

1. Block from Reading robots.txt File

Hook the following codes to your functions.php:

/** Block Robot Information */
add_action(‘do_robots’, ‘hook_robots’, 1);
function hook_robots() {
// Return 404
status_header(404);
// End script
die();
}

2. Block from Reading readme.txt File

Simply put the following code to your .htaccess file:

RewriteRule ^readme\.html$ – [R=404,L,NC]

3. Block Full Path Disclosure

When a website is badly configured, hackers can pull down all your directory structures from wp-includes/rss-functions.php.

To stop this action, put the following setting to your .htaccess file:

RewriteRule ^wp-includes/rss-functions\.php$ – [R=404,L,NC]

4. Block from Reading wp-config.php File

Put the following settings to your .htaccess file:

RewriteRule ^wp-config\.php\.save$index.php?wp_config_enumeration=1 [L]
RewriteRule ^\.wp-config\.php\.swp$ index.php?wp_config_enumeration=1 [L]
RewriteRule ^wp-config\.php\.swp$ index.php?wp_config_enumeration=1 [L]

Then put the following codes to your functions.php:

/** Detect this requests and temporary block user. */
$transient_name = ‘wce_block_’.$_SERVER[‘REMOTE_ADDR’];
$transient_value = get_transient( $transient_name );

if ( $transient_value !== false ) {
die( ‘BANNED!’ );
}

if ( isset( $_GET[‘wp_config_enumeration’] ) ) {
set_transient( $transient_name, 1, DAY_IN_SECONDS );
die(‘BANNED!’);
}

5. Disable User-Agent

Put the following codes to your functions.php:

/** Detect User Agent */
if ( !empty( $_SERVER[‘HTTP_USER_AGENT’] ) && preg_match(‘/WPScan/i’, $_SERVER[‘HTTP_USER_AGENT’] ) ) {
die( ‘Wrong user agent’ );
}

6. Block from Reading from  XML-RPC Server

Put the following codes into your functions.php:

/** Remove strange XML-RPC server info. */
function add_fake_xmlrpc() {
// We don’t want to display die(‘XML-RPC server accepts POST requests only.’); on $_GET
if ( !empty( $_POST ) ) {
return ‘wp_xmlrpc_server’;
} else {
return ‘fake_xmlrpc’;
}
}

add_filter(‘wp_xmlrpc_server_class’, ‘add_fake_xmlrpc’);

class fake_xmlrpc {
function serve_request() {
// Its fake 😉
die();
}
}

7. Hide Your WordPress Version Information

Append these codes to your functions.php:

/** Remove generator info. */
remove_action(‘wp_head’, ‘wp_generator’);
add_filter(‘the_generator’, ‘remove_generator’);
function remove_generator() {
// Return nothing
return ”;
}

8. Stop Advance Fingerprint

First, add the following setting to your .htaccess file:

RewriteRule ^wp-includes/js/tinymce/wp-tinymce\.js\.gz$ index.php?advanced_fingerprinting=1 [L]

then put the following codes to append to your functions.php

/** Prevent advanced fingerprinting */
if ( isset( $_GET[‘advanced_fingerprinting’] ) ) {
switch ($_GET[‘advanced_fingerprinting’]) {
case ‘1’:
// Unpack file
$file = gzopen( ABSPATH . ’wp-includes/js/tinymce/wp-tinymce.js.gz’, ‘rb’ );
// Add comment
$out = ‘// ‘ . uniqid(true) . ”\n”;
while( !gzeof( $file ) ) {
$out .= gzread( $file, 4096 );
}

// Pack again
header( ‘Content-type: application/x-gzip’ );
echo gzencode($out);
break;
default:
status_header( 404 );
}

die();
}

9. Remove WordPress Version Number

Append these codes to the functions.php:

/** Remove version number from stylesheet. */
add_action( ‘init’, ‘init’ );
function init() {
global $wp_version;
$wp_version = ‘some_strange_number’;
}

10. Disable Plugin Enumeration

Put the following setting to your .htaccess file:

RewriteRule ^(.*)wp-content/plugins/(.*)$ index.php?plugin_enumeration=1 [L]

Then put the following codes to your functions.php:

/** Stop plugin enumeration. */
if (isset($_GET[‘plugin_enumeration’])) {
// Display something random
die(‘‘);
}

11. Block Username Enumeration

Hackers can get your username easily by just appending the ?author=[user_id] to the domain name. To disable the access to the $_GET['author'], simply add the following codes to your functions.php file:

/** Prevent username enumeration. */
if ( ! is_admin() && isset( $_REQUEST[‘author’] ) ) {
status_header(404);
die();
}

After applying the above configurations, when WP Scan scans your website, it will tell you that "The remote website is up, but does not seem to be running WordPress".

Source: CamCERT

 

About Author:

I am a WordPress lover. I make my living by using WordPress.

Leave A Comment

Your email address will not be published. Required fields are marked *