As part of my on-going interest in WordPress security I wanted to find out for myself what the state of security was like on installations in the wild.
A list of servers running WordPress was acquired from Shodan by searching for a particular HTTP response header and its value. The list contained 10,000 entries, I don’t know for sure, but I assume the list contained servers from around the world and was fairly random.
An Open Source project I have been working on, WPScan, a WordPress security scanner, was used to passively scan 100 of those WordPress installations. This was done partly to test the scanner for any defects and also to gather data about the security of WordPress installations in the wild.
Below are the results:
The readme.html file was present: 85/100
An error_log file was present: 2/100
Was effected by Full Path Disclosure (FPD): 59/100
Were running the latest version (3.2.1): 44/100
The oldest version found running was 2.0.3.
Had the version in the ‘generator’ meta tag: 95/100
The version was detected through ‘advanced’ fingerprinting: 4/100
The version was not detected: 1/100
Timthumb file detected: 10/100
Metasploit integration has been put on hold due to the deprecation of the MSF XML-RPC server and implementation of the new MessagePack RPC. There are plans to possibly integrate other tools such as fimap, sqlmap and others, see issue 56. We hope to release a new version of WPScan before the end of the year. I’d like to thank all of WPScan’s contributors for making this possible.
To contribute or report a bug, you can do so here; http://code.google.com/p/wpscan/issues/list
The latest code base is available from our subversion repository, which should always be stable enough to run and will contain the latest vulnerability data. The following command can be issued to checkout the code; “svn checkout http://wpscan.googlecode.com/svn/trunk/ ./wpscan”