Cara Audit Keamanan WordPress Dengan WPScan • Blog Situstarget
Blog Situstarget » Tips Tekno » Cara Audit Keamanan WordPress Dengan WPScan

Cara Audit Keamanan WordPress Dengan WPScan

Setiap pemilik situs WordPress wajib melakukan audit keamanan WordPress secara berkala.

Tahukah kamu bahwa dari hari ke hari ditemukan sebuah bug baru pada plugin, theme, dan Core WordPress?

Sayangnya sedikit orang yang memperhatikan hal ini, sampai di titik tiba-tiba situsnya di hack oleh orang lain.

Pada artikel kali ini saya ingin berbagi cara melakukan audit keamanan WordPress menggunakan WPScan.

WPScan adalah tools yang bisa kamu gunakan secara gratis, yang bertujuan untuk menemukan kerentanan atau celah keamanan yang mungkin bisa berdampak pada situs web WordPress kamu.

WPScan akan melakukan pemeriksaan pada situs WordPress kamu dengan mengecek pada database kerentanan dan eksploitasi mereka.

Para peretas situs juga melakukan hal yang sama, seperti WPScan.

Ada banyak insgiht yang nantinya bisa kamu jadikan bahan untuk meningkatkan keamanan situs WordPress.

Cara Menggunakan WPScan

Kamu bisa menginstal WPScan pada OS Linux maupun MacOS, dengan memasukkan perintah berikut ini pada terminal.

Jalankan instalasi di Linux dengan bantuan gem.

gem install wpscan

Sedangkan di MacOs, kamu membutuhkan homebrew.

brew install wpscanteam/tap/wpscan

Setelah itu, kamu membutuhkan token API, daftarkan melalui situs wpscan.com.

Buatlah sebuah folder dan file berikut ~/.wpscan/scan.yml, lalu simpen token API dari situs wpscan.com tadi.

cli_options:
  api_token: TOKEN_API_KAMU

Sekarang, kamu bisa melakukan pengecekan pada situs WordPress kamu dengan menjalankan perintah berikut

wpscan --url https://domainkamu.tld/ --enumerate u

Silahkan ubah alamat https://domainkamu.tld/ dengan URL situs WordPress kamu.

Sebagai contoh berikut ini hasil scanning WPScan dari Situstarget.com.

robi@MacBook ~ % wpscan --url https://www.situstarget.com/blog/ --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.15
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://www.situstarget.com/blog/ [172.67.213.101]
[+] Started: Sat Aug 21 17:10:19 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - cf-cache-status: HIT
 |  - expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
 |  - report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=THmNiBlqnyQUvbKrUX7CkVWwfjFw2lQaxK%2FNaUGQvYD2xhsPiZqu5uriSZryBat16CNp9l4NegZ3ijhh4q82YxLMQI4XI1M6Q%2FtghOV3%2Bgh2gC5kqdzMgv9mwUsfZ%2BoIks1ocBmE"}],"group":"cf-nel","max_age":604800}
 |  - nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
 |  - server: cloudflare
 |  - cf-ray: 68231207dc19523f-LAX
 |  - alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] This site seems to be a multisite
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | Reference: http://codex.wordpress.org/Glossary#Multisite

[+] This site has 'Must Use Plugins': https://www.situstarget.com/blog/wp-content/mu-plugins/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 80%
 | Reference: http://codex.wordpress.org/Must_Use_Plugins

[+] The external WP-Cron seems to be enabled: https://www.situstarget.com/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8 identified (Latest, released on 2021-07-20).
 | Found By: Meta Generator (Passive Detection)
 |  - https://www.situstarget.com/blog/, Match: 'WordPress 5.8'
 | Confirmed By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
 |  - https://www.situstarget.com/blog/wp-includes/css/dist/block-library/style.min.css?ver=5.8

[+] WordPress theme in use: blog-situstarget
 | Location: https://www.situstarget.com/blog/wp-content/themes/blog-situstarget/
 | Style URL: https://www.situstarget.com/blog/wp-content/themes/blog-situstarget/style.css?ver=1.0.1
 | Style Name: Blog Situstarget
 | Description: Made by Love...
 | Author: Robi Erwin Setiawan
 | Author URI: https://www.robierwinsetiawan.com
 |
 | Found By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.0.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://www.situstarget.com/blog/wp-content/themes/blog-situstarget/style.css?ver=1.0.1, Match: 'Version: 1.0.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:06 <==> (10 / 10) 100.00% Time: 00:00:06

[i] User(s) Identified:

[+] Robi Erwin Setiawan
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Sat Aug 21 17:11:31 2021
[+] Requests Done: 68
[+] Cached Requests: 11
[+] Data Sent: 18.4 KB
[+] Data Received: 2.387 MB
[+] Memory used: 198.293 MB
[+] Elapsed time: 00:01:12

Dari informasi di atas kamu bisa mengetahui apakah ada plugin, theme, ada Core WordPress yang memiliki celah.

Hasil scan yang berwarna merah menunjukan bahwa terdapat celah keamanan pada situs kamu.

Jika hasilnya berwarna hijau bisa dikatakan kamu sudah melakukan optimasi keamanan WordPress dengan baik.

Bruteforce Menggunakan WPScan

Bruteforce adalah serangan dengan memasukkan username dan password secara paksa dan terus menerus hingga menemukan kombinasi yang tepat dan berhasil login.

Setelah mengetahui username dengan cara di atas, selanjutnya yaitu menargetkan username dan melakukan bruteforce pada situs web WordPress kamu sendiri.

wpscan --url domainkamu.tld -passwords file/path/passwords.txt

Ubah domainkamu.tld menjadi nama situs kamu sendiri, dan file path kamu ubah menjadi wordlist.

Kamu bisa mendapatkan wordlist untuk bruteforce dari situs seperti Github.

Pastikan kamu melakukan hal ini untuk mengaudit keamanan situs sendiri.

Bukan untuk melakukan ilegal hacking pada situs orang lain.

Panduan Menggunakan WPSCan

Selain cara di atas, masih banyak lagi kombinasi dari perintah yang WPScan miliki.

Kamu bisa mengetahuinya dengan menjalankan perintah wpscan –help pada teriminal.

robi@MacBook ~ % wpscan --help
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.15
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Usage: wpscan [options]
        --url URL                                 The URL of the blog to scan
                                                  Allowed Protocols: http, https
                                                  Default Protocol if none provided: http
                                                  This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                                    Display the simple help and exit
        --hh                                      Display the full help and exit
        --version                                 Display the version and exit
    -v, --verbose                                 Verbose mode
        --[no-]banner                             Whether or not to display the banner
                                                  Default: true
    -o, --output FILE                             Output to FILE
    -f, --format FORMAT                           Output results in the format supplied
                                                  Available choices: cli-no-color, json, cli, cli-no-colour
        --detection-mode MODE                     Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --user-agent, --ua VALUE
        --random-user-agent, --rua                Use a random user-agent for each scan
        --http-auth login:password
    -t, --max-threads VALUE                       The max threads to use
                                                  Default: 5
        --throttle MilliSeconds                   Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
        --request-timeout SECONDS                 The request timeout in seconds
                                                  Default: 60
        --connect-timeout SECONDS                 The connection timeout in seconds
                                                  Default: 30
        --disable-tls-checks                      Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
        --proxy protocol://IP:port                Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE                    Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
        --cookie-jar FILE-PATH                    File to read and write cookies
                                                  Default: /tmp/wpscan/cookie_jar.txt
        --force                                   Do not check if the target is running WordPress or returns a 403
        --[no-]update                             Whether or not to update the Database
        --api-token TOKEN                         The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile
        --wp-content-dir DIR                      The wp-content directory if custom or not detected, such as "wp-content"
        --wp-plugins-dir DIR                      The plugins directory if custom or not detected, such as "wp-content/plugins"
    -e, --enumerate [OPTS]                        Enumeration Process
                                                  Available Choices:
                                                   vp   Vulnerable plugins
                                                   ap   All plugins
                                                   p    Popular plugins
                                                   vt   Vulnerable themes
                                                   at   All themes
                                                   t    Popular themes
                                                   tt   Timthumbs
                                                   cb   Config backups
                                                   dbe  Db exports
                                                   u    User IDs range. e.g: u1-5
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-10
                                                   m    Media IDs range. e.g m1-15
                                                        Note: Permalink setting must be set to "Plain" for those to be detected
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-100
                                                  Separator to use between the values: ','
                                                  Default: All Plugins, Config Backups
                                                  Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                                  Incompatible choices (only one of each group/s can be used):
                                                   - vp, ap, p
                                                   - vt, at, t
        --exclude-content-based REGEXP_OR_STRING  Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                                  Both the headers and body are checked. Regexp delimiters are not required.
        --plugins-detection MODE                  Use the supplied mode to enumerate Plugins.
                                                  Default: passive
                                                  Available choices: mixed, passive, aggressive
        --plugins-version-detection MODE          Use the supplied mode to check plugins' versions.
                                                  Default: mixed
                                                  Available choices: mixed, passive, aggressive
    -P, --passwords FILE-PATH                     List of passwords to use during the password attack.
                                                  If no --username/s option supplied, user enumeration will be run.
    -U, --usernames LIST                          List of usernames to use during the password attack.
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --multicall-max-passwords MAX_PWD         Maximum number of passwords to send by request with XMLRPC multicall
                                                  Default: 500
        --password-attack ATTACK                  Force the supplied attack to be used rather than automatically determining one.
                                                  Available choices: wp-login, xmlrpc, xmlrpc-multicall
        --login-uri URI                           The URI of the login page if different from /wp-login.php
        --stealthy                                Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive

[!] To see full list of options use --hh.

Kesimpulan

Setelah mengetahui celah keamanan yang ada pada situs WordPress kita sendiri.

Kamu bisa melakukan optimasi keamanan di situs WordPress dengan cara berikut:

Semoga cara audit keamanan WordPress di atas bisa bermanfaat.

Mohon jangan melakukan ilegal hacking dengan ilmu di atas ya.

Setiap tindakan kita akan diminta pertanggungjawabannya oleh Allah Azza Wa Jalla kelak.

Gabung Bersama +30.000 Pembaca Kami!

Daftarkan email anda untuk mendapatkan artikel terbaru dari Situstarget.com.

Proses pendaftaran hampir selesai, mohon cek email Anda dan Klik tombol konfirmasi.

Pin It on Pinterest

Share This