
WPScan, WPSeku Vulnerability Scanners


TorontoBoy

6:39 pm on Jul 21, 2017 (gmt 0)


I'm just learning to use these two vulnerability scanners. WPScan [wpscan.org] is Ruby-based and WPSeku [github.com] is python-based. They will scan a WP install for vulnerabilities in core, plugins, themes. WPScan will also provide a list of usernames for the site. Both vul scanners have options to brute force break into the site, using a password list of your choice. I've not tested this as I have no need. This info can then be used with Metasploit [metasploit.com] to possibly find a server vulnerability.

WPScan is from Sucuri and is not open source. It uses the WP Vulnerability database [wpvulndb.com], again not open source. WPSeku is open source.

Does anyone have any experience with this? While these tools can be used for black hat, they are pretty useful for pen testing, WP hardening and general white hatting.

Pen testing does not mean you need not look at your logs. On the contrary and especially for hack-prone WP, your log will lead you to how you can further protect your site.

keyplyr

12:13 am on Jul 22, 2017 (gmt 0)


Sorry TorontoBoy, no experience with either of those tools, or WP either really :)

But curious about what UAs look like. From your logs, could you post the entire UA string for each one please.

TorontoBoy

12:31 am on Jul 22, 2017 (gmt 0)


It would be interesting to see the UAs from the log. I was doing some pen testing today, so I'll look at tomorrow's log. These tools are pretty common on Kali Linux, a hacker's Linux distribution. Lots of YouTube videos showing how to crack sites and computers.

keyplyr

3:52 am on Jul 22, 2017 (gmt 0)


Great, post them here then we can document them in the Search Engine Spider & User Agent ID Forum [webmasterworld.com]

TorontoBoy

5:12 pm on Jul 22, 2017 (gmt 0)


These tools are available in the Kali Linux distribution, a hacker-specific version of Linux. They are, therefore, pretty common and well used.

Both these can collect usernames used in WordPress. Once they have a list of usernames, they can follow with a brute force attack using a file of common passwords, all available on the internet. If you see WPScan in your log you should monitor it carefully, as someone might want to try to break in.

Both these tools also look for WP core, plugin and theme vulnerabilities. They cross reference these with the Sucuri WP Vulnerability database at [wpvulndb.com...] Once a vulnerability is detected, a hacker can correlate the vulnerability with a database in Metasploit, yet another hacker tool common in Kali, but also available for download.

Metasploit has a vulnerability scanner as well as a database of payloads, and does much more than just WordPress. These payloads are used to break into the web site, PC or server. Once an exploit is successful, a piece of software called meterpreter, within Metasploit, is used to get into the server/computer, where it has options to view files, start a DOS terminal session, start a shell, delete, upload or download files, take a web cam snap (I have not done this yet; I've done most of the rest on test machines), log keystrokes or even turn off the target machine.

WPScan has a UA of "WPScan v2.9.3 (http://wpscan.org)". It does not vary at all. The UA correlates with the version I installed and used.

WPSeku has a more anonymous UA of "Mozilla/5.0", and does not vary.

Both try to break WordPress by attacking the wp-config.php file, or by finding an old copy. Here is the list from WPScan:
GET /subdir/.wp-config.php.swp HTTP/1.1
GET /subdir/%23wp-config.php%23 HTTP/1.1
GET /subdir/wp-config.bak HTTP/1.1
GET /subdir/wp-config.old HTTP/1.1
GET /subdir/wp-config.orig HTTP/1.1
GET /subdir/wp-config.original HTTP/1.1
GET /subdir/wp-config.php_bak HTTP/1.1
GET /subdir/wp-config.php.bak HTTP/1.1
GET /subdir/wp-config.php.old HTTP/1.1
GET /subdir/wp-config.php.orig HTTP/1.1
GET /subdir/wp-config.php.original HTTP/1.1
GET /subdir/wp-config.php.save HTTP/1.1
GET /subdir/wp-config.php.swo HTTP/1.1
GET /subdir/wp-config.php.swp HTTP/1.1
GET /subdir/wp-config.php%7E HTTP/1.1
GET /subdir/wp-config.save HTTP/1.1
GET /subdir/wp-config.txt HTTP/1.1


Here's the list from WPSeku:
GET /wp-config-sample.php HTTP/1.1
GET /wp-config.backup HTTP/1.1
GET /wp-config.bak HTTP/1.1
GET /wp-config.bck HTTP/1.1
GET /wp-config.old HTTP/1.1
GET /wp-config.php~ HTTP/1.1
GET /wp-config.save HTTP/1.1
GET /wp-config.back HTTP/1.1
GET /wp-config.copy HTTP/1.1
GET /wp-config.dat HTTP/1.1
GET /wp-config.db HTTP/1.1
GET /wp-config.tar.gz HTTP/1.1
GET /wp-config.tmp HTTP/1.1
GET /wp-config.txt HTTP/1.1
GET /wp-config.zip HTTP/1.1


Both tools are really entertaining to use for pen testing and hardening WordPress, but the dark side is only a keystroke command away, already built into the tool.
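The two fingerprints given in this post (the fixed WPScan UA and the wp-config backup-name probes, which both tools send) are easy to pick out of an access log. The script below is an added example written for this thread; it is not part of WPScan, WPSeku or anything TorontoBoy posted. It assumes the Apache/nginx "combined" log layout, and the sample lines are constructed (documentation IPs) to mirror the requests listed above. Rather than hard-coding the two lists, it treats any requested file name that contains "wp-config" but is not wp-config.php itself as a probe, which covers both tools' lists, including the URL-encoded %23 and %7E forms, and any other backup suffix a future version might add.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log layout (an assumption; adjust for a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCANNER_UA_PREFIX = "WPScan"   # UA quoted in the thread; prefix-matched so other versions hit too
BARE_UA = "Mozilla/5.0"        # WPSeku's UA per the thread; weak evidence on its own


def is_wp_config_probe(path: str) -> bool:
    """True when the requested file name is any wp-config variant other than
    wp-config.php itself: backups, editor swap files, the sample file, archives.
    Decoding first catches the %23 (#) and %7E (~) forms from the WPScan list."""
    name = unquote(path.split("?", 1)[0].rsplit("/", 1)[-1]).lower()
    return "wp-config" in name and name != "wp-config.php"


def classify(entry: dict) -> list:
    """Tags for one parsed log entry (empty list means nothing of interest)."""
    tags = []
    if entry["ua"].startswith(SCANNER_UA_PREFIX):
        tags.append("scanner-ua")
    if entry["ua"] == BARE_UA:
        tags.append("bare-ua")
    if is_wp_config_probe(entry["path"]):
        tags.append("wp-config-probe")
    return tags


def analyze(lines) -> dict:
    """Return {client_ip: Counter(tag -> hits)} for clients that triggered any tag."""
    report = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                      # unparsable line: skip rather than crash
        entry = m.groupdict()
        for tag in classify(entry):
            report[entry["ip"]][tag] += 1
    return dict(report)


def suspects(report: dict, min_hits: int = 2) -> list:
    """IPs worth a closer look: an explicit scanner UA, or at least min_hits
    tagged events (a single bare-UA hit on its own is not enough)."""
    return sorted(ip for ip, c in report.items()
                  if "scanner-ua" in c or sum(c.values()) >= min_hits)


# Constructed sample log (not real traffic), mirroring the thread's request lists.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2017:14:01:02 +0000] "GET /subdir/wp-config.php.bak HTTP/1.1" 404 209 "-" "WPScan v2.9.3 (http://wpscan.org)"
203.0.113.7 - - [22/Jul/2017:14:01:02 +0000] "GET /subdir/wp-config.php%7E HTTP/1.1" 404 209 "-" "WPScan v2.9.3 (http://wpscan.org)"
203.0.113.7 - - [22/Jul/2017:14:01:03 +0000] "GET /subdir/%23wp-config.php%23 HTTP/1.1" 404 209 "-" "WPScan v2.9.3 (http://wpscan.org)"
198.51.100.9 - - [22/Jul/2017:14:05:10 +0000] "GET /wp-config.tar.gz HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jul/2017:14:05:10 +0000] "GET /wp-config-sample.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Jul/2017:14:07:00 +0000] "GET /subdir/wp-content/uploads/photo.jpg HTTP/1.1" 200 18202 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) ..."
192.0.2.44 - - [22/Jul/2017:14:07:01 +0000] "GET /subdir/wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) ..."
"""

if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    for ip in suspects(rep):
        print(ip, dict(rep[ip]))
```

Run it against a real access log with `analyze(open("access.log"))`. The 404s these probes produce are the useful signal: a burst of distinct wp-config variants from one client in a few seconds is the scanner, whereas a normal visitor never requests those names at all.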

keyplyr

5:53 pm on Jul 22, 2017 (gmt 0)


Thanks Torontoboy, could you post the range as well?


not2easy

6:04 pm on Jul 22, 2017 (gmt 0)


Many of those files would produce a 404 on most sites. The files that do exist, many/most of those are files that should have permissions settings to prevent access. Part of "Hardening WP 101". Do many people save .old, .original, .bak files online?

keyplyr

6:30 pm on Jul 22, 2017 (gmt 0)


@not2easy - I think many WP users just never update from the amount of malicious vulnerability scans I've seen over the years.

TorontoBoy

11:37 pm on Jul 22, 2017 (gmt 0)


Thanks Torontoboy, could you post the range as well?


There is really no range. Anyone in the world with a Linux box can download these packages and run them from the comfort of their homes against any site in the world. The data goes back to the listening Linux box.

You could install WPScan on your laptop and launch a scan from your house. Your house IP will be registered in the site's log.

henry0

6:22 am on Jul 25, 2017 (gmt 0)


It's been a long time since I built any WP, but I am actually doing it again.
How will you harden your WP config?

TorontoBoy

11:40 am on Jul 25, 2017 (gmt 0)


Add this into your htaccess. Also ensure wp-config has strict permissions. I also have moved my wp-config to my root directory, as my WP install is in a subdirectory, but you cannot do this for all WP installs. Here's the Codex [codex.wordpress.org] for WP hardening.

<files wp-config.php>
order allow,deny
deny from all
</files>

The most important security feature I implemented is two-factor authentication (2FA), done from your htaccess. When you try to log in, you get an Apache authentication first with an ID and password challenge. If you cannot get by this then you cannot get to the WordPress login. This is excellent protection against brute force attacks.
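The hardening advice in this post (deny direct access to wp-config.php, keep its permissions strict) and not2easy's question about .old/.bak copies left on the server can be checked mechanically. The audit script below is an added example for this thread, not the WordPress Codex's code and not anything TorontoBoy posted. It walks a document root, reports any leftover wp-config variant (the same names both scanners probe for), flags a wp-config.php readable by "other" or writable by its group, and checks that .htaccess carries a `<files wp-config.php>` block in either the Apache 2.2 form quoted above or the Apache 2.4 `Require all denied` form. The demo builds a constructed, throwaway WP-like tree in a temp directory; the split between 2.2 and 2.4 syntax via `IfModule` is an assumption about the reader's host.

```python
import os
import re
import stat
import tempfile
from urllib.parse import unquote

# The thread's Apache 2.2 block plus the 2.4 equivalent, selected by IfModule so the
# same .htaccess works on either version (assumption: mod_authz_core marks 2.4).
HTACCESS_DENY = """<files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
order allow,deny
deny from all
</IfModule>
</files>
"""

FILES_RE = re.compile(r'<files\s+"?wp-config\.php"?\s*>(.*?)</files>', re.I | re.S)


def is_wp_config_variant(name: str) -> bool:
    """Any wp-config backup/sample/archive name; wp-config.php itself is not a finding."""
    name = unquote(name).lower()
    return "wp-config" in name and name != "wp-config.php"


def htaccess_blocks_wp_config(htaccess_path: str) -> bool:
    """True if .htaccess has a <files wp-config.php> block that denies everyone."""
    if not os.path.isfile(htaccess_path):
        return False
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        m = FILES_RE.search(fh.read())
    if not m:
        return False
    inner = m.group(1).lower()
    return "deny from all" in inner or "require all denied" in inner


def audit(root: str) -> list:
    """Walk a WordPress document root and return sorted (kind, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_wp_config_variant(f):          # wp-config-sample.php ships with core; delete it anyway
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append(("leftover-copy", rel))
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        mode = stat.S_IMODE(os.stat(cfg).st_mode)
        # 0o600 or 0o400 is ideal; 0o640 is the usual relaxation when PHP runs as a
        # group member. Any "other" bit, or group write, is a finding.
        if mode & 0o027:
            findings.append(("loose-permissions",
                             f"wp-config.php is {oct(mode)}, expected 0o600/0o400 (0o640 at most)"))
    if not htaccess_blocks_wp_config(os.path.join(root, ".htaccess")):
        findings.append(("no-htaccess-deny", ".htaccess lacks a <files wp-config.php> deny block"))
    return sorted(findings)


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo(hardened: bool = False) -> list:
    """Build a constructed, minimal WP-like tree in a temp dir and audit it.
    hardened=False reproduces the gaps discussed in the thread; True shows a clean run."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "wp-config.php")
        _write(cfg, "<?php // constructed placeholder, not a real config\n")
        os.chmod(cfg, 0o600 if hardened else 0o644)
        if not hardened:
            _write(os.path.join(root, "wp-config.php.bak"), "<?php\n")
            _write(os.path.join(root, "wp-content", "old", "wp-config.orig"), "")
        _write(os.path.join(root, ".htaccess"), HTACCESS_DENY if hardened else "# nothing here\n")
        return audit(root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
    print("hardened tree:", demo(hardened=True) or "no findings")
```

Point `audit()` at a real install with `audit("/var/www/example")` (path is illustrative). It only reads and reports; removing the leftover copies and tightening the mode are deliberate manual steps, since a stray "backup" is sometimes the only copy of a working config.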

henry0

4:46 pm on Jul 25, 2017 (gmt 0)


Thanks so much.
I suppose I will be able to move my config on my server.
I haven't done that for 3 or 4 years :)

bwnbwn

7:47 pm on Jul 25, 2017 (gmt 0)


The problem with moving the file is that if you have more than one WP install on the server, you can only move one.

incrediBILL

10:01 pm on Jul 25, 2017 (gmt 0)


All you need to do is block them in the .htaccess file and they're gone.

These would never touch my server in the first place for most of my sites, as I only allow things that are, or at least pretend to be, the major browsers.

Writerly

1:50 pm on Jul 26, 2017 (gmt 0)


Thank you for the info and the feedback! I don't have experience with WPScan and I haven't heard about WPSeku. I tried WordPress Security Scan and wploop.com and I was pretty satisfied.

TorontoBoy

2:19 pm on Jul 26, 2017 (gmt 0)


I tried WordPress Security Scan and wploop.com and I was pretty satisfied.

Never heard of WordPress Security Scan, so I looked it up and tried it. It is different in that it does a "Linked Sites" check, basically safety-checking the links that you link to. It would be bad if one of your links to another site was a safety risk. I don't remember seeing this in any of the other vulnerability scanners. Good to know.
Google Safe browse checks have been performed on each of the linked sites. Links with poor reputation could be a threat to users of the site. Hosting and location are also included in the results.

I could not find a tool on wploop.