As of 2021, 39.5% of websites online are powered by WordPress. That's about 64 million-plus websites. When we talk of all websites powered by Content Management Systems (CMS), WordPress powers 60% of these sites; from these figures, it's evident that WordPress is one of the most used CMS in web development. That, however, raises one concern - How secure is your WordPress site?
What is WPScan?
WPScan is a WordPress vulnerability scanner, a penetration testing tool used to scan for vulnerabilities on WordPress-powered websites. It uses the WPScan WordPress Vulnerability Database, which has been around since 2014, to scan for WordPress vulnerabilities, plugin vulnerabilities, and theme vulnerabilities. The Database is updated regularly by security specialists, developers, and the community at large. As of writing this post, the database contains more than 21,000 known WordPress security vulnerabilities.
Web developers are advised to use WPScan to scan their sites for vulnerabilities and implement the right security measures before hackers exploit these security flaws. Additionally, you can use WPScan to reveal existing server issues, such as directory listing that has been left enabled on Apache or NGINX. Other than password brute-forcing, the WPScan tool by itself cannot be used maliciously against a website. However, the information revealed during the scans can be used to develop ways of exploiting the security flaws on the website.
In this tutorial, we will give you a step-by-step guide on how to carry out vulnerability scanning on your site with WPScan. Let's get started.
Pre-requisites
You must have an up-and-running Kali Linux setup to use WPScan.
Step-1: Install WPScan on Kali Linux
If you are running the full version of Kali Linux, WPScan should be installed by default on your system. However, if that's not the case for you, execute the commands below in the Terminal:
$ sudo apt update
$ sudo apt install wpscan
Sample Output:
Step-2: Update Database and Run a Basic WPScan
WPScan is a pretty straightforward tool to work with. Every command starts by invoking the tool, followed by any additional arguments, and ends with the target website's URL. For a basic scan, execute the command below on your Kali Linux terminal.
Note: In this post, we will use http://yourSite.com as the website URL. Always replace this domain with your target website.
$ wpscan --url http://yoursite.com
When you first execute the WPScan command, it will update the Vulnerability database as shown below:
Once the update is complete, WPScan will scan your website for vulnerabilities and security flaws. It will print all the necessary findings from the scan on the Terminal. This information includes:
- Details of the web server powering the site
- Accessibility of XML-RPC (xmlrpc.php)
- Accessibility of wp-cron.php
- WordPress version
- Robots.txt file
- Active theme
- Active plugins
- Discoverable Configuration backups
If you get an error like "Scan Aborted: The target is responding with a 403, this might be due to a WAF," execute the command again using the --random-user-agent argument.
$ wpscan --url http://yoursite.com --random-user-agent
Sample Output:
Step-3: Scan for Vulnerable Themes and Plugins
The basic WPScan scan only gives us information about the website and its themes and plugins. It doesn't tell you what vulnerabilities or security flaws are present in the currently installed versions. To get this information, we will need to use the WPScan Vulnerability Database API. You can get a free API token with 25 daily requests by registering at https://wpscan.com/register. Once you have acquired the API token, you can insert it in your command to get detailed information.
You can also include some additional flags to tell WPScan exactly what you want to scan for on the website. For example, in the command below, we used the -e flag for enumeration together with the vp value, which tells WPScan to scan for vulnerable plugins.
$ wpscan --url http://yourSite.com -e vp --api-token YOUR_TOKEN
Sample Output:
This scan might take a little longer compared to the basic scan we performed previously. In my case, the basic scan took 5 minutes, while this one took around 20 minutes.
To scan your WordPress site for vulnerable themes, replace the vp value in the previous command with vt as shown below:
$ wpscan --url http://yourSite.com -e vt --api-token YOUR_TOKEN
Besides giving you information about vulnerable plugins and themes, WPScan will also output information on the WordPress version and any existing vulnerabilities with that version.
Step-4: Enumerate WordPress Users with WPScan
Once you have scanned for any vulnerable plugins and themes, don't stop there! Proceed to scan for usernames that are discoverable from the outside. This scan enables you to mitigate most of the password attacks used to exploit many WordPress sites.
To enumerate users with WPScan, we will use the command below:
$ wpscan --url http://yourSite.com -e u
Here, the flag value u stands for users.
To discover users on a WordPress site, WPScan combines different techniques, including looking for author names used on various posts and blogs. From the image below, you can see WPScan discovered the different authors on our site.
Knowing which usernames on your website are visible to the outside world enables you to implement measures to mitigate brute-force password attacks. That's because if an attacker already has a hint of what the username is, all they are left with is to brute force the password. One simple trick you can apply is to make the display name that appears publicly on posts and blogs different from your login username.
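The findings from Step-3 and Step-4 are easier to act on when WPScan writes its report as JSON (wpscan --url http://yourSite.com -e vp,vt,u --api-token YOUR_TOKEN --format json --output report.json). The triage script below is an added example, not part of the original post or of WPScan itself: the report layout it reads (core under "version", the active theme under "main_theme", plugins and themes keyed by slug with a "vulnerabilities" list carrying "title" and "fixed_in", users keyed by username) is assumed from WPScan's JSON output, and REPORT is a constructed sample rather than a real scan.

```python
import json

# Constructed sample in the shape of a WPScan JSON report (assumed layout, not a real scan).
REPORT = json.loads("""{
  "target_url": "http://yourSite.com/",
  "version": {"number": "5.8", "vulnerabilities": [
      {"title": "Core flaw (constructed)", "fixed_in": "5.8.3"}]},
  "main_theme": {"slug": "twentytwenty", "version": {"number": "1.5"}, "vulnerabilities": []},
  "plugins": {
    "contact-form-7": {"version": {"number": "5.3.1"},
      "vulnerabilities": [{"title": "Plugin flaw (constructed)", "fixed_in": "5.3.2"}]},
    "akismet": {"version": {"number": "4.2.1"}, "vulnerabilities": []},
    "old-gallery": {"version": null,
      "vulnerabilities": [{"title": "Unfixed flaw (constructed)", "fixed_in": null}]}
  },
  "users": {"admin": {"id": 1}, "alice": {"id": 2}}
}""")


def _components(report):
    """Yield (label, component dict) for core, the active theme, and every listed plugin/theme."""
    yield "wordpress-core", report.get("version") or {}
    if report.get("main_theme"):
        yield "theme:" + report["main_theme"].get("slug", "?"), report["main_theme"]
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            yield f"{kind[:-1]}:{slug}", comp

def findings(report):
    """Flatten every vulnerability into (component, installed version, title, fixed_in)."""
    out = []
    for label, comp in _components(report):
        # core carries its number directly; plugins/themes nest it under "version"
        version = comp.get("number") if label == "wordpress-core" else (comp.get("version") or {}).get("number")
        for v in comp.get("vulnerabilities") or []:
            out.append((label, version, v["title"], v.get("fixed_in")))
    return out

def remediation(report):
    """One action per finding: update when WPScan lists a fixed version, otherwise disable or replace."""
    lines = []
    for label, version, title, fixed in findings(report):
        action = f"update to {fixed}" if fixed else "no fixed version listed, disable or replace"
        lines.append(f"{label} {version or 'unknown'}: {action} ({title})")
    return lines

def exposed_users(report):
    """Usernames WPScan enumerated; give each a public display name that differs from the login."""
    return sorted(report.get("users") or {})
```

Point the script at your own report with json.load(open("report.json")) in place of REPORT; a component whose version WPScan could not detect is reported as "unknown" and should be checked by hand in the WordPress admin.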
Step-5: Bruteforce a WordPress Login Password With WPScan
In the previous section, we learned how you could get the usernames used on a WordPress site. With this information, you can use WPScan to perform a brute-force attack on the login password. To get started, you need a wordlist, which is essentially a list of collected passwords in plain text. You can generate one using a tool like Crunch, download one from the internet, or use an existing wordlist from the /usr/share/wordlists directory on Kali Linux.
NOTE: The command to initiate a password attack on a WordPress site uses the syntax below:
$ wpscan --url http://yourSite.com --passwords path-to-wordlist
Sample Output:
Summary
WordPress is a CMS that contains a great deal of code, plugins, and themes. That creates a large attack surface for hackers to try and exploit. To ensure security, a web developer needs to take all factors into consideration, starting from how the web server is configured to checking whether the plugins and themes have any reported vulnerabilities or security flaws. WPScan is a penetration testing tool that you can use to test for security vulnerabilities and flaws on your WordPress site. You can use these findings to make the right decisions and implement the right security measures.
Very interesting. I have used Quttera, but I suppose the more one can scan, the better.
This can also be installed on Rocky/RHEL as well, although I have not tried it yet. Apparently WPScan requires Ruby to be installed first.