WPScan: WordPress Vulnerability Scanner Guide [5 Steps]



As of 2021, 39.5% of websites online are powered by WordPress, which works out to roughly 64 million sites, and WordPress accounts for about 60% of all sites built on a Content Management System (CMS). It is clearly one of the most widely used CMSes in web development, which raises an obvious question: how secure is your WordPress site?

 

What is WPScan?

WPScan is a WordPress vulnerability scanner: a penetration testing tool that checks WordPress-powered websites for known weaknesses. It uses the WPScan WordPress Vulnerability Database, which has been maintained since 2014, to look up vulnerabilities in WordPress core, plugins, and themes. The database is updated regularly by security specialists, developers, and the wider community, and at the time of writing it contains more than 21,000 known WordPress security vulnerabilities.


Site owners and developers are advised to run WPScan against their own sites and fix what it finds before an attacker exploits the same flaws. WPScan also reveals server-level issues, such as directory listing left enabled on Apache or NGINX, or configuration backups left in the web root. Apart from its password brute-forcing mode, WPScan is a reconnaissance tool: it does not exploit anything itself, but the information it reveals (core version, plugins, themes, usernames) is exactly what an attacker needs to pick an exploit, so treat the scan results as sensitive.

In this tutorial, we give a step-by-step guide to scanning your site for vulnerabilities with WPScan. Let's get started.

 

Pre-requisites

You need a running Kali Linux installation. WPScan itself is a Ruby gem, so it can also be installed on other distributions with gem install wpscan once Ruby and its development headers are present, but this guide assumes Kali.

 

Step-1: Install WPScan on Kali Linux

If you are running the full version of Kali Linux, WPScan should be installed by default. If that's not the case for you, execute the commands below in the terminal:

$ sudo apt update
$ sudo apt install wpscan


 

Step-2: Update Database and Run a Basic WPScan

WPScan is a straightforward tool to work with: every invocation names the target with --url and then adds options describing what to enumerate. For a basic scan, execute the command below on your Kali Linux terminal.

Note:

Throughout this post the target is written as http://yourSite.com. Replace it with the URL of the site you own or are authorized to test.

$ wpscan --url http://yoursite.com

The first time you run WPScan it also updates its local vulnerability database. You can force an update on later runs with --update, or skip it with --no-update.


Once the update is complete, WPScan scans the site and prints its findings on the terminal. A basic scan reports:

  • Interesting findings about the server powering the site (response headers, directory listing, readme.html, and similar)
  • Whether xmlrpc.php (XML-RPC) and wp-cron.php are reachable
  • The WordPress version and how it was detected
  • The contents of robots.txt
  • The active theme and its version
  • Plugins detected passively from the homepage (by default WPScan only fingerprints plugins referenced in the HTML; add -e ap together with --plugins-detection aggressive to probe for all known plugins)
  • Discoverable configuration backups (such as wp-config.php.bak)

If the scan aborts with "Scan Aborted: The target is responding with a 403, this might be due to a WAF", run it again with --random-user-agent (or --stealthy, which also switches detection to passive mode):

$ wpscan --url http://yoursite.com --random-user-agent


 

Step-3: Scan for Vulnerable Themes and Plugins

The basic scan only tells you which themes and plugins are installed and at which version; it does not tell you whether those versions have known vulnerabilities. For that, WPScan needs the WPScan vulnerability database API. You can get a free API token, limited to 25 requests per day, by registering at https://wpscan.com/register. Each plugin, theme and core version that WPScan looks up consumes one request, so a site with many plugins can exhaust the free quota in a single scan. Once you have the token, pass it with --api-token (or store it in the ~/.wpscan/scan.yml config file so it does not end up in your shell history).

You can also pass flags that tell WPScan exactly what to enumerate. In the command below, -e selects enumeration and its argument vp restricts it to vulnerable plugins:

$ wpscan --url http://yourSite.com -e vp --api-token YOUR_TOKEN


This scan might take a little longer compared to the basic scan we performed previously. In my case, the basic scan took 5 minutes, while this one took around 20 minutes.

To scan your WordPress site for vulnerable themes, replace the vp flag in the previous command with vt as shown below:

$ wpscan --url http://yourSite.com -e vt --api-token YOUR_TOKEN

Besides vulnerable plugins and themes, WPScan also reports the WordPress core version and any known vulnerabilities in that version. The choices can be combined in one run with -e vp,vt, and -f json -o report.json writes the whole result as JSON for further processing.
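Reading the terminal output is fine for one site, but for a regular check you want the JSON report triaged automatically. The following is an added example, not code from the WPScan project: it loads a report produced with -f json, lists every vulnerable component with its version and the fixed-in release, flags plugins whose version could not be fingerprinted (WPScan cannot match those against the database, so check them by hand), and returns a non-zero exit code when anything is vulnerable so a scheduled job can fail on it. The SAMPLE_REPORT is constructed for illustration and only follows the general shape of WPScan's JSON output; the exact field names are an assumption, so verify them against a report from your own scan.

```python
"""Triage a WPScan JSON report (wpscan --url ... --api-token ... -f json -o report.json).

Added example, not part of WPScan. SAMPLE_REPORT is constructed and follows
the general shape of WPScan's JSON output (a "version" object for core,
"main_theme", a "plugins" map, each with a "vulnerabilities" list, plus a
"vuln_api" budget block); the field names are an assumption to verify.
"""
import json

SAMPLE_REPORT = json.dumps({
    "target_url": "http://yourSite.com/",
    "version": {
        "number": "6.0",
        "status": "insecure",
        "vulnerabilities": [{
            "title": "WordPress < 6.0.1 - constructed example finding",
            "fixed_in": "6.0.1",
            "references": {"url": ["https://example.invalid/advisory/core-1"]},
        }],
    },
    "main_theme": {
        "slug": "example-theme",
        "version": {"number": "2.4.0"},
        "vulnerabilities": [{
            "title": "Example Theme < 2.5.0 - constructed example finding",
            "fixed_in": "2.5.0",
            "references": {"url": ["https://example.invalid/advisory/theme-1"]},
        }],
    },
    "plugins": {
        "example-gallery": {
            "slug": "example-gallery",
            "version": {"number": "1.2.0"},
            "vulnerabilities": [{
                "title": "Example Gallery < 1.3.0 - constructed example finding",
                "fixed_in": "1.3.0",
                "references": {"url": ["https://example.invalid/advisory/plugin-1"]},
            }],
        },
        "example-forms": {  # version could not be fingerprinted
            "slug": "example-forms",
            "version": None,
            "vulnerabilities": [],
        },
    },
    "vuln_api": {"plan": "free", "requests_done_during_scan": 3, "requests_remaining": 22},
})


def load_report(text):
    return json.loads(text)


def _version_of(obj):
    """Core's "version" object carries its own number; plugins/themes nest it."""
    if "number" in obj:
        return obj["number"]
    v = obj.get("version")
    return v.get("number") if isinstance(v, dict) else None


def vulnerable_components(report):
    """One record per vulnerability across core, the active theme and plugins."""
    theme = report.get("main_theme") or {}
    sources = [("wordpress", report.get("version") or {}),
               ("theme:" + theme.get("slug", "?"), theme)]
    for slug, plugin in (report.get("plugins") or {}).items():
        sources.append(("plugin:" + slug, plugin))
    found = []
    for name, obj in sources:
        for vuln in obj.get("vulnerabilities") or []:
            refs = vuln.get("references") or {}
            found.append({
                "component": name,
                "version": _version_of(obj),
                "title": vuln.get("title"),
                "fixed_in": vuln.get("fixed_in"),
                "references": list(refs.get("url", [])) + list(refs.get("cve", [])),
            })
    return found


def summarize(report):
    findings = vulnerable_components(report)
    unknown = [s for s, p in (report.get("plugins") or {}).items() if _version_of(p) is None]
    api = report.get("vuln_api") or {}
    return {
        "findings": len(findings),
        "components": sorted({f["component"] for f in findings}),
        "version_unknown": sorted(unknown),   # needs manual review
        "api_requests_remaining": api.get("requests_remaining"),
    }


def exit_code(report):
    """1 when anything is vulnerable, so a scheduled job can fail on it."""
    return 1 if vulnerable_components(report) else 0


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    for f in vulnerable_components(rep):
        print(f"{f['component']} {f['version']}: {f['title']} (fixed in {f['fixed_in']})")
    print(summarize(rep))
    raise SystemExit(exit_code(rep))
```

To run it on a real scan, replace SAMPLE_REPORT with the contents of report.json; the api_requests_remaining value tells you whether the free plan still has budget for the next site.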

 

Step-4: Enumerate WordPress Users with WPScan

Once you have checked plugins and themes, don't stop there: enumerate the usernames that are discoverable from outside. Knowing which account names are exposed is the first step to defending against the password attacks used against many WordPress sites.

To enumerate users with WPScan, we will use the command below:

$ wpscan --url http://yourSite.com -e u

Here, the flag u stands for users.

WPScan combines several techniques to discover users: author names displayed on posts, the /?author=N redirect to /author/<slug>/ (probed for IDs 1 to 10 by default; use -e u1-50 for a wider range), the REST API endpoint /wp-json/wp/v2/users, the oEmbed API, and login error messages that distinguish an unknown username from a wrong password. It lists each user it finds together with the methods that confirmed it; on our site it discovered the different post authors.


Knowing which usernames are visible to the outside world lets you mitigate brute-force attacks: if an attacker already knows the username, all that is left is to guess the password. One simple measure is to give each account a public display name (nickname) that differs from its login username, so the name shown on posts is not the name accepted at wp-login.php. Note that the /?author=N redirect and the REST API still expose the user slug, which by default is derived from the login name, so also restrict /wp-json/wp/v2/users for anonymous requests, enforce strong passwords and two-factor authentication, and rate-limit wp-login.php and xmlrpc.php.
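To see why the display-name trick alone is not enough, it helps to look at what each enumeration technique actually returns. The following is an added example, not WPScan's code: it applies three of the techniques described above to captured HTTP responses rather than live requests, so it runs offline. The responses are constructed to mimic a stock WordPress install on the assumed host http://yourSite.com; the /?author=N redirect and the REST API both hand back the user slug, while the post HTML only shows whatever display name links to the author archive. A site that has restricted the REST users endpoint returns an error object instead of a list, and the parser treats that as "no users", which is what you want to see after hardening.

```python
"""How the user-enumeration techniques WPScan relies on leak account names.

Added example (not WPScan's own code). It parses captured responses, so it
runs offline; the responses below are constructed to mimic a stock WordPress
install on the assumed host http://yourSite.com.
"""
import json
import re

# author archive URLs embed the user slug (user_nicename, login-derived by default)
AUTHOR_RE = re.compile(r"/author/([A-Za-z0-9._-]+)/?")


def user_from_author_redirect(status, location):
    """Technique 1: /?author=N redirects to /author/<slug>/ when the ID exists."""
    if status not in (301, 302) or not location:
        return None
    m = AUTHOR_RE.search(location)
    return m.group(1) if m else None


def users_from_rest(body):
    """Technique 2: /wp-json/wp/v2/users lists users with published posts."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):  # e.g. {"code": "rest_user_cannot_view"} once restricted
        return []
    return [(u["id"], u["slug"], u.get("name", "")) for u in data if "slug" in u]


def users_from_html(html):
    """Technique 3: author links on posts expose the same slug."""
    return sorted(set(AUTHOR_RE.findall(html)))


def enumerate_users(author_redirects, rest_body, post_html):
    """Merge the techniques into slug -> set of methods that confirmed it."""
    found = {}

    def add(slug, method):
        found.setdefault(slug, set()).add(method)

    for status, location in author_redirects:
        slug = user_from_author_redirect(status, location)
        if slug:
            add(slug, "author_id_redirect")
    for _id, slug, _name in users_from_rest(rest_body):
        add(slug, "wp_json_api")
    for slug in users_from_html(post_html):
        add(slug, "author_posts")
    return found


# constructed responses, not real traffic: /?author=1, /?author=2, /?author=3
AUTHOR_REDIRECTS = [
    (301, "http://yourSite.com/author/deepak/"),
    (301, "http://yourSite.com/author/editor-jane/"),
    (404, None),  # no user with ID 3
]
REST_BODY = json.dumps([
    {"id": 1, "name": "Deepak Prasad", "slug": "deepak"},
    {"id": 2, "name": "Jane", "slug": "editor-jane"},
])
POST_HTML = '<a href="http://yourSite.com/author/deepak/" rel="author">Deepak Prasad</a>'

if __name__ == "__main__":
    for slug, methods in enumerate_users(AUTHOR_REDIRECTS, REST_BODY, POST_HTML).items():
        print(f"{slug}: confirmed by {', '.join(sorted(methods))}")
```

The same functions double as a hardening check: after restricting the REST users endpoint and blocking the author redirect, feed the new responses in and confirm that enumerate_users comes back empty.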

 

Step-5: Bruteforce a WordPress Login Password With WPScan

In the previous section we saw how to obtain the usernames used on a WordPress site. With that list, WPScan can run a password attack against the login. First you need a wordlist, a plain-text file with one candidate password per line. You can generate one with a tool like Crunch, download one, or use the wordlists shipped with Kali in /usr/share/wordlists (for example rockyou.txt, which must first be decompressed with gunzip).

NOTE:

These wordlists can be very large, and the attack sends one login request per password per user, which loads the web server and fills its logs. On an authorized penetration test, warn the system or web administrator first, and limit the load with --throttle (milliseconds between requests) or -t/--max-threads.

The command to start a password attack has the syntax below. If you omit --usernames, WPScan first enumerates users and attacks every account it finds; pass -U/--usernames with a name, a comma-separated list, or a file to target specific accounts. WPScan chooses the attack method automatically (it prefers xmlrpc.php when that is enabled, otherwise wp-login.php); --password-attack forces a particular one.

$ wpscan --url http://yourSite.com --passwords path-to-wordlist

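The note above says the attack is noisy; the flip side is that it is easy to spot in the web server's access log. The following is an added example, not code from the page or from WPScan: it parses Apache/NGINX "combined" log lines, counts POST requests to wp-login.php and xmlrpc.php per client address inside a sliding time window, and reports clients that exceed a threshold. Counting both endpoints matters because WPScan prefers xmlrpc.php for the password attack when it is enabled. The log lines are constructed, the user agent string is modelled on WPScan's default and is an assumption, and the threshold and window are illustrative values to tune for your own traffic.

```python
"""Spot a WPScan-style password attack in web-server access logs.

Added example, not from the page or from WPScan. SAMPLE_LOG is constructed;
the WPScan user agent string is modelled on the tool's default and is an
assumption. A failed wp-login.php attempt returns 200 (the form again with an
error), a success 302, so status codes are kept for follow-up but not filtered.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
THRESHOLD = 5   # attempts per window before alerting (illustrative)
WINDOW = 60     # seconds


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_login_attempt(rec):
    return rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: (attempts in the busiest window, last user agent)} for offenders."""
    per_ip = defaultdict(list)
    agents = {}
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_attempt(rec):
            per_ip[rec["ip"]].append(rec["ts"])
            agents[rec["ip"]] = rec["ua"]
    alerts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            alerts[ip] = (best, agents[ip])
    return alerts


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


WPSCAN_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"  # assumed default UA
SAMPLE_LOG = (
    # attacker: six wp-login.php posts plus two xmlrpc.php posts within 32 seconds
    [_line("203.0.113.7", f"10/Mar/2021:14:02:{s:02d} +0000", "POST", "/wp-login.php", 200, WPSCAN_UA)
     for s in range(0, 30, 5)]
    + [_line("203.0.113.7", f"10/Mar/2021:14:02:{s:02d} +0000", "POST", "/xmlrpc.php", 200, WPSCAN_UA)
       for s in (31, 32)]
    # legitimate editor: one login, then the dashboard
    + [_line("198.51.100.4", "10/Mar/2021:14:05:10 +0000", "POST", "/wp-login.php", 302, "Mozilla/5.0"),
       _line("198.51.100.4", "10/Mar/2021:14:05:12 +0000", "GET", "/wp-admin/", 200, "Mozilla/5.0")]
    # slow client: six posts spread over 150 seconds, never more than three per minute
    + [_line("192.0.2.9", f"10/Mar/2021:14:{10 + i // 2}:{(i % 2) * 30:02d} +0000", "POST",
             "/wp-login.php", 200, "curl/7.74") for i in range(6)]
)

if __name__ == "__main__":
    for ip, (count, ua) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} login attempts within {WINDOW}s, user agent: {ua}")
```

Pipe a real log through parse_line and detect_bruteforce to get the same alerts; an attacker can change the user agent with --random-user-agent, so alert on the request rate, and treat the WPScan string as a bonus indicator rather than the trigger.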

 

Summary

WordPress is a CMS made up of a great deal of code, plugins, and themes, which creates a large attack surface for attackers to probe. To keep a site secure, a web developer needs to consider all of it, from how the web server is configured to whether the installed plugins and themes have any reported vulnerabilities. WPScan is a penetration testing tool you can use to test your WordPress site for known vulnerabilities and weak configuration, and its findings tell you which security measures to put in place.

 

Further Readings

WPScan Tool
WPScan Plugin to scan WordPress

Deepak Prasad


He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.


1 thought on “WPScan: WordPress Vulnerability Scanner Guide [5 Steps]”

  1. Very interesting. I have used Quttera, but I suppose the more one can scan, the better.

    This can also be installed on Rocky/RHEL as well, although I have not tried it yet. Apparently WPScan requires Ruby to be installed first.

