WordPress is the most popular open-source CMS (Content Management System), with a huge number of plugins and themes that make it fun to use. But those same plugins and themes can open security holes in a site, because many of them are poorly coded. In this tutorial we discuss how to scan a WordPress site for vulnerabilities and how to fix what the scan finds.
The vulnerability scanner we will use in this tutorial is WPScan, which is free to download and install. You can also use Kali Linux, which ships with this tool and many more. If you don’t have Kali, get it from the Kali Linux website.
So Let’s Get To It :-
WPScan works by fingerprinting the themes and plugins installed on a given website and matching them against its database of known vulnerable plugins and themes. If a match is found it prints reference links (CVE entries, SecurityFocus advisories and similar) where you can read more about the vulnerability. Because the check is a remote, black-box one, it can only report components whose version it manages to detect and that its database already lists.
Scan A Website :-
wpscan --url "http://example.com"
This command checks the given site and reports general information about the WordPress installation: the detected WordPress version, the active theme, the plugins it can identify, and interesting findings such as exposed readme files or directory listings.
Scan Installed Plugins For Vulnerability :-
wpscan --url "http://example.com" --enumerate vp
With this option WPScan enumerates the installed plugins, matches them against its database and, for every vulnerable plugin it finds, lists the vulnerability together with CVE (Common Vulnerabilities and Exposures) and other reference links. The value vp stands for vulnerable plugins; ap enumerates all plugins instead, at the cost of many more requests.
Scan Installed Themes For Vulnerability :-
wpscan --url "http://example.com" --enumerate vt
Like the previous command, but for themes: vt restricts the output to themes with known vulnerabilities (t would list every detected theme, vulnerable or not) and shows the related CVE reference links.
Scan The Name Of WordPress Users :-
wpscan --url "http://example.com" --enumerate u
This option enumerates the usernames of accounts on the site, found through disclosures such as author archive pages. Those are exactly the login names an attacker would try against the WordPress login (wp-login.php), so any that turn up are the first accounts whose passwords need to be strong.
Testing All At Once :-
wpscan --url "http://example.com" --enumerate u,vp,vt
If you like, you can test all three things at once with this command.
Bruteforcing a Weak WordPress Password :-
This post is about scanning for vulnerabilities, so password brute-forcing does not strictly belong here, but since it is part of WPScan it deserves a mention. A weak password is no less harmful than a vulnerable theme or plugin; in fact it is often more harmful. Only run it against sites you own or are authorised to test.
wpscan --url "http://website.com" --wordlist passwords.txt --username helge
For this command to work you also need to provide the path to a wordlist (a file with candidate passwords, one per line). You can find a number of them spread across the internet, but I would recommend this one. Note that WPScan version 3 renamed these two options to --passwords and --usernames.
Securing The Site :-
When the scan is done, secure the site: update every reported plugin and theme to a version that fixes the issue (the reference links tell you which version that is), and remove any for which no fixed version exists or that is no longer maintained. Remove unused plugins and themes as well, because inactive ones remain on disk and their files can still be reached.
Note :- Do not rely on WPScan alone. It only knows the vulnerabilities in its database, so it will not notify you of 0-day (zero-day) exploits, and it will miss recently published issues if the database is stale; run it with the --update option so the database is current before each scan.
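The decision just described (update where a fixed version exists, remove where none does, and audit the password of every enumerated user) can be scripted from the scanner's output. The following is an added example, not code from the original post or from the WPScan project. It assumes a report produced by WPScan 3 with its JSON output (for instance `wpscan --url http://example.com --enumerate u,vp,vt --format json -o report.json`) and the field layout shown in the constructed sample embedded below (plugins and themes keyed by slug, each carrying version, latest_version, outdated and a vulnerabilities list with fixed_in). The slugs, versions and vulnerability titles in the sample are made up; compare the layout with a real report before relying on it.

```python
import json
import sys
from typing import Any, Dict, Optional

# Constructed sample, not real WPScan output. The field names follow the shape this
# example assumes WPScan 3 emits with --format json; slugs, versions and titles are made up.
SAMPLE_REPORT = json.dumps({
    "version": {"number": "5.8.1", "status": "outdated", "vulnerabilities": []},
    "plugins": {
        "form-builder": {  # vulnerable, but every issue has a fixed version -> update
            "version": {"number": "2.0.0"}, "latest_version": "2.1.0", "outdated": True,
            "vulnerabilities": [
                {"title": "Form Builder < 2.0.1 - Unauthenticated File Upload", "fixed_in": "2.0.1"},
                {"title": "Form Builder < 2.0.3 - Reflected XSS", "fixed_in": "2.0.3"}]},
        "abandoned-gallery": {  # vulnerable and no fix was ever released -> remove
            "version": {"number": "1.4"}, "latest_version": None, "outdated": False,
            "vulnerabilities": [
                {"title": "Abandoned Gallery <= 1.4 - Stored XSS", "fixed_in": None}]},
        "mystery-seo": {  # version could not be fingerprinted -> review by hand
            "version": None, "latest_version": "3.2.0", "outdated": False,
            "vulnerabilities": [
                {"title": "Mystery SEO < 3.0.0 - SQL Injection", "fixed_in": "3.0.0"}]},
        "tidy-cache": {  # current and clean -> nothing to do
            "version": {"number": "1.2.3"}, "latest_version": "1.2.3", "outdated": False,
            "vulnerabilities": []}},
    "themes": {
        "old-theme": {  # nothing known, but outdated -> update as hygiene
            "version": {"number": "1.0"}, "latest_version": "1.1", "outdated": True,
            "vulnerabilities": []}},
    "users": {"admin": {"id": 1}, "helge": {"id": 2}},
})


def version_key(version: str) -> tuple:
    """Sort key for dotted versions: '2.0.10' -> (2, 0, 10), so 2.0.10 sorts above 2.0.9."""
    key = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def triage_component(kind: str, slug: str, info: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Decide what to do with one plugin or theme entry; None means nothing to do."""
    vulns = info.get("vulnerabilities") or []
    installed = (info.get("version") or {}).get("number")
    item = {"kind": kind, "slug": slug, "installed": installed,
            "target": info.get("latest_version"), "vulns": [v.get("title", "?") for v in vulns]}
    if not vulns:
        if info.get("outdated"):
            return {**item, "action": "update", "reason": "outdated, no known vulnerability"}
        return None
    if installed is None:
        # Without a fingerprinted version WPScan lists every vulnerability ever recorded
        # for the component, so this is a prompt to check by hand, not a confirmed hit.
        return {**item, "action": "review", "reason": "version unknown; confirm before acting"}
    fixed_in = [v.get("fixed_in") for v in vulns]
    if any(f is None for f in fixed_in):
        return {**item, "action": "remove", "target": None,
                "reason": "a reported vulnerability has no fixed version"}
    # Update to the highest fixed_in so that every reported issue is closed at once.
    target = max(fixed_in, key=version_key)
    return {**item, "action": "update", "target": target,
            "reason": f"{len(vulns)} issue(s), all fixed in {target}"}


def triage(report: Dict[str, Any]) -> Dict[str, Any]:
    """Turn a parsed WPScan JSON report into a worklist grouped by action."""
    work: Dict[str, Any] = {"update": [], "remove": [], "review": []}
    for kind in ("plugins", "themes"):
        for slug, info in (report.get(kind) or {}).items():
            decision = triage_component(kind, slug, info)
            if decision:
                work[decision["action"]].append(decision)
    core = report.get("version") or {}
    if core.get("vulnerabilities") or core.get("status") == "outdated":
        work["update"].append({"kind": "core", "slug": "wordpress", "installed": core.get("number"),
                               "target": None, "action": "update", "vulns": [],
                               "reason": "core outdated or vulnerable"})
    # Every enumerated login name is a brute-force target: audit those passwords.
    work["audit_users"] = sorted((report.get("users") or {}).keys())
    return work


def triage_json(text: str) -> Dict[str, Any]:
    return triage(json.loads(text))


if __name__ == "__main__":
    # Usage: python triage.py report.json   (falls back to the constructed sample)
    work = triage_json(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT)
    for action in ("remove", "update", "review"):
        for i in work[action]:
            print(f"{action.upper():6} {i['kind']}/{i['slug']} {i['installed']} -> {i['target']}: {i['reason']}")
    print("AUDIT  passwords for users:", ", ".join(work["audit_users"]))
```

The "review" bucket exists because WPScan cannot always determine a component's version; when it cannot, it reports every vulnerability on record for that component, and acting on that list without checking the real version installed would either waste effort or, worse, give false confidence after an unnecessary update.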
So don’t waste time; start securing your site. Feedback and suggestions are welcome, feel free to comment.
Enjoy..!!
Nice write-up Aditya. Two of my WordPress sites were infected with malicious code due to old versions of a few plugins, and scanning my sites with WPScan really helped me. I have Ubuntu on my server and I installed WPScan following the instructions at Rosehosting. It is a really useful and helpful tool.
Thanks again!