WordPress is a very popular Content Management System (CMS). It is used by a diverse range of users for different purposes and in different areas, which makes the WordPress project very dynamic and rich. The security of WordPress is important because of its large user base. There are also a lot of different plugins which can create security holes in WordPress sites. In this tutorial we will look at a very good tool to scan WordPress sites in order to list existing vulnerabilities.
WPScan is recommended for auditing your WordPress installation security. By using WPScan you can check if your WordPress setup is vulnerable to certain types of attacks, or if it’s exposing too much information in your core, plugin or theme files. This WordPress security tool also lets you find any weak passwords for all registered users, and even run a brute force attack against it to see which ones can be cracked.
WPScan receives frequent updates from the wpvulndb.com WordPress vulnerability database, which makes it a great software for up-to-date WP security.
What can you do with WPScan?
- Non-intrusive security scans
- WP username enumeration
- Bruteforce attack & weak password cracking
- WordPress plugins vulnerability enumeration
- Schedule WordPress security scans
Are you interested in WordPress security? Check out our blog post on asking exactly that: Is WordPress secure?
Install Wpscan
We are using Kali as the operating system and we will issue the apt install command in order to install the wpscan tool.
$ apt install wpscan -y
We can list all options provided by wpscan with the -h option.
$ wpscan -h
Run Wpscan Without Option
We will run wpscan without providing any option. In the first scan wpscan will try to update its vulnerability database.
$ wpscan -u example.com
We can see that wpscan provides information about the site it is scanning. It will provide information about the following items:
- URL of the web site
- robots.txt file and its location, with interesting entries
- Version information about the WordPress site
- Server name and version information
- XML-RPC information and related URLs
- Plugins list and more information like version and URL location
Update Wpscan Explicitly
After the installation wpscan is updated automatically. In the future we need to update wpscan explicitly to get new vulnerability data and features. We will update with the --update option.
$ wpscan --update
Enumerate WordPress User IDs
As we know, WordPress has users and these users have related IDs. We can use wpscan to enumerate these IDs. We will provide the -e option with u[1-200], which simply enumerates user IDs from 1 to 200.
$ wpscan -e u[1-200] -u example.com
[Screenshot: user enumeration output]
As we can see, there are two users named admin and georgi with IDs 1 and 2.
Hide Wpscan Banner
As we saw in the previous example, wpscan prints a huge banner each time it is used. This may become annoying. We can hide this banner with the --no-banner option.
$ wpscan --no-banner -u example.com
Provide Proxy For Wpscan
In enterprise environments we may need to use a proxy. Another reason to use one is to route the scan through an intermediary host, so that the target sees the proxy's address rather than our own. We will provide the proxy information with the --proxy option. The syntax is [protocol://]host:port, and the protocol part is optional. The example below uses a SOCKS5 proxy on the default SOCKS port 1080.
$ wpscan --proxy socks5://192.168.1.10:1080 -u example.com
Provide Username and Password For Http Basic Authentication
For sites protected by HTTP Basic authentication we can provide the username and password like below. We will use the --basic-auth option with username:password credentials.
$ wpscan --basic-auth jo:123456 -u example.com
Faster Scan With Multiple Threads
Scan time changes according to the provided parameters and the size of the WordPress site. We can lower the scan time by using the multi-thread option: each thread performs a different part of the scan at the same time. We will provide the thread count with the --threads or -t parameter.
$ wpscan -t 8 -u example.com
[Screenshot: scan output without threads]
[Screenshot: scan output with threads]
Output More With Verbose Option
The output provides information about the scan operation: findings, errors and warnings. This output can be made more verbose with the --verbose or -v option.
$ wpscan -v --no-banner -u example.com
Brute Force For User Login
We can use wpscan to brute force logins against the WordPress site. We will provide the username with --username and the list of passwords with --wordlist. In the example we brute force the user admin with a wordlist named pass.txt.
$ wpscan -u www.example.com --wordlist pass.txt --username admin
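As an added example that is not part of the original article, the following POSIX shell script combines the options covered above (--update, --no-banner, -t, -e, --proxy, --basic-auth) into a scheduled audit that keeps a dated log per target. It assumes the same legacy wpscan command-line syntax used throughout this article (-u TARGET); the log directory and the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: run the scans shown above on a
# schedule and keep a dated log per target. Assumes the legacy wpscan syntax used
# in this article (-u TARGET, --update, --no-banner, -t, -e, --proxy, --basic-auth).
set -u

# Where scan logs are written (assumed path; override via the environment).
LOG_DIR="${LOG_DIR:-/var/log/wpscan}"

# Compose the wpscan command line from the options covered above.
# Usage: build_wpscan_cmd TARGET THREADS [PROXY] [USER:PASS]
build_wpscan_cmd() {
    target=$1
    threads=$2
    proxy=${3:-}
    auth=${4:-}
    cmd="wpscan --no-banner -t $threads -e u[1-200] -u $target"
    # Proxy uses the [protocol://]host:port syntax and is passed through as given.
    [ -n "$proxy" ] && cmd="$cmd --proxy $proxy"
    # HTTP Basic credentials in username:password form.
    [ -n "$auth" ] && cmd="$cmd --basic-auth $auth"
    printf '%s\n' "$cmd"
}

# Build a log file name from the target host and today's date.
log_path_for() {
    safe=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
    printf '%s/%s_%s.log\n' "$LOG_DIR" "$safe" "$(date +%Y%m%d)"
}

# Refresh the vulnerability database first, then scan and append to the log.
# Example cron entry (assumed install path) for a weekly Monday 03:00 audit:
#   0 3 * * 1 /usr/local/bin/wp-audit.sh example.com 8
run_scheduled_scan() {
    target=$1
    threads=${2:-4}
    proxy=${3:-}
    auth=${4:-}
    mkdir -p "$LOG_DIR"
    log=$(log_path_for "$target")
    wpscan --no-banner --update >>"$log" 2>&1
    cmd=$(build_wpscan_cmd "$target" "$threads" "$proxy" "$auth")
    set -f                     # keep the shell from globbing u[1-200]
    $cmd >>"$log" 2>&1         # word splitting of $cmd is intended here
}
```

To use it from cron, append `run_scheduled_scan "$@"` as the last line of the script so the arguments on the cron line reach the function.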
Provide Cookie For Authenticated Sessions
Cookies are used for creating an authenticated user session. We can hand an already authenticated session to wpscan by providing its cookie. We will use the --cookie option.
$ wpscan -u www.example.com --cookie 3q4f34seght4g4tgegdf
Hope this article is helpful for you. Thank you.