WPScan : Scan WordPress Site for Vulnerability

WordPress is a very popular Content Management System (CMS). It is used by a diverse range of users for different purposes and in different areas, which makes the WordPress project very dynamic and rich. The security of WordPress is important because of its large user base. There are also a lot of different plugins which can create security holes in WordPress sites. In this tutorial we will look at a very good tool to scan WordPress sites in order to list existing vulnerabilities.

WPScan is recommended for auditing your WordPress installation security. By using WPScan you can check if your WordPress setup is vulnerable to certain types of attacks, or if it’s exposing too much information in your core, plugin or theme files. This WordPress security tool also lets you find any weak passwords for all registered users, and even run a brute force attack against it to see which ones can be cracked.

WPScan receives frequent updates from the wpvulndb.com WordPress vulnerability database, which makes it a great software for up-to-date WP security.

What can you do with WPScan?

  1. Non-intrusive security scans
  2. WP username enumeration
  3. Bruteforce attack & weak password cracking
  4. WordPress plugins vulnerability enumeration
  5. Schedule WordPress security scans

Are you interested in WordPress security? Check out our blog post on asking exactly that: Is WordPress secure?

Install Wpscan

We are using Kali as the operating system and will issue the apt install command in order to install the wpscan tool.

 $ apt install wpscan -y 

We can list all options provided by wpscan with the -h option.

 $ wpscan -h 

Run Wpscan Without Option

We will run wpscan without providing any option other than the target URL. During the first scan wpscan will try to update its vulnerability database.

 $ wpscan -u  example.com 

We can see that wpscan provides information about the site it is scanning. It will report the following items:

  • URL of the web site
  • robots.txt file and its location with interesting entries
  • Version information about the WordPress site
  • Server name and version information
  • XML-RPC information and related urls
  • Plugins list and more information like version and url location

Update Wpscan Explicitly

After the installation wpscan is updated automatically. In the future we will need to update wpscan explicitly to get new vulnerabilities and features. We update with the --update option.

 $ wpscan --update 

Enumerate WordPress User ID’s

As we know, WordPress has users and each user has a related ID. We can use wpscan to enumerate these IDs. We provide the -e option with u[1-200], which simply enumerates user IDs from 1 to 200.

 $ wpscan -e u[1-200] -u  example.com 


As we can see, there are two users named admin and georgi with IDs 1 and 2.
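On the defending side, the ID walk shown above leaves a recognisable trace in the web server access log: one client requesting /?author=1, /?author=2, ... in quick succession. The following script is an added example, not part of the original article or of WPScan; the sample log lines, the threshold of four distinct IDs and the combined log format are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): flag source IPs that walk
# WordPress author IDs (?author=1, ?author=2, ...) the way a user-ID
# enumeration such as "wpscan -e u[1-200]" does.

# Constructed sample access log in combined log format; not real traffic.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:10:00:03 +0000] "GET /?author=5 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:10:00:05 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
)

# enum_suspects <threshold> : read an access log on stdin and print one line
# "<ip> <distinct_author_ids>" for every IP that probed at least <threshold>
# distinct author IDs. Field 7 of the combined format is the request path.
enum_suspects() {
  threshold="$1"
  awk -v th="$threshold" '
    $7 ~ /[?&]author=[0-9]+/ {
      id = $7; sub(/.*[?&]author=/, "", id); sub(/[^0-9].*/, "", id)
      key = $1 SUBSEP id
      if (!(key in seen)) { seen[key] = 1; count[$1]++ }   # count distinct IDs per IP
    }
    END { for (ip in count) if (count[ip] >= th) print ip, count[ip] }'
}

# demo_suspects : run the detector over the constructed sample with threshold 4.
demo_suspects() {
  printf '%s\n' "$SAMPLE_LOG" | enum_suspects 4
}

demo_suspects   # prints "203.0.113.5 5"; the single ?author=1 hit from 198.51.100.7 is not flagged
```

In production, pipe the real access log into enum_suspects and tune the threshold to your site's normal author-archive traffic.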

Hide Wpscan Banner

As we saw in the previous example, wpscan prints a huge banner each time it is used. This may become annoying. We can hide this banner with the --no-banner option.

 $ wpscan --no-banner -u  example.com 

Provide Proxy For Wpscan

In enterprise environments we may need to use a proxy. Another reason to use an intermediary is to conceal ourselves from the target. We will provide proxy information with the --proxy option. The syntax is [protocol://]host:port, and the protocol part is optional.

 $ wpscan --proxy sock:192.168.1.10 -u  example.com 

Provide Username and Password For Http Basic Authentication

If the site is protected by HTTP Basic authentication, we can provide the username and password as shown below. We will use the --basic-auth option with username:password credentials.

 $ wpscan --basic-auth jo:123456 -u  example.com 

Faster Scan With Multiple Threads

Scan time may change according to the provided parameters and the size of the WordPress site. We can lower the scan time by using the multi-thread option: different threads run different checks against the WordPress site at the same time. We will provide the thread count with the --threads or -t parameter.

 $ wpscan -t 8 -u  example.com 


Output More With Verbose Option

The output provides information about the scan operation. We can get information about findings, errors and warnings from the output. This output can be made more verbose with the --verbose or -v option.

 $ wpscan -v --no-banner -u  example.com 
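The options covered so far (--update, --no-banner, -t, --proxy, -v) are usually combined into one wrapper so that non-intrusive scans can run on a schedule from cron and their output can be compared over time. The script below is an added example, not code from the article or from the WPScan project; the log directory, the SCAN_URL / WPSCAN_PROXY / WPSCAN_LOG_DIR environment variables and the proxy syntax check (which follows the [protocol://]host:port form stated above) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build and run a scheduled
# wpscan run from the options covered in the article. Paths and environment
# variable names are assumptions for this demo.

# proxy_ok <value> : accept only the "[protocol://]host:port" shape the
# --proxy option expects; a bare host with no port is rejected.
proxy_ok() {
  printf '%s' "$1" | grep -Eq '^([a-z0-9]+://)?[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# build_scan_cmd <url> <threads> [proxy] : print the command line to run.
build_scan_cmd() {
  url="$1"; threads="$2"; proxy="$3"
  cmd="wpscan --no-banner -v -t $threads -u $url"
  if [ -n "$proxy" ]; then
    proxy_ok "$proxy" || { echo "bad proxy syntax: $proxy" >&2; return 1; }
    cmd="$cmd --proxy $proxy"
  fi
  printf '%s\n' "$cmd"
}

# run_scheduled_scan <url> : refresh the vulnerability database first, then
# scan and keep a dated copy of the output so consecutive runs can be diffed.
run_scheduled_scan() {
  url="$1"
  logdir="${WPSCAN_LOG_DIR:-/var/log/wpscan}"   # assumed log location
  mkdir -p "$logdir"
  cmd=$(build_scan_cmd "$url" 8 "${WPSCAN_PROXY:-}") || return 1
  wpscan --update --no-banner >/dev/null 2>&1    # pull new vulnerability entries
  $cmd > "$logdir/$(date +%Y%m%d-%H%M%S).log" 2>&1
}

# Only start a real scan when wpscan is installed and a target is configured,
# e.g. from a cron entry that exports SCAN_URL.
if command -v wpscan >/dev/null 2>&1 && [ -n "${SCAN_URL:-}" ]; then
  run_scheduled_scan "$SCAN_URL"
fi
```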

Brute Force For User Login

We can use wpscan to brute force logins against the WordPress site. We provide the username with --username and the list of passwords with --wordlist. In the example we brute force the user admin with a wordlist named pass.txt.

 $ wpscan -u www.example.com --wordlist pass.txt --username admin 

Provide Cookie For Authenticated Sessions

Cookies are used for creating authenticated user sessions. We can provide an already authenticated session to wpscan by passing its cookie. We will use the --cookie option.

 $ wpscan -u www.example.com --cookie 3q4f34seght4g4tgegdf 

Hope this article is helpful for you. Thank you.