
WPScan is described as a “black box” WordPress vulnerability checker and is free to use. It took me a couple of hours fiddling around, so I thought I’d help you get this installed by showing you some of the problems and providing the files and sources I used to get it working.

WPScan is a command line utility, so you will need to know a little bit about the command prompt environment and the PATH variable. It isn’t hugely tricky to use, just don’t expect a fancy user interface. You’ll be telling the executable what to run and how to run via the command prompt.

  • Ruby (up-to-date)

You must have the latest version of Ruby installed. To install Ruby you need to open the terminal and enter:

sudo apt install ruby

To update Ruby (and all other installed packages) type:

sudo apt update && sudo apt upgrade

Things to know before you start

  • Do not use WPScan on sites that are not your property

We do not recommend trying to “hack” a website. By doing so you may have serious legal problems.

  • WPScan is a utility to discover security flaws (vulnerabilities) so that you can repair them

  • Always update WPScan before scanning a WordPress site

Installing WPScan

Installing WPScan is easier than you think. Type in the terminal:

sudo apt install wpscan

Scanning for Vulnerabilities

Next, we are going to point the WPScan application at your WordPress website. With a few commands, we can check your website for vulnerable themes, plugins, and users. This will let you know if your website has a high risk of becoming infected. From there you can take steps to secure your site by updating, disabling or removing the affected components.

WPScan commands will always start with “sudo wpscan” followed by your website URL.

sudo wpscan --url [https wordpress url]

Running the basic command above will perform a quick scan of the website to identify your active theme and basic issues, such as exposed WordPress version numbers. You can also look for specific vulnerabilities by adding arguments to the end of this basic command.

Here is the log.

[+] URL: https://wikicat.net/
[+] Started: Sat Oct 26 23:26:03 2019

Interesting Finding(s):

[+] https://wikicat.net/
| Interesting Entries:
| - x-cf-powered-by: WP Rocket 3.4.0.5
| - x-download-options: noopen
| - x-dns-prefetch-control: on
| - x-ua-compatible: IE=edge,chrome=1
| - content-security-policy: report-to https://jetstudio.report-uri.com/r/d/csp/enforce; upgrade-insecure-requests
| - referrer-policy: strict-origin-when-cross-origin
| - expect-ct: max-age=31536000, report-uri="https://jetstudio.report-uri.com/r/d/ct/reportOnly"
| - report-to: {"url": "https://jetstudio.report-uri.com/a/d/g", "group": "default", "max-age": 31536000, includeSubDomains}
| - feature-policy: accelerometer 'none'; camera 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
| - cf-cache-status: DYNAMIC
| - server: cloudflare
| - cf-ray: 52bf818b0fbacc52-ZRH
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] //wikicat.net/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 30%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://wikicat.net/wp-content/backup-db/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 70%
| Reference: https://github.com/wpscanteam/wpscan/issues/422

[+] This site has 'Must Use Plugins': https://wikicat.net/wp-content/mu-plugins/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 80%
| Reference: http://codex.wordpress.org/Must_Use_Plugins

Fingerprinting the version - Time: 00:03:58 <=======================================> (387 / 387) 100.00% Time: 00:03:58
[i] The WordPress version could not be detected.

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] elementor
| Location: https://wikicat.net/wp-content/plugins/elementor/
| Latest Version: 2.7.4 (up to date)
| Last Updated: 2019-10-06T13:05:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 2.7.4 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - https://wikicat.net/wp-content/plugins/elementor/readme.txt
| Confirmed By: Javascript Comment (Aggressive Detection)
| - https://wikicat.net/wp-content/plugins/elementor/assets/js/admin-feedback.js, Match: 'elementor - v2.7.4'

[+] translatepress-multilingual
| Location: https://wikicat.net/wp-content/plugins/translatepress-multilingual/
| Latest Version: 1.6.1 (up to date)
| Last Updated: 2019-10-22T10:08:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 1.6.1 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - https://wikicat.net/wp-content/plugins/translatepress-multilingual/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://wikicat.net/wp-content/plugins/translatepress-multilingual/readme.txt

[+] wp-rocket
| Location: https://wikicat.net/wp-content/plugins/wp-rocket/
|
| Detected By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 3.4 (60% confidence)
| Detected By: Translation File (Aggressive Detection)
| - https://wikicat.net/wp-content/plugins/wp-rocket/languages/rocket.pot, Match: 'Project-Id-Version: WP Rocket 3.4'

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:13 <===========================================> (21 / 21) 100.00% Time: 00:00:13

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.

[+] Finished: Sat Oct 26 23:31:08 2019
[+] Requests Done: 461
[+] Cached Requests: 5
[+] Data Sent: 209.13 KB
[+] Data Received: 1.905 MB
[+] Memory used: 128.746 MB
[+] Elapsed time: 00:05:05
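As an added example (not from the original article or from WPScan itself), the Ruby script below parses the “Plugin(s) Identified” section of a saved text log in the layout shown above and classifies each plugin as current, outdated, low confidence, or unknown version, so you know what to update or verify by hand. SAMPLE_LOG is a constructed excerpt, and the 80% confidence threshold is an assumption.

```ruby
# Added example, not part of the article or of WPScan: triage the
# "Plugin(s) Identified" section of a saved WPScan text log.
# SAMPLE_LOG is a constructed excerpt in the same layout as a real log;
# "[!] ... the latest version is X" is the line WPScan prints for outdated plugins.
SAMPLE_LOG = <<~LOG
  [i] Plugin(s) Identified:

  [+] elementor
   | Location: https://example.com/wp-content/plugins/elementor/
   | Latest Version: 2.7.4 (up to date)
   | Version: 2.7.4 (100% confidence)

  [+] wp-rocket
   | Version: 3.4 (60% confidence)
   | Detected By: Translation File (Aggressive Detection)

  [+] old-plugin
   | [!] The version is out of date, the latest version is 2.0.0
   | Version: 1.2.3 (100% confidence)

  [+] Enumerating Config Backups (via Passive and Aggressive Methods)
LOG

# Decide what the site owner should do about one parsed plugin entry.
def classify(plugin)
  return :unknown_version if plugin[:version].nil?     # fingerprint failed: check manually
  return :low_confidence  if plugin[:confidence] < 80  # assumed threshold: verify version
  return :outdated if plugin[:latest] && plugin[:latest] != plugin[:version]
  :current
end

# Returns { slug => { latest:, version:, confidence:, status: } } in log order.
def parse_plugins(log)
  plugins, current, in_section = {}, nil, false
  log.each_line do |raw|
    line = raw.strip
    in_section ||= line.start_with?("[i] Plugin(s) Identified")
    next unless in_section
    if (m = line.match(/\A\[\+\] (\S+)\z/))               # "[+] slug" opens a plugin block
      current = plugins[m[1]] = { latest: nil, version: nil, confidence: nil }
    elsif line.start_with?("[+]")                         # next top-level section: stop
      break
    elsif current && (m = line.match(/(?:Latest Version:|latest version is) (\S+)/))
      current[:latest] = m[1]
    elsif current && (m = line.match(/Version: (\S+) \((\d+)% confidence\)/))
      current[:version], current[:confidence] = m[1], m[2].to_i
    end
  end
  plugins.transform_values { |p| p.merge(status: classify(p)) }
end
```

Run it with `ruby -e 'load "triage.rb"; p parse_plugins(SAMPLE_LOG)'` or feed it the output of `wpscan ... | tee scan.log` read with `File.read`.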

Checking for Vulnerable Plugins & User Enumeration

When hackers know your WordPress usernames it becomes easier for them to perform a successful brute force attack. If attackers gain access to one of your users with sufficient permissions, they can gain control of your WordPress installation.

To find out the login names of users on your WordPress website, we will add the argument “--enumerate u” to the end of the command.

sudo wpscan --url [https wordpress url] --enumerate u

If vulnerable plugins are found you will see red exclamation icons and references to further information. Any vulnerable plugin should be replaced and removed if you cannot update it to patch the vulnerability.

WPScan Common Errors

If you have a Website Firewall or a plugin that stops WPScan, you may see an error like this:

The target is responding with a 403, this might be due to a WAF or a plugin.
You should try to supply a valid User-Agent via the --user-agent option or use the --random-agent option

It is always best to use a display name (nickname) that differs from the username used to log in, and some “.htaccess” solutions also exist for preventing user enumeration.

Password Guessing

Now we are going to try a number of passwords. If you have a list of passwords, WPScan can use the list to try logging in to each user account that it finds. This way you can see if any of your users are practicing poor password habits.

You can create or gather a wordlist, which is just a text file with passwords on each line. Hackers have huge collections of passwords but you can make a simple text document containing a decent number of top passwords. The file just needs to be placed in your wpscan directory so that the WPScan application can easily use it.

When you have the wordlist file in the WPScan directory, you can add the --wordlist argument along with the name of the wordlist file. You can also specify the number of threads to use at the same time to process the list. Depending on the length of the wordlist, it could take a lot of time or computer resources to complete.

Video Tutorial

Sucuri have prepared a little video tutorial so you can see how it looks when these commands are run.

How to secure WordPress

Safety is very important. Try our guide: The Ultimate WordPress Security Guide – Guide 2019

Jonathan Terreo
Hi! I'm Jonathan the owner of Wikicat. Currently, I'm learning Visual Basic, WordPress SEO, and Security. Feel free to ask me anything like WordPress tips and so on.