Finding WordPress Vulnerabilities - Using WPScan
When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list of vulnerabilities.
This time we are going to dive into how to use WPScan with the most basic commands.
Open Terminal and change your directory to the wpscan folder we downloaded in the first tutorial:
WPScan commands will always start with ruby wpscan.rb followed by your website URL.
Running the basic command above will perform a quick scan of the website to identify your active theme and basic issues, such as exposed WordPress version numbers. You can also look for specific vulnerabilities by adding arguments to the end of this basic command.
To find out the login names of users on your WordPress website, we will use the argument –enumerate u at the end of the command.
If you have a Website Firewall or a plugin that stops WPScan, you may see an error like this:
It is always best to use a different nickname than the one used to login and some .htaccess solutions also exist for preventing user enumeration.
You can create or gather a wordlist, which is just a text file with passwords on each line. Hackers have huge collections of passwords but you can make a simple text document containing a decent number of top passwords. The file just needs to be placed in your wpscan directory so that the WPScan application can easily use it.
When you have the wordlist file in the WPScan directory, you can add the –wordlist argument along with the name of the wordlist file. You can also specify the number of threads to use at the same time to process the list. Depending on the length of the wordlist, it could take a lot of time or computer resources to complete.
This time we are going to dive into how to use WPScan with the most basic commands.
Updating WP Scan
You should always update WPScan to leverage the latest database before you scan your website for vulnerabilities.Open Terminal and change your directory to the wpscan folder we downloaded in the first tutorial:
cd wpscan
From this directory we can run a command to pull the latest update from Github, and then another command to update the database.git pull
ruby wpscan.rb --update
You will see the WPScan logo and a note that the the database update has completed successfully.Scanning for Vulnerabilities
Next we are going to point the WPScan application at your WordPress website. With a few commands we can check your website for vulnerable themes, plugins, and users. This will let you know if your website has a high risk of becoming infected. From there you can take steps to secure your site by updating or disabling the security problems.WPScan commands will always start with ruby wpscan.rb followed by your website URL.
ruby wpscan.rb --url http://yourwebsite.com
Running the basic command above will perform a quick scan of the website to identify your active theme and basic issues, such as exposed WordPress version numbers. You can also look for specific vulnerabilities by adding arguments to the end of this basic command.
Checking for Vulnerable Plugins
Adding the –enumerate vp argument checks the WordPress website for vulnerable plugins.ruby wpscan.rb --url http://yourwebsite.com --enumerate vp
If vulnerable plugins are found you will see red exclamation icons and references to further information. Any vulnerable plugin should be replaced and removed if you cannot update it to patch the vulnerability.Checking for Vulnerable Themes
Similarly, adding –enumerate vt to the command checks the WordPress website for vulnerable themes.ruby wpscan.rb --url http://yourwebsite.com --enumerate vt
As with plugins, look for red exclamation icons and URLs with more information. Any vulnerable theme should be replaced and removed if you cannot update it to patch the vulnerability.Checking User Enumeration
When hackers know your WordPress usernames it becomes easier for them to perform a successful brute force attack. If attackers gain access to one of your users with sufficient permissions, they can gain control of your WordPress installation.To find out the login names of users on your WordPress website, we will use the argument –enumerate u at the end of the command.
ruby wpscan.rb --url http://yourwebsite.com --enumerate u
Ideally you should not be able to list the login names of your WordPress users.If you have a Website Firewall or a plugin that stops WPScan, you may see an error like this:
It is always best to use a different nickname than the one used to login and some .htaccess solutions also exist for preventing user enumeration.
Password Guessing
Now we are going to try a number of passwords. If you have a list of passwords, WPScan can use the list to try logging in to each user account that it finds. This way you can see if any of your users are practicing poor password habits.You can create or gather a wordlist, which is just a text file with passwords on each line. Hackers have huge collections of passwords but you can make a simple text document containing a decent number of top passwords. The file just needs to be placed in your wpscan directory so that the WPScan application can easily use it.
When you have the wordlist file in the WPScan directory, you can add the –wordlist argument along with the name of the wordlist file. You can also specify the number of threads to use at the same time to process the list. Depending on the length of the wordlist, it could take a lot of time or computer resources to complete.
ruby wpscan.rb --url http://yourwebsite.com --wordlist passwords.txt threads 50