Do not use the following instructions to exploit websites. Usage of WPScan for attacking targets without prior mutual consent is illegal.
WordPress now powers 30 percent of the web, according to data from web technology survey firm W3Techs.
WordPress is an important framework and, as the above statistic shows, it is widely used, which is why securing a website based on WordPress is an obvious priority.
What is WPScan?
WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.
Installation
You can install it via Docker with the following command:
docker pull wpscanteam/wpscan
Scan WordPress Site
Default Scan
docker run -it --rm wpscanteam/wpscan --url Website URL
Using default options is a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings.
Only Display Vulnerable Plugins
docker run -it --rm wpscanteam/wpscan --url Site URL --enumerate vp
Enumerate User Name
docker run -it --rm wpscanteam/wpscan --url Site URL --enumerate