WordPress Security testing using WP-Scan

Do not use the following instructions to exploit others websites / services , Usage of WP-Scan for attacking targets without prior mutual consent is illegal.

WordPress now powers 30 percent of the web, according to data from web technology survey firm W3Techs.

WordPress is important framework and as the aove statistics it is widely used thats why securing a web site based on WordPress framework is something obvious.

What is WP-Scan ?

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

Installation

You can install it via Docker with the following commands :

docker pull wpscanteam/wpscan

Scan WordPress Site

Default Scan

docker run -it –rm wpscanteam/wpscan –url Website URL

screen shot 2019-01-12 at 1.16.09 pm

screen shot 2019-01-12 at 1.18.17 pm

Using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings.

Only Display Vulnerable Plugins

docker run -it –rm wpscanteam/wpscan –url Site URL –enumerate vp

screen shot 2019-01-12 at 1.28.00 pm

screen shot 2019-01-12 at 1.29.27 pm

Enumerate User Name

docker run -it –rm wpscanteam/wpscan –url Site URL –enumerate

screen shot 2019-01-12 at 1.33.51 pm

screen shot 2019-01-12 at 1.34.41 pm

Useful Links

WPScan Vulnerability Database

https://wpvulndb.com/

WPScan on GitHub

https://github.com/wpscanteam/wpscan

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s