Secure WordPress with WPScan
Updated: Feb 13
WPScan is a popular open-source vulnerability scanner for WordPress websites. It is used by security professionals and website owners to identify security vulnerabilities in their WordPress installations and to implement best practices for securing their sites.
WPScan performs a deep scan of a WordPress site, including the core WordPress software, plugins, and themes, and identifies potential security issues, such as outdated software versions, unpatched vulnerabilities, and weak passwords.
The results of the scan are then presented in a report, which includes recommendations for improving the security of the site.
Note: It is important to use WPScan responsibly and ethically. Only scan WordPress sites for which you have explicit permission, and be mindful of the potential consequences of exploiting vulnerabilities discovered.
Firstly, update the WPScan database
Before scanning a WordPress site, it is important to ensure that the WPScan database is up to date by running the following command:
To perform a basic scan of a WordPress site, simply run the following command, replacing "example.com" with the URL of the site you want to scan:
wpscan --url example.com
Identifying vulnerable themes and plugins
While a basic scan will show you if a theme or plugin version is out of date, it won’t tell you if there are specific vulnerabilities with that particular version.
To get that info, you’ll need to utilize the WPScan Vulnerability Database API from https://wpscan.com/api.
Once registered, insert your unique API token into a scan in order to access this useful information.
You’ll also add some additional flags based on the specific information you want to get. The most important one in this case is --enumerate, followed by either vp or vt, which stand for vulnerable plugins and vulnerable themes respectively.
Here’s the command to search for vulnerable plugins:
wpscan --url yourwebsite.com --enumerate vp --api-token YOUR_TOKEN
To search for vulnerable themes replace the vp with vt:
wpscan --url yourwebsite.com --enumerate vt --api-token YOUR_TOKEN
Scanning without an API token will not produce the important vulnerability data:
wpscan --url http://example.com --enumerate p,t
"No WPScan API Token given, as a result vulnerability data has not been output."
How to check user enumeration
Don’t stop at vulnerable plugins and themes, though. Password attacks pose another big threat to your site’s security, and WordPress itself can hand attackers the usernames they need to mount them.
You can determine which usernames are discoverable from the outside. To run this enumeration scan, use this command:
wpscan --url http://example.com --enumerate u
This will provide a list of usernames, which can then be used in the password attack below.
How to perform the password attack
First, you’ll need to obtain a password list for the brute force attack on your test website.
Once you have the password list, initiate the scan with the following command:
wpscan --url example.com --passwords passwordlist.txt --usernames dave
These are just some of the most commonly used options in WPScan. For a full list of options and their usage, you can run wpscan --help in the command line or head over to https://wpscan.com/
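The enumeration scans above leave you with a report to act on. The script below is an added example (not from the original post or from WPScan itself) that triages a report saved with WPScan's JSON formatter (--format json -o report.json) into known-vulnerable components, merely outdated ones and enumerated usernames; the report key names it reads (plugins, themes, users, version, vulnerabilities, fixed_in, outdated, latest_version) are assumed from that format, and the sample report is constructed.

```python
import json

# Constructed sample report, cut down to the keys this script reads; all values are made up.
SAMPLE_REPORT = json.dumps({
    "target_url": "http://example.com/",
    "version": {"number": "6.1", "vulnerabilities": []},
    "plugins": {
        "old-plugin": {"version": {"number": "1.0.0", "vulnerabilities": [
                           {"title": "Old Plugin < 1.0.1 - Example Issue", "fixed_in": "1.0.1"}]},
                       "outdated": True, "latest_version": "1.2.0"},
        "fine-plugin": {"version": {"number": "3.0.0", "vulnerabilities": []},
                        "outdated": False, "latest_version": "3.0.0"},
    },
    "themes": {"stale-theme": {"version": {"number": "2.0", "vulnerabilities": []},
                               "outdated": True, "latest_version": "2.3"}},
    "users": {"dave": {"id": 1}, "admin": {"id": 2}},
})

def findings(report):
    """Split plugins and themes into known-vulnerable entries and merely outdated ones."""
    vulnerable, outdated = [], []
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            version = comp.get("version") or {}
            entry = {"kind": kind, "slug": slug, "version": version.get("number")}
            vulns = version.get("vulnerabilities") or []
            for vuln in vulns:
                # Known issue with a fix available: patch these first.
                vulnerable.append({**entry, "title": vuln.get("title"),
                                   "fixed_in": vuln.get("fixed_in")})
            if comp.get("outdated") and not vulns:
                outdated.append({**entry, "latest": comp.get("latest_version")})
    return vulnerable, outdated

def enumerated_users(report):
    """Usernames WPScan confirmed from outside: ready-made input for the password attack the post describes."""
    return sorted((report.get("users") or {}).keys())

def triage(text):
    """Parse a WPScan JSON report and return prioritised findings."""
    report = json.loads(text)
    vulnerable, outdated = findings(report)
    core = (report.get("version") or {}).get("vulnerabilities") or []
    return {"target": report.get("target_url"), "core_vulns": len(core),
            "vulnerable": vulnerable, "outdated": outdated,
            "users": enumerated_users(report)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Replace SAMPLE_REPORT with the contents of your own report.json; anything in "vulnerable" is the patch-now list, "outdated" is the update-soon list, and every name under "users" should be checked against your login protections.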
Nessus: Nessus is a commercial vulnerability scanner that can be used to scan WordPress sites. It provides detailed information on vulnerabilities, including the severity and impact of each issue, and provides recommendations for fixing them.
Acunetix: Acunetix is another commercial vulnerability scanner that can be used to scan WordPress sites. It provides a comprehensive report on the security of your site, including details on any vulnerabilities and exploits, and provides recommendations for fixing them.
Sucuri SiteCheck: Sucuri SiteCheck is a free, online tool that can be used to scan WordPress sites for vulnerabilities and exploits. It provides a detailed report on the security of your site and provides recommendations for fixing any issues it finds.
Credit to: https://blog.sucuri.net/
Keep WordPress and all plugins and themes up to date: Updating to the latest version ensures that you have the latest security features and patches.
Use a strong username and password: Choose a unique username that is not easily guessable and use a strong password containing upper and lowercase letters, numbers, and special characters.
Use two-factor authentication: Adding an extra layer of security helps prevent unauthorized access to your site, even if someone manages to obtain your login credentials.
Limit login attempts: Brute force attacks can be prevented by limiting the number of login attempts that can be made in a certain amount of time.
Disable file editing: Disabling file editing from the WordPress dashboard can prevent accidental or malicious changes to your site's code.
Use a security plugin: There are many security plugins available that offer features such as firewalls, malware scanning, and brute-force protection.
Use a reliable web host: Choosing a web host that offers strong security features, such as firewalls and regular backups, can help prevent security breaches.
Regularly backup your site: Regular backups of your site's data, files, and databases can help you quickly recover in case of a security breach or other problem.
Use SSL/TLS certificates: Using SSL/TLS certificates helps protect sensitive information, such as passwords and credit card information, transmitted between your site and your users.
Monitor your site's logs and activities: Regularly monitoring your site's logs and activities can help you detect and respond to security incidents quickly.
These are just a few ways to harden your WordPress site. By implementing these security measures, you can help protect your site and its data from potential security threats.