WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes.
Scanning for Vulnerabilities
Scan the whole WordPress blog
wpscan --url wordpress.example.com
WPScan can scan both http and https protocols. If not specified, it will scan http by default.
If you want to save the scanner output results in a file, use the -o/--output option.
wpscan --url http://wordpress.example.com -o scan-test
There are three detection modes in which wpscan can run against a WordPress site; passive, aggressive, mixed(default).
- The
passivemode runs a non-intrusive detection i.e it sents a few requests to the server. It commonly scans the home page for any vulnerability. The passive mode is less likely to be detected by IDS/IPS solutions. - The
aggressivemode on the other hand performs a more intrusive scan as it sents a thousand request to the server. It tries all the possible plugins even if the plugin has no known vulnerabilities linked to it. This may result in an increased load on the target server. - The
mixed(default)mode uses a mixture of both aggressive and passive.
To specify detection mode;
wpscan --url wordpress.example.com -o test --detection-mode aggressive
Check for Vulnerable Plugins
To scan for vulnerable plugins on your WordPress blog, pass the -e/--enumerate [OPTS] option to the wpscan command where [OPTS] can be; vp (vulnerable plugins), ap (all plugins), p (plugins). For example to scan for every plugin which has vulnerabilities linked to it,
wpscan --url wordpress.example.com -e vp
Check for Vulnerable Themes
Just like we used the -e/--enumerate [OPTS] option to check for vulnerable plugins, the same can be done when checking for vulnerable themes with the [OPTS] being any of the following; vt (Vulnerable themes), at (All themes), t (Themes). For example to scan for themes with known vulnerabilities;
wpscan --url wordpress.example.com -e vt
Enumerate WordPress Users
To find out the users that can login to WordPress site, you would pass the -e/--enumerate u option to wpscan where u basically means the user IDs.
wpscan --url wordpress.example.com -e u
Test for Password Strength/Bruteforce Attack against a WordPress User
Once you have enumerated the usernames, you can try to perform a brute-force attack again them as shown below. This process may be a bit slower depending on the number of passwords specified in the password file (-P, --passwords FILE-PATH) and number of threads (-t, --max-threads VALUE) you are using. For example to brute-force an admin,
wpscan --url wordpress.example.com -P password-file.txt -U admin -t 50
To test for password strength for multiple users, you would use the same command above this time round without the specific username specified.
wpscan --url wordpress.example.com -P password-file.txt -t 50
Run WordPress scan in undetectable mode
To run wpscan in a stealthy mode which basically means (--random-user-agent --detection-mode passive --plugins-version-detection passive), specify the --stealthy option.
wpscan --url wordpress.example.com --stealthy