April 21, 2023 / By Securium Solutions
WordPress is the most popular CMS for building websites, and for good reason: anyone can build a site with it for free, without much technical or coding knowledge. WordPress is generally considered safe if everything is kept updated and certain security measures are in place, such as ensuring sensitive files are not disclosed, enforcing a strong password policy, and defending against brute-force attacks. WPScan is a WordPress vulnerability scanner written in the Ruby programming language. It was first released in June 2011 and has been updated frequently since then. WPScan's primary use is to find vulnerabilities in a WordPress website, not to exploit them. Your website should be scanned from time to time to make sure it is secure.
WPScan can enumerate the WordPress version, the versions of installed themes and plugins, and usernames. It automatically reports known vulnerabilities for the components it identifies, if any are found. It also tests whether sensitive files and backups such as wp-cron.php, xmlrpc.php, configuration backups, and database backups are publicly accessible, and it tests for the use of weak and common passwords.
User enumeration works on every WordPress website that runs with default settings. The techniques used are permalinks (permanent URLs) and references to post authors (users) by their predictable numeric ID (e.g. /?author=1); even if the user has posted nothing, the ID resolves to their username. This username enumeration is useful if password attacks are to be performed.
WPScan includes a built-in database of known vulnerabilities in WordPress core, themes, and plugins. If a vulnerability is found, it provides references to its CVE. No exploits are provided, but they could be found elsewhere. Using the database requires an API token, which can be free or paid. The free plan allows up to 75 requests per day; one API request is consumed for each installed theme or plugin and for the WordPress version. The database is frequently updated with new vulnerabilities.
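Because the /?author=N redirect described above discloses usernames, a site owner can spot enumeration attempts in the web server access log: one client walking through consecutive author IDs stands out from ordinary browsing. The following detection script is an added example, not code from the original post or from WPScan. The log lines are constructed in Apache/nginx "combined" format, the IP addresses are documentation ranges, and the threshold of three distinct IDs is an assumption to tune for your site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache/nginx "combined" format (not from a real server).
# 203.0.113.10 walks /?author=1..5 in quick succession; 198.51.100.7 makes one ordinary request.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Apr/2023:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "ScannerBot/1.0 (constructed)"
203.0.113.10 - - [21/Apr/2023:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "ScannerBot/1.0 (constructed)"
203.0.113.10 - - [21/Apr/2023:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "ScannerBot/1.0 (constructed)"
203.0.113.10 - - [21/Apr/2023:10:00:02 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "ScannerBot/1.0 (constructed)"
203.0.113.10 - - [21/Apr/2023:10:00:03 +0000] "GET /?author=5 HTTP/1.1" 404 0 "-" "ScannerBot/1.0 (constructed)"
198.51.100.7 - - [21/Apr/2023:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [21/Apr/2023:10:05:04 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def author_probes(log_text):
    """Collect, per source IP, the numeric ?author= IDs requested and how many of
    those requests were answered with a 301 (the redirect that discloses a username)."""
    probes = defaultdict(lambda: {"ids": set(), "redirected": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the whole pass
        query = urlsplit(m.group("path")).query
        for value in parse_qs(query).get("author", []):
            if not value.isdigit():
                continue  # only numeric IDs are the enumeration pattern
            entry = probes[m.group("ip")]
            entry["ids"].add(int(value))
            if m.group("status") == "301":
                entry["redirected"] += 1
    return probes


def detect_author_enumeration(log_text, threshold=3):
    """Flag IPs that requested at least `threshold` distinct author IDs. A single
    /?author=1 request is normal browsing; a run of consecutive IDs is enumeration."""
    flagged = {}
    for ip, entry in author_probes(log_text).items():
        if len(entry["ids"]) >= threshold:
            flagged[ip] = {"ids": sorted(entry["ids"]), "redirected": entry["redirected"]}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_author_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed author IDs {info['ids']}, "
              f"{info['redirected']} usernames disclosed via 301 redirects")
```

The 301 count matters more than the probe count: each redirect is an account name that left the server. Blocking or rewriting requests that carry a numeric author query parameter at the web server, so the redirect never happens, removes the disclosure without affecting normal author archive links.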
Commands
Basic scan -> wpscan --url <website>
The vulnerability database can be updated by ->
wpscan --update
API token can be set by ->
--api-token <token>
Setting enumeration scope ->
-e or --enumerate
Requires at least one of the following options:
- vp - vulnerable plugins
- ap - all plugins (takes longer for the scan to complete)
- vt - vulnerable themes
- at - all themes (takes longer for the scan to complete)
- u - users
- cb - config backups
- dbe - database backups
e.g. wpscan --url <website> -e vp,vt --api-token <token>
The number of threads can be set to speed up the scan with the "-t" flag. By default, 5 threads are used. e.g.
wpscan --url <website> -t 15
Password attacks can be performed by using ->
-P <passwords>
-U <usernames> (found during enumeration)
e.g. wpscan --url <website> -U <list> -P <wordlist>
Custom paths for login, plugins, and content can be specified if the default paths are not used ->
--wp-plugins-dir <dir>
--wp-content-dir <dir>
--login-uri <uri>
Cookies, if required, can be provided by using ->
--cookie-string <cookies>
--cookie-jar <file>
Authentication, if required, can be provided by ->
--http-auth <username:password>
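Once a scan has run with the options above, the useful part for the site owner is turning the results into an update list. WPScan can write its report as JSON (with -f json -o <file>), and the script below triages such a report: vulnerabilities with a known fixed version come first, components whose version could not be detected are listed for manual checking, and the enumerated users and remaining API quota are shown. This is an added example, not code from the original post or from the WPScan project. The sample report is constructed and only approximates WPScan's JSON field names (target_url, version, plugins, themes, users, vuln_api); check them against a real report before relying on the script, and the CVE values are placeholders.

```python
import json

# Constructed sample shaped like a WPScan JSON report (`wpscan ... -f json -o report.json`).
# Field names approximate WPScan's schema and are an assumption; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example.test/",
    "version": {
        "number": "6.1",
        "status": "insecure",
        "vulnerabilities": [
            {"title": "WordPress < 6.1.2 - core issue (constructed)",
             "fixed_in": "6.1.2",
             "references": {"cve": ["CVE-0000-00001 (placeholder)"]}},
        ],
    },
    "plugins": {
        "sample-plugin": {
            "slug": "sample-plugin",
            "latest_version": "2.4.0",
            "outdated": True,
            "version": {"number": "2.1.0"},
            "vulnerabilities": [
                {"title": "Sample Plugin < 2.3.0 - plugin issue (constructed)",
                 "fixed_in": "2.3.0",
                 "references": {"cve": ["CVE-0000-00002 (placeholder)"]}},
            ],
        },
        "mystery-plugin": {
            "slug": "mystery-plugin",
            "version": None,          # scanner could not determine the version
            "vulnerabilities": [],
        },
    },
    "themes": {},
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
    "vuln_api": {"plan": "free", "requests_done_during_scan": 3, "requests_remaining": 72},
})


def component_findings(name, comp):
    """Flatten one component's vulnerability entries into finding records."""
    installed = (comp.get("version") or {}).get("number")  # None when undetected
    findings = []
    for vuln in comp.get("vulnerabilities") or []:
        findings.append({
            "component": name,
            "installed": installed,
            "title": vuln.get("title"),
            "fixed_in": vuln.get("fixed_in"),
            "cves": (vuln.get("references") or {}).get("cve", []),
        })
    return findings


def triage(report_json):
    """Turn a WPScan JSON report into an action-ordered summary: findings with a
    known fixed_in version first (an update fixes them), then the rest."""
    report = json.loads(report_json)
    findings = []
    core = report.get("version")
    if core:
        findings += component_findings("wordpress-core", core)
    undetected = []
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            findings += component_findings(f"{kind[:-1]}:{slug}", comp)
            if not comp.get("version"):
                undetected.append(slug)  # no version means no vulnerability match was possible
    findings.sort(key=lambda f: (f["fixed_in"] is None, f["component"]))
    return {
        "target": report.get("target_url"),
        "findings": findings,
        "users": sorted((report.get("users") or {}).keys()),
        "undetected_versions": undetected,
        "api_requests_remaining": (report.get("vuln_api") or {}).get("requests_remaining"),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"Target: {summary['target']}")
    for f in summary["findings"]:
        fix = f"update to {f['fixed_in']}" if f["fixed_in"] else "no fixed version listed"
        print(f"  [{f['component']} {f['installed']}] {f['title']} -> {fix}")
    print(f"Users enumerated: {', '.join(summary['users'])}")
    print(f"Version not detected for: {', '.join(summary['undetected_versions']) or 'none'}")
    print(f"API requests remaining today: {summary['api_requests_remaining']}")
```

Components with an undetected version deserve a manual look rather than being treated as clean: the scanner cannot match a vulnerability to a version it never saw. The remaining-request figure is worth printing because, on the free plan, a scan of a site with many plugins can exhaust the daily quota before every component has been checked.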
Author
Karan
Cyber Security Intern