How To Scan WordPress Sites With Wpscan (Tutorial) For Security Vulnerabilities? – POFTUT



WordPress is a very popular Content Management System (CMS). It is used by a diverse range of users, for different purposes and in different areas, which makes the WordPress project very dynamic and rich. The security of WordPress matters because of that user base, and the large number of third-party plugins and themes can open security holes in WordPress sites. In this tutorial we will look at wpscan, a very good tool for scanning WordPress sites in order to list existing vulnerabilities. The command syntax shown here is that of wpscan 2.x; wpscan 3.x renamed several options (for example -u became --url and --wordlist became --passwords), so check wpscan -h on your version.

Install Wpscan

We are using Kali as the operating system and will issue the apt install command (as root, or with sudo) in order to install the wpscan tool.

$ apt install wpscan -y

Wpscan Help

We can list all options provided by wpscan with the -h option.

$ wpscan -h

Run Wpscan Without Option

We will run wpscan with only the target URL, given with the -u option, and no other options. On the first scan wpscan will try to update its vulnerability database before scanning.

$ wpscan -u poftut.com

We can see that wpscan provides information about the site it is scanning. It reports the following:

  • URL of the web site
  • robots.txt file and its location with interesting entries
  • Version information about the WordPress site
  • Server name and version information
  • XML-RPC information and related urls
  • Plugins list and more information like version and url location
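The version information in that list comes from a handful of places where a stock WordPress install leaks its version. The script below is an added example (not part of wpscan or of the original tutorial) showing three of them: the generator meta tag on the front page, the generator element in the RSS feed, and the stock readme.html. The page bodies, the version 5.4.2 and the host example.test are constructed for the demo.

```python
# Added example: fingerprint a WordPress version from three well-known leaks.
# Not wpscan's own code; the sample response bodies below are constructed.
import re
from typing import Dict, Optional

# <meta name="generator" content="WordPress 5.4.2" /> on the front page
META_GENERATOR = re.compile(
    r'<meta\s[^>]*name=["\']generator["\'][^>]*content=["\']WordPress\s+(\d+(?:\.\d+)+)',
    re.I,
)
# <generator>https://wordpress.org/?v=5.4.2</generator> in the RSS feed
FEED_GENERATOR = re.compile(
    r'<generator>\s*https?://wordpress\.org/\?v=(\d+(?:\.\d+)+)\s*</generator>', re.I
)
# "<br /> Version 5.4.2" in the stock readme.html shipped with WordPress
README_VERSION = re.compile(r'<br\s*/?>\s*Version\s+(\d+(?:\.\d+)+)', re.I)


def version_from_html(html: str) -> Optional[str]:
    m = META_GENERATOR.search(html)
    return m.group(1) if m else None


def version_from_feed(xml: str) -> Optional[str]:
    m = FEED_GENERATOR.search(xml)
    return m.group(1) if m else None


def version_from_readme(html: str) -> Optional[str]:
    m = README_VERSION.search(html)
    return m.group(1) if m else None


def fingerprint(pages: Dict[str, str]) -> Dict[str, Optional[str]]:
    """pages maps a request path ("/", "/feed/", "/readme.html") to its body.
    Returns the first version found and which source leaked it; None if none did.
    A missing key stands for a 404 (for example a deleted readme.html)."""
    checks = (
        ("/", version_from_html, "meta generator"),
        ("/feed/", version_from_feed, "rss generator"),
        ("/readme.html", version_from_readme, "readme.html"),
    )
    for path, extractor, source in checks:
        body = pages.get(path)
        if body is None:
            continue
        version = extractor(body)
        if version:
            return {"version": version, "source": source}
    return {"version": None, "source": None}


# Constructed sample responses for a stock site (not captured from any real host).
STOCK_SITE = {
    "/": '<html><head><meta name="generator" content="WordPress 5.4.2" /></head>'
         '<body></body></html>',
    "/feed/": '<rss><channel><generator>https://wordpress.org/?v=5.4.2</generator>'
              '</channel></rss>',
    "/readme.html": '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/'
                    'wordpress-logo.png" /><br /> Version 5.4.2</h1>',
}

# The same site after common hardening: generator tag and feed generator removed,
# readme.html deleted. None of the three sources gives the version any more.
HARDENED_SITE = {
    "/": '<html><head><title>Blog</title></head><body></body></html>',
    "/feed/": '<rss><channel><title>Blog</title></channel></rss>',
}

if __name__ == "__main__":
    print(fingerprint(STOCK_SITE))     # {'version': '5.4.2', 'source': 'meta generator'}
    print(fingerprint(HARDENED_SITE))  # {'version': None, 'source': None}
```

Removing these strings only removes the easy sources: wpscan also fingerprints static files (scripts and stylesheets under wp-includes) against known hashes, so a hardened site still needs to be kept patched rather than merely hidden.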

Update Wpscan Explicitly

After the installation wpscan updates itself automatically. Later on we need to update wpscan explicitly to get new vulnerability data and features. We update it with the --update option.

$ wpscan --update

Enumerate WordPress User IDs

As we know, WordPress has users and each user has a numeric ID. We can use wpscan to enumerate these IDs with the -e option and the argument u[1-200], which enumerates user IDs from 1 to 200. Quote the argument so the shell does not treat the square brackets as a glob pattern (on wpscan 3.x the range is written u1-200 and the target is given with --url).

$ wpscan -e 'u[1-200]' -u poftut.com

As we can see, there are two users, admin and georgi, with IDs 1 and 2.
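How does wpscan get those usernames from numeric IDs? A stock WordPress site answers a request for /?author=N with a redirect to /author/<user_nicename>/ when the ID exists, and on WordPress 4.7 and later the REST endpoint /wp-json/wp/v2/users lists authors who have published posts. The script below is an added example (not wpscan's code) that implements both probes. The fetcher is injected so the demo runs offline against a constructed stand-in for a site with users admin (1) and georgi (2); http_fetch is the live equivalent and the host example.test is hypothetical.

```python
# Added example: enumerate WordPress users via ?author=N redirects and the REST API.
# Not wpscan's code. fake_fetch below is a constructed stand-in for a live site.
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A fetcher returns (status, lower-cased headers, body) and must NOT follow
# redirects: the Location header of the ?author=N redirect is the oracle.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]

AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")


def username_from_location(location: Optional[str]) -> Optional[str]:
    """?author=N redirects to /author/<user_nicename>/ when the ID exists."""
    if not location:
        return None
    m = AUTHOR_SLUG.search(location)
    return m.group(1) if m else None


def enumerate_author_ids(base_url: str, fetch: Fetcher, ids: range) -> Dict[int, str]:
    """Probe ?author=N for each ID; a 301/302 to /author/<slug>/ reveals the user."""
    found: Dict[int, str] = {}
    for uid in ids:
        status, headers, _ = fetch(f"{base_url.rstrip('/')}/?author={uid}")
        if status in (301, 302):
            name = username_from_location(headers.get("location"))
            if name:
                found[uid] = name
    return found


def users_from_rest_api(base_url: str, fetch: Fetcher) -> Dict[int, str]:
    """WordPress >= 4.7 lists authors with published posts at /wp-json/wp/v2/users."""
    status, _, body = fetch(f"{base_url.rstrip('/')}/wp-json/wp/v2/users")
    if status != 200:
        return {}
    try:
        return {int(u["id"]): u["slug"] for u in json.loads(body)}
    except (ValueError, KeyError, TypeError):
        return {}  # endpoint disabled or returning something unexpected


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def http_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Live fetcher for real use; not exercised by the offline demo below."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, ""


# Constructed stand-in for a site with two users, mirroring the tutorial's result.
_FAKE_USERS = {1: "admin", 2: "georgi"}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    m = re.search(r"[?&]author=(\d+)", url)
    if m:
        uid = int(m.group(1))
        if uid in _FAKE_USERS:
            return 301, {"location": f"https://example.test/author/{_FAKE_USERS[uid]}/"}, ""
        return 404, {}, "Not Found"
    if url.endswith("/wp-json/wp/v2/users"):
        return 200, {}, json.dumps([{"id": i, "slug": s} for i, s in _FAKE_USERS.items()])
    return 200, {}, ""


if __name__ == "__main__":
    print(enumerate_author_ids("https://example.test", fake_fetch, range(1, 201)))
    print(users_from_rest_api("https://example.test", fake_fetch))
```

To run it against a real target, pass http_fetch instead of fake_fetch. Note that the 200 probes are easy to spot in an access log, and that sites which disable the author redirect or the users endpoint will return nothing from these two checks even though the users exist.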

Hide Wpscan Banner

As we saw in the previous examples, wpscan prints a large banner every time it runs. This can become annoying, and it is noise when the output is saved to a file. We can hide the banner with the --no-banner option.

$ wpscan --no-banner -u poftut.com

Provide Proxy For Wpscan

In enterprise environments we may need to go through a proxy. Another reason to use one is to hide ourselves from the target by routing the scan through intermediate proxies. We provide the proxy with the --proxy option. The syntax is [protocol://]host:port: the port is required, and if the protocol is omitted HTTP is assumed. HTTP and SOCKS proxies are supported, so a SOCKS proxy must be given with its scheme, for example socks5://. Below we use a SOCKS5 proxy on 192.168.1.10 listening on port 1080 (an assumed port).

$ wpscan --proxy socks5://192.168.1.10:1080 -u poftut.com

Provide Username and Password For Http Basic Authentication

If the site sits behind HTTP Basic authentication, we can supply the username and password with the --basic-auth option as username:password, like below. Keep in mind that credentials given on the command line end up in the shell history and are visible in the process list to other users on the scanning host.

$ wpscan --basic-auth ismail:123456 -u poftut.com

Faster Scan With Multiple Threads

Scan time varies with the options chosen and the size of the WordPress site. We can reduce it with the threads option: wpscan will run several requests concurrently. We provide the thread count with the --threads or -t parameter. More threads also means more load and more noise on the target, and some hosts rate-limit or block aggressive clients, so start modest.

$ wpscan -t 8 -u poftut.com

Without Threads

(screenshot of the scan timing without threads)

With Threads

(screenshot of the scan timing with threads)

Output More With Verbose Option

The output reports on the scan operation: findings, errors and warnings. It can be made more verbose with the --verbose or -v option.

$ wpscan -v --no-banner -u poftut.com

Brute Force For User Login

We can use wpscan to brute-force a login on the WordPress site. We provide the username with --username and the list of passwords with --wordlist. In the example we brute-force the user admin with a wordlist named pass.txt. wpscan sends one login request per password, so this is loud: it fills the web server's access log and will trip login-limiting plugins or a WAF. On wpscan 3.x the options are --usernames (-U) and --passwords (-P).

$ wpscan -u www.example.com --wordlist pass.txt --username admin
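The flip side of the enumeration and brute-force options above is how they look to the site owner. wpscan identifies itself in the User-Agent header as "WPScan v..." unless --user-agent or --random-agent is used, and even with a disguised agent the traffic pattern (a run of ?author=N probes, then many POSTs to wp-login.php or xmlrpc.php from one address) stands out. The detector below is an added example (not part of wpscan or the original tutorial) that runs over constructed access-log lines in the Apache/Nginx combined format; the thresholds, the addresses 203.0.113.7 and 198.51.100.5, and the sample lines are all made up for the demo.

```python
# Added example: spot a wpscan-style run in web server access logs.
# Not wpscan's code; the log lines in sample_log() are constructed.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Apache/Nginx "combined" log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed thresholds; tune them to the site's normal traffic.
AUTHOR_PROBE_THRESHOLD = 5   # distinct ?author=N values from one client
LOGIN_POST_THRESHOLD = 10    # POSTs to wp-login.php or xmlrpc.php from one client


def parse_line(line: str) -> Optional[dict]:
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def detect_wpscan_activity(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {client_ip: [alert, ...]} for clients whose requests look like a wpscan run."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(int)
    xmlrpc_posts = defaultdict(int)
    wpscan_ua = defaultdict(int)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip it rather than crash the detector
        ip, method, path, ua = rec["ip"], rec["method"], rec["path"], rec["ua"]
        m = re.search(r"[?&]author=(\d+)", path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        if method == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip] += 1
        if method == "POST" and path.startswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1
        if "wpscan" in ua.lower():
            wpscan_ua[ip] += 1

    alerts: Dict[str, List[str]] = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_PROBE_THRESHOLD:
            alerts[ip].append(f"author-id enumeration: {len(ids)} distinct ?author= values")
    for ip, n in login_posts.items():
        if n >= LOGIN_POST_THRESHOLD:
            alerts[ip].append(f"wp-login.php brute force: {n} POSTs")
    for ip, n in xmlrpc_posts.items():
        if n >= LOGIN_POST_THRESHOLD:
            alerts[ip].append(f"xmlrpc.php brute force: {n} POSTs")
    for ip, n in wpscan_ua.items():
        alerts[ip].append(f"WPScan user-agent seen on {n} requests")
    return dict(alerts)


def sample_log() -> List[str]:
    """Constructed sample: 203.0.113.7 runs wpscan, 198.51.100.5 is a normal visitor."""
    scanner = "WPScan v2.9.3 (https://wpscan.org)"
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
    lines = []
    for uid in range(1, 9):  # 8 author-id probes
        lines.append(f'203.0.113.7 - - [10/Oct/2020:13:55:{uid:02d} +0000] '
                     f'"GET /?author={uid} HTTP/1.1" 301 0 "-" "{scanner}"')
    for i in range(12):  # 12 login attempts
        lines.append(f'203.0.113.7 - - [10/Oct/2020:13:56:{i:02d} +0000] '
                     f'"POST /wp-login.php HTTP/1.1" 200 3452 "-" "{scanner}"')
    lines.append(f'198.51.100.5 - - [10/Oct/2020:13:57:00 +0000] '
                 f'"GET /?author=1 HTTP/1.1" 301 0 "-" "{browser}"')
    lines.append(f'198.51.100.5 - - [10/Oct/2020:13:57:05 +0000] '
                 f'"POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "{browser}"')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, found in detect_wpscan_activity(sample_log()).items():
        print(ip, found)
```

The user-agent match is the cheapest signal but also the easiest for an attacker to turn off, so the count-based rules are the ones worth keeping in a real detection; the thresholds here are deliberately low for the demo and would be raised, and scoped to a time window, on a busy site.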

Provide Cookie For Authenticated Sessions

Cookies are used to carry an authenticated user session. We can give wpscan an already authenticated session by supplying its cookie with the --cookie option. The string is sent as-is in the Cookie header, so it should be in name=value form; for a WordPress login that is the wordpress_logged_in_<hash>=<value> cookie taken from the browser, where <hash> and <value> stand for the site-specific values.

$ wpscan -u www.example.com --cookie "wordpress_logged_in_<hash>=<value>"

1 thought on “How To Scan WordPress Sites With Wpscan (Tutorial) For Security Vulnerabilities?”

  1. Hi, thanks for this site. But these commands do not work, my friend... I tried, but it does not work. Can you help me?
    I tried with Kali & Ubuntu
