How To Scan WordPress Sites With Wpscan (Tutorial) For Security Vulnerabilities? – POFTUT

How To Scan WordPress Sites With Wpscan (Tutorial) For Security Vulnerabilities?

WordPress is very popular Content Management System (CMS). It is used by diverse range of users by different purposes and areas. This makes WordPress project very dynamic and rich. The security of the wordpress is important because of the its user base. There are also a lot of different plugins which can create security holes in the wordpress sites. In this tutorial we will look very good tool to scan wordpress sites inorder to list existing vulnerabilities

Install Wpscan

We are using Kali as operating system and we will issue apt install command in order to install wpscan tool.

$ apt install wpscan -y

Wpscan Help

We can list all options provided by wpscan with -h option.

$ wpscan -h
Wpscan Help
Wpscan Help

Run Wpscan Without Option

We will run wpscan without providing any option. In the first scan wpscna will try to update its vulnerability database.

$ wpscan -u
Run Wpscan Without Option
Run Wpscan Without Option

We can see that wpscan provides information about the site it is scanning. It will provide information about the following issues;

  • URL of the web site
  • robots.txt file and its location with interesting entries
  • Version information about the WordPress site
  • Server name and version information
  • XML-RPC information and related urls
  • Plugins list and more information like version and url location

Update Wpscan Explicitly

After the installation wpscan automatically updated. But in the future we need update wpscan explicitly tog get new vulnerabilities and futures. We will update with --update option.

$ wpscan --update
Update Wpscan Explicitly
Update Wpscan Explicitly

Enumerate WordPress User ID’s

As we know WordPress have users and these user have related ID’s. We can use wpscan for enumerate these ID’s. We will provide -e options with u[1-200] which simply enumerates user ID’s from 1 to 200.

$ wpscan -e u[1-200] -u
Enumerate WordPress User ID's
Enumerate WordPress User ID’s

As we can see that there are two users named admin and georgi with ID 1 and 2.

Hide Wpscan Banner

As we see in previous example wpscan  provides a huge banner each time it is used. This may become annoying. We can hide this banner with --no-banner option.

$ wpscan --no-banner -u

Provide Proxy For Wpscan

In enterprise environments we may need to use proxy. Another cause for using proxy is hiding our self from target and using intermediate proxies. We will provide proxy information with --proxy option. The syntax is like [protocol://]host:port and protocol part is optional.

$ wpscan --proxy sock: -u

Provide Username and Password For Http Basic Authentication

For the authentication mechanisms we can provides Http Basic authentication username and password like below. We will use --basic-auth option with username:password credentials.

$ wpscan --basic-auth ismail:123456 -u

Faster Scan With Multiple Threads

Scan time may change according to provided parameters and the size of the WordPress site. We can lower the scan time by using multi thread option. Multi thread will run multiple jobs concurrently to scan WordPress site. We will provide thread count with --threads or -t parameter.

$ wpscan -t 8 -u

Without Treads

Faster Scan With Multiple Threads
Faster Scan With Multiple Threads

With Threads

Faster Scan With Multiple Threads
Faster Scan With Multiple Threads

Output More With Verbose Option

Output provides information about the scan operation. We can get information about findings, errors and warning from output. This output can be made more verbose with --verbose or -v option.

 $ wpscan -v --no-banner -u

Brute Force For User Login

We can use wpscan to bruteforce against the WordPress site. We will prodide the username with --username and list of passwords with --wordlist . In the example we bruteforce for user  admin with wordlist named pass.txt .

$ wpscan -u --wordlist pass.txt --username admin

Provide Cookie For Authenticated Sessions

Cookies are used for creating autheticated user session. We can provide all ready authenticated session with its cookie by providing to the wpscan. We will use --cookie option.

$ wpscan -u --cookie 3q4f34seght4g4tgegdf

1 thought on “How To Scan WordPress Sites With Wpscan (Tutorial) For Security Vulnerabilities?”

  1. Hi, thanks for this site. But this commands not work my friend… i try but is not work. can u help me?
    i try with kali & ubuntu


Leave a Comment