How To Scan WordPress Sites With Wpscan (Tutorial) For Security Vulnerabilities?


WordPress is a very popular Content Management System (CMS). It is used by a diverse range of users for different purposes and in different areas, which makes the WordPress project very dynamic and rich. The security of WordPress matters because of its large user base, and the many third-party plugins can open security holes in WordPress sites. In this tutorial we will look at a very good tool for scanning WordPress sites in order to list existing vulnerabilities.

Install Wpscan

We are using Kali as the operating system, so we install the wpscan tool with the apt install command.



Wpscan Help

We can list all options provided by wpscan with the -h option.


Run Wpscan Without Option

We will run wpscan without providing any option. On the first scan wpscan will try to update its vulnerability database.

We can see that wpscan provides information about the site it is scanning. It reports the following items:

  • URL of the web site
  • robots.txt file and its location with interesting entries
  • Version information about the WordPress site
  • Server name and version information
  • XML-RPC information and related URLs
  • Plugin list with more information such as version and URL location

Update Wpscan Explicitly

After installation wpscan is updated automatically. Later on, however, we need to update wpscan explicitly to get new vulnerability data and features. We update with the --update option.


Enumerate WordPress User IDs

WordPress has users, and each user has a related numeric ID. We can use wpscan to enumerate these IDs. We provide the -e option with u[1-200], which simply enumerates user IDs from 1 to 200.


As we can see, there are two users, named admin and georgi, with IDs 1 and 2.

Hide Wpscan Banner

As we saw in the previous example, wpscan prints a huge banner each time it is used. This may become annoying. We can hide this banner with the --no-banner option.

Provide Proxy For Wpscan

In enterprise environments we may need to use a proxy. Another reason for using a proxy is hiding ourselves from the target by going through intermediate proxies. We provide the proxy information with the --proxy option. The syntax is [protocol://]host:port, and the protocol part is optional.

Provide Username and Password For HTTP Basic Authentication

For sites protected by HTTP Basic authentication we can provide a username and password as shown below. We use the --basic-auth option with username:password credentials.

Faster Scan With Multiple Threads

Scan time varies according to the provided parameters and the size of the WordPress site. We can lower the scan time by using the multi-thread option. Multiple threads run several jobs concurrently while scanning the WordPress site. We provide the thread count with the --threads or -t parameter.

Without Threads

With Threads

Output More With Verbose Option

The output provides information about the scan operation. We can get information about findings, errors and warnings from the output. This output can be made more verbose with the --verbose or -v option.


Brute Force For User Login

We can use wpscan to brute force logins against the WordPress site. We provide the username with --username and the list of passwords with --wordlist. In the example we brute force the user admin with a wordlist named pass.txt.
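The user-ID enumeration and login brute-force scans above leave a recognisable trail in the web server's access log: a burst of `?author=N` probes, many `POST /wp-login.php` requests from one client, and by default a `WPScan` User-Agent. The following script is an added example (not part of the original tutorial or the wpscan project) that flags such clients in Apache combined-format log lines; the thresholds and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" access-log line: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

# Detection thresholds are assumptions for this example; tune them for your site.
AUTHOR_ID_LIMIT = 5    # distinct ?author=N values seen from one IP
LOGIN_POST_LIMIT = 10  # POST /wp-login.php attempts seen from one IP

def scan_log(lines):
    """Return {ip: [reasons]} for clients whose requests look like a wpscan run."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(int)
    scanner_ua = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        ip, method, path, ua = m['ip'], m['method'], m['path'], m['ua']
        hit = AUTHOR_RE.search(path)
        if hit:
            author_ids[ip].add(int(hit.group(1)))
        if method == 'POST' and path.startswith('/wp-login.php'):
            login_posts[ip] += 1
        if 'wpscan' in ua.lower():
            scanner_ua.add(ip)
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_ID_LIMIT:
            findings[ip].append(f'author enumeration ({len(ids)} ids)')
    for ip, n in login_posts.items():
        if n >= LOGIN_POST_LIMIT:
            findings[ip].append(f'login brute force ({n} POSTs)')
    for ip in scanner_ua:
        findings[ip].append('wpscan user-agent')
    return dict(findings)

# Constructed sample: six ?author= probes from one client plus one ordinary visitor.
SAMPLE = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /?author={i} HTTP/1.1" 301 0 "-" '
    f'"WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"'
    for i in range(1, 7)
] + ['198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']

if __name__ == '__main__':
    for ip, reasons in scan_log(SAMPLE).items():
        print(ip, '->', ', '.join(reasons))
```

A scanner run with a changed User-Agent still trips the request-pattern rules, which is why the script does not rely on the User-Agent alone.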

Provide Cookie For Authenticated Sessions

Cookies are used to maintain an authenticated user session. We can reuse an already authenticated session by passing its cookie to wpscan with the --cookie option.
