WordPress Security with WPScan

Last Revised: October 2, 2021

WordPress is a secure system, but we must still expect attacks from hackers or anyone with malicious intent towards our site. To get ahead of them, we will analyse our site with WPScan.

WPScan is an open source tool that lets you analyse the security of any website running WordPress, your own or someone else's. That is precisely why it is important to protect your site against every warning this tool can raise: it is the same scanner that many intruders use for their reconnaissance.

There is also a WPScan plugin, but it only collects the vulnerabilities of your site that are easily detectable, not the other factors that a potential intruder can take advantage of.

This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.

In addition, you have the possibility to create your VPS with the WordPress image in one click.


Requirements

  • Linux (Kali or Ubuntu)

Installation

We will access the machine over SSH. If it is a VPS, we will first do a full update and set the clock as part of the initial setup.

First we set the system time.

timedatectl set-timezone 'UTC'
timedatectl set-ntp on

We check the distribution release and update the installed packages.

lsb_release -a
apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremove

Before installing WPScan, we install some packages it may need in order to work correctly.

apt -y install software-properties-common build-essential curl vim zip unzip apt-transport-https libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev git gem ruby zlib1g zlib1g-dev

We proceed with the installation:

gem install wpscan

If we run the following command, its output tells us that everything is correct.

wpscan --version

We get the following:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Current Version: 3.8.10
Last DB Update: 2020-12-11

Updating

If we have not updated the software or run it for a while, we should update both WPScan itself and its analysis and vulnerability database.

gem update wpscan
wpscan --update

With this we will have everything we need to do the analysis.

Analysis

All examples use example.com as the sample domain; replace it with the domain you want to scan. We recommend using the final URL, without redirects, for optimal results.

Simple analysis

This gives us a first analysis with WPScan's default configuration. It provides some information, although not a complete picture.

wpscan --url https://example.com/ --random-user-agent

The result will be similar to this:

[+] URL: https://example.com/ [93.189.95.12]
[+] Started: Fri Dec 11 17:04:05 2020
Interesting Finding(s):
[+] Headers
 | Interesting Entries:
 |  - server: Apache
 |  - content-security-policy: upgrade-insecure-requests;
 |  - referrer-policy: origin-when-cross-origin
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
[+] robots.txt found: https://example.com/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%
[+] This site seems to be a multisite
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | Reference: http://codex.wordpress.org/Glossary#Multisite
Fingerprinting the version - Time: 00:00:00 <==================================================================================================================================> (694 / 694) 100.00% Time: 00:00:00
[+] WordPress version 5.6 identified (Latest, released on 2020-12-08).
 | Found By: Unique Fingerprinting (Aggressive Detection)
 |  - https://example.com/wp-admin/js/customize-controls.js md5sum is 60fd86fb779d8562016277fa549883c5
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wp-super-cache
 | Location: https://example.com/wp-content/plugins/wp-super-cache/
 | Latest Version: 1.7.1
 | Last Updated: 2020-12-09T09:55:00.000Z
 |
 | Found By: Comment (Passive Detection)
 |
 | The version could not be determined.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:02 <======================================================================================================================================> (22 / 22) 100.00% Time: 00:00:02
[i] No Config Backups Found.
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Dec 11 17:04:24 2020
[+] Requests Done: 75
[+] Cached Requests: 5
[+] Data Sent: 21.574 KB
[+] Data Received: 2.803 MB
[+] Memory used: 232.898 MB
[+] Elapsed time: 00:00:19

Passive analysis

This analysis returns everything WPScan can detect without performing an active search, simply analysing what the site exposes on its own. It is not the best option, although it is one of the fastest.

wpscan --url https://example.com/ --random-user-agent --verbose --disable-tls-checks --clear-cache --wp-version-all --plugins-version-all --themes-version-all --detection-mode passive --interesting-findings-detection passive --wp-version-detection passive --main-theme-detection passive --plugins-detection passive --plugins-version-detection passive --themes-detection passive --themes-version-detection passive --timthumbs-detection passive --config-backups-detection passive --db-exports-detection passive --medias-detection passive --users-detection passive

Active analysis

This analysis returns everything WPScan detects by searching actively: it analyses what is visible, but also looks for content that is not seen at first glance.

In this case, only plugins and themes for which there is evidence of a vulnerability (vp, vt) are enumerated.

wpscan --url https://example.com/ --random-user-agent --verbose --disable-tls-checks --clear-cache --wp-version-all --plugins-version-all --themes-version-all --detection-mode mixed --interesting-findings-detection mixed --wp-version-detection mixed --main-theme-detection mixed --plugins-detection mixed --plugins-version-detection mixed --themes-detection mixed --themes-version-detection mixed --timthumbs-detection mixed --config-backups-detection mixed --db-exports-detection mixed --medias-detection mixed --users-detection mixed --enumerate vp,vt,tt,cb,dbe,u1-25,m1-100

Aggressive analysis

This is the most aggressive analysis WPScan can run. It looks for every possible option at plugin level (all plugins in the official repository are checked) as well as at theme level (all themes in the official repository are checked).

wpscan --url https://example.com/ --random-user-agent --verbose --disable-tls-checks --clear-cache --wp-version-all --plugins-version-all --themes-version-all --detection-mode mixed --interesting-findings-detection mixed --wp-version-detection mixed --main-theme-detection mixed --plugins-detection mixed --plugins-version-detection mixed --themes-detection mixed --themes-version-detection mixed --timthumbs-detection mixed --config-backups-detection mixed --db-exports-detection mixed --medias-detection mixed --users-detection mixed --enumerate ap,at,tt,cb,dbe,u1-100,m1-1000

More options

WPScan has some extra options that are very useful when we cannot keep the session open on screen, or when we want the results in a downloadable file.

Download the information in text format:

wpscan --url https://example.com/ --output '/tmp/example.txt'

Download the information in JSON format:

wpscan --url https://example.com/ --format json --output '/tmp/example.json'

Results

Depending on the results we obtain, we may or may not need to act. The fact that some elements are detected does not mean they are insecure; for example, the WordPress version, which is quite easy to discover anyway.

What we must do is minimise the detection of elements such as the list of plugins, themes and other files that should not be accessible.
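As an added example (not part of the tutorial or of WPScan itself), the script below builds the command line for the passive, active and aggressive profiles described above, using only the flags shown in this tutorial, and then triages a JSON report saved with --format json --output into "fix", "warn" and "info" items, so that a scheduled scan of your own site yields an actionable list instead of a long text dump. The report layout it reads (top-level "version", "plugins", "themes", "main_theme", "config_backups", "db_exports", "users" and "vuln_api" keys, and "vulnerabilities", "outdated", "version" and "latest_version" inside each component) is an assumption based on WPScan 3.x output; compare it with a report from your own installed version before relying on it. The embedded sample report is constructed for the example and mirrors the text output shown earlier (WordPress 5.6, wp-super-cache with an undetermined version, no API token), plus a placeholder plugin with a placeholder vulnerability to exercise the "fix" path.

```python
"""Build WPScan command lines and triage a WPScan JSON report.

Added example for this tutorial; not WPScan's own code. The JSON keys
read by triage() are an ASSUMPTION about WPScan 3.x report layout.
"""
import json
import subprocess
from typing import Dict, List, Tuple

# Profiles taken from the tutorial's passive / active / aggressive commands:
# (detection mode, --enumerate argument or None).
PROFILES: Dict[str, Tuple[str, str]] = {
    "passive": ("passive", None),
    "active": ("mixed", "vp,vt,tt,cb,dbe,u1-25,m1-100"),
    "aggressive": ("mixed", "ap,at,tt,cb,dbe,u1-100,m1-1000"),
}


def build_command(url: str, profile: str, output: str) -> List[str]:
    """Return argv for a WPScan run that writes a JSON report to `output`."""
    mode, enumerate_opts = PROFILES[profile]
    cmd = ["wpscan", "--url", url, "--random-user-agent",
           "--detection-mode", mode, "--format", "json", "--output", output]
    if enumerate_opts:
        cmd += ["--enumerate", enumerate_opts]
    return cmd


def run_scan(url: str, profile: str, output: str) -> dict:
    """Run WPScan (must be installed) and load the JSON report it wrote."""
    subprocess.run(build_command(url, profile, output), check=False)
    with open(output, encoding="utf-8") as fh:
        return json.load(fh)


def triage(report: dict) -> List[Tuple[str, str]]:
    """Return (level, message) pairs sorted as fix > warn > info."""
    findings: List[Tuple[str, str]] = []

    # WordPress core: known vulnerabilities first, then an outdated release.
    core = report.get("version") or {}
    for v in core.get("vulnerabilities", []):
        findings.append(("fix", f"WordPress {core.get('number')}: {v['title']}"))
    if core.get("status") in ("outdated", "insecure"):
        findings.append(("warn", f"WordPress {core.get('number')} is {core['status']}"))

    # Plugins and themes share one layout, so check them together.
    components = dict(report.get("plugins") or {})
    components.update(report.get("themes") or {})
    if report.get("main_theme"):
        theme = report["main_theme"]
        components.setdefault(theme.get("slug", "main-theme"), theme)
    for slug, comp in components.items():
        for v in comp.get("vulnerabilities", []):
            fixed = v.get("fixed_in") or "n/a"
            findings.append(("fix", f"{slug}: {v['title']} (fixed in {fixed})"))
        if comp.get("outdated"):
            findings.append(("warn", f"{slug}: outdated, latest is {comp.get('latest_version')}"))
        if comp.get("version") is None:
            findings.append(("info", f"{slug}: version could not be determined"))

    # Files and names that should never be reachable over HTTP.
    for key, label in (("config_backups", "config backup"), ("db_exports", "database export")):
        for url in report.get(key) or {}:
            findings.append(("warn", f"{label} exposed: {url}"))
    for user in report.get("users") or {}:
        findings.append(("warn", f"username enumerable: {user}"))

    # Without an API token the report carries no vulnerability data at all.
    if "error" in (report.get("vuln_api") or {}):
        findings.append(("info", "no API token given: vulnerability data absent, rerun with --api-token"))

    order = {"fix": 0, "warn": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


# Constructed sample report (not real scan data); "example-plugin" and its
# vulnerability title are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "target_url": "https://example.com/",
  "version": {"number": "5.6", "status": "latest", "vulnerabilities": []},
  "main_theme": null,
  "plugins": {
    "wp-super-cache": {"slug": "wp-super-cache", "latest_version": "1.7.1",
                       "outdated": false, "version": null, "vulnerabilities": []},
    "example-plugin": {"slug": "example-plugin", "latest_version": "2.0.0",
                       "outdated": true, "version": {"number": "1.4.0"},
                       "vulnerabilities": [{"title": "placeholder vulnerability (constructed)",
                                            "fixed_in": "1.5.0"}]}
  },
  "config_backups": {"https://example.com/wp-config.php.bak": {"found_by": "Direct Access (Aggressive Detection)"}},
  "db_exports": {},
  "users": {"admin": {"found_by": "Author Id Brute Forcing (Aggressive Detection)"}},
  "vuln_api": {"error": "No WPScan API Token given"}
}
""")

if __name__ == "__main__":
    print(" ".join(build_command("https://example.com/", "active", "/tmp/example.json")))
    for level, message in triage(SAMPLE_REPORT):
        print(f"[{level}] {message}")
```

Run it against a real report by replacing SAMPLE_REPORT with run_scan("https://example.com/", "active", "/tmp/example.json"); anything at the "fix" level (a known vulnerability in core, a plugin or a theme) is what to patch first, "warn" items are files and names that should not be reachable, and "info" items only tell you the scan itself was incomplete.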

In any case, I recommend a visit to the Security section so that you apply all possible measures.


About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and put the material you create under the EUPL license.