Scan Your WordPress For Security Vulnerabilities With WPScan

Tired of the privacy invasion of the Chrome webbrowser? Worried about the risk of seeing ads everywhere? Give the Brave Browser a try. It supports all the same Chrome extensions, with none of the telemetry. It auto-blocks ads and helps support content creators like me.

Give the Brave browser a try »

Profile image of Mattias Geniar

Mattias Geniar, May 10, 2015

Follow me on Twitter as @mattiasgeniar

If you’re comfortable at the CLI, WPScan is super easy to get going.

The project is open source on Github and uses the WPScan Vulnerability Database, an open dataset of known WordPress vulnerabilities.

Installation on a Mac is a piece of cake. Other methods and operating systems are documented on Github.

$ git clone https://github.com/wpscanteam/wpscan.git
$ cd wpscan
$ bundle install --without test

The first time you run wpscan.rb, you’ll be prompted to update the vulnerability database.

$ ./wpscan.rb

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]Y

[i] Updating the Database ...
[i] Update completed.

To scan your own site, simply pass the --url parameter.

$ ./wpscan.rb --url https://ma.ttias.be
...
[+] robots.txt available under: '/robots.txt'
[!] The WordPress '/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] XML-RPC Interface available under: /xmlrpc.php
...
[+] WordPress version 4.x.x identified from meta generator
...
[+] Enumerating plugins from passive detection ...
 | 9 plugins found:
...

[+] Finished: Sun May 10 16:19:35 2015
[+] Requests Done: 126
[+] Memory used: 20.738 MB
[+] Elapsed time: 00:00:12

It enumerates all known themes and plugins, detects the WordPress version and gives you a nice summary. In my case, I still had to remove a readme.html file that exposes the version number.

If it happens to find a known vulnerability, you’ll be notified in the output. Like the example below:

...
[!] Title: Jetpack <= 3.5.2 - DOM Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7964
    Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html

This was from an old WordPress I had lying around that hadn’t been updated in a while.

Very useful tool, I would recommend it to everyone to at least scan your own site once!



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.