If you’re comfortable at the CLI, WPScan is super easy to get going. The project is open source on Github and uses the WPScan Vulnerability Database, a dataset of known WordPress vulnerabilities. Heads-up: that database now lives behind a free API token. You can scan without one, but to be told about plugin and theme vulnerabilities you’ll need to register on wpscan.com and pass your token with --api-token (the free tier gives you 25 requests a day).
WPScan ships as a Ruby gem, so installation is a piece of cake. Other methods (Docker, Homebrew) are documented on Github.
$ gem install wpscan
The first time you run it, you’ll be prompted to update the vulnerability database.
$ wpscan
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
To scan your own site, simply pass the --url parameter.
$ wpscan --url https://ma.ttias.be
...
[+] robots.txt available under: '/robots.txt'
[!] The WordPress '/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] XML-RPC Interface available under: /xmlrpc.php
...
[+] WordPress version 4.x.x identified from meta generator
...
[+] Enumerating plugins from passive detection ...
| 9 plugins found:
...
[+] Finished: Sun May 10 16:19:35 2015
[+] Requests Done: 126
[+] Memory used: 20.738 MB
[+] Elapsed time: 00:00:12
It enumerates the themes and plugins it can detect, identifies the WordPress version and gives you a nice summary. In my case, I still had to remove a readme.html file that exposes the version number.
If it happens to find a known vulnerability, you’ll be notified in the output, like in the example below:
...
[!] Title: Jetpack <= 3.5.2 - DOM Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7964
Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
This was from an old WordPress install I had lying around that hadn’t been updated in a while.
A very useful tool; I’d recommend everyone scan their own site at least once!
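Scanning once by hand is nice, but the real value is running the scan on a schedule against your own site and being told when something needs fixing. The Python script below is an added example (not from the post and not part of WPScan itself) that covers both the scan step above and the vulnerability notice: it builds the wpscan command line (the flags --url, --format json, --output, --api-token and --enumerate vp,vt are taken from the tool's --help as I know it), parses the JSON report, and exits non-zero when a vulnerable core/plugin/theme or a version-leaking file such as /readme.html shows up. The report layout assumed here ("version", "plugins", "themes", "vulnerabilities", "interesting_findings" with a "type" field) follows WPScan's JSON output as I understand it, and SAMPLE_REPORT is constructed data modelled on the scan shown above, not real output.

```python
"""Run WPScan against your own site, parse its JSON report and fail a CI job
when something needs attention. Added example, not the post's own code.

Assumptions (also noted in the lead-in): the wpscan flags used below come
from the tool's --help as I know it; the JSON field names follow WPScan's
--format json output as I understand it; SAMPLE_REPORT is constructed."""
import json
import os
import subprocess
from typing import Dict, List, Optional


def build_wpscan_command(url: str, output_path: str,
                         api_token: Optional[str] = None) -> List[str]:
    """Build the scan command. The API token is what unlocks plugin and theme
    vulnerability data from the WPScan database; without it you only get
    enumeration and version detection."""
    cmd = ["wpscan", "--url", url, "--format", "json", "--output", output_path,
           "--enumerate", "vp,vt"]  # vp/vt = vulnerable plugins / themes
    if api_token:
        cmd += ["--api-token", api_token]
    return cmd


def collect_vulnerabilities(report: Dict) -> List[Dict[str, str]]:
    """Flatten core, plugin and theme vulnerabilities into one list of
    {component, title, reference} records."""
    findings: List[Dict[str, str]] = []

    def add(component: str, version: Optional[Dict], vulns: List[Dict]) -> None:
        number = (version or {}).get("number", "unknown")
        for vuln in vulns:
            urls = vuln.get("references", {}).get("url", [])
            findings.append({"component": f"{component} {number}",
                             "title": vuln.get("title", "untitled"),
                             "reference": urls[0] if urls else ""})

    core = report.get("version") or {}
    add("wordpress", core, core.get("vulnerabilities", []))
    for kind in ("plugins", "themes"):
        for slug, item in (report.get(kind) or {}).items():
            add(f"{kind[:-1]} {slug}", item.get("version"),
                item.get("vulnerabilities", []))
    return findings


def exposed_files(report: Dict) -> List[str]:
    """Files that leak the version or other internals (e.g. /readme.html),
    taken from interesting_findings. The "type" values are an assumption."""
    leaky_types = ("readme", "debug_log", "backup_db")
    return [f.get("url", "") for f in report.get("interesting_findings", [])
            if f.get("type") in leaky_types]


def needs_attention(report: Dict) -> bool:
    """True when the site has a known vulnerability or a leaking file."""
    return bool(collect_vulnerabilities(report) or exposed_files(report))


# Constructed sample report, modelled on the scan output shown in the post.
SAMPLE_REPORT: Dict = {
    "version": {"number": "4.2.2", "status": "insecure", "vulnerabilities": []},
    "interesting_findings": [
        {"url": "https://example.org/robots.txt", "type": "robots_txt"},
        {"url": "https://example.org/readme.html", "type": "readme"},
        {"url": "https://example.org/xmlrpc.php", "type": "xmlrpc"},
    ],
    "plugins": {
        "jetpack": {
            "version": {"number": "3.5.1"},  # constructed version number
            "vulnerabilities": [{
                "title": "Jetpack <= 3.5.2 - DOM Cross-Site Scripting (XSS)",
                "references": {"url": ["https://wpvulndb.com/vulnerabilities/7964"]},
            }],
        },
        "akismet": {"version": {"number": "3.1.1"}, "vulnerabilities": []},
    },
    "themes": {},
}


def main() -> int:
    path = "wpscan-report.json"
    if os.environ.get("WPSCAN_URL"):  # only call the real tool when asked to
        subprocess.run(build_wpscan_command(os.environ["WPSCAN_URL"], path,
                                            os.environ.get("WPSCAN_API_TOKEN")),
                       check=False)
        with open(path) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for f in collect_vulnerabilities(report):
        print(f"[!] {f['component']}: {f['title']} ({f['reference']})")
    for url in exposed_files(report):
        print(f"[!] version-leaking file: {url}")
    return 1 if needs_attention(report) else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Set WPSCAN_URL (and WPSCAN_API_TOKEN from your wpscan.com account) in the environment to scan a site you own; without them the script just evaluates the constructed sample. Keeping the token in an environment variable rather than on the command line keeps it out of shell history and process listings, and the non-zero exit code is what lets a cron job or CI pipeline page you instead of silently logging the result.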