Scan Your WordPress For Security Vulnerabilities With WPScan

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, May 10, 2015

Follow me on Twitter as @mattiasgeniar

If you’re comfortable at the CLI, WPScan is super easy to get going.

The project is open source on Github and uses the WPScan Vulnerability Database, an open dataset of known WordPress vulnerabilities.

Installation on a Mac is a piece of cake. Other methods and operating systems are documented on Github.

$ git clone https://github.com/wpscanteam/wpscan.git
$ cd wpscan
$ bundle install --without test

The first time you run wpscan.rb, you’ll be prompted to update the vulnerability database.

$ ./wpscan.rb

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]Y

[i] Updating the Database ...
[i] Update completed.

To scan your own site, simply pass the --url parameter.

$ ./wpscan.rb --url https://ma.ttias.be
...
[+] robots.txt available under: '/robots.txt'
[!] The WordPress '/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] XML-RPC Interface available under: /xmlrpc.php
...
[+] WordPress version 4.x.x identified from meta generator
...
[+] Enumerating plugins from passive detection ...
 | 9 plugins found:
...

[+] Finished: Sun May 10 16:19:35 2015
[+] Requests Done: 126
[+] Memory used: 20.738 MB
[+] Elapsed time: 00:00:12

It enumerates all known themes and plugins, detects the WordPress version and gives you a nice summary. In my case, I still had to remove a readme.html file that exposes the version number.

If it happens to find a known vulnerability, you’ll be notified in the output. Like the example below:

...
[!] Title: Jetpack <= 3.5.2 - DOM Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7964
    Reference: https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html

This was from an old WordPress I had lying around that hadn’t been updated in a while.

Very useful tool, I would recommend it to everyone to at least scan your own site once!



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.