Linux Security WordPress

How to use WPScan to easily find your wordpress site vulnerabilities

More than 35% of the internet runs on WordPress. WordPress contributes to more than 60% to global CMS market with more than 10 million websites built already. Making a website and deploying it with WordPress is so easy and cost-less, that’s why WordPress is widely used. With the rise of wordpress market, its security is also a big concern. More than 8% of internet vulnerabilities are found in WordPress websites, making it a vulnerable target to hackers. There are numerous WordPress vulnerability scanners in the market like WordPress Security Scan, SUCURI, Detectify but WPScan is the scanner to scan your WordPress websites for vulnerable themes, plugins and security misconfigurations.

WPScan is an all in one tool for scanning vulnerabilities in websites built using WordPress framework. It can be used to enumerate WordPress plugins and themes, brute-force logins and identify security misconfigurations. Currently. it is available only for Linux (Debian, Fedora, Arch, CentOS) and MacOSX, not for Windows. You can use Windows Subsystem for Linux (WSL) to install WPScan in Windows. In this tutorial, we’ll look at how to install and use WPScan to find security loopholes in your website.

Installation

WPScan comes pre-installed in Kali Linux. For other distros, installing WPScan is very easy, according to official documentation. Type

// To install prerequisites
ubuntu@ubuntu:~$ sudo apt install patch build-essential zlib1g-dev liblzma-dev ruby-dev
ubuntu@ubuntu:~$ gem install nokogiri
Then
ubuntu@ubuntu:~$ gem install wpscan
OR
ubuntu@ubuntu:~$ git clone https://github.com/wpscanteam/wpscan
ubuntu@ubuntu:~$ cd wpscan/
ubuntu@ubuntu:~$ bundle install && rake install

To update installed WPScan to the latest, type

ubuntu@ubuntu:~$ wpscan --update

OR

azad@kali:~$ gem update wpscan

OR in Kali Linux

azad@kali:~$ sudo apt update && sudo apt upgrade

Usage

Now we’ll learn how to perform quick scan of your wordpress website, themes and plugins. WordPress will scan your website with multiple scan options and will show you the vulnerabilities and their details on the terminal. WPScan will also tell you a lot about your wordpress installation details and versions of themes and plugins installed. It can also enumerate usernames registered and brute force them to find passwords.

To perform a scan of your website, type

azad@kali:~$ wpscan --url http://www.redacted.com --rua

[+][32m0m] URL: http://www.redacted.com/
[+][32m0m] Started: Fri Oct 18 20:58:54 2019
 
Interesting Finding(s):
 
[+][32m0m] http://www.redacted.com/
| Interesting Entry: Server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%
 
[+][32m0m] http://www.redacted.com/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
|  - Link Tag (Passive Detection), 30% confidence
|  - Direct Access (Aggressive Detection), 100% confidence
| References:
|  - http://codex.wordpress.org/XML-RPC_Pingback_API
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
 
[+][32m0m] http://www.redacted.com/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
 
[+][32m0m]Upload directory has listing enabled: http://www.redacted.com/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
 
[+][32m0m] http://www.redacted.com/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|  - https://www.iplocation.net/defend-wordpress-from-ddos
|  - https://github.com/wpscanteam/wpscan/issues/1299
 
[+][32m0m] WordPress version 2.7.1 identified (Insecure, released on 2009-02-10).
| Detected By: Unique Fingerprinting (Aggressive Detection)
|- http://www.redacted.com/wp-admin/js/common.js md5sum is 4f0f9bdbe437f850430fae694ca046ba
 
[+][32m0m] WordPress theme in use: sliding-door
| Location: http://www.redacted.com/wp-content/themes/sliding-door/
| Last Updated: 2016-01-02T00:00:00.000Z
| Readme: http://www.redacted.com/wp-content/themes/sliding-door/README.txt
| [!][33m0m] The version is out of date, the latest version is 3.2.4
| Style URL: http://www.redacted.com/wp-content/themes/sliding-door/style.css
| Style Name: Sliding Door
| Style URI: http://mac-host.com/slidingdoor/
| Description: A template featuring sliding images in the menu, based on Samuel
Birch's phatfusion image menu....

| Author: Wayne Connor
| Author URI: http://www.macintoshhowto.com/
|
| Detected By: Css Style (Passive Detection)
| Confirmed By: Urls In Homepage (Passive Detection)
|
| Version: 1.5 (80% confidence)
| Detected By: Style (Passive Detection)
|- http://www.redacted.com/wp-content/themes/sliding-door/style.css, Match: 'Version: 1.5'
 
 
[i][34m0m] Plugin(s) Identified:
 
[+][32m0m] all-in-one-seo-pack
| Location: http://www.redacted.com/wp-content/plugins/all-in-one-seo-pack/
| Latest Version: 3.2.10
| Last Updated: 2019-10-17T15:07:00.000Z
|
| Detected By: Comment (Passive Detection)
|
| The version could not be determined.
 
[+][32m0m] google-analyticator
| Location: http://www.redacted.com/wp-content/plugins/google-analyticator/
| Last Updated: 2019-03-04T22:57:00.000Z
| [!][33m0m] The version is out of date, the latest version is 6.5.4
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 4.1.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
|  - http://www.redacted.com/wp-content/plugins/google-analyticator/readme.txt
 
[+][32m0m] nextgen-gallery
| Location: http://www.redacted.com/wp-content/plugins/nextgen-gallery/
| Latest Version: 3.2.18
| Last Updated: 2019-09-18T16:02:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
 
[+][32m0m] qtranslate
| Location: http://www.redacted.com/wp-content/plugins/qtranslate/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 2.3.4 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
|  - http://www.redacted.com/wp-content/plugins/qtranslate/readme.txt
 
[+][32m0m] wp-spamfree
| Location: http://www.redacted.com/wp-content/plugins/wp-spamfree/
| Last Updated: 2016-09-23T05:22:00.000Z
| [!][33m0m] The version is out of date, the latest version is 2.1.1.6
|
| Detected By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 2.1 (60% confidence)
| Detected By: Comment (Passive Detection)
|  - http://www.redacted.com/, Match: 'WP-SpamFree v2.1'
 
 
[i][34m0m] No Config Backups Found.
 
[!][33m0m] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!][33m0m] You can get a free API token with 50 daily requests by registering at
 https://wpvulndb.com/users/sign_up.
 
[+][32m0m] Finished: Fri Oct 18 21:02:01 2019
[+][32m0m] Requests Done: 89
[+][32m0m] Cached Requests: 8
[+][32m0m] Data Sent: 45.16 KB
[+][32m0m] Data Received: 288.769 KB
[+][32m0m] Memory used: 133.965 MB
[+][32m0m] Elapsed time: 00:03:07

To check for vulnerable plugins

To check for vulnerable plugins, you can add an options ‘–enumerate vp’ to your command. WPScan will show all the plugins used by your WordPress website, highlighting the vulnerable ones along with other details. Type the following

// --rua or --random-user-agent is used to randomly select the user agent
//to list all plugins, use ‘ap’ instead of ‘vp’
azad@kali:~$ wpscan --url http://www.redacted.com --rua --enumerate vp -o
 output-plugins.txt

To check for vulnerable Themes

To check for vulnerable plugins, add the option ‘–enumerate vt’ in your terminal command. WPScan will show you the vulnerabilities in your theme. Type the following

//To list all themes, use options ‘at’ instead of ‘vt’
azad@kali:~$ wpscan --url http://www.redacted.com --rua --enumerate vt

To enumerate users in WordPress site

When registered usernames in websites are found, it becomes easier for hackers to brute force their password and compromise the access. After compromising an admin or privileged account, it becomes more easy to gain access to the whole WordPress website. That’s why you should always disable username enumeration in your WordPress configuration.

WPScan can also enumerate registered users in your WordPress installation. Type the following to enumerate users using WPScan

// Using custom dictionary
azad@kali:~$ wpscan --url http://www.redacted.com --rua --enumerate
U /path/to/user-dictionary.txt
// Using default dictionary
azad@kali:~$ wpscan --url http://www.redacted.com --rua --enumerate u
...snip...
[i][34m0m] User(s) Identified:
[+][32m0m] Shani
| Detected By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+][32m0m] InterSkill
| Detected By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
...snip...

Brute forcing passwords using WPScan

After getting usernames from the above step, you can guess passwords for these users by brute forcing. Using this method, you can see which user of your website is using poor strength password.

WPScan will need a list of users and a password dictionary of commonly used passwords. Then it will try every combination of usernames and passwords for successful logins. You can download password dictionaries from github repositories but in this tutorial, we’re going to use “rockyou.txt” dictionary which is located by default in Kali Linux in “/usr/share/wordlists” directory.

To download dictionaries in your distro, type

ubuntu@ubuntu:~$ sudo apt install wordlists
ubuntu@ubuntu:~$ ls /usr/share/wordlists/
rockyou.txt.gz
ubuntu@ubuntu:~$ gzip -d rockyou.txt.gz
ubuntu@ubuntu:~$ ls -la /usr/share/wordlists/rockyou.txt
 -rw-r--r-- 1 root root 139921507 Jul 17 02:59 rockyou.txt

To run a brute force scan on website, type

azad@kali:~$ wpscan --url http://www.redacted.com --rua -P /usr/share/wordlists/rockyou.txt
 -U ‘Shani’,’InterSkill’

Conclusion

WPScan is a fantastic tool to add to your security toolbox. Its free, powerful and easy to use utility to discover security vulnerabilities and misconfigurations. Anyone having zero technical knowledge of security can easily install and use it for enhanced security of their website.

About the author

Usama Azad

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14