How to Use WPScan to Find Security Vulnerabilities on WordPress Sites

WordPress is the world's most popular content management system, powering over 35% of all websites on the Internet. This widespread adoption also makes WordPress a prime target for hackers, with sites facing over 90,000 attacks daily.

This guide will teach you how to utilize WPScan to proactively detect security issues in your WordPress site before they can be exploited in an attack. I'll cover:

  • What WPScan is and how it works
  • Ways to install and run WPScan scans
  • Customizing scans through different configuration options
  • Interpreting scan results and remediating discovered vulnerabilities
  • Overall best practices for securing WordPress sites

Let's dig in! This comprehensive guide will make you a WPScan power user in no time.

The Scale of WordPress Security Threats

With the pivotal role WordPress plays across over 41% of the web, the incentive for attackers is massive. Sites of all sizes face threats including:

  • Account Takeovers: Over 25 million brute force login attempts happen daily exploiting weak passwords.
  • Defacements: Highly-visible "website hacked" messages spread malware or political messages.
  • SEO Spam: Redirects insert backlinks improving search rankings for pharmaceuticals, gambling sites, etc.
  • Phishing: Fake login pages steal user credentials or credit card details.
  • Malware Infections: Drive-by-downloads through rigged themes and plugins install viruses, spyware, cryptojackers, and more.

The most commonly exploited weakness? Outdated software with known security issues.

WordPress core, plugins, and themes release thousands of security patches per year. Using outdated versions leaves you open to attack.

This is where WPScan comes in…

What is WPScan?

WPScan is a free, open source WordPress security scanner written in Ruby. Developed by ethical hackers, WPScan checks your WordPress site for:

✅ Known vulnerabilities
✅ Misconfigured settings
✅ Outdated software
✅ Suspicious files
✅ Weak user credentials
✅ Sensitive data exposures

By proactively finding security issues with WPScan, you can remediate them before hackers exploit any gaps.

Key WPScan Features

WPScan scans check WordPress sites for:

Outdated Software: Detect WordPress core, plugins, and themes requiring security updates for known vulnerabilities.

Misconfigurations: Find publicly accessible config backups, database exports, debug logs, etc. that leak sensitive data.

Suspicious Files: Identify the presence of common backdoor shells and suspicious PHP scripts.

User Enumeration: Attempt logins with common and custom username lists to uncover valid user accounts.

Password Attacks: Launch password guessing attacks via WordPress logins, XML-RPC, and more.

Stealth Scanning: Sneak past security solutions using randomized user-agents, passive detection, and other evasion techniques.

And much more! WPScan is extremely versatile.

Now let's explore ways to install and run it…

Installing and Running WPScan

WPScan works on Linux, Docker, cloud servers, Kali pen testing distributions, and more. Here are the most popular options:

1. Linux Installation

For frequent site scans, I recommend installing WPScan directly on a Linux server. This guide uses CentOS 7 specifically.

Here are the steps:

  1. Log in as root

  2. Update repositories

    yum update -y
  3. Install Ruby and dependencies

    yum -y install curl gcc ruby ruby-devel rubygems
  4. Install bundler

    gem install bundler
  5. Install WPScan

    bundle config build.nokogiri --use-system-libraries
    gem install wpscan

Once the installation completes, confirm WPScan is working:

wpscan --version

Now run your first scan:

wpscan --url yoursite.com

Easy as that! Going forward, you can schedule cron jobs for automated scanning too.

2. Docker Container

For quick tests, leverage the official WPScan Docker image without installing anything locally:

docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --url yoursite.com

However, the Docker container lacks persistent storage for scan history.

3. Kali Linux Pen Testing Distro

Kali Linux comes pre-installed with over 600 penetration testing and hacking tools including WPScan – ready for immediate use after booting up!

wpscan --url yoursite.com

But keep in mind Kali Linux prioritizes pen testing functions over performance and usability as a general OS.

4. Online Scanners

If unable to install locally, consider free online WPScan scanners like:

However, these cloud scanners provide less detailed scan information compared to running WPScan internally.

Customizing WPScan Scans

Now that WPScan is set up, let's discuss customizing scans for more effective results.

The most basic WPScan command is:

wpscan --url yoursite.com

This scans the homepage to fingerprint details like WordPress versions, plugins, themes, etc.

But you can enable additional checks with these options:

--url                    The WordPress URL to scan
--force                  Scan the URL even if it does not look like WordPress
--enumerate [OPTS]       Enumerate plugins/themes/timthumbs/users/etc.
--detection-mode         mixed (default), passive or aggressive; passive is stealthier
--verbose                Increase verbosity to print more info
--plugins-list           Only check the plugins named in a list
--exclude-content-based  Exclude HTTP responses matching a regexp from analysis
--output                 Write results to a file (pair with --format cli or json)
--user-agent             Send a custom browser user agent

Here's a stealthier scan checking only popular plugins:

wpscan --url yoursite.com --detection-mode passive --enumerate p

And some other examples:

# Aggressive scan enabling all enumerations
wpscan --url yoursite.com --enumerate ap,at,tt,cb,dbe,u,m

# Check a custom plugins list
wpscan --url yoursite.com --plugins-list /home/wpscan/plugins.txt

# Password brute force attack
wpscan --url yoursite.com -P /home/john/pass.txt -U admin

I suggest setting up automated recurring scans with cron, Jenkins, etc. to run checks daily rather than one-off tests.

For example:

# Daily WPScan at 5am
0 5 * * * wpscan --url yoursite.com

This allows detecting new threats and vulnerabilities that pop up over time.

Now let's move on to interpreting results…

Interpreting WPScan Results

Once a scan completes, the output identifies discovered:

  • Vulnerable software versions
  • Security misconfigurations
  • Accessible sensitive files
  • Valid user accounts
  • Guessed passwords
  • And more…

But what actions should you take to secure your WordPress site?

Remediating Vulnerable Software

If an outdated, vulnerable WordPress core version is found – upgrade ASAP. Sign up for WordPress security notifications for the latest vulnerability reports.

For outdated plugins and themes, determine the risk level of associated vulnerabilities:

  • Critical: Update or remove the plugin/theme immediately
  • High: Upgrade within a few days
  • Medium: Upgrade within 1-2 weeks
  • Low: Upgrade by next month

Check plugins for breaking changes before upgrading. Remove unused plugins entirely.
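As an added example (not code from the original article or from the WPScan project), the script below ties the scheduling and the interpretation halves together: it composes a cron-friendly WPScan command that writes a JSON report, then triages that report into the remediation windows listed above. It assumes WPScan's `--format json` layout (top-level `version`, `plugins`, `themes` and `users` objects, each component carrying `outdated`, `latest_version` and a `vulnerabilities` list whose entries have `title` and `fixed_in`); `--format`, `--output`, `--no-banner` and `--api-token` are real WPScan options that the article's table does not list. The sample report and the severity table are constructed for illustration, since WPScan's JSON references CVEs but assigns no severity of its own.

```python
import json
import subprocess
from datetime import date, timedelta

# Remediation windows from the article, in days (Critical = same day).
WINDOW_DAYS = {"critical": 0, "high": 3, "medium": 14, "low": 30}


def build_wpscan_cmd(url, out_file, detection_mode="passive",
                     enumerate="vp,vt,u", api_token=None):
    """Argument list for a non-interactive (cron) run. --format json plus
    --output make the report parseable; --api-token is what lets WPScan
    attach known-vulnerability data to the versions it fingerprints."""
    cmd = ["wpscan", "--url", url, "--detection-mode", detection_mode,
           "--enumerate", enumerate, "--format", "json",
           "--output", out_file, "--no-banner"]
    if api_token:
        cmd += ["--api-token", api_token]
    return cmd


def run_scan(url, out_file, **kw):
    """Run wpscan (must be installed) and return the parsed JSON report."""
    subprocess.run(build_wpscan_cmd(url, out_file, **kw), check=False)
    with open(out_file) as fh:
        return json.load(fh)


def _components(report):
    """Yield (kind, slug, info) for core, then every plugin and theme."""
    if report.get("version"):
        yield "core", "wordpress", report["version"]
    for key, kind in (("plugins", "plugin"), ("themes", "theme")):
        for slug, info in (report.get(key) or {}).items():
            yield kind, slug, info


def triage(report, severity_by_title, scan_day):
    """Remediation actions ordered by due date. WPScan's JSON carries CVE
    references but no severity, so the reviewer supplies one per title;
    unknown titles default to high so nothing lands in the loosest window."""
    def due(sev):
        return (scan_day + timedelta(days=WINDOW_DAYS[sev])).isoformat()

    actions = []
    for kind, slug, info in _components(report):
        name = f"{kind}:{slug}"
        vulns = info.get("vulnerabilities") or []
        for v in vulns:
            sev = severity_by_title.get(v["title"], "high")
            fix = (f"update to {v['fixed_in']}" if v.get("fixed_in")
                   else "no fixed version: remove or replace")
            actions.append({"component": name, "severity": sev,
                            "title": v["title"], "action": fix, "due": due(sev)})
        # Outdated with no known issue still gets the article's Low window.
        if kind != "core" and info.get("outdated") and not vulns:
            actions.append({"component": name, "severity": "low",
                            "title": "outdated version",
                            "action": f"update to {info.get('latest_version')}",
                            "due": due("low")})
    users = sorted((report.get("users") or {}).keys())
    if users:  # enumerable accounts feed password guessing; treat as Medium
        actions.append({"component": "users", "severity": "medium",
                        "title": "enumerable usernames: " + ", ".join(users),
                        "action": "restrict wp-login.php and xmlrpc.php, rate-limit logins",
                        "due": due("medium")})
    return sorted(actions, key=lambda a: (a["due"], a["component"]))


# Constructed report in WPScan's JSON shape; not real scan output.
SAMPLE_REPORT = {
    "version": {"number": "5.2", "status": "insecure", "vulnerabilities": [
        {"title": "Sample core issue", "fixed_in": "5.2.1"}]},
    "plugins": {
        "old-gallery": {"outdated": True, "latest_version": "2.0",
                        "version": {"number": "1.4"}, "vulnerabilities": [
                            {"title": "Sample gallery issue", "fixed_in": "1.5"}]},
        "abandoned-widget": {"outdated": False, "latest_version": None,
                             "version": {"number": "0.9"}, "vulnerabilities": [
                                 {"title": "Sample widget issue", "fixed_in": None}]},
        "contact-form": {"outdated": True, "latest_version": "3.1",
                         "version": {"number": "3.0"}, "vulnerabilities": []},
    },
    "themes": {},
    "users": {"admin": {"id": 1, "confidence": 100}},
}
SEVERITY = {"Sample core issue": "high", "Sample gallery issue": "critical",
            "Sample widget issue": "medium"}
SCAN_DAY = date(2024, 1, 1)


def sample_actions():
    """Triage of the constructed report, for the demo and the checks."""
    return triage(SAMPLE_REPORT, SEVERITY, SCAN_DAY)


if __name__ == "__main__":
    for a in sample_actions():
        print(f"{a['due']}  {a['severity']:<8} {a['component']:<24} "
              f"{a['title']}: {a['action']}")
```

In a cron job you would call `run_scan("https://yoursite.com", "/var/log/wpscan/report.json", api_token=...)` and feed the result to `triage`; the sorted output is the work list, with anything that has no fixed version flagged for removal rather than an update.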

Securing Misconfigurations

Investigate misconfigurations exposing sensitive files like config backups, staging logs, etc. Then restrict access or remove them from public web spaces.

These files allow attackers to obtain credentials, database details, and more to gain an initial foothold for deeper compromise.

Hardening Credentials

Detected valid usernames enable attackers to launch more successful password guessing and password spraying attacks.

Mitigate this by disabling XML-RPC or restricting access to authentication systems like wp-login with firewall rules.

For any compromised passwords, force password resets across all accounts leveraging that credential. Then, implement stronger organizational password policies requiring passphrases over single words.
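The usernames WPScan enumerates matter mostly because of what follows them: password guessing against wp-login.php and xmlrpc.php, which shows up in your web server logs long before a password falls. As an added example (not from the original article), the detector below reads combined-format access-log lines and flags addresses that POST to either endpoint in a burst; a failed wp-login.php POST re-renders the form with a 200, a successful one redirects with a 302, so a 302 from a flagged address is worth a password reset check. The log lines are constructed, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Endpoints WordPress authenticates through (the article's wp-login and XML-RPC).
AUTH_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return the fields a login-abuse check needs, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag IPs that POST to an auth endpoint `threshold` or more times inside
    any sliding `window`. possible_success marks a 302 from wp-login.php,
    i.e. a login that went through. Threshold and window are assumptions."""
    posts = defaultdict(list)
    redirects = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in AUTH_PATHS:
            continue
        posts[rec["ip"]].append(rec["ts"])
        if rec["path"] == "/wp-login.php" and rec["status"] == 302:
            redirects.add(rec["ip"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"attempts": peak, "possible_success": ip in redirects}
    return flagged


def sample_log():
    """Constructed access-log lines using RFC 5737 documentation addresses."""
    base = datetime(2024, 1, 10, 5, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [line("192.0.2.1", 0, "GET", "/", 200)]
    # Twelve guesses in two minutes from one address; the last one redirected.
    lines += [line("203.0.113.5", i * 10, "POST", "/wp-login.php",
                   302 if i == 11 else 200) for i in range(12)]
    # Two xmlrpc.php POSTs from another address, below the default threshold.
    lines += [line("198.51.100.7", s, "POST", "/xmlrpc.php", 200) for s in (5, 40)]
    return lines


if __name__ == "__main__":
    for ip, info in find_bursts(sample_log()).items():
        print(ip, info)
```

Run it against a real log with `find_bursts(open("/var/log/httpd/access_log"))`; the flagged addresses are candidates for the firewall rules and login rate limits described above, and any `possible_success` hit should trigger the password reset this section recommends. Note that one xmlrpc.php POST can carry many guesses at once, so a lower threshold for that path is reasonable.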

Preserving Remediation Efforts

Fixing the immediate vulnerabilities matters, but the gains will not last unless the underlying weak access points and defenses are addressed as well.

Here are key WordPress security steps to undertake:

  • Automatically patch WordPress core, plugins and themes
  • Restrict access to non-public locations like /wp-admin, XML-RPC, etc.
  • Limit login attempts to prevent brute force credential stuffing
  • Eliminate administrative file editing capabilities within WordPress
  • Enforce password passphrases, multi-factor auth (MFA) and single sign-on (SSO)
  • Set up a Web Application Firewall (WAF) for deep inspection and threat blocking
  • Harden filesystem permissions and ownership

Proactively implementing these security controls makes the vulnerabilities detected by WPScan less likely to turn into full site takeovers later on.

Conclusion

WPScan gives immense visibility into your WordPress site's security posture, detecting vulnerable software versions, data leaks, susceptible credentials, and misconfigured settings.

By installing WPScan and running recurring scans, you can identify and remediate security gaps before they lead to website defacements, malware infections, or complete site takeovers by attackers constantly targeting the platform.

Combining ongoing scans with continuous WordPress hardening enables sustaining security gains over the long run – keeping your site safe from the over 90,000 daily attacks targeting the Internet's most popular CMS.

So don't wait any longer! Start embracing WPScan to lock down your online presence and sleep better at night knowing your site is secure.