Use WPScan to scan WordPress for vulnerabilities on Kali

Vulnerabilities in WordPress can be uncovered by the WPScan utility, which comes installed by default in Kali Linux. It’s also a great tool for gathering general reconnaissance information about a website that’s running WordPress.

Owners of WordPress sites would be wise to try running WPScan against their site, as it may reveal security issues that need patched. It can also reveal more general web server issues, such as directory listings that haven’t been turned off inside Apache or NGINX.

WPScan itself is not a tool that can be used maliciously while performing simple scans against a site, unless you consider the extra traffic itself to be malicious. But the information it reveals about a site can be leveraged by attackers to launch an attack. WPScan can also try username and password combinations to try and gain access to a WordPress site. For this reason, it’s advised that you only run WPScan against a site that you own or have permission to scan.

In this guide, we’ll see how to use WPScan and its various command line options on Kali Linux. Try out some of the examples below to test your own WordPress installation for security vulnerabilities.

In this tutorial you will learn:

  • How to use WPScan
  • How to scan for vulnerabilities with API token

Using WPScan on Kali Linux

Using WPScan on Kali Linux

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Kali Linux
Software WPScan
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

How to use WPScan

Although WPScan should already be installed on your system, you can ensure that it’s installed and up to date by typing the following commands in terminal.

$ sudo apt update
$ sudo apt install wpscan

We’ve setup a test server with Apache and WordPress installed. Follow along with our example commands below as we check the security of our test website.

Use the --url option and specify the URL of the WordPress site in order to scan it with WPScan.

$ wpscan --url

WPScan will then perform a scan against the website, which usually concludes in a few seconds. Since we have not specified any extra options, WPScan does a passive scan and gathers various information by crawling the site and examining the HTML code.

Some things revealed by the scan are as follows:

  • The server is running Apache 2.4.41 on Ubuntu Linux
  • WordPress version is 5.6 (some older versions have known vulnerabilities, any WPScan will notify you about that)
  • The WordPress theme being used is called Twenty Twenty-One, and is out of date
  • The site is using plugins called ‘Contact Form 7’ and ‘Yoast SEO’
  • The upload directory has listing enabled
  • XML-RPC and WP-Cron are enabled
  • The WordPress readme file has been found on the server
Findings from WPScan

Findings from WPScan

Some of this information can be helpful to attackers, but nothing has been revealed that is cause for major concern. However, directory listing should definitely be disabled in Apache, and XML-RPC should also be disabled if it’s not being used. The less attack surfaces available, the better.

WordPress version and theme revealed

WordPress version and theme revealed

Site admins can also take measures to disguise the theme, plugins, and versions of software that they’re running. That would be outside the scope of this guide, but there are WordPress plugins available that can make these changes to your site.

WordPress plugins that were found on the site

WordPress plugins that were found on the site

If a website has done a good enough job of obfuscating their WordPress information, WPScan may return saying that the site isn’t running WordPress at all. If you know this to be untrue, you can use the --force option to force WPScan to scan the site anyway.

$ wpscan --url --force

Some sites may also change their default plugins or wp-content directories. To help WPScan find these directories, you can specify them manually with the --wp-content-dir and --wp-plugins-dir options. We’ve filled in a couple example directories below, so be sure to replace them.

$ wpscan --url --force --wp-content-dir newcontentdir --wp-plugins-dir newcontentdir/apps

Scanning for vulnerabilities

In order to scan for vulnerabilities, you’ll have to obtain an API token from WPScan’s website. Sort of annoying, but the process is quite painless and it’s free. With the token, you’re allowed to perform 50 vulnerability scans per day. For more scans, you’ll have to pay a price.

Once you have your token, you can use the --api-token option to include it in your command. Vulnerability data is then displayed automatically after the scan.

$ wpscan --url --api-token TOKEN
Using API token allows vulnerability data to be shown

Using API token allows vulnerability data to be shown

To perform a more invasive scan, which will potentially reveal more vulnerabilities or information, you can specify a different detection type with the --detection-mode option. Options include passive, mixed, or aggressive.

$ wpscan --url --api-token TOKEN --detection-mode aggressive

Using the above commands should help you discover all the weak points of your WordPress site, and now you can take measures to increase your security. There’s even more that WPScan can do; check out its help page for a full list of options.

$ wpscan -h

WPScan also includes references underneath each section of its output. These are links to articles that help explain the information WPScan has reported. For example, there are two references that help explain how WP-Cron can be used for DDoS attacks. Check out those links to learn more.

Closing Thoughts

In this guide, we learned how to scan a WordPress site with WPScan on Kali Linux. We saw various options to specify with the command, which can help us scan websites that have obfuscated their configuration. We also saw how to uncover vulnerability information by obtaining an API token and using aggressive detection mode.

WordPress is a CMS with a lot of code, themes, and plugins, all from various authors. With so many moving parts, there’s bound to be security vulnerabilities at some point. That’s why it’s important to use WPScan to check your site for security issues, and always keeping your site’s software up to date by applying the latest security patches.