Vulnerabilities in WordPress can be uncovered by the WPScan utility, which comes installed by default in Kali Linux. It’s also a great tool for gathering general reconnaissance information about a website that’s running WordPress.
Owners of WordPress sites would be wise to try running WPScan against their site, as it may reveal security issues that need patched. It can also reveal more general web server issues, such as directory listings that haven’t been turned off inside Apache or NGINX.
WPScan itself is not a tool that can be used maliciously while performing simple scans against a site, unless you consider the extra traffic itself to be malicious. But the information it reveals about a site can be leveraged by attackers to launch an attack. WPScan can also try username and password combinations to try and gain access to a WordPress site. For this reason, it’s advised that you only run WPScan against a site that you own or have permission to scan.
In this guide, we’ll see how to use WPScan and its various command line options on Kali Linux. Try out some of the examples below to test your own WordPress installation for security vulnerabilities.
In this tutorial you will learn:
- How to use WPScan
- How to scan for vulnerabilities with API token
|Category||Requirements, Conventions or Software Version Used|
|Other||Privileged access to your Linux system as root or via the
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of
$ – requires given linux commands to be executed as a regular non-privileged user
How to use WPScan
Although WPScan should already be installed on your system, you can ensure that it’s installed and up to date by typing the following commands in terminal.
$ sudo apt update $ sudo apt install wpscan
We’ve setup a test server with Apache and WordPress installed. Follow along with our example commands below as we check the security of our test website.
--url option and specify the URL of the WordPress site in order to scan it with WPScan.
$ wpscan --url http://example.com
WPScan will then perform a scan against the website, which usually concludes in a few seconds. Since we have not specified any extra options, WPScan does a passive scan and gathers various information by crawling the site and examining the HTML code.
Some things revealed by the scan are as follows:
- The server is running Apache 2.4.41 on Ubuntu Linux
- WordPress version is 5.6 (some older versions have known vulnerabilities, any WPScan will notify you about that)
- The WordPress theme being used is called Twenty Twenty-One, and is out of date
- The site is using plugins called ‘Contact Form 7’ and ‘Yoast SEO’
- The upload directory has listing enabled
- XML-RPC and WP-Cron are enabled
- The WordPress readme file has been found on the server
Some of this information can be helpful to attackers, but nothing has been revealed that is cause for major concern. However, directory listing should definitely be disabled in Apache, and XML-RPC should also be disabled if it’s not being used. The less attack surfaces available, the better.
Site admins can also take measures to disguise the theme, plugins, and versions of software that they’re running. That would be outside the scope of this guide, but there are WordPress plugins available that can make these changes to your site.
If a website has done a good enough job of obfuscating their WordPress information, WPScan may return saying that the site isn’t running WordPress at all. If you know this to be untrue, you can use the
--force option to force WPScan to scan the site anyway.
$ wpscan --url http://example.com --force
Some sites may also change their default plugins or wp-content directories. To help WPScan find these directories, you can specify them manually with the
--wp-plugins-dir options. We’ve filled in a couple example directories below, so be sure to replace them.
$ wpscan --url http://example.com --force --wp-content-dir newcontentdir --wp-plugins-dir newcontentdir/apps
Scanning for vulnerabilities
In order to scan for vulnerabilities, you’ll have to obtain an API token from WPScan’s website. Sort of annoying, but the process is quite painless and it’s free. With the token, you’re allowed to perform 50 vulnerability scans per day. For more scans, you’ll have to pay a price.
Once you have your token, you can use the
--api-token option to include it in your command. Vulnerability data is then displayed automatically after the scan.
$ wpscan --url http://example.com --api-token TOKEN
To perform a more invasive scan, which will potentially reveal more vulnerabilities or information, you can specify a different detection type with the
--detection-mode option. Options include passive, mixed, or aggressive.
$ wpscan --url http://example.com --api-token TOKEN --detection-mode aggressive
Using the above commands should help you discover all the weak points of your WordPress site, and now you can take measures to increase your security. There’s even more that WPScan can do; check out its help page for a full list of options.
$ wpscan -h
WPScan also includes references underneath each section of its output. These are links to articles that help explain the information WPScan has reported. For example, there are two references that help explain how WP-Cron can be used for DDoS attacks. Check out those links to learn more.
In this guide, we learned how to scan a WordPress site with WPScan on Kali Linux. We saw various options to specify with the command, which can help us scan websites that have obfuscated their configuration. We also saw how to uncover vulnerability information by obtaining an API token and using aggressive detection mode.
WordPress is a CMS with a lot of code, themes, and plugins, all from various authors. With so many moving parts, there’s bound to be security vulnerabilities at some point. That’s why it’s important to use WPScan to check your site for security issues, and always keeping your site’s software up to date by applying the latest security patches.