Skip to content

Checking your WordPress Server’s Security with WPScan

In a previous post I spoke about how imperative it is to keep you WordPress (and for that matter, many other things) as up-to-date as possible to counter frequently emerging exploits.

Keep It Simple, Stupid

As with most things applications we run, with complexity comes vulnerabilities. A primary tool we have for keeping our services secure is to keep them as simple as possible. This means reducing and carefully curating the amount of plugins and themes we install on our WordPress site.

Out-of-the-box WordPress is good, but may not fit our requirements – and so we must install extensions to meet these demands. Again, discussed in the aforementioned post I cover how we should vet plugins. Here I would like to shine some light on how we can keep an eye on these plugins with a handy-dandy tool called WPScan.

Installing WPScan

Linux

The procedure doesn’t differ much between distributions.

First, update your package manager with sudo apt update -y.

Then, install Ruby and Ruby development files, and cmake, sudo apt install ruby-dev cmake -y.

Finally, use Ruby’s installer to install WPScan. Run sudo gem install wpscan.

Windows

Download and install the latest stable version of Ruby Installer for Windows, at the time of writing this, this is Ruby+Devkit 3.1.2-1 (x64).

Once you’ve worked your way though that, leaving everything as default. Open Command Prompt run gem install wpscan to install WPScan.

Using WPScan

WPScan is operated through command-line. Open your console, or command prompt, and do wpscan. You should see some options, like --url, --update, --help. Let’s try running WPScan on our website.

$ wp-scan --url https://www.your-website.com/
[i] Updating the Database ...
[i] Update complete.

[+] URL: https://www.your-website.com/ [127.0.0.1]
[+] Started :Tue Jun 28 22:09:59 2022
(and so on)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

Whoops! Looks like WPScan requires an API Token, looks like we need to get that one sorted. Create an API Token by going to WPScan Register.

Once you’ve created an account, if you go to your profile page you should see your generated API Token available. Copy that down, let’s use that in WPScan.

$ wp-scan --url https://www.your-website.com/ --api-token yourverylongandrandomapitokenhere
[+] URL: https://www.your-website.com/ [127.0.0.1]
[+] Started: Tue Jun 28 22:16:29 2022

Interesting Finding(s):
(and so on)

Once you’ve run that, you should notice that WPScan has detected things that you’re running on your WordPress site, on top of that, perhaps any vulnerabilities or old versions.

Warnings are fairly obvious, indicated in red with an exclamation mark [!].

Leave a Reply

Your email address will not be published. Required fields are marked *