In a previous post I spoke about how imperative it is to keep you WordPress (and for that matter, many other things) as up-to-date as possible to counter frequently emerging exploits.
Keep It Simple, Stupid
As with most things applications we run, with complexity comes vulnerabilities. A primary tool we have for keeping our services secure is to keep them as simple as possible. This means reducing and carefully curating the amount of plugins and themes we install on our WordPress site.
Out-of-the-box WordPress is good, but may not fit our requirements – and so we must install extensions to meet these demands. Again, discussed in the aforementioned post I cover how we should vet plugins. Here I would like to shine some light on how we can keep an eye on these plugins with a handy-dandy tool called WPScan.
The procedure doesn’t differ much between distributions.
First, update your package manager with
sudo apt update -y.
Then, install Ruby and Ruby development files, and cmake,
sudo apt install ruby-dev cmake -y.
Finally, use Ruby’s installer to install WPScan. Run
sudo gem install wpscan.
Download and install the latest stable version of Ruby Installer for Windows, at the time of writing this, this is
Ruby+Devkit 3.1.2-1 (x64).
Once you’ve worked your way though that, leaving everything as default. Open Command Prompt run
gem install wpscan to install WPScan.
WPScan is operated through command-line. Open your console, or command prompt, and do
wpscan. You should see some options, like
--help. Let’s try running WPScan on our website.
$ wp-scan --url https://www.your-website.com/ [i] Updating the Database ... [i] Update complete. [+] URL: https://www.your-website.com/ [127.0.0.1] [+] Started :Tue Jun 28 22:09:59 2022 (and so on) [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
Whoops! Looks like WPScan requires an API Token, looks like we need to get that one sorted. Create an API Token by going to WPScan Register.
Once you’ve created an account, if you go to your profile page you should see your generated API Token available. Copy that down, let’s use that in WPScan.
$ wp-scan --url https://www.your-website.com/ --api-token yourverylongandrandomapitokenhere [+] URL: https://www.your-website.com/ [127.0.0.1] [+] Started: Tue Jun 28 22:16:29 2022 Interesting Finding(s): (and so on)
Once you’ve run that, you should notice that WPScan has detected things that you’re running on your WordPress site, on top of that, perhaps any vulnerabilities or old versions.
Warnings are fairly obvious, indicated in red with an exclamation mark