WordPress is the world’s favorite content management system used to power millions of websites, ecommerce stores, blogs, and web applications.
Its ease of use and ability to launch beautiful websites with minimal effort has made WordPress a standard in modern web design, powering nearly 30 percent of the internet. But because of its popularity, WordPress has also become a common target for hackers.
Securing and understanding the flaws of a WordPress website is a task often overlooked by website owners. However, with a handy tool called WPScan, entrepreneurs and web developers can easily evaluate their installation’s security and keep their prized website safer.
What is WPScan?
WPScan is a black box vulnerability scanner. Written in the Ruby programming language, WPScan helps detect problems with security configurations, themes, plugins, and user permissions. On Kali, Pentoo, and Samurai WTF WPScan is pre-installed. But the application can easily be installed on a Linux machine such as Ubuntu, Fedora, and Debian – the screenshots for this article were taken on a personal computer running on Ubuntu 16.04.
Before we started looking at examples, I thought we should get a better understanding of the benefits and features of WPScan.
Creating a modern WordPress website, in most cases, involves trying out a few themes and installing a series of plugins to enhance your website’s functionality. Once you get the hang of it, it becomes second nature and you will often find yourself with more themes and plugins than you need. However, uploading all that software can leave your website vulnerable, especially when updates are ignored, and when the software does not come from reliable sources to begin with.
When WPScan performs a scan, the application will make a list of all your themes and plugins, evaluate their version number and then check if there are any known vulnerabilities present.
Beyond providing crucial information about your WordPress version, themes, and plugins, WPScan can also compile a list of users. Which we can then test to see if anyone is using a weak password. And the beauty of the application is that also this information can be acquired remotely without having administrator access!
Instructions on setting up WPScan can be found on the website’s homepage. If you have Ubuntu installed (like me), you can run these commands.
First, we’ll want to install Git. Git is a tool that allows easy access for installation and updates to a code repository.
apt-get install git
Then a few prerequisites.
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
Now to use git you clone the main branch of WPScan code, this will create a folder on your system with the code.
git clone https://github.com/wpscanteam/wpscan.git cd wpscan sudo gem install bundler && bundle install --without test development
Then launch it with ruby.
Working with WPScan
To run a simple scan, use the following command:
ruby wpscan.rb --url www.example.com
You will also want to consider using an HTTP proxy, you don’t want your hosting provider to flag your IP as suspicious.
ruby wpscan.rb --url www.example.com --proxy <[protocol://]host:port>
If your scan is being blocked, you can use the application’s built in random user-agent feature:
ruby wpscan.rb --url www.example.com -r
Running a basic scan will reveal plenty of useful information about the installation. Vulnerabilities are highlighted in red.
Now you can start digging a little deeper by enumerating users, themes and plugins.
The idea is to collect a list of valid usernames. Once we have a list of usernames, we can test to see if anyone of our users is using a weak password.
WPScan iterates through user ids by appending them to your site’s URL.
For example, www.yourwebsite.com/?author=1, adding 2, and 3 etc… in the URL, will reveal the user’s login id.
ruby wpscan.rb --url www.example.com --enumerate u
By default, this will look for ids 1 to 10. For more usernames, you will want to use the following command: u[10-20].
Now that we have compiled our list of usernames we can test to see if any of our users are using weak passwords by running a brute force test:
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin --threads 50
In others target the website www.example.com and test to see if admin’s password is in our darkc0de list and limit our connection to 50 threads.
Most WordPress websites have plenty of plugins installed. In many cases, more than needed. If you want to find which plugins are running on the site, use the following command:
ruby wpscan.rb --url www.example.com --enumerate p
WPScan maintains a huge database containing many of the known vulnerable plugins and their version numbers. To find the find the vulnerable plugins you can run the following command:
ruby wpscan.rb --url www.example.com --enumerate vp
If WPScan is not able to determine the plugin version, it will list all the past vulnerabilities and when they were fixed.
A WordPress website comes with many default themes and often webmasters like to experiment with their website’s design by installing a few more themes from trusted and untrusted sources. Like the plugin command, we can compile a list of themes like this:
ruby wpscan.rb --url www.example.com --enumerate t
Likewise, for vulnerable themes:
ruby wpscan.rb --url www.example.com --eunumerate vt
As you can see WPscan is a great tool to evaluate the overall security of your WordPress installation and patch security weaknesses before they are exploited by a hacker.
Moving forward to keep your WordPress website safe you should try to:
- Stay up to date.
- Keep your themes and plugins up to date.
- Delete unnecessary themes and plugins (especially if they have not been updated in a while).
- Delete the default admin user.
- Naturally, use strong passwords.
- Configure a security plugin to limit login attempts and thwart away malicious requests.
- Host with a reliable company!
On a positive note, the overwhelming majority of raids on sites are made by automated bots. So, in many cases, it’s not a person who enters your site and spends many hours trying to break it, but rather, software that is surfing the net looking for vulnerable websites. So if your website is carefully set up and well configured, you should have no problem!