In this post, we look at how to use WPScan. The tool provides you a better understanding of your WordPress website and its vulnerabilities. Be sure to check out our post on installing WPScan to get started with the software.
Big Threats Come from Unexpected Places
Imagine for a second that you’re a survivor in a zombie apocalypse.
You’ve holed up in a grocery store, barricading windows and checking door locks. Things seem pretty quiet and secure. But just as you sit down to enjoy an oversized can of chocolate pudding, a thought crosses your mind. A bunch of thoughts, really.
You remember all the times you’ve seen this exact scenario in zombie movies. You start thinking about all the unknown possibilities that could still expose you to the horde:
- Faulty window fittings that’ll give with too much pressure
- A nasty gang that grabs supplies from this spot every couple weeks
- A fire alarm that erratically triggers and draws zombies from miles around
- A very-real dumpster fire that’s growing outside and could set the whole place ablaze
- A backroom freezer where previous inhabitants locked a dozen very-hungry zombies
Wouldn’t it be nice if you could scan the entire grocery store in a way that would reveal if those potential problems were real problems?
Well, a double-sized helping of good news:
- You’re not living in a zombie apocalypse.
- WPScan does exactly this for your WordPress sites.
Get the Lowdown on Your WordPress Site’s Security
WPScan examines your site in the same way most attackers do: It enumerates details and checks them against its database of vulnerabilities and exploits.
Having this information in your own hands, you can more precisely address issues that might not be readily apparent.
How to Start Using WPScan
A command line will, of course, be your base of operations.
If you’ve installed WPScan, always begin with an update. After all, if everyone knows about a potential issue but you, you’re ripe for an attack.
Use this command:
gem update wpscan
If you installed on Mac with the Homebrew approach, use this instead:
brew upgrade wpscan
Running a Basic Scan with WPScan
When using WPScan, your command will always start with wpscan, and then it’ll point the tool to your URL.
wpscan --url yourwebsite.com
Running the command above will perform a basic scan of your site. After a few minutes, you’ll have a whole bunch of “Interesting Findings” that WPScan discovered from your site’s code. That could include information like:
- Headers to discover server information
- Accessibility of xmlrpc.php
- Accessibility of wp-cron.php
- WordPress version
- Active theme and its basic information
- Active plugins and their basic information
- Discoverable Config backups
Different site and server configurations might reveal different information.
If your site runs behind a firewall, you can try the same command with an additional option added to the end:
wpscan --url yourwebsite.com --random-user-agent
Identifying Vulnerable Themes & Plugins with WPScan
While a basic scan will show you if a theme or plugin version is out of date, it won’t tell you if there are specific vulnerabilities with that version.
To get that info, you’ll need to utilize the WPScan Vulnerability Database API.
In our WPScan installation guide, we had you register to use the API. You’ll now insert your unique API token into a scan in order to access this specialized information.
You’ll also add some additional flags based on the specific information you want to get. The most important one in this case is -e (which stands for “enumerate”) and the choice of vp (which, you guessed it, stands for “vulnerable plugins”).
Here’s the most-common command to search for vulnerable plugins:
wpscan --url yourwebsite.com -e vp --api-token YOUR_TOKEN
Keep in mind that this will take a lot longer than the basic scan. Our five-minute basic scan became a 25-minute vulnerability scan.
Here’s the same detected plugin from the scan above, but using the vulnerability database:
To check your site for a vulnerable theme, replace the vp with vt (“vulnerable themes”). Everything else can stay the same.
wpscan --url yourwebsite.com -e vt --api-token YOUR_TOKEN
On top of the theme or plugin vulnerabilities, WPScan will also report any vulnerabilities with the version of WordPress your site is running.
Checking User Enumeration with WPScan
Don’t stop at vulnerable plugins and themes, though. Password attacks pose another big threat to your site’s security. And WordPress can provide attackers with the critical access and information they look for.
With WPScan, you can determine what usernames are discoverable from the outside.
To run this enumeration scan, we’ll use this command:
wpscan --url yourwebsite.com -e u
You can probably guess what the “u” stands for.
WPScan will use a few different techniques to do its own guessing: determining usernames based on the information available publicly on your site (i.e. author names). WordPress will tip its hands in some subtle ways as WPScan probes those guesses. (The blacked out content below are discovered user IDs.)
Ideally, you don’t want any usernames to be discoverable with these techniques. The easiest way to prevent that is by using different publicly visible nicknames than your user IDs.
Testing a Password Attack with WPScan
How does an attacker follow up discovering a username? By attempting to access its account, of course.
WPScan actually allows you to simulate this. And this will be especially helpful if the site you’re managing has a lot of contributors: corporate sites, collaborative blogs, and the like.
First, you’ll need to get or create a list of passwords. With a quick Google search, you can find a number of lists of the most commonly used passwords, including the often-used rockyou wordlist. Keep in mind these lists are long, and this step does amount to a brute-force attack on the scanned site. So, plan appropriately before running this scan: e.g. Prepare your server/admin, shorten the list, clone the site in a staging environment, run during visitor downtime, etc.
To initiate the scan, the command will be:
wpscan --url yourwebsite.com -passwords file/path/passwords.txt
If you put your wordlist into the current directory, you’ll just need the name of the file. But if you place it anywhere else, you’ll need to provide the full path.
In the scan above, we ran a short list of the 5 most common passwords against a site with one enumerated user. Because that user wasn’t using any of these passwords, WPScan reports “No Valid Passwords Found.”
Managing Fewer Security Threats with WPScan
In the end, the preventative measures you take to ensure the security of your WordPress sites upfront reduce the potential – and potential impact – of problems down the line.
The more thoroughly you incorporate tools like WPScan or even our own firewall into your site building process, the easier it will be to find and fix new vulnerabilities as they arise.
And even if your site’s been around for a long time, there’s no better time to start than now in assessing its risks and getting caught up in securing it. The last thing you want is to be 64-ounces deep in a can of pudding and have a zombie grab the spoon out of your hand.