In past blog posts we've written about OSINT tools and about how to prevent DNS attacks when you run your own DNS servers; today we're focusing on WordPress security.
When we talk about security, we talk about services, and many of those are public websites.
According to the latest W3Techs report, as of July 2018 WordPress is used by 31% of existing websites. That's a lot.
The latest Sucuri hacked-websites report, covering 2017, also revealed that WordPress infections rose from 74% in Q3 2016 to 83% in 2017, which is not good at all. It is without any doubt one of the most attacked CMS platforms.
WordPress is easy to use, has a short learning curve, and can be installed by almost anybody without programming or technical skills. But it can become your worst nightmare if you don't know how to keep it secure.
So, how can you test whether your WordPress installation is secure? Keep reading.
Most popular WordPress Vulnerability Scanners
Website owners often install WordPress, choose a theme and configure the plugins they need, but completely forget about hardening WordPress, which includes keeping the WP core, themes and plugins updated, among other things.
Is your WordPress installation really secure against external attacks? How can you find vulnerabilities and weaknesses in your current WordPress site?
Let's answer these questions by exploring the finest WordPress vulnerability scanners, so you can find and fix any security flaws in your WordPress website today.
WPScan is one of the best vulnerability scanners for WordPress and works like a charm from the terminal, where you can run remote vulnerability tests against your WP installations.
Using WPScan allows you to analyze the security of your current WordPress website to:
- Detect known vulnerabilities in the WP core, as well as themes and plugins
- Detect if any registered user is using weak passwords
- Check overall WP security configuration
- Run brute-force penetration tests
- Enumerate the WordPress version (from the generator meta tag)
- Scan all server headers
- Run miscellaneous WordPress checks, such as directories in use, theme names, custom dirs, etc.
This WP security tool uses the wpvulndb.com database to keep its vulnerability data up to date. It also has very extensive documentation for developers who want to improve its security scanning of WordPress installations.
Note: WPScan comes pre-installed on the most popular penetration-testing and security-focused Linux distributions, such as Kali Linux, BackBox Linux, Pentoo and BlackArch.
Let's install the required dependencies first, for the most popular Linux distributions:
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
sudo apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build
Clone the WPScan GitHub repo and install the app on your test box with the following commands:
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && bundle install --without test
Let's see if it was installed OK. Run this command; it should display the WPScan banner and version:
ruby wpscan.rb --version

[research@securitytrails wpscan]# ruby wpscan.rb --version
_______________________________________________________________
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.5-dev
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

Current version: 2.9.5-dev
[research@securitytrails wpscan]#
If you see that, it was installed OK. Now let's look at the most popular arguments you can use:
--update          Update the database to the latest version.
--url   | -u      The WordPress URL/domain to scan.
--force | -f      Forces WPScan to not check if the remote site is running WordPress.
For the full list of arguments, try:
ruby wpscan.rb --help
Running our first WPScan against WordPress
Now that you have WPScan installed and working, let's begin with the fun stuff.
First things first, let's update the WPScan vulnerability database:
ruby wpscan.rb --update
Now, launch your first scan:
ruby wpscan.rb --url yourwordpress.com
Replace "yourwordpress.com" with the URL of your website.
You should get something like this:
[i] The remote host tried to redirect to: https://wpsecuritytesting.com/
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]
>Y
[+] URL: https://www.wpsecuritytesting.com/
[+] Started: Fri Jul 13 15:26:24 2018

[+] Interesting header: CONTENT-SECURITY-POLICY: default-src https: data: 'unsafe-inline' 'unsafe-eval'
[+] Interesting header: EXPECT-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
[+] Interesting header: LINK: <https://www.wpsecuritytesting.com/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: cloudflare
[+] Interesting header: STRICT-TRANSPORT-SECURITY: max-age=15724800; includeSubdomains; preload
[+] Interesting header: X-CONTENT-TYPE-OPTIONS: nosniff
[+] Interesting header: X-FRAME-OPTIONS: DENY
[+] Interesting header: X-XSS-PROTECTION: 1; mode=block
[+] This site has 'Must Use Plugins' (http://codex.wordpress.org/Must_Use_Plugins)
[+] XML-RPC Interface available under: https://www.wpsecuritytesting.com/xmlrpc.php   [HTTP 405]
[+] API exposed: https://www.wpsecuritytesting.com/wp-json/   [HTTP 200]
[!] 1 user exposed via API: https://www.wpsecuritytesting.com/wp-json/wp/v2/users
+----+----------------+---------------------------------------------------------+
| ID | Name           | URL                                                     |
+----+----------------+---------------------------------------------------------+
| 1  | John Smith     | https://www.wpsecuritytesting.com/author/johnsmith/     |
+----+----------------+---------------------------------------------------------+
[+] Found an RSS Feed: https://www.wpsecuritytesting.com/feed/   [HTTP 200]
[!] Detected 1 user from RSS feed:
+----------------+
| Name           |
+----------------+
| John Smith     |
+----------------+
[+] Enumerating WordPress version ...
[+] WordPress version 4.9.7 (Released on 2018-07-05) identified from meta generator, links opml
[+] WordPress theme in use: mts_clear - v1.30
[+] Name: mts_clear - v1.30
 |  Latest version: 1.29 (up to date)
 |  Last updated: 2018-02-22T00:00:00.000Z
 |  Location: https://www.wpsecuritytesting.com/wp-content/themes/mts_clear/
 |  Readme: https://www.wpsecuritytesting.com/wp-content/themes/mts_clear/readme.txt
 |  Style URL: https://www.wpsecuritytesting.com/wp-content/themes/mts_clear/style.css
 |  Theme Name: mts_clear
 |  Theme URI: https://www.competethemes.com/mts_clear/
 |  Description: mts_clear is designed for publishers who want readers. That's why mts_clear is fast, responsive, access...
 |  mts_clear: Compete Themes
 |  mts_clear URI: https://www.competethemes.com
[+] Enumerating plugins from passive detection ...
 | 3 plugins found:
[+] Name: easy-social-share-buttons3
 |  Location: https://www.wpsecuritytesting.com/wp-content/plugins/easy-social-share-buttons3/
[+] Name: fancy-lightbox - v1.0.0
 |  Latest version: 1.0.0 (up to date)
 |  Last updated: 2016-08-20T23:26:00.000Z
 |  Location: https://www.wpsecuritytesting.com/wp-content/plugins/fancy-lightbox/
 |  Readme: https://www.wpsecuritytesting.com/wp-content/plugins/fancy-lightbox/readme.txt
[+] Name: wp-to-twitter - v3.3.6
 |  Latest version: 3.3.6 (up to date)
 |  Last updated: 2018-05-21T16:32:00.000Z
 |  Location: https://www.wpsecuritytesting.com/wp-content/plugins/wp-to-twitter/
 |  Readme: https://www.wpsecuritytesting.com/wp-content/plugins/wp-to-twitter/readme.txt
 |  Changelog: https://www.wpsecuritytesting.com/wp-content/plugins/wp-to-twitter/changelog.txt
[+] Finished: Fri Jul 13 15:30:52 2018
[+] Elapsed time: 00:04:28
[+] Requests made: 401
[+] Memory used: 111.953 MB
[root@securitytrails wpscan]#
As you can see, the scan was able to detect WP usernames, plugin versions, the theme name and version, and the WP core version, and to tell whether you are running the latest version or not.
Other popular command-line arguments let you run brute-force tests using word lists, as shown below:
Brute force the enumerated users using 25 threads (replace "mylist.lst" with your own word list):
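A report like the one above is meant to be acted on, not just read. As an added example (not code from WPScan or from the original post), here is a small Python parser for those line formats that turns a WPScan 2.x text report into a list of hardening items; the sample input is a constructed excerpt, and www.example.com is a placeholder host.

```python
# Added example (not WPScan's own code): turn WPScan 2.x text output into a
# defender's to-do list. Regexes follow the line formats shown in the scan above.
import re

# Constructed excerpt in the scan's own line format (www.example.com is a placeholder).
SAMPLE = """\
[+] Interesting header: CONTENT-SECURITY-POLICY: default-src https: data: 'unsafe-inline' 'unsafe-eval'
[+] XML-RPC Interface available under: https://www.example.com/xmlrpc.php [HTTP 405]
[!] 1 user exposed via API: https://www.example.com/wp-json/wp/v2/users
[+] Name: fancy-lightbox - v1.0.0
 | Latest version: 1.0.0 (up to date)
[+] Name: wp-to-twitter - v3.3.5
 | Latest version: 3.3.6
"""

HEADER = re.compile(r"\[\+\] Interesting header: ([A-Z0-9-]+): (.*)")
USERS = re.compile(r"\[!\] (\d+) users? exposed via API")
COMPONENT = re.compile(r"\[\+\] Name: ([\w-]+) - v(\S+)")
LATEST = re.compile(r"\|\s*Latest version: (\S+)")

def vtuple(v):
    # "3.3.6" -> (3, 3, 6): compare numerically, so "3.10" sorts after "3.9"
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_wpscan(text):
    r = {"headers": {}, "xmlrpc": False, "users_exposed": 0, "components": []}
    for line in text.splitlines():
        if m := HEADER.match(line):
            r["headers"][m[1]] = m[2]
        elif "XML-RPC Interface available" in line:
            r["xmlrpc"] = True
        elif m := USERS.match(line):
            r["users_exposed"] = int(m[1])
        elif m := COMPONENT.match(line):
            r["components"].append({"name": m[1], "version": m[2], "latest": None})
        elif (m := LATEST.match(line.strip())) and r["components"]:
            r["components"][-1]["latest"] = m[1]  # continuation of the preceding Name: entry
    return r

def findings(r):
    # Items a site owner should act on, derived from the parsed report.
    csp = r["headers"].get("CONTENT-SECURITY-POLICY", "")
    out = [f"CSP permits {w}" for w in ("'unsafe-inline'", "'unsafe-eval'") if w in csp]
    if r["xmlrpc"]:
        out.append("xmlrpc.php is reachable; disable it if nothing needs it")
    if r["users_exposed"]:
        out.append(f"REST API exposes {r['users_exposed']} user(s)")
    out += [f"{c['name']} {c['version']} is behind {c['latest']}" for c in r["components"]
            if c["latest"] and vtuple(c["version"]) < vtuple(c["latest"])]
    return out
```

Feed it the saved output of a real `ruby wpscan.rb --url ...` run and the returned list is what to hand to whoever maintains the site.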
ruby wpscan.rb --url www.example.com --wordlist mylist.lst --threads 25
Same example, but only against the "admin" username:
ruby wpscan.rb --url www.example.com --wordlist mylist.lst --username admin
The number of tests you can run with WPScan is really huge; explore the rest by reading the online documentation in the README file on GitHub, or run the --help option.
Sucuri is one of the leading anti-malware services for WordPress. They became very popular years ago, and the service is now part of GoDaddy.
They offer a free security scan for WordPress that lets you check your WP installation for any kind of issue, such as malware infections, blacklisting, outdated software or general website errors.
How can you test your site using Sucuri?
- Go to the free test page at sitecheck.sucuri.net
- Enter your website URL.
- Explore the results.
If your site is not vulnerable, you should see something like this output:
3. WP SCANS
WPScans, with an "s" at the end, is not the same as WPScan. These are two different scanners.
WPScans is another great alternative for scanning your WP installation for known vulnerabilities.
It allows you to run a full security analysis of your WP core, theme and plugins, checking them against its database of more than 6,000 vulnerabilities and reporting all the findings to you right away.
For registered users, it also allows you to set up automatic scans on a daily or monthly basis, so you can keep track of the security status of all your WP websites.
They also offer full advanced reports and solutions, so you can not only detect the security issues found on your WP installation but also know how to fix them.
How can I test it?
Just browse to wpscans.com for a quick check to learn whether your WP is vulnerable or not.
Results will appear as shown below if your site is OK:
Or, if it detects any issues, as shown below:
Click the "Show/Hide the full list of Wordpress core vulnerabilities found on your website" link to