A recent web application vulnerability report by Acunetix shows that around 30% of WordPress sites were found vulnerable.
There are plenty of online security scanners for your website. However, if you are looking for software to install and run from your own server, WPScan is your friend. It is useful when your website is on a private network or intranet where the Internet is not available, or when you want to test multiple sites at different times. WPScan is free software that helps you identify security-related problems on your WordPress site. It does several things, such as:
Check whether the site is running a vulnerable WordPress version
Check whether themes and plugins are up to date or known to be vulnerable
Check for TimThumb files
Check for configuration backups and DB exports
Brute force attack
and a lot more… There are several ways to use WPScan:
By installing it on a Linux server
Using Docker
Using a pre-installed Linux distro like Kali Linux, BackBox, Pentoo, BlackArch, etc.
Online version
Using on CentOS
The following steps were tested on CentOS 7.x.
Log in to CentOS as root
Update the repository
Install the latest Ruby and its dependencies
Install Ruby Nokogiri
Reboot the server and then install WPScan using the gem command
It will take a few seconds to install, and once done, you should see something like this. WPScan is now installed and ready to use. Execute wpscan and you should see it return the output below. Here is the output from a test of one site. Note: if you need vulnerability data in the output, you need to use their API. If you are interested in testing specific metrics, check the help by executing wpscan with the --help option.
Using WPScan on Kali Linux
The beauty of using Kali Linux is that you don't have to install anything: WPScan is pre-installed. Let's find out how to run the scanner.
Log in to Kali Linux as root and open a terminal
Run the scan using the wpscan command
Using Docker
A Docker fan? Why not; it is easy to get started. Ensure you have Docker installed.
Pull the WPScan Docker image
Once pulled, run it as shown below.
Easy?
WPScan-powered Online Scanners
You can leverage the following tools powered by WPScan.
Geekflare
Geekflare WordPress Security Scanner lets you quickly find out whether a given WordPress site is running a vulnerable core version, theme, plugin, etc.
On top of the WPScan metrics, it also checks the following:
Is the admin console exposed?
Is the site considered safe by Google?
Is it accessible over HTTPS?
Are front-end JavaScript libraries vulnerable?
You don't need to register an account; you can run the test on demand for free.
Pentest-Tools
A tool by Pentest-Tools lets you test a WP site on demand and produces a report.
What's next? Well done if your site is not vulnerable. If it is, work on those risk items. If you are not sure how to mitigate them, get professional help.
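As an added example (not code from the article or from the WPScan project), the script below triages a WPScan JSON report so the risk items can be worked through in order: each vulnerable component is listed with the release that fixes it, unpatched findings are surfaced last, and plugins whose version WPScan could not detect are flagged for manual review. The report is a constructed sample whose field names (target_url, version, main_theme, plugins, vulnerabilities, fixed_in, references.cve) are assumed to follow the shape of `wpscan --format json` output; check them against your own report, and note that the CVE ids and plugin names are placeholders.

```python
"""Triage a WPScan JSON report: list each vulnerable component with the release that fixes it."""
import json

# Constructed sample shaped like `wpscan --format json` output (field names are an assumption;
# verify against a real report). CVE ids and plugin names are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example.test/",
    "version": {"number": "5.2.3", "vulnerabilities": [
        {"title": "Core <= 5.2.3 - placeholder issue", "fixed_in": "5.2.4",
         "references": {"cve": ["CVE-0000-00001"]}}]},
    "main_theme": {"slug": "twentynineteen", "version": {"number": "1.4"}, "vulnerabilities": []},
    "plugins": {
        "example-forms": {"slug": "example-forms", "version": {"number": "5.1.1"}, "vulnerabilities": [
            {"title": "Example Forms < 5.1.2 - placeholder issue", "fixed_in": "5.1.2",
             "references": {"cve": ["CVE-0000-00002"]}},
            {"title": "Example Forms - unpatched placeholder issue", "fixed_in": None, "references": {}}]},
        # version None models the case where WPScan could not detect the installed version
        "example-seo": {"slug": "example-seo", "version": None, "vulnerabilities": []},
    },
})

def _components(report):
    """Yield (kind, slug, installed_version, vulnerabilities) for core, the main theme and each plugin."""
    core = report.get("version") or {}
    yield "core", "wordpress", core.get("number"), core.get("vulnerabilities", [])
    theme = report.get("main_theme") or {}
    yield "theme", theme.get("slug"), (theme.get("version") or {}).get("number"), theme.get("vulnerabilities", [])
    for slug, plugin in (report.get("plugins") or {}).items():
        yield "plugin", slug, (plugin.get("version") or {}).get("number"), plugin.get("vulnerabilities", [])

def triage(report_json):
    """One dict per vulnerability, items with a known fixed release first and unpatched ones last."""
    findings = []
    for kind, slug, installed, vulns in _components(json.loads(report_json)):
        for v in vulns:
            findings.append({"kind": kind, "component": slug, "installed": installed,
                             "fixed_in": v.get("fixed_in"), "title": v.get("title"),
                             "cves": (v.get("references") or {}).get("cve", [])})
    findings.sort(key=lambda f: (f["fixed_in"] is None, f["kind"], f["component"]))
    return findings

def undetected_versions(report_json):
    """Plugins whose version WPScan could not determine: exposure unknown, so check them by hand."""
    plugins = json.loads(report_json).get("plugins") or {}
    return sorted(s for s, p in plugins.items() if (p.get("version") or {}).get("number") is None)

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['kind']}] {f['component']} {f['installed']} -> {f['fixed_in'] or 'no fix known'}: {f['title']}")
    print("version not detected:", ", ".join(undetected_versions(SAMPLE_REPORT)))
```

To use it on a real scan, replace SAMPLE_REPORT with the contents of the file written by `wpscan --url <your-site> --format json -o report.json`.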