LinuxCommandLibrary

wpscan

Scan WordPress sites for vulnerabilities

TLDR

Update the vulnerability database

$ wpscan --update

Scan a WordPress website
$ wpscan --url [url]

Scan a WordPress website, using random user agents and passive detection
$ wpscan --url [url] --stealthy

Scan a WordPress website, checking for vulnerable plugins and specifying the path to the wp-content directory
$ wpscan --url [url] --enumerate [vp] --wp-content-dir [remote/path/to/wp-content]

Scan a WordPress website through a proxy
$ wpscan --url [url] --proxy [protocol://ip:port] --proxy-auth [username:password]

Enumerate user identifiers on a WordPress website
$ wpscan --url [url] --enumerate [u]

Execute a password guessing attack on a WordPress website
$ wpscan --url [url] --usernames [username|path/to/usernames.txt] --passwords [path/to/passwords.txt] --max-threads [20]

Scan a WordPress website, collecting vulnerability data from WPVulnDB
$ wpscan --url [url] --api-token [token]

SYNOPSIS
wpscan --url <target_url> [options]
wpscan --update
wpscan --help

PARAMETERS

--url
    Specifies the target WordPress website URL to scan.
    Example: https://www.example.com

--update
    Updates the WPScan vulnerability database to the latest version.

--enumerate
    Enumerates various items.
    Common items include: u (users), vp (vulnerable plugins), ap (all plugins), vt (vulnerable themes), at (all themes), dbe (database exports). Can be combined, e.g., u,vp,vt.

--plugins-detection
    Sets the plugin detection mode.
    Modes: passive (default, faster), aggressive (more thorough, slower).

--api-token
    Provides your WPScan API token for full vulnerability database access and higher rate limits.

--wp-content-dir
    Specifies a custom path for the wp-content directory if it's not in its default location.

--proxy
    Routes all requests through a specified proxy server.
    Example: http://127.0.0.1:8080 or socks5://127.0.0.1:9050

--random-agent
    Uses a random User-Agent for each request to potentially evade detection.

--force
    Forces the scan to run even if WPScan cannot confidently identify the target as a WordPress site.

--verbose
    Displays verbose output, showing more details about the scanning process.

--format
    Specifies the output format for the scan results.
    Formats: json, cli-no-color.

--output
    Saves the scan results to the specified file.

DESCRIPTION

wpscan is a powerful, free for non-commercial use, black-box WordPress security scanner designed for penetration testers and security professionals.
It helps identify security weaknesses in WordPress installations, including the core, plugins, and themes. wpscan operates by enumerating various components like users, installed plugins, and themes, and then cross-referencing their versions against a comprehensive database of known vulnerabilities. It can detect common misconfigurations, weak passwords, exposed debug files, and sensitive information disclosure, providing valuable insights into a WordPress site's security posture. It requires regular updates to its vulnerability database to remain effective.

CAVEATS

WPScan's free version is for non-commercial use only. Commercial use or full API access requires an API token, which may be subject to subscription or rate limits.
It is a black-box scanner, meaning it interacts with the web application externally without access to server logs or internal configurations, which limits its depth of analysis.
Scans can be detected by Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) if not performed carefully (e.g., without proxies or stealth options).
The effectiveness of WPScan heavily relies on its vulnerability database being up-to-date, requiring regular use of the --update option.
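As an added defender-side example (not part of the original page), the following Python script flags the request pattern a wpscan user enumeration leaves in an Apache combined-format access log: the default User-Agent (assumed to contain the string "WPScan"), a sweep over sequential ?author= IDs, and a request to the WordPress REST users endpoint. The log lines, IPs and version string are constructed samples; the sweep check still fires when --random-agent hides the User-Agent.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [10/Jun/2024:10:00:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.5 - - [10/Jun/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [10/Jun/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X)"
203.0.113.5 - - [10/Jun/2024:10:00:03 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Jun/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [10/Jun/2024:10:06:00 +0000] "GET /blog/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')   # wpscan's author ID sweep (?author=1, 2, 3 ...)
REST_USERS = "/wp-json/wp/v2/users"            # REST endpoint wpscan queries for user listings


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_wpscan(log_text, author_threshold=3):
    """Return {client_ip: [reasons]} for clients whose requests look like a wpscan run."""
    author_ids = defaultdict(set)   # per-client set of distinct author IDs probed
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if "wpscan" in rec["ua"].lower():          # default UA; absent with --random-agent/--stealthy
            findings[ip].append("default WPScan User-Agent")
        m = AUTHOR_RE.search(rec["path"])
        if m:
            author_ids[ip].add(int(m.group(1)))
        if rec["path"].startswith(REST_USERS):
            findings[ip].append("REST users endpoint request")
    # A single ?author=1 hit is normal WordPress traffic; a sweep over several IDs is not.
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f"author ID sweep over {len(ids)} ids")
    return {ip: sorted(set(reasons)) for ip, reasons in findings.items()}
```

Running `detect_wpscan(SAMPLE_LOG)` reports only 203.0.113.5; the second client's single ?author=1 request stays below the sweep threshold.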

WPSCAN API TOKEN

To leverage WPScan's full potential, especially for up-to-date vulnerability detection, an API token is highly recommended. It grants access to the most comprehensive vulnerability database and increases the rate limits for scans. A free token is available for personal, non-commercial use, typically allowing a certain number of API requests per day. Users can register on the WPScan website to obtain their token.

INSTALLATION

WPScan is primarily distributed as a Ruby gem, making its installation straightforward on systems with Ruby installed. It can often be installed via package managers on various Linux distributions (e.g., apt install wpscan on Debian/Ubuntu or gem install wpscan). Ensuring the correct Ruby version and dependencies are met is crucial for a smooth setup.

HISTORY

WPScan was originally created around 2011 by a team of ethical hackers as an open-source project dedicated to enhancing WordPress security. Over the years, it gained significant popularity within the cybersecurity community for its effectiveness and regular updates. The project transitioned to be maintained by the WPScan team and eventually became part of Rapid7, a leading cybersecurity company. The introduction of the WPScan API token was a key development, allowing the project to fund the maintenance of its extensive vulnerability database and provide advanced features and higher rate limits to users, ensuring its continued development and reliability.

SEE ALSO

nmap(1), nikto(1), sqlmap(1), curl(1), gobuster(1)
