• 1) Scanning for Vulnerabilities

After successfully updating WPScan, apply it to your WordPress website. With a few commands you can scan your website for vulnerable themes, plug-ins, and users.

This procedural scan will alert you to any potential risk of infection to the website. This information will guide you in taking the necessary actions to secure the site, either by updating the affected components or by disabling them.

WPScan commands always start with ruby wpscan.rb followed by your website URL:

ruby wpscan.rb --url http://yourwebsite.com

Running the basic command above performs a quick scan of the website that identifies the active theme and basic issues, such as an exposed WordPress version number.

Specific vulnerabilities can be checked for by appending arguments to this basic command.

  • a) Checking for Vulnerable Plugins

Including the --enumerate vp argument checks the WordPress website for vulnerable plugins.

ruby wpscan.rb --url http://yourwebsite.com --enumerate vp

Any vulnerable plug-ins will be flagged with red exclamation marks and references to further information. Update such a plug-in to a patched version; if it cannot be updated to patch the vulnerability, remove it and replace it.

  • b) Checking for Vulnerable Themes

In the same manner, adding --enumerate vt to the command scans the WordPress website for vulnerable themes.

ruby wpscan.rb --url http://yourwebsite.com --enumerate vt

As with the plugins, watch for red exclamation marks and URLs with more information. Update any vulnerable theme to a patched version; if it cannot be updated to patch the vulnerability, remove it and replace it.

  • c) Checking for User Enumeration

A common tactic used by attackers is to harvest your WordPress usernames and use them to launch an attack on the website. Once an attacker gains access to a user account with sufficient permissions, they can take over your WordPress installation.

To discover which login names of users on the WordPress website can be listed, append the --enumerate u argument to the end of the command.

ruby wpscan.rb --url http://yourwebsite.com --enumerate u

In a well-configured setup, it should not be possible to list the login names of WordPress users.
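As an added example (not part of the original post, and not WPScan's own code), here is a small POSIX shell wrapper that runs the three checks above (vulnerable plugins, vulnerable themes, user enumeration) against one site in one go, keeps a log per check, and summarises the "[!]" finding lines that WPScan prints in red. It assumes WPScan is started as ruby wpscan.rb from its own folder, as in the post; the WPSCAN_CMD and LOG_DIR variables, the function names and the sample log are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from WPScan itself: run the
# three WPScan checks described above against one site, keep one log per
# check, and summarise the finding lines.
#
# Assumptions (constructed for this example):
#  - WPScan is invoked as "ruby wpscan.rb" from its own folder, as in the
#    post; set WPSCAN_CMD if your copy is started differently.
#  - Findings are printed on lines starting with "[!]" (the red exclamation
#    marks the post refers to); "[+]" and "[i]" lines are informational.

WPSCAN_CMD="${WPSCAN_CMD:-ruby wpscan.rb}"
LOG_DIR="${LOG_DIR:-./wpscan-logs}"

# Build the command line for one enumeration target:
#   vp = vulnerable plugins, vt = vulnerable themes, u = users
build_scan_cmd() {
    url="$1"
    target="$2"
    case "$target" in
        vp|vt|u)
            printf '%s --url %s --enumerate %s\n' "$WPSCAN_CMD" "$url" "$target"
            ;;
        *)
            printf 'unknown enumeration target: %s\n' "$target" >&2
            return 1
            ;;
    esac
}

# Count the "[!]" finding lines in a scan log read from stdin.
# grep -c prints 0 but exits non-zero when nothing matches, so force success.
count_findings() {
    grep -c '^\[!\]' || true
}

# Run all three checks against one site and write one log per check,
# then print how many findings each produced and the finding lines.
run_scans() {
    url="$1"
    mkdir -p "$LOG_DIR"
    for target in vp vt u; do
        cmd=$(build_scan_cmd "$url" "$target") || return 1
        log="$LOG_DIR/$target.log"
        printf '== %s\n' "$cmd"
        # Unquoted on purpose: the command string is split into its words.
        $cmd > "$log" 2>&1
        printf '   findings: %s (full output in %s)\n' \
            "$(count_findings < "$log")" "$log"
        grep '^\[!\]' "$log" || true
    done
}

# Constructed sample of what a scan log looks like (not real scanner output),
# used to exercise count_findings without contacting any site.
sample_log() {
    cat <<'EOF'
[+] URL: http://yourwebsite.com/
[+] WordPress version 4.7 identified from meta generator
[!] Title: WordPress <= 4.7 - constructed example finding
[+] Enumerating plugins from passive detection ...
[!] Title: example-plugin - constructed example finding
[i] Reference: https://example.invalid/ref
EOF
}

# Only contact a site when a URL is given on the command line, e.g.
#   sh wpscan-wrapper.sh http://yourwebsite.com
if [ $# -gt 0 ]; then
    run_scans "$1"
fi
```

Run it from the wpscan folder as sh wpscan-wrapper.sh http://yourwebsite.com. Without a URL it only defines the functions, so you can also source it and run count_findings < wpscan-logs/vp.log over a log you saved earlier. Anything the u scan reports is a sign that usernames can be listed and is worth fixing, not just noting.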

A website firewall or a security plug-in may interfere with running WPScan, and an error like this may appear...

Lady May Premium
hummm sorry but haven't got much to say about this, unfathomable :(
OldMCSEGuy Premium
This may be too much to post at WA. One of my web guys used it and I thought it would be cool... It is not straightforward. Even the installation is very difficult. I may remove it.
BobBarr Premium
"Step 1

Open Terminal and change your directory to the wpscan folder downloaded during installation "

Two questions:

1. Is terminal access possible on WA-hosted sites? On siterubix subdomains? Is FTP access required? (If so, lack of FTP access will preclude doing this on siterubix subdomains.)

2. Step 1 says to change the directory to the folder downloaded during installation. During what installation? (There are no instructions for performing the installation.)
Yenomym Premium
Thanks for this information. None of us want to be hacked.
Marilyn
GeoffGS Premium
What a hassle (or worse) getting hacked would be.