More than 2 million websites are powered by WordPress, which holds the number one position in the CMS market with a 67% share.
A recent vulnerability report by Acunetix shows that around 8% of the vulnerabilities found in websites are related to WordPress.
Do you scan your website or blog for vulnerabilities regularly? If you don't, you should.
The WPScan vulnerability scanner, sponsored by SUCURI, helps you identify security problems on your WordPress website.
WPScan is not a plugin; you run it from the command line on a UNIX flavor (Ubuntu, CentOS, Debian, Fedora, Mac OS X) or on a penetration-testing Linux distribution that ships it pre-installed, such as Kali Linux, BackBox Linux, Pentoo, SamuraiWTF or BlackArch.
WPScan is also useful if your website is on a private network or intranet that online scanners cannot reach. Keep in mind that WPScan's own vulnerability database is fetched from the Internet, so refresh it (ruby wpscan.rb --update) on a connected machine before moving the scanner to an isolated network.
If you are on Windows, sorry: WPScan does not run there.
Let's take a look at how to use WPScan on CentOS and Kali Linux to search for security vulnerabilities.
Using WPScan on CentOS
- Log in to CentOS as root and open a terminal
- Install Git and the build prerequisites using yum
# yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build git
- Clone the WPScan repository from git
# git clone https://github.com/wpscanteam/wpscan.git
- This creates a new folder called “wpscan”. Change into it
# cd wpscan
- Install the Ruby dependencies with Bundler
# gem install bundler && bundle install --without test
This takes a few minutes; once it finishes you are ready to scan.
To run the scanner, invoke ruby wpscan.rb with the --url parameter. A few examples:
To check for vulnerable plugins (vp)
# ruby wpscan.rb --url geekflare.com --enumerate vp
To check for vulnerable themes (vt)
# ruby wpscan.rb --url geekflare.com --enumerate vt
Using WPScan on Kali Linux
The beauty of Kali Linux is that you don't have to install anything: WPScan is pre-installed and on your PATH as the wpscan command.
Let's find out how to run the scanner.
- Log in to Kali Linux as root and open a terminal
- Run the scan using the wpscan command
# wpscan --url www.example.com --enumerate
Without an argument, --enumerate runs WPScan's default set of enumerations; pass specific options (such as vp, vt, or u for registered users) to narrow the scan. Refer to the official site for the full list of options.
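The commands above (both the CentOS ruby wpscan.rb form and the Kali wpscan form) are one-off runs, while the opening question was about scanning regularly. The following wrapper is an added example, not part of WPScan or of this page's original commands: it runs the scan with the page's vp and vt enumerations plus u (user enumeration), keeps a timestamped log, counts the lines WPScan prefixes with "[!]" (the marker it uses for anything that needs attention), and exits non-zero when there are findings so it can be dropped into cron. The WPSCAN_CMD variable, the output directory layout, and the sample_output text are assumptions made for this example; the sample is constructed and does not come from a real scan.

```shell
#!/bin/sh
# Cron-friendly WPScan wrapper (added example, not WPScan's own code).
# Assumption: WPSCAN_CMD points at a working scanner: "wpscan" on Kali,
# or "ruby /path/to/wpscan/wpscan.rb" for the git checkout from the page.
WPSCAN_CMD="${WPSCAN_CMD:-wpscan}"

# Count findings in a WPScan log: every line WPScan wants you to act on
# (known vulnerable plugins/themes/core, exposed readme.html, ...) starts
# with "[!]". Prints the count; prints 0 for an empty or missing file.
count_findings() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^\[!\]' "$1" || true   # grep -c exits 1 on zero matches
}

# Print just the flagged lines, for mailing or pasting into a ticket.
list_findings() {
    [ -r "$1" ] || return 0
    grep '^\[!\]' "$1" || true
}

# Run one scan, keep a timestamped log under OUTDIR, and return 0 only
# when nothing was flagged, so cron can do: run_scan URL /var/log/wpscan || alert
run_scan() {
    url="$1"
    outdir="${2:-.}"
    mkdir -p "$outdir"
    log="$outdir/wpscan-$(date +%Y%m%d-%H%M%S).log"
    # Unquoted on purpose: WPSCAN_CMD may be "ruby wpscan.rb" (two words).
    $WPSCAN_CMD --url "$url" --enumerate vp,vt,u >"$log" 2>&1
    n=$(count_findings "$log")
    echo "$n finding(s) for $url, log: $log"
    [ "$n" -eq 0 ]
}

# Constructed sample output (assumption: not a real scan) so the parsing
# can be tried offline. The "[!]" line is the message WPScan prints when
# readme.html is reachable and leaks the WordPress version.
sample_output() {
    cat <<'EOF'
[+] URL: https://www.example.com/
[!] The WordPress 'https://www.example.com/readme.html' file exists exposing a version number
[+] XML-RPC Interface available under: https://www.example.com/xmlrpc.php
[+] Enumerating plugins from passive detection ...
[+] No plugins found passively
EOF
}

# Demo on the constructed sample: parse it instead of scanning anything.
demo=$(mktemp)
sample_output >"$demo"
echo "sample log has $(count_findings "$demo") finding(s):"
list_findings "$demo"
rm -f "$demo"
```

To schedule it, source the script from a cron job and call run_scan with your site URL and a log directory; a non-zero exit means a new "[!]" line appeared and the log is worth reading. Because the count is taken from the log rather than from WPScan's exit status, the same check works for both the git checkout and the Kali package.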
If your site is on shared hosting and you can't install WPScan, don't worry: you can test it with these online tools instead.
I hope this helps you find security flaws in your WordPress site. For complete and continuous protection, you may also consider using the SUCURI WAF.