How to Test WordPress Security using the Open Source Security Tool WPScan
Before I dive into this post, I would like to say that everything here is for educational purposes only: scan only sites you own or have written permission to test. Now we can move on.
WordPress is exceptionally popular because it is the easiest-to-use CMS (Content Management System) in the world. Many major organizations and celebrities use WordPress for their sites, for example Ford, Sony PlayStation, CNN, The Rolling Stones, and UPS.
WordPress is built on PHP and MySQL, with a huge number of themes, plugins and widgets. Every site built with WordPress has a custom theme, several plugins and a few widgets, and, inevitably, security issues.
Overall the WordPress platform does a good job of implementing security, but at the end of the day it is software, and all software has vulnerabilities. When you factor in themes and plugins, the risk grows quickly: most WordPress compromises come through third-party code rather than core. For this reason it is always a good idea to run a security scan, and this is where WPScan can help protect your site. If you have not given this tool a look, I highly recommend that you do so. You may find there are steps you can take to harden your website and protect not only yourself but also your visitors.
Over the years, a number of security vulnerabilities have been found in WordPress core. The WordPress team has fixed the old issues, but it is impossible for them to check every new plugin and widget. Common web attacks such as SQL injection and cross-site scripting (XSS) are still a nightmare. You have a WordPress site and are worried about these vulnerabilities? Don't panic: you can use WPScan, a WordPress vulnerability scanner written in Ruby. It fingerprints the core version, plugins and themes of a site and matches them against the WPScan vulnerability database.
To get started with WPScan you will need to install it. I am not going to cover installation because there are a number of different options depending on your scenario. I will say that I prefer to use WPScan on Kali Linux, because it not only saves the time and effort of installing it, but Kali also ships dozens of other tools you may find very useful on your security journey.
WPScan is a WordPress specific security scanner. The scanner can
- Identify Plugins Installed
- Identify Themes Installed
- Enumerate User IDs (login names)
Identify Plugins Installed: enumerate installed plugins with this command. WPScan takes short keys after --enumerate: p for popular plugins, ap for all plugins and vp for plugins with known vulnerabilities (it does not accept the spelled-out word "plugins"). Detection is passive by default, reading the pages WPScan fetches; --plugins-detection aggressive also probes plugin directories and generates far more requests against the target.
$ wpscan --url http://domainname.com --enumerate ap
Identify Themes Installed: enumerate installed themes with this command. The keys t, at and vt work the same way for themes.
$ wpscan --url http://domainname.com --enumerate at
Enumerate User IDs: enumerate the site's user accounts with this command. The u key alone tries author IDs 1 to 10; a range such as u1-50 widens it. Any login it recovers is a ready-made username list for a password attack, so treat an enumerable user list as a finding in its own right.
$ wpscan --url http://domainname.com --enumerate u
Full Scan: enumerate users, plugins and themes in one run by separating the keys with commas. Add --api-token with a token from wpscan.com if you want the detected versions matched against the WPScan vulnerability database; without it WPScan still reports the versions it finds, but not which of them have known vulnerabilities.
$ wpscan --url http://domainname.com --enumerate u,ap,at --api-token YOUR_TOKEN
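The four commands above each produce a long console listing, and in practice you want to run them from a script and act on the result. The following is an added example, not WPScan's own code: a small Python wrapper that builds the argv for the enumeration runs shown on this page using WPScan 3.x flags (--url, --enumerate, --format json, --output, --api-token), refuses spelled-out keys such as "plugins", and triages the JSON report WPScan writes with --format json into the things a reviewer acts on (components with known vulnerabilities, outdated components, components whose version could not be determined, and enumerated logins). The report layout it assumes (plugins keyed by slug, a single main_theme, users keyed by login, a vulnerabilities list per component) is WPScan's JSON format; the slugs, versions and the single finding in SAMPLE_REPORT are constructed for illustration and are not a real scan result. Python is used rather than a plain shell script because the useful part is parsing the report, not typing the command.

```python
"""Added example: build WPScan enumeration commands and triage its JSON report.
Not WPScan's own code; SAMPLE_REPORT is a constructed report, not a real scan."""
import json
import re
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional

# Keys WPScan accepts after --enumerate (comma-separate several), plus user ranges like u1-50.
ENUM_KEYS = {"u", "p", "vp", "ap", "t", "vt", "at", "tt", "cb", "dbe", "m"}
USER_RANGE = re.compile(r"^u\d+-\d+$")


def build_wpscan_cmd(url: str, enumerate: Iterable[str], api_token: Optional[str] = None,
                     output_path: Optional[str] = None) -> List[str]:
    """Return argv for one scan; rejects keys WPScan does not understand (e.g. 'plugins')."""
    keys = list(enumerate)
    bad = [k for k in keys if k not in ENUM_KEYS and not USER_RANGE.match(k)]
    if bad:
        raise ValueError("unknown --enumerate keys: %s" % ", ".join(bad))
    cmd = ["wpscan", "--url", url, "--enumerate", ",".join(keys), "--format", "json"]
    if api_token:
        # Without a token WPScan reports versions but matches nothing against its vulnerability database.
        cmd += ["--api-token", api_token]
    if output_path:
        cmd += ["--output", output_path]
    return cmd


def summarize_report(report_json: str) -> Dict[str, list]:
    """Reduce a WPScan JSON report to vulnerable / outdated / unversioned components and users."""
    report = json.loads(report_json)
    out = {"vulnerable": [], "outdated": [], "no_version": [], "users": []}
    components = {}
    if report.get("version"):                      # WordPress core: number sits at top level
        components["wordpress-core"] = report["version"]
    components.update(report.get("plugins") or {})  # plugins: keyed by slug
    if report.get("main_theme"):                   # only the active theme is reported here
        components[report["main_theme"]["slug"]] = report["main_theme"]
    for slug, comp in components.items():
        if slug == "wordpress-core":
            version = comp.get("number")
        else:
            version = (comp.get("version") or {}).get("number")  # version can be null
        if version is None:
            out["no_version"].append(slug)          # nothing could be matched; check by hand
        if comp.get("outdated"):
            out["outdated"].append((slug, version, comp.get("latest_version")))
        for vuln in comp.get("vulnerabilities") or []:
            refs = vuln.get("references") or {}
            out["vulnerable"].append({"slug": slug, "title": vuln.get("title"),
                                      "fixed_in": vuln.get("fixed_in"),
                                      "cve": list(refs.get("cve") or [])})
    for login, info in (report.get("users") or {}).items():
        out["users"].append((login, info.get("id")))
    return out


def run_scan(url: str, enumerate: Iterable[str], api_token: Optional[str] = None) -> Dict[str, list]:
    """Run WPScan from PATH and triage its output. Only run against targets you are authorized to test."""
    if shutil.which("wpscan") is None:
        raise RuntimeError("wpscan not found on PATH")
    proc = subprocess.run(build_wpscan_cmd(url, enumerate, api_token),
                          capture_output=True, text=True, check=False)
    # WPScan signals "vulnerabilities found" with a non-zero exit status (5), so do not use check=True.
    if not proc.stdout.strip():
        raise RuntimeError("wpscan produced no output: %s" % proc.stderr.strip())
    return summarize_report(proc.stdout)


# Constructed sample in WPScan's JSON layout; slugs, versions and the finding are placeholders.
SAMPLE_REPORT = json.dumps({
    "target_url": "http://domainname.com/",
    "version": {"number": "5.8", "status": "insecure", "vulnerabilities": []},
    "main_theme": {"slug": "twentytwentyone", "version": {"number": "1.4"}, "outdated": True,
                   "latest_version": "1.6", "vulnerabilities": []},
    "plugins": {
        "example-plugin": {"slug": "example-plugin", "version": {"number": "1.9"}, "outdated": True,
                           "latest_version": "2.0",
                           "vulnerabilities": [{"title": "Example Plugin < 2.0 - Constructed Sample Finding",
                                                "fixed_in": "2.0", "references": {"cve": []}}]},
        "another-plugin": {"slug": "another-plugin", "version": None, "outdated": False, "vulnerabilities": []},
    },
    "users": {"admin": {"id": 1, "confidence": 100}, "editor": {"id": 2, "confidence": 100}},
})

if __name__ == "__main__":
    print(" ".join(build_wpscan_cmd("http://domainname.com", ["u", "ap", "at"], api_token="YOUR_TOKEN")))
    for section, items in summarize_report(SAMPLE_REPORT).items():
        print(section, items)
```

Running the file prints the full-scan command line and the triage of the constructed sample; to scan a real target replace the sample with run_scan("http://domainname.com", ["u", "ap", "at"], api_token="YOUR_TOKEN"). The "no_version" bucket matters: a plugin WPScan found but could not version has not been checked against anything, so it needs a manual look rather than being read as clean.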