More than 2 million websites are powered by WordPress, and it holds the number one position with 67% of market share in CMS.
A recent Vulnerability Report by Acunetix shows that around 8% of vulnerabilities found in websites are related to
Do you perform a web vulnerability scan of your website or blog regularly? If you aren't, then you should!
WPScan, a vulnerability scanner sponsored by SUCURI, helps you identify security-related problems on your WordPress website.
WPScan is not a plugin, so you need to run it either on a UNIX flavor (Ubuntu, CentOS, Debian, Fedora, Mac OS X) or on a penetration-testing Linux distribution where it comes pre-installed, such as Kali Linux, BackBox Linux, Pentoo, SamuraiWTF or BlackArch.
WPScan is useful if your website is on a private network or intranet where the Internet is not available.
If you are on Windows OS then sorry!
Let's take a look at how to use WPScan on CentOS and Kali Linux to search for security vulnerabilities.
Using WPScan on CentOS
- Log in to CentOS as root and open a Terminal
- Install Git and the prerequisite components using yum
# yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build git
- Clone the WPScan repository from git
# git clone https://github.com/wpscanteam/wpscan.git
- This creates a new folder called "wpscan". Change into it
# cd wpscan
- Now install WPScan's dependencies using the following command
# gem install bundler && bundle install --without test
This will take a few seconds to install, and once done, you are all set to perform the scan.
To run the scanner, you have to call ruby wpscan.rb with the URL parameter (--url). Let's take a few examples.
To check the plugin vulnerabilities (vp = vulnerable plugins)
# ruby wpscan.rb --url geekflare.com --enumerate vp
To check the theme vulnerabilities (vt = vulnerable themes)
# ruby wpscan.rb --url geekflare.com --enumerate vt
Using WPScan on Kali Linux
The beauty of using Kali Linux is you don’t have to install
anything. WPScan is pre-installed.
Let’s find out how to run the scanner.
- Log in to Kali Linux as root and open a Terminal
- Run the scan using the wpscan command (on Kali, the scanner is installed as a command, so you don't call ruby wpscan.rb directly)
# wpscan --url www.example.com --enumerate
The above command runs all the available enumeration checks. You may also refer to the official site for more information.
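Both sections above boil down to the same two checks (vulnerable plugins, vulnerable themes) launched in a slightly different way on CentOS and on Kali. The following script is an added example, not code from the original post or from the WPScan project: it picks the right launcher for the host it runs on, builds the two scan commands, and keeps a dated log of each run so results can be compared week to week. It assumes WPSCAN_DIR points at the git checkout from the CentOS steps (default ./wpscan) and that wpscan.rb can be started from outside that directory; on Kali it simply uses the packaged wpscan command.

```shell
#!/bin/sh
# Added example (not from the original post or the WPScan project).
# Assumption: WPSCAN_DIR is the directory cloned in the CentOS steps.
WPSCAN_DIR="${WPSCAN_DIR:-./wpscan}"

# Decide how to launch WPScan on this host:
# the packaged command (Kali) or the git checkout (CentOS).
wpscan_launcher() {
    if command -v wpscan >/dev/null 2>&1; then
        echo "wpscan"
    elif [ -f "$WPSCAN_DIR/wpscan.rb" ]; then
        echo "ruby $WPSCAN_DIR/wpscan.rb"
    else
        return 1
    fi
}

# Build one scan command line. Only the two checks from the post are
# accepted: vp (vulnerable plugins) and vt (vulnerable themes). A typo
# is rejected instead of silently running a scan that checks nothing.
build_scan_cmd() {
    launcher="$1"; url="$2"; what="$3"
    case "$what" in
        vp|vt) ;;
        *) echo "unknown enumerate target: $what" >&2; return 1 ;;
    esac
    echo "$launcher --url $url --enumerate $what"
}

# Run both checks against one site and write a dated log per check,
# so a later run can be diffed against an earlier one.
run_site_checks() {
    url="$1"; logdir="${2:-.}"
    launcher="$(wpscan_launcher)" || { echo "WPScan not found" >&2; return 1; }
    stamp="$(date +%Y%m%d)"
    for what in vp vt; do
        cmd="$(build_scan_cmd "$launcher" "$url" "$what")" || return 1
        echo "running: $cmd"
        $cmd > "$logdir/wpscan-$what-$stamp.log" 2>&1 \
            || echo "check $what exited non-zero, see the log" >&2
    done
}

# Usage (hypothetical paths): run_site_checks https://www.example.com /var/log/wpscan
```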
Hosting your site on shared hosting and can't install WPScan? Don't worry. Test your site with these online tools.
I hope this helps you find security flaws in your WordPress site. To add complete and continuous security to your site, you may consider using the SUCURI WAF.