WP-CLI » 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

In this post, I will be using 3 free tools to scan WordPress websites for vulnerabilities.

NAMEPLATFORMHOW TO USELIMITS
WPScanWindows & Linuxterminalfree plan: 25 reports daily
WPSECwebsiteonlinefree plan: 20 scans daily
Burp SuiteWindows & Linuxapplication

1. From the terminal: WPScan

If you have access to the terminal on your web hosting then you can install wpscan and run the following command to run a basic scan:

wpscan --url yourwebsite.com

This will give you information such as:

  • Headers to discover server information
  • If xmlrpc.php or wp-cron.php accessible
  • WordPress version and config backups
  • Active theme and its basic information
  • Active plugins and their basic information

But to identify vulnerable plugins, you need to create a free account on wpscan

image 1024x440 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

and add your unique API token to the command:

wpscan --url yourwebsite.com -e vp --api-token YOUR_TOKEN
image 1 1024x971 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

and to check for vulnerable themes replace vp with vt (vulnerable themes)

wpscan --url yourwebsite.com -e vt --api-token YOUR_TOKEN

2. From online service: WPSEC.COM

Unlike Burp Suite or WPScan which have to be downloaded to be used, WPSEC.COM is an online tool that has a free plan where you can scan up to 20 times per day. It uses the same database as WPScan but offers less information, forcing you to choose premium plans.

See also  🔴 FoxAuto WordPress malware

To scan your WordPress website for vulnerabilities using WPSEC.COM open the website, type in your domain name, check that you have permission to scan it, and then click on the START SCAN button.

image 2 1024x486 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

After a few minutes you will have basic report:

image 3 1024x493 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

3. From your computer: Burp Suite

Burp Suite is a penetration testing tool that has it’s own store with extensions, one of those extensions is WordPress Scanner – a WPScan like plugin for Burp by Kacper Szurek.

Step 1. Install Burp Suite to your device


Step 2. Download Jython and install it on your device

java -jar jython-installer-2.7.2.jar
install jython on windows - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

Step 3. Add the path where jython is installed to Extender > Options > Python

image 20 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

Step 4. Go to Extender > BApp Store and search for WordPress Scanner

image 21 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

Click on the Install button


Step 5. Browse WordPress sites through Burp proxy.

Vulnerable plugins and themes will appear on the issue list.

usage - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

Was this post helpful?

Leave a Comment

I enjoy constructive responses and professional comments to my posts, and invite anyone to comment or link to my site.

Recommended