3 ways to Scan WordPress for Vulnerabilities

In this post, I will be using 3 free tools to scan WordPress websites for vulnerabilities.

WPScanWindows & Linuxterminalfree plan: 25 reports daily
WPSECwebsiteonlinefree plan: 20 scans daily
Burp SuiteWindows & Linuxapplication

If you have access to the terminal on your web hosting then you can install wpscan and run the following command to run a basic scan:

wpscan --url yourwebsite.com

This will give you information such as:

  • Headers to discover server information
  • If xmlrpc.php or wp-cron.php accessible
  • WordPress version and config backups
  • Active theme and its basic information
  • Active plugins and their basic information

But to identify vulnerable plugins, you need to create a free account on wpscan

and add your unique API token to the command:

wpscan --url yourwebsite.com -e vp --api-token YOUR_TOKEN

and to check for vulnerable themes replace vp with vt (vulnerable themes)

wpscan --url yourwebsite.com -e vt --api-token YOUR_TOKEN

Unlike Burp Suite or WPScan which have to be downloaded to be used, WPSEC.COM is an online tool that has a free plan where you can scan up to 20 times per day. It uses the same database as WPScan but offers less information, forcing you to choose premium plans.

To scan your WordPress website for vulnerabilities using WPSEC.COM open the website, type in your domain name, check that you have permission to scan it, and then click on the START SCAN button.

After a few minutes you will have basic report:

Burp Suite is a penetration testing tool that has it’s own store with extensions, one of those extensions is WordPress Scanner – a WPScan like plugin for Burp by Kacper Szurek.

Step 1. Install Burp Suite to your device

Step 2. Download Jython and install it on your device

java -jar jython-installer-2.7.2.jar

Step 3. Add the path where jython is installed to Extender > Options > Python

Step 4. Go to Extender > BApp Store and search for WordPress Scanner

Click on the Install button

Step 5. Browse WordPress sites through Burp proxy.

Vulnerable plugins and themes will appear on the issue list.

Was this post helpful?

Leave a Comment