3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

In this post, I will be using 3 free tools to scan WordPress websites for vulnerabilities.

NAME	PLATFORM	HOW TO USE	LIMITS
WPScan	Windows & Linux	terminal	free plan: 25 reports daily
WPSEC	website	online	free plan: 20 scans daily
Burp Suite	Windows & Linux	application	∞

1. From the terminal: WPScan

If you have access to the terminal on your web hosting then you can install wpscan and run the following command to run a basic scan:

wpscan --url yourwebsite.com

This will give you information such as:

Headers to discover server information
If xmlrpc.php or wp-cron.php accessible
WordPress version and config backups
Active theme and its basic information
Active plugins and their basic information

But to identify vulnerable plugins, you need to create a free account on wpscan

image 1024x440 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

and add your unique API token to the command:

wpscan --url yourwebsite.com -e vp --api-token YOUR_TOKEN

image 1 1024x971 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

and to check for vulnerable themes replace vp with vt (vulnerable themes)

wpscan --url yourwebsite.com -e vt --api-token YOUR_TOKEN

2. From online service: WPSEC.COM

Unlike Burp Suite or WPScan which have to be downloaded to be used, WPSEC.COM is an online tool that has a free plan where you can scan up to 20 times per day. It uses the same database as WPScan but offers less information, forcing you to choose premium plans.

To scan your WordPress website for vulnerabilities using WPSEC.COM open the website, type in your domain name, check that you have permission to scan it, and then click on the START SCAN button.

image 2 1024x486 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

After a few minutes you will have basic report:

image 3 1024x493 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

3. From your computer: Burp Suite

Burp Suite is a penetration testing tool that has it’s own store with extensions, one of those extensions is WordPress Scanner – a WPScan like plugin for Burp by Kacper Szurek.

Step 1. Install Burp Suite to your device

Step 2. Download Jython and install it on your device

java -jar jython-installer-2.7.2.jar

install jython on windows - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

Step 3. Add the path where jython is installed to Extender > Options > Python

image 20 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

Step 4. Go to Extender > BApp Store and search for WordPress Scanner

image 21 - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

Click on the Install button

Step 5. Browse WordPress sites through Burp proxy.

Vulnerable plugins and themes will appear on the issue list.

usage - 3 ways to Scan 🕵️‍♂️ WordPress for Vulnerabilities

Was this post helpful?

Let me know if you liked the post. That’s the only way I can improve. 🙂

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

1. From the terminal: WPScan

2. From online service: WPSEC.COM

3. From your computer: Burp Suite

Was this post helpful?

Leave a Comment Cancel reply