In this post, I will be using 3 free tools to scan WordPress websites for vulnerabilities.
| NAME | PLATFORM | HOW TO USE | LIMITS |
|---|---|---|---|
| WPScan | Windows & Linux | terminal | free plan: 25 reports daily |
| WPSEC | website | online | free plan: 20 scans daily |
| Burp Suite | Windows & Linux | application | ∞ |
1. From the terminal: WPScan
If you have access to a terminal (for example on your web hosting), you can install WPScan and run the following command for a basic scan:
wpscan --url yourwebsite.com
This will give you information such as:
- HTTP headers that reveal server information
- Whether xmlrpc.php or wp-cron.php are accessible
- WordPress version and config backups
- Active theme and its basic information
- Active plugins and their basic information
To identify vulnerable plugins, however, you need to create a free account on wpscan.com and add your unique API token to the command:
wpscan --url yourwebsite.com -e vp --api-token YOUR_TOKEN
To check for vulnerable themes, replace vp with vt (vulnerable themes):
wpscan --url yourwebsite.com -e vt --api-token YOUR_TOKEN
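WPScan can also write its findings as JSON (`-f json -o report.json`), which is easier to turn into an update checklist than the terminal output. The script below is an added example, not code from the original post or from the WPScan project: it reads such a report, lists every vulnerability WPScan attached to the core version, the main theme, plugins and themes, and sorts the ones with a known fixed version first so the remediation order is obvious. The field names it relies on (`version`, `main_theme`, `plugins`, `themes`, `vulnerabilities`, `fixed_in`, `interesting_findings`) are assumed from WPScan's JSON report format, and the embedded report is constructed, not a real scan.

```python
"""Summarize a WPScan JSON report into an update checklist.

Usage: python wpscan_summary.py report.json
(with no argument, the constructed SAMPLE_REPORT below is used).
"""
import json
import sys

# Constructed sample in the shape of WPScan's JSON output (-f json -o report.json).
# The field names are an assumption about WPScan's report format; check them against
# a report produced by your own WPScan version. CVE values are placeholders, not real ids.
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example.com/",
    "version": {
        "number": "6.1.1",
        "status": "insecure",
        "vulnerabilities": [
            {"title": "WordPress < 6.1.2 - constructed core finding",
             "fixed_in": "6.1.2",
             "references": {"cve": ["CVE-PLACEHOLDER-1"]}},
        ],
    },
    "main_theme": {"slug": "twentytwentythree",
                   "version": {"number": "1.0"},
                   "vulnerabilities": []},
    "plugins": {
        "example-forms": {
            "slug": "example-forms",
            "version": {"number": "1.2.0"},
            "vulnerabilities": [
                {"title": "Example Forms < 1.3.0 - constructed plugin finding",
                 "fixed_in": "1.3.0",
                 "references": {"cve": ["CVE-PLACEHOLDER-2"],
                                "url": ["https://example.invalid/advisory"]}},
            ],
        },
        "example-cache": {"slug": "example-cache",
                          "version": {"number": "2.0"},
                          "vulnerabilities": []},
    },
    "interesting_findings": [
        {"type": "xmlrpc", "url": "https://example.com/xmlrpc.php",
         "to_s": "XML-RPC seems to be enabled"},
    ],
})


def load_report(text):
    """Parse the JSON text of a WPScan report."""
    return json.loads(text)


def collect_findings(report):
    """Flatten every vulnerability in the report into one dict per finding."""
    findings = []

    def add(component, node):
        installed = (node.get("version") or {}).get("number", "unknown")
        for vuln in node.get("vulnerabilities", []):
            findings.append({
                "component": component,
                "installed": installed,
                "title": vuln.get("title", ""),
                "fixed_in": vuln.get("fixed_in"),
                "references": vuln.get("references", {}),
            })

    # Core: the "version" node carries both the number and its vulnerabilities.
    core = report.get("version")
    if core:
        add("wordpress-core", {"version": core, "vulnerabilities": core.get("vulnerabilities", [])})
    main_theme = report.get("main_theme")
    if main_theme:
        add("theme:" + main_theme.get("slug", "main_theme"), main_theme)
    for slug, plugin in report.get("plugins", {}).items():
        add("plugin:" + slug, plugin)
    for slug, theme in report.get("themes", {}).items():
        add("theme:" + slug, theme)
    return findings


def prioritize(findings):
    """Findings with a known fixed version come first (remediation is just an update),
    then alphabetically by component and title so the output reads as a checklist."""
    return sorted(findings, key=lambda f: (f["fixed_in"] is None, f["component"], f["title"]))


def exposed_endpoints(report):
    """Types of WPScan 'interesting findings', e.g. xmlrpc or wp-cron being reachable."""
    return [f["type"] for f in report.get("interesting_findings", []) if f.get("type")]


def format_summary(report):
    """One line per finding: component, installed version, title and the fix action."""
    lines = []
    for f in prioritize(collect_findings(report)):
        fix = f"update to {f['fixed_in']}" if f["fixed_in"] else "no fixed version listed"
        lines.append(f"{f['component']} {f['installed']}: {f['title']} -> {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    parsed = load_report(text)
    print(format_summary(parsed))
    print("interesting findings:", ", ".join(exposed_endpoints(parsed)) or "none")
```

Findings with no `fixed_in` are pushed to the bottom because they need a decision (disable the plugin, apply a workaround, or accept the risk) rather than a routine update, which is what a site owner most wants to separate out of a 25-reports-a-day free plan.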
2. From online service: WPSEC.COM
Unlike Burp Suite or WPScan, which have to be downloaded before use, WPSEC.COM is an online tool with a free plan that allows up to 20 scans per day. It uses the same vulnerability database as WPScan but shows less information, pushing you toward its premium plans.
To scan your WordPress website for vulnerabilities using WPSEC.COM open the website, type in your domain name, check that you have permission to scan it, and then click on the START SCAN button.
After a few minutes you will have a basic report.
3. From your computer: Burp Suite
Step 2. Download the Jython installer and run it on your device:
java -jar jython-installer-2.7.2.jar
Step 3. Add the path where Jython is installed under Extender > Options > Python
Step 4. Go to Extender > BApp Store, search for WordPress Scanner, and click the Install button
Step 5. Browse WordPress sites through the Burp proxy.
Vulnerable plugins and themes will appear in the issue list.