How to use the command 'wpscan' (with examples)
WPScan is a popular WordPress security scanner that is specifically designed to help website administrators and security professionals identify vulnerabilities associated with WordPress websites. By leveraging an extensive vulnerability database, WPScan allows users to detect security weaknesses in WordPress sites, including outdated plugins and themes, insecure settings, and vulnerable user accounts.
Update the vulnerability database
Code:
wpscan --update
Motivation:
Regular updates to the vulnerability database are critical for WPScan to remain effective in detecting the latest vulnerabilities. The vulnerability landscape is dynamic, with new weaknesses discovered frequently. An up-to-date database ensures that the scanner can detect and report the newest threats to your WordPress site.
Explanation:
--update
: This command updates WPScan’s local vulnerability database. With each update, WPScan fetches fresh data from the official WPScan repository to ensure it has the latest information on WordPress vulnerabilities.
Example output:
[i] Updating the Database ...
[i] Update Complete
Scan a WordPress website
Code:
wpscan --url url
Motivation:
Conducting regular scans of your WordPress website is crucial for maintaining security. This command is the simplest way to check for known vulnerabilities without additional configurations. It helps identify weaknesses that need immediate attention to prevent unauthorized access or data breaches.
Explanation:
--url url
: This argument specifies the URL of the WordPress site you want to scan. WPScan will analyze the target website, retrieving information about its WordPress version, themes, and plugins to identify vulnerabilities.
Example output:
[+] URL: http://example.com/
[+] Started: Wed Oct 18 10:50:34 2023
...
[+] The version is 5.8 (80%)
Scan a WordPress website, using random user agents and passive detection
Code:
wpscan --url url --stealthy
Motivation:
Using the --stealthy mode is particularly useful when you want to avoid attracting attention during a vulnerability scan. This approach minimizes the footprint on the web server by simulating requests from different browsers, making it less likely to trigger web application firewalls or intrusion detection systems.
Explanation:
--url url
: Specifies the target WordPress site.
--stealthy
: This option enables stealth mode by randomizing user agents and using passive detection techniques. It helps reduce the likelihood of being detected by security measures such as rate limiting or anomaly detection systems.
Example output:
[i] URL: http://example.com/
[i] Stealth Mode Enabled
...
[+] Scan finished.
Scan a WordPress website, checking for vulnerable plugins and specifying the path to the wp-content directory
Code:
wpscan --url url --enumerate vp --wp-content-dir remote/path/to/wp-content
Motivation:
Ensuring that plugins are free of vulnerabilities is vital, as they are a common source of security issues in WordPress sites. Specifying the path to the wp-content directory is useful when it’s been moved from the default location, which can occur for custom installations or to enhance security through obscurity.
Explanation:
--url url
: Sets the URL of the site to scan.
--enumerate vp
: This option directs WPScan to enumerate plugins and check them for known vulnerabilities.
--wp-content-dir remote/path/to/wp-content
: Indicates the non-standard location of the wp-content directory, ensuring WPScan looks in the correct location for installed plugins and themes.
Example output:
[+] Target URL: http://example.com/
[+] Detected Plugins:
- vulnerable-plugin (1.0.0)
Scan a WordPress website through a proxy
Code:
wpscan --url url --proxy protocol://ip:port --proxy-auth username:password
Motivation:
Using a proxy is beneficial when scanning environments that only allow internal access or when testing the security of websites from specific geographical locations. It can also help bypass certain blocking mechanisms based on the IP address.
Explanation:
--url url
: The target website’s URL.
--proxy protocol://ip:port
: Specifies the proxy server that WPScan will route its requests through. The protocol could be HTTP, HTTPS, or SOCKS, depending on your setup.
--proxy-auth username:password
: Allows authentication with the proxy server using the provided credentials, necessary for accessing proxies that require a login.
Example output:
[i] Proxy: http://proxy.example.com:8080
[i] Proxy Authentication: Enabled
...
Perform user identifier enumeration on a WordPress website
Code:
wpscan --url url --enumerate u
Motivation:
User enumeration can reveal usernames that can be targeted for brute-force attacks. Identifying existing users is a crucial step in strengthening a site’s defense, as simple usernames can be replaced or protected by stronger authentication systems.
Explanation:
--url url
: The target WordPress site’s URL.
--enumerate u
: Directs WPScan to enumerate the user IDs and names exposed by WordPress. This action builds a list of valid usernames, which are often targeted for password attacks.
Example output:
[+] Performing User Enumeration ...
[+] Found User: admin
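The plugin and user enumeration scans above are most useful when their results feed into a triage or CI step. The following is an added example, not code from the page or from the WPScan project: it reads the JSON report WPScan writes with --format json and lists every vulnerable component and every enumerated username, returning a non-zero status when anything needs action. The report layout (top-level version, plugins, themes and users keys, each component carrying a vulnerabilities list with title and fixed_in) is assumed here, and the sample report is constructed.

```python
"""Triage a wpscan JSON report (wpscan --url url --enumerate vp,u --format json -o report.json).

Added example, not part of the page or of WPScan. The report layout assumed below
(version/plugins/themes/users keys, each with a 'vulnerabilities' list) is an
assumption about current WPScan output; the sample report is constructed.
"""
import json

# Constructed sample of what a `--enumerate vp,u` scan might produce, trimmed.
SAMPLE_REPORT = json.dumps({
    "target_url": "http://example.com/",
    "version": {"number": "5.8", "status": "insecure", "vulnerabilities": [
        {"title": "WordPress < 5.8.1 - Example core issue", "fixed_in": "5.8.1"}]},
    "plugins": {
        "vulnerable-plugin": {"version": {"number": "1.0.0"}, "vulnerabilities": [
            {"title": "Vulnerable Plugin < 1.0.1 - Example issue", "fixed_in": "1.0.1"},
            {"title": "Vulnerable Plugin <= 1.0.0 - Unpatched issue", "fixed_in": None}]},
        "safe-plugin": {"version": {"number": "2.3.0"}, "vulnerabilities": []},
    },
    "users": {"admin": {"id": 1, "confidence": 100}},
})


def findings(report_json):
    """Return (component, version, title, fixed_in) for every reported vulnerability."""
    report = json.loads(report_json)
    out = []
    core = report.get("version") or {}  # WordPress core itself
    for vuln in core.get("vulnerabilities", []):
        out.append(("wordpress-core", core.get("number"), vuln["title"], vuln.get("fixed_in")))
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            ver = (comp.get("version") or {}).get("number")  # version may be null
            for vuln in comp.get("vulnerabilities", []):
                out.append((f"{kind[:-1]}:{slug}", ver, vuln["title"], vuln.get("fixed_in")))
    return out


def enumerated_users(report_json):
    """Usernames WPScan confirmed; each is a login that a guessing attack could use."""
    return sorted((json.loads(report_json).get("users") or {}).keys())


def exit_code(report_json):
    """1 when any vulnerability was reported (suitable as a CI gate), else 0."""
    return 1 if findings(report_json) else 0


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    for comp, ver, title, fix in findings(data):
        print(f"{comp} {ver}: {title} (fixed in {fix or 'no fix yet'})")
    for user in enumerated_users(data):
        print(f"exposed username: {user}")
    sys.exit(exit_code(data))
```

Run it as `python3 triage.py report.json` after a scan; a vulnerability with no fixed_in value is the case to escalate, since updating alone will not resolve it.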
Execute a password guessing attack on a WordPress website
Code:
wpscan --url url --usernames username|path/to/usernames.txt --passwords path/to/passwords.txt --max-threads 20
Motivation:
Password strength is critical for protecting user accounts. This command is used to verify the robustness of a site’s passwords by attempting to authenticate using a list of common passwords. It helps identify users with weak passwords so they can be prompted to strengthen them.
Explanation:
--url url
: Specifies the site to attack.
--usernames username|path/to/usernames.txt
: Provides the username(s) for the attack, either directly or via a file with multiple usernames.
--passwords path/to/passwords.txt
: Indicates the file containing the list of passwords to test.
--max-threads 20
: Sets the number of concurrent threads to speed up the attack. Caution is advised when increasing this number to avoid crashing the server or being blocked.
Example output:
[!] Starting password guessing attack ...
[+] Username: admin | Password: 123456
Scan a WordPress website, collecting vulnerability data from the WPVulnDB
Code:
wpscan --url url --api-token token
Motivation:
Accessing the WPVulnDB API allows WPScan to obtain the most comprehensive and up-to-date vulnerability information. This is essential for detecting vulnerabilities that may not be listed in the local database, providing an additional layer of security analysis.
Explanation:
--url url
: The WordPress site to scan.
--api-token token
: Uses an API token to authenticate against WPVulnDB, ensuring enhanced vulnerability detection by retrieving the latest data directly from the source.
Example output:
[i] API Token: Valid
[+] Checking vulnerabilities from WPVulnDB ...
Conclusion:
Mastering the use of WPScan requires familiarity with various scanning techniques and options, each serving different aspects of WordPress security evaluation. By understanding and applying these examples, web administrators and security professionals can more effectively identify and mitigate potential vulnerabilities, ensuring their WordPress websites remain secure against evolving cyber threats. Regular updates and targeted scans of plugins, themes, and users are indispensable practices in safeguarding your digital assets.