How to use the command wpscan (with examples)
WordPress vulnerability scanner.
Use case 1: Update the vulnerability database
Code:
wpscan --update
Motivation: Updating the vulnerability database ensures that the latest known vulnerabilities are included in the scan, improving the accuracy of the results.
Explanation: The --update flag instructs wpscan to update its vulnerability database with the latest information.
Example output:
[i] Update database.
[+] URL: https://wpvulndb.com/...[Success]
Use case 2: Scan a WordPress website
Code:
wpscan --url url
Motivation: Scanning a WordPress website helps identify potential vulnerabilities and security issues that could be exploited by attackers.
Explanation: The --url flag followed by the URL of the WordPress website instructs wpscan to scan that specific website.
Example output:
[i] URL: http://example.com/
[i] Started: Mon Dec 21 13:08:37 2020
[+] Enumerating plugins from passive detection ...
[+] Finished: Mon Dec 21 13:08:44 2020
Use case 3: Scan a WordPress website, using random user agents and passive detection
Code:
wpscan --url url --stealthy
Motivation: Random user agents and passive detection reduce the number and uniformity of the requests the scan sends, so it puts less load on the site and is less likely to be flagged or blocked by the target's monitoring.
Explanation: The --stealthy flag makes wpscan use random user agents and passive detection techniques, so the scan is harder to detect.
Example output:
[i] Random User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3
Use case 4: Scan a WordPress website, checking for vulnerable plugins and specifying the path to the wp-content directory
Code:
wpscan --url url --enumerate vp --wp-content-dir remote/path/to/wp-content
Motivation: By checking for vulnerable plugins and specifying the path to the wp-content directory, the scan focuses on potential weak points that could be exploited.
Explanation: The --enumerate vp flag tells wpscan to enumerate and check for vulnerable plugins. The --wp-content-dir flag followed by the path specifies the location of the wp-content directory.
Example output:
[i] WordPress plugins: 3,808 identified.
[+] Enumerating vulnerable plugins ...
Use case 5: Scan a WordPress website through a proxy
Code:
wpscan --url url --proxy protocol://ip:port --proxy-auth username:password
Motivation: Scanning through a proxy allows for the assessment to be conducted in a controlled and secure environment, enhancing privacy and bypassing potential network restrictions.
Explanation: The --proxy flag followed by the protocol, IP address, and port specifies the proxy to be used. The --proxy-auth flag followed by the username and password provides authentication credentials if required.
Example output:
[i] Using proxy: protocol://ip:port
Use case 6: Perform user identifiers enumeration on a WordPress website
Code:
wpscan --url url --enumerate u
Motivation: Enumerating user identifiers helps determine the available user accounts on a WordPress website, potentially exposing weak or unused accounts that could be compromised.
Explanation: The --enumerate u flag instructs wpscan to enumerate and identify user accounts on the WordPress website.
Example output:
[i] Users: 7 identified.
[+] Enumerating usernames ...
Use case 7: Execute a password guessing attack on a WordPress website
Code:
wpscan --url url --usernames path/to/usernames.txt --passwords path/to/passwords.txt --max-threads 20
Motivation: By conducting a password guessing attack, the scan can assess the strength of existing passwords and identify potential weak credentials that could be exploited.
Explanation: The --usernames flag followed by a username or the path to a file containing usernames specifies which accounts to target. The --passwords flag followed by the path to a file containing the passwords provides the password list. The --max-threads flag followed by the desired number sets the maximum number of threads, and therefore of simultaneous connections to the target.
Example output:
[i] Usernames loaded: 5
[i] Starting password guesser ...
[+] WPVulnDB API token not found (https://wpvulndb.com/api_tokens)
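Seen from the server side, the enumeration in use case 6 and the password guessing in use case 7 typically show up in the access log as requests for successive ?author=N archives and as repeated POSTs to wp-login.php or xmlrpc.php. The following detection sketch is an added example, not part of the original page or of wpscan itself. It assumes combined-format logs and counts over the whole input rather than a time window; the function names, thresholds and sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from wpscan): flag log sources that look like user
# enumeration or password guessing against WordPress.

# Constructed access-log sample: combined format, documentation IP ranges.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [21/Dec/2020:13:08:37 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2020:13:08:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2020:13:08:38 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2020:13:08:38 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2020:13:08:40 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2020:13:08:40 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2020:13:08:41 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2020:13:08:41 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Dec/2020:13:09:02 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Dec/2020:13:09:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2020:13:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2020:13:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2020:13:10:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Dec/2020:13:10:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
EOF
}

# Usage: flag_wp_auth_probing LOGIN_MIN ENUM_MIN < access.log
# Prints "ip kind count" for each source at or above a threshold.
flag_wp_auth_probing() {
  awk -v login_min="$1" -v enum_min="$2" '
    {
      ip = $1; method = $6; sub(/^"/, "", method); path = $7
      if (method == "POST" && path ~ /^\/(wp-login|xmlrpc)\.php/) {
        login[ip]++                      # login form or XML-RPC auth attempt
      } else if (method == "GET" && match(path, /[?&]author=[0-9]+/)) {
        id = substr(path, RSTART + 1, RLENGTH - 1)
        if (!((ip, id) in seen)) { seen[ip, id] = 1; ids[ip]++ }  # distinct IDs
      }
    }
    END {
      for (ip in login) if (login[ip] >= login_min) print ip, "login-guessing", login[ip]
      for (ip in ids) if (ids[ip] >= enum_min) print ip, "user-enumeration", ids[ip]
    }' | LC_ALL=C sort
}

sample_log | flag_wp_auth_probing 4 3
```

The single successful login from 198.51.100.20 stays below both thresholds and is not reported.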
Use case 8: Scan a WordPress website, collecting vulnerability data from the WPVulnDB
Code:
wpscan --url url --api-token token
Motivation: Collecting vulnerability data from the WPVulnDB enhances the accuracy and depth of the scan results, ensuring that the latest known vulnerabilities specific to WordPress are included.
Explanation: The --api-token flag followed by the token allows wpscan to access vulnerability data from the WPVulnDB database.
Example output:
[i] WPVulnDB API token found: token
Conclusion:
The wpscan command is a powerful tool for WordPress vulnerability scanning. It provides various options and flags to customize the scanning process, allowing users to identify and address security issues in their WordPress websites. Whether it is updating the vulnerability database, scanning for vulnerable plugins, performing password guessing attacks, or collecting vulnerability data from WPVulnDB, wpscan offers a comprehensive set of features to improve the security posture of WordPress websites.