How to use the command 'wpscan' (with examples)

WPScan is a popular WordPress security scanner that is specifically designed to help website administrators and security professionals identify vulnerabilities associated with WordPress websites. By leveraging an extensive vulnerability database, WPScan allows users to detect security weaknesses in WordPress sites, including outdated plugins and themes, insecure settings, and vulnerable user accounts.

Update the vulnerability database

Code:

wpscan --update

Motivation:

Regular updates to the vulnerability database are critical for WPScan to remain effective in detecting the latest vulnerabilities. The vulnerability landscape is dynamic, with new weaknesses discovered frequently. An up-to-date database ensures that the scanner can detect and report the newest threats to your WordPress site.

Explanation:

  • --update: This option updates WPScan’s local vulnerability database. With each update, WPScan fetches fresh data from the official WPScan repository to ensure it has the latest information on WordPress vulnerabilities.

Example output:

[i] Updating the Database ...
[i] Update Complete

Scan a WordPress website

Code:

wpscan --url url

Motivation:

Conducting regular scans of your WordPress website is crucial for maintaining security. This command is the simplest way to check for known vulnerabilities without additional configurations. It helps identify weaknesses that need immediate attention to prevent unauthorized access or data breaches.

Explanation:

  • --url url: This argument specifies the URL of the WordPress site you want to scan. WPScan will analyze the target website, retrieving information about its WordPress version, themes, and plugins to identify vulnerabilities.

Example output:

[+] URL: http://example.com/
[+] Started: Wed Oct 18 10:50:34 2023
...
[+] The version is 5.8 (80%)

Scan a WordPress website, using random user agents and passive detection

Code:

wpscan --url url --stealthy

Motivation:

Using the --stealthy mode is particularly useful when you want to avoid attracting attention during a vulnerability scan. This approach minimizes the footprint on the web server by simulating requests from different browsers, making it less likely to trigger web application firewalls or intrusion detection systems.

Explanation:

  • --url url: Specifies the target WordPress site.
  • --stealthy: This option enables stealth mode by randomizing user-agents and using passive detection techniques. It helps reduce the likelihood of being detected by security measures such as rate limiting or anomaly detection systems.

Example output:

[i] URL: http://example.com/
[i] Stealth Mode Enabled
...
[+] Scan finished.

Scan a WordPress website, checking for vulnerable plugins and specifying the path to the wp-content directory

Code:

wpscan --url url --enumerate vp --wp-content-dir remote/path/to/wp-content

Motivation:

Ensuring that plugins are free of vulnerabilities is vital, as they are a common source of security issues in WordPress sites. Specifying the path to the wp-content directory is useful when it’s been moved from the default location, which can occur for custom installations or to enhance security through obscurity.

Explanation:

  • --url url: Sets the URL of the site to scan.
  • --enumerate vp: This option directs WPScan to enumerate and check for vulnerabilities in plugins.
  • --wp-content-dir remote/path/to/wp-content: Indicates the non-standard location of the wp-content directory, ensuring WPScan looks in the correct location for installed plugins and themes.

Example output:

[+] Target URL: http://example.com/
[+] Detected Plugins:
     - vulnerable-plugin (1.0.0)

Scan a WordPress website through a proxy

Code:

wpscan --url url --proxy protocol://ip:port --proxy-auth username:password

Motivation:

Using a proxy is beneficial when scanning environments that only allow internal access or when testing the security of websites from specific geographical locations. It can also help bypass certain blocking mechanisms based on the IP address.

Explanation:

  • --url url: The target website’s URL.
  • --proxy protocol://ip:port: Specifies the proxy server that WPScan will route its requests through. The protocol could be HTTP, HTTPS, or SOCKS, depending on your setup.
  • --proxy-auth username:password: Allows authentication with the proxy server using provided credentials, necessary for accessing proxies that require login.

Example output:

[i] Proxy: http://proxy.example.com:8080
[i] Proxy Authentication: Enabled
...

Perform user identifiers enumeration on a WordPress website

Code:

wpscan --url url --enumerate u

Motivation:

User enumeration can reveal usernames that can be targeted for brute-force attacks. Identifying existing users is a crucial step in strengthening a site’s defense, as simple usernames can be replaced or protected by stronger authentication systems.

Explanation:

  • --url url: The target WordPress site’s URL.
  • --enumerate u: Directs WPScan to enumerate user IDs and names listed by WordPress. This action builds a list of valid usernames which are often targeted for password attacks.

Example output:

[+] Performing User Enumeration ...
[+] Found User: admin

Execute a password guessing attack on a WordPress website

Code:

wpscan --url url --usernames username|path/to/usernames.txt --passwords path/to/passwords.txt --max-threads 20

Motivation:

Password strength is critical for protecting user accounts. This command is used to verify the robustness of a site’s passwords by attempting to authenticate using a list of common passwords. It helps identify users with weak passwords so they can be prompted to strengthen them.

Explanation:

  • --url url: Specifies the site to attack.
  • --usernames username|path/to/usernames.txt: Provides the username(s) for the attack, either directly or via a file with multiple usernames.
  • --passwords path/to/passwords.txt: Indicates the file containing a list of passwords to test.
  • --max-threads 20: Sets the number of concurrent threads to speed up the attack. Caution is advised when increasing this number, to avoid crashing the server or being blocked.

Example output:

[!] Starting password guessing attack ...
[+] Username: admin | Password: 123456
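
On the defending side, the user enumeration and password guessing runs described above leave a per-client pattern in the web server's access log, and that pattern does not depend on the User-Agent header. The following is an added example, not part of the original page or of WPScan: a shell function that counts, per client IP, requests to user-listing endpoints and POSTs to the login endpoints. The log lines are constructed samples in combined log format, and the endpoint patterns (?author=N, /wp-json/wp/v2/users, wp-login.php, xmlrpc.php) and thresholds are assumptions to tune for your own site.

```sh
#!/bin/sh
# Added example (not from the original page): flag client IPs whose requests
# look like WordPress user enumeration and/or password guessing.
# Assumptions: combined log format; endpoint patterns and thresholds are
# illustrative; counts cover the whole file, so feed it one time slice.
ENUM_MIN=3    # user-listing requests per IP before flagging
LOGIN_MIN=4   # login POSTs per IP before flagging

# Constructed sample log: documentation IPs, a different User-Agent per request.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [18/Oct/2023:10:50:34 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [18/Oct/2023:10:50:34 +0000] "GET /?author=2 HTTP/1.1" 404 0 "-" "Opera/9.80 (Windows)"
203.0.113.7 - - [18/Oct/2023:10:50:35 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Safari/605.1"
203.0.113.7 - - [18/Oct/2023:10:51:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Chrome/117.0"
203.0.113.7 - - [18/Oct/2023:10:51:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Firefox/118.0"
203.0.113.7 - - [18/Oct/2023:10:51:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Edge/117.0"
203.0.113.7 - - [18/Oct/2023:10:51:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (MSIE)"
198.51.100.20 - - [18/Oct/2023:10:52:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Firefox/118.0"
198.51.100.20 - - [18/Oct/2023:10:52:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Firefox/118.0"
EOF
}

# detect_wp_guessing FILE: print "IP enum=N login=M verdict" per flagged IP.
detect_wp_guessing() {
  awk -v emin="$ENUM_MIN" -v lmin="$LOGIN_MIN" '
    { ip = $1; method = substr($6, 2); path = $7; seen[ip] = 1
      if (path ~ /[?&]author=[0-9]+/ || path ~ /^\/wp-json\/wp\/v2\/users/)
        ne[ip]++
      if (method == "POST" && path ~ /^\/(wp-login|xmlrpc)\.php/)
        nl[ip]++ }
    END {
      for (ip in seen) {
        e = ne[ip] + 0; l = nl[ip] + 0
        if (e < emin && l < lmin) continue
        v = "guessing"
        if (e >= emin) v = (l >= lmin) ? "enum+guessing" : "enumeration"
        printf "%s enum=%d login=%d %s\n", ip, e, l, v
      }
    }' "$1" | sort
}

# Run on the constructed sample when executed directly.
log=$(mktemp) && sample_log > "$log" && detect_wp_guessing "$log"; rm -f "$log"
```

The single interactive login from 198.51.100.20 stays below both thresholds and is not reported.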

Scan a WordPress website, collecting vulnerability data from the WPVulnDB

Code:

wpscan --url url --api-token token

Motivation:

Accessing the WPVulnDB API allows WPScan to obtain the most comprehensive and up-to-date vulnerability information. This is essential for detecting vulnerabilities that may not be listed in the local database, providing an additional layer of security analysis.

Explanation:

  • --url url: The WordPress site to scan.
  • --api-token token: Utilizes an API token for authentication to retrieve information from WPVulnDB, ensuring enhanced vulnerability detection by accessing the latest data directly from the source.

Example output:

[i] API Token: Valid
[+] Checking vulnerabilities from WPVulnDB ...

Conclusion:

Mastering the use of WPScan requires familiarity with various scanning techniques and options, each serving different aspects of WordPress security evaluation. By understanding and applying these examples, web administrators and security professionals can more effectively identify and mitigate potential vulnerabilities, ensuring their WordPress websites remain secure against evolving cyber threats. Regular updates and targeted scans of plugins, themes, and users are indispensable practices in safeguarding your digital assets.
