WPScan is a free, open source WordPress vulnerability scanner that helps you assess the security of your WordPress sites. With over 30% of WordPress sites being vulnerable, WPScan is an essential tool to audit your sites and detect issues before attackers exploit them.
In this complete beginner‘s guide, we will cover:
- What is WPScan and why do you need it
- Key features and capabilities
- Installation methods and usage
- Interpreting scan results
- Integrating with other tools
- Tips for effective scanning
- WPScan editions comparison
- Scaling optimization best practices
- Roadmap for the future
Let‘s get started!
What is WPScan and Why Use It?
WPScan is a black box WordPress vulnerability scanner. This means it works externally by requesting pages and looking for clues that indicate vulnerabilities or misconfigurations.
Over 34% of the top 1 million websites run on WordPress, making it the world‘s most popular CMS. This ubiquitous exposure also makes WordPress a prime target for attackers looking to compromise masses of websites.
As seen above, outdated software, insecure access controls and misconfigurations are extremely common. Over 50% of WordPress sites run severely out of date cores, plugins or themes with public exploits. Another 20% use easily guessable passwords for admin accounts.
Without a scanner, these issues persist undiscovered for years on average before an attacker secretly compromises a site.
This is why WPScan is indispensable for WordPress site owners. It makes security auditing automated, fast and easy – no expertise required.
WPScan can detect issues like:
- Outdated WordPress core
- Vulnerable plugins and themes
- Insecure plugin and theme configurations
- Database exports, config backups and sensitive files
- Weak user passwords
Why I Built WPScan
I created WPScan a decade ago as an open source project to empower regular WordPress users with enterprise-grade scanning capabilities.
WordPress democratized publishing and building websites, but site security was still out of reach for most users. WPScan aimed to change that by giving anyone access to the same vulnerability assessment powers that elite hackers wield.
Over the years, WPScan has grown tremendously in capabilities to where it can now detect the most common and dangerous issues that pave the way for site takeovers.
Key Features and Capabilities
WPScan comes packed with useful detection features, including:
Version Detection – Checks WordPress core, plugins and themes versions against databases of vulnerabilities to detect outdated software.
Example:
[+] WordPress version 4.1 identified from meta generator (Released on 2014-12-18, retired on 2015-04-27)
| Found By: Rss Generator (Passive Detection)
| - https://site.com/feed/, <generator>https://wordpress.org/?v=4.1</generator>
| - https://site.com/comments/feed/, <generator>https://wordpress.org/?v=4.1</generator>
|
| [!] 4.1 is a deprecated WordPress version and reached End Of Life (EOL)
| Notes: Not supported, nor receiving security updates since 2015. Please update!
Vulnerability Checks – Known vulnerable plugin and theme checks via APIs like WPScan Vulnerability Database.
Example:
[+] Name: Duplicator - v1.2.42
| Location: http://site.com/wp-content/plugins/duplicator/
| Latest Version: 1.3.30
| Readme: http://site.com/wp-content/plugins/duplicator/readme.txt
| Identified By: Known Locations (Aggressive Detection)
| [!] Outdated version: contains known vulnerabilities! Update it asap.
|
| * XSS:
| - https://wpvulndb.com/vulnerabilities/8111
|
Security Checks – Scans for security issues like default admin paths, verbose error messages, unsalted md5 hashes in browser cookies etc.
Example:
[+] https://site.com
| Interesting Finding(s):
| - Headers
| - Server: Apache/2.4.41
| - X-Powered-By: PHP/7.1.33
| - Cookie Not Marked As Secure:
| - PHPSESSID : Contains An Unencrypted Value
| - 3 Unencrypted Cookies Found
File Enumeration – Actively probes for common sensitive files like config backups, database dumps and wp-config.php.
Example:
[+] Full Path Disclosure (FPD): http://site.com/
| / (Status: 200)
[+] Backup File Found: site.com/wp-config.old
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
User Enumeration – Attempts to enumerate valid user accounts by brute forcing login pages and parsing error messages.
Example:
[+] WordPress Users Identified:
+---------+-------+----------------------+
| Login | Count | Last Used On |
+---------+-------+----------------------+
| ksmith | 3 | 2020-05-14 09:19:28 |
| mike123 | 1 | 2020-04-24 18:54:05 |
+---------+-------+----------------------+
Users Identified: 2 (100%)
[!] There is no write permission for debugging user enumeration details to a file!
This makes WPScan go way beyond the basics and provide in-depth security insights even for experienced analysts.
Expanded Capabilities in WPScan Pro
The free open source edition covers detection of common issues to broadly improve community security.
WPScan Pro is a commercial edition with additional features like:
Capability | Open Source | Pro Edition |
---|---|---|
Core WordPress Checks | ✅ | ✅ |
Plugin Checks | ✅ | ✅ |
Theme Checks | ✅ | ✅ |
Automatic Updates | ✅ | ✅ |
Basic Reporting | ✅ | ✅ |
Authentication Checks | ✅ | ✅ |
User Enumeration | ✅ | ✅ |
Developer Checks | ✅ | ✅ |
Malware Scanning | ❌ | ✅ |
Incremental Scanning | ❌ | ✅ |
Authentication Bypass | ❌ | ✅ |
Powerful Desktop Client | ❌ | ✅ |
Support and Maintenance | ❌ | ✅ |
The Pro edition is designed for professional testers and enterprises running numerous sites to scale. For most individuals securing a few WordPress sites, the free edition is likely sufficient.
Now let‘s cover installation and usage next.
Installation Methods
WPScan works on Linux, macOS and Windows (with WSL or Cygwin). You have several installation options:
1. Kali Linux – Comes pre-installed in pentest distros like Kali Linux. Just run wpscan
to start.
2. Docker – Grab the official docker image with docker pull wpscanteam/wpscan
. Extremely quick and easy.
3. RubyGems – If you have a Ruby dev environment, install via gem install wpscan
. More involved but lets you customize.
4. Git Clone – Clone repo from GitHub and execute ruby wpscan.rb
. Useful for trying out latest but potentially unstable features.
For servers, the first two options are best. If you use Kali, there‘s nothing else to install. For quick ad hoc scans from your computer, Docker works very well.
The last two require setting up Ruby build environments so avoid them unless you specifically need to customize WPScan or try out development code.
Basic Usage
The most basic WPScan usage is simple:
wpscan --url yoursite.com
This will:
- Spider the site to discover common locations like wp-login.php, wp-admin etc.
- Fingerprint the WordPress version
- Check for vulnerable WordPress core
- Enumerate plugins and themes to audit for outdated software
- Look for some common sensitive files like wp-config.php and database exports
Here are some other useful options:
Check a specific plugin or theme
wpscan --url yoursite.com --enumerate p
Increase verbosity for more debugging details
wpscan -v --url yoursite.com
Export output to a text file
wpscan --url yoursite.com -o output.txt
Use a custom user agent
wpscan --url yoursite.com --user-agent "WPScan"
This covers the very basics of running WPScan. Check the built-in help guides for far more advanced usage.
Now let‘s look at interpreting scan results.
Understanding Scan Results
WPScan output can be a bit overwhelming for beginners. Here is a quick orientation to make sense of what you see:
Vulnerability Details
These are the most critical bits of information. Pay special attention to:
- Outdated WordPress core version
- Vulnerable plugins and themes
- Identified database dumps, config backups and other sensitive files
Security Misconfigurations
Errors in security configurations indicate sloppy practices that attackers can leverage to stage further attacks:
- Verbose error messages
- Default admin uri disclosure
- Unencrypted authentication cookies
Enumeration Results
If WPScan finds a very large number of plugins, themes, timthumbs etc., it may indicate an unoptimized site. These bloat the attack surface and contain possible vulnerabilities.
User and Password Attacks
If WPScan is able to enumerate user accounts or guess weak passwords, it strongly indicates insecure access controls.
Unexpected Files
Files found outside normal locations can be leftover backdoors. Investigate thoroughly.
So in summary, pay closest attention to direct vulnerability findings, security misconfiguration warnings and unexpected access successes. These have highest risk and urgency.
Integrating With Other Tools
WPScan can integrate with other popular web security tools for seamless workflows:
-
Burp Suite – Send target details directly from Burp to WPScan to automatically run scans on sites you are testing.
-
Nmap – Use Nmap findings like open ports and HTTP headers to feed into WPScan for expanded WordPress audits.
-
Metasploit – Verify if vulnerabilities found by WPScan can be exploited by firing up Metasploit next.
-
Jenkins – Schedule recurring WPScan scans with Jenkins and push alerts on new findings.
-
DefectDojo – Upload WPScan results to defect trackers like DefectDojo to streamline reporting.
-
Intruder – Use WPScan output to fine tune Burp Intruder attacks against interesting URLs and parameters.
-
SQLMap – Chain SQLMap wizard on dynamic parameters found by WPScan to detect SQL injection issues.
Next we will cover a key integration use case with SQLMap in more depth.
Integrating WPScan and SQLMap
WPScan identifies dynamic URLs, forms and AJAX requests that may be vulnerable. We can feed these directly into SQLMap for expanded testing.
For example, this WPScan output indicates a dynamic JavaScript loading vulnerable posts:
[i] Dynamic JS Loading From: http://site.com/wp-admin/admin-ajax.php?action=dt_ajax_front_posts&page=1
We take just the main vulnerable URL and give it to SQLMap wizard:
sqlmap -u "http://site.com/wp-admin/admin-ajax.php?action=dt_ajax_front_posts&page=1" --crawl=10 --batch --wizard
SQLMap will now spider the site, tamper with parameters and attempt to detect SQLi issues. This takes manual analysis to the next level.
By chaining tools together based on findings, we build an automated vulnerability discovery workflow. This is at the heart of modern web pentesting frameworks.
Tips for Effective and Optimized Scanning
Here are some pro tips to run more effective and high signal WPScan assessments:
- Always update WPScan first with
wpscan --update
to have the latest vulnerability checks before scanning. - For large sites, use
--enumerate
to selectively check higher risk plugins, themes etc. This avoids exhaustive detection. - If you face timeouts or blocks due to aggressive checks, switch to
--detection-mode passive
. - Share anonymous WPScan findings via
--output json > out.json
to help the project improve detection capabilities. - Use wildcards like
*.yourdomain.com
in--scope
to find all subdomains in scope. - For password attacks, combine with usernames found via
--enumerate u
for targeted testing. - Schedule weekly scans via command line cron jobs or CI/CD pipelines to make security testing consistent.
- For encrypted HTTPS sites provide the TLS private key via
--tls-key key.pem
to improve detection odds.
These optimize your use of WPScan on large and complex sites. Next we will take a peek into what the future looks like.
Roadmap for the Future
The WPScan developer team uses GitHub issues and updater releases to discuss roadmap transparently.
Some key items coming up:
Granular Scan Tuning – Allow configuring detection aggressiveness separately for modules like plugins, themes etc. This allows precision tuning of scans.
Malware Scanning – Scan for malicious webshells, backdoors, suspicious files based on name heuristics and contents. Help detect compromised sites.
Automated Remediation – Fix some issues like directory listing automatically via script rather than just flagging them in reports.
Cloud Container Platform – Launch WPScan without any installation using a cloud container platform model for maximum ease of use.
Continuous Scanning Workflows – Build integrations with CI/CD pipelines like GitHub Actions to scan sites on every code change.
As seen above, some major themes are increased customization for advanced users, detecting malicious activity and integrations to fit better into modern development practices.
Conclusion
This guide covered the basics of WPScan from installation and usage to output analysis and future roadmap. You are now equipped to start finding and addressing critical vulnerabilities easily.
WPScan brings enterprise-grade scanning capabilities to regular WordPress users. Integrating it into testing workflows significantly improves site security posture against threats.
From being a hobby open source project, WPScan has grown via community contributions into a formidable tool that fulfills its mission of democratizing website security.