Using the WPScan plugin to find vulnerabilities in your WordPress website

Last updated on September 15th, 2021 by Tom Rankin. Filed under WordPress Security Tutorials & Tips

Featured *Finding WordPress vulnerabilities using WPScan*

Looking after the security of your WordPress website involves a lot of different tasks. One of the tasks is to make sure that the plugins, themes and WordPress version that you are using on your website do not have any known vulnerabilities. Luckily, this task can be automated with WPScan, a free WordPress plugin.

The WPScan plugin can find out if the software you are running has vulnerabilities by carrying out regular scans. It checks the results against a dedicated, up-to-date database of vulnerabilities, and informs you if there are any vulnerabilities on your website, such as SQL Injection. If you don’t know what SQL Injection is, you can read our glossary of WordPress security terminology and words, which provides concise explanations to help you stay at the top of your game.

This article explains how you can install and set up the WPScan plugin to scan your WordPress website for vulnerabilities. Before this, it highlights why WPScan can be vital for the security of your website.

Introducing WPScan

First, let’s explain what WPScan is. WPScan is a WordPress vulnerability scanner that can scan your WordPress core, themes and plugins for known vulnerabilities and security issues.

It is available as open source software, as a WordPress plugin, and as a paid online service. Note that this article focuses on how to set up and use the free WPScan WordPress plugin. To learn more about the open source scanner, read getting started with WPScan scanner.

WPScan plugin

How does the WPScan plugin work?

Once the plugin detects which plugins, themes and WordPress core version you are using on your website, it checks if any of the software that you are using has any vulnerabilities. It checks this by sending requests to a vulnerability database, which is maintained by the WPScan team.

This database contains thousands of known WordPress vulnerabilities. Before a vulnerability is added to the database, it is vetted by an expert. This means each entry is sourced, verified, and added to the database through human eyes.

What’s more, there is a constant cycle to find new vulnerabilities for the database. For example, in May 2021, over 70 new vulnerabilities found their way into the database.
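The matching logic described above (inventory the installed core, plugins and themes, look each one up in the database, and flag installed versions below the fixed version) is simple to model. The following script is an added illustration, not code from the WPScan plugin or its API: the database entries, component slugs, version numbers, the `fixed_in` key and the `kind:slug` lookup key are all constructed for this example and do not reflect WPScan's real schema or real advisories. It also charges one request per component against a daily budget, using the 25-requests-per-day figure the article gives for the free token, so you can see what happens when an inventory is larger than the quota.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of a WPScan-style check: take the site's component inventory,
# look each component up in a vulnerability database, and flag any installed
# version that is below the version the fix shipped in.
# Everything below (database shape, slugs, versions) is constructed sample data.

@dataclass
class Component:
    kind: str      # "core", "plugin" or "theme"
    slug: str
    version: str

@dataclass
class Finding:
    component: Component
    title: str
    fixed_in: Optional[str]  # None means no fixed release exists yet

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.8.1' into (5, 8, 1). Non-numeric parts compare as 0 (assumption)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_affected(installed: str, fixed_in: Optional[str]) -> bool:
    """Affected when no fix exists, or when the installed version is older than the fix."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)

# Constructed database: "kind:slug" -> list of advisories (sample entries only).
VULN_DB = {
    "plugin:example-gallery": [{"title": "SQL Injection (sample)", "fixed_in": "2.4.1"}],
    "plugin:example-forms":   [{"title": "Stored XSS (sample)", "fixed_in": None}],
    "theme:example-theme":    [{"title": "Path traversal (sample)", "fixed_in": "1.2.0"}],
    "core:wordpress":         [{"title": "Object injection (sample)", "fixed_in": "5.8.1"}],
}

FREE_DAILY_REQUESTS = 25  # the article's figure for a free API token

def scan(inventory: List[Component], db: dict,
         request_budget: int = FREE_DAILY_REQUESTS):
    """Look up each component (one request each) until the budget runs out.

    Returns (findings, requests_used, skipped) so the caller can tell whether the
    daily budget covered the whole inventory."""
    findings, used, skipped = [], 0, []
    for comp in inventory:
        if used >= request_budget:
            skipped.append(comp)          # not checked today: report it, don't hide it
            continue
        used += 1
        for adv in db.get(f"{comp.kind}:{comp.slug}", []):
            if is_affected(comp.version, adv["fixed_in"]):
                findings.append(Finding(comp, adv["title"], adv["fixed_in"]))
    return findings, used, skipped

def render_report(findings: List[Finding], skipped: List[Component]) -> str:
    """Plain-text report: what is affected, what to do, and what was not checked."""
    lines = []
    for f in findings:
        action = f"update to {f.fixed_in}" if f.fixed_in else "no fix released: disable or remove"
        lines.append(f"[{f.component.kind}] {f.component.slug} {f.component.version}: "
                     f"{f.title} -> {action}")
    for c in skipped:
        lines.append(f"[{c.kind}] {c.slug}: not checked (daily request budget exhausted)")
    return "\n".join(lines)

# Constructed inventory of a hypothetical site.
SITE = [
    Component("core", "wordpress", "5.8"),
    Component("plugin", "example-gallery", "2.3.0"),
    Component("plugin", "example-gallery-pro", "1.0"),   # no entry in the database
    Component("plugin", "example-forms", "3.1"),
    Component("theme", "example-theme", "1.2.0"),        # already on the fixed version
]

if __name__ == "__main__":
    found, used, skipped = scan(SITE, VULN_DB)
    print(render_report(found, skipped))
    print(f"{used} API requests used")
```

Two details matter in practice and are easy to get wrong: a component with no fixed release is still a finding (the only remediation is to disable or remove it), and a component that could not be checked because the request budget ran out must appear in the report rather than silently pass.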

WPScan database of known WordPress vulnerabilities

Once the website scan is complete, you get email notifications of a scan’s outcome. You can also receive PDF reports, and download them to share with your team.

The free WPScan plugin is enough to scan the average website every day. If you need to scan multiple websites multiple times a day, however, you need a premium WPScan plan. Head to the WPScan website for more information on pricing and plans.

How WPScan helps you protect your website

WPScan helps you by automating the process of identifying vulnerable software on your website. You can configure the plugin to run daily or even hourly scans, and to send you an email notification with the scan results once it identifies any issues.

That is one less thing you have to worry about in your WordPress security program, allowing you more time to focus on your business.

The benefits of using the WPScan WordPress plugin

By now, you know what WPScan can do for your site. Here are a few benefits of running the WPScan plugin on your website:

  • The WPScan team is a fixture within the WordPress security community, so security researchers choose to submit vulnerabilities to their database. This keeps the list current, which means your website will always be checked for the latest known threats.
  • The WPScan vulnerability database itself is of immense value. As of today, it has more than 20,000 entries, all vetted and added by an expert team. No other collection of WordPress vulnerabilities like it is available anywhere.
  • You’ll be the first to know about a WordPress core, plugin or theme vulnerability. In lots of cases, you and WPScan beat malicious users to the punch. In other words, you protect your website before a vulnerability is exploited in the wild.

Of course, you get a notification whenever there is an issue that needs your attention. But you can also use the database to check for vulnerabilities in plugins you are considering installing.

This is invaluable, because it lets you protect your site proactively. What’s more, you can prevent a vulnerability from affecting your site in the best possible way: keep the theme or plugin at arm’s length until you know it’s safe to use.

You also have a flexible way to view the database and carry out a scan. The WordPress plugin offers the most accessible way to work.

Getting started with the WPScan plugin

In a nutshell, WPScan’s WordPress plugin is a basic ‘wrapper’ of sorts for the vulnerability database. Even so, we recommend you use it because of the experience it offers.

WPScan logo

Step 1: Install the plugin

The installation process is the same as for every other free WordPress plugin. Navigate to the Plugins page in your WordPress dashboard, search for the WPScan plugin and click Install. Once the plugin is installed, activate it.

Once activated, you’ll see a notification to grab an API token:

Installing the WPScan plugin

This is necessary for the plugin to send API requests to the vulnerability database. You can send up to 25 API requests per day for free. For the majority of websites this is enough, considering the average website has around 20 plugins.

Step 2: Get your API token

To get your API token, click on the link provided in the notification or head to the WPScan website and click Get Your Free API Token.

Getting your API token

Once you submit the form, you’ll need to confirm your email address, then log into your account. Once logged in, the WPScan dashboard shows your API token as the first piece of information:

Confirming your API token via email

Step 3: Activate the API key

Head back to your WPScan plugin settings page within WordPress, and paste the API token into the relevant field:

Activating the API key

Step 4: Set your automated scan settings

While you’re in the Settings, you can configure the frequency of the scans, and the time they should run:

Setting automated scan settings

You can set a scan for every day, twice every day, or every hour. With the free API key, you can only run one scan per day, which is good enough to start with.

From the settings you can also disable the security checks, or exclude plugins or themes from the vulnerability scan; neither is recommended.

That’s all there is to it. Save the settings and the vulnerability scan will run when scheduled.

The WordPress website vulnerability scan results

The Reports screen gives you an insight into what the plugin identified on your website, and what issues there might be. For example, you can see your current WordPress version, and all of the plugins and themes you have installed:

WPScan reports

It’s here you’ll get to see all of the vulnerabilities a scan finds on your site. If you check out the top corner of the screen, you’ll see the Run All button. This carries out a full scan of your website:

Carrying out a full scan of your website

If you’d like to receive an email notification, you can do that through the Notification meta box on the right-hand side:

Setting up email notifications

There are also lots more checks you can carry out on your site. In fact, there’s a handy list that lets you run each on an individual basis:

WPScan security checks

When you’re ready, you can also download a PDF report here. This is good for sharing with your team or clients, either as proof of security or as a plan of action on how to improve a site.

Run a vulnerability-free WordPress website

Every action you can take to secure your WordPress website is vital. Whether your site itself or your users are at risk, it’s important to take every opportunity to run the most secure version possible of the software that you use.

One of the best ways to do this is to use the WPScan plugin, a full-featured vulnerability scanning plugin that can be set up within minutes and carries out automated scans, so it’s one less thing you have to worry about.
