WPScan is a black box WordPress security scanner written in Ruby. Ideal for penetration testers, security professionals and WordPress administrators, WPScan can find security weaknesses within a WordPress blog or website.
WPScan runs on Linux distributions only; it does not yet support and cannot run on a Windows operating system. It comes pre-installed on the following Linux distributions: BackBox, BackTrack, Pentoo, SamuraiWTF and Kali Linux.
WPScan WordPress Security Scanner Features
WordPress Non-Intrusive Security Scan
WPScan can be used to launch a non-intrusive security scan against a WordPress blog or website. During such a scan, WPScan tries to identify security issues that could be exploited by attackers to compromise your WordPress blog or website. For example, it checks whether the WordPress file readme.html has been deleted, which WordPress theme is active and whether it is vulnerable, which version of WordPress is installed, which version of TimThumb is installed, whether directory listing is enabled, and so on.
WordPress Username Enumeration
WPScan can enumerate all of the WordPress users of the target blog or website. The list of usernames is obtained from the author query string and the Location header of the redirect it triggers.
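As an added example (not WPScan's own code), a small Ruby audit of the author query string behaviour described above: given the replies a site returns for `?author=N` (constructed here as a hash standing in for captured HTTP responses), it reports whether the Location header reveals usernames, and treats a 404, a 403 or a redirect to the home page as the hardened case a WordPress administrator wants to see.

```ruby
require 'uri'

# Added example, not WPScan's own code: given the replies a WordPress site sends
# for /?author=N, report whether the Location header reveals usernames.
# `responses` is a constructed stand-in for captured HTTP replies:
#   { author_id => { status: Integer, location: String or nil } }
AUTHOR_SLUG = %r{/author/([^/?#]+)/?}

# Slug from one redirect's Location header, or nil when the reply does not
# point at an author archive (404, 403, redirect to the home page, ...).
def author_slug(status, location)
  return nil unless (300..399).cover?(status) && location
  m = AUTHOR_SLUG.match(URI.parse(location).path)
  m && m[1]
rescue URI::InvalidURIError
  nil
end

# Walk author ids 1..max_id and collect leaked slugs. Stop after `gap`
# consecutive ids that reveal nothing, since user ids are sparse but a real
# site does not have long runs of unused ids near the start.
def audit_author_enumeration(responses, max_id: 20, gap: 5)
  found = {}
  misses = 0
  (1..max_id).each do |id|
    r = responses.fetch(id, { status: 404, location: nil })
    slug = author_slug(r[:status], r[:location])
    if slug
      found[id] = slug
      misses = 0
    else
      misses += 1
      break if misses >= gap
    end
  end
  { leaks_usernames: !found.empty?, users: found }
end

# Constructed sample: ids 1 and 3 redirect to author archives, id 2 is unused.
LEAKY_SITE = {
  1 => { status: 301, location: 'https://blog.example/author/admin/' },
  3 => { status: 301, location: 'https://blog.example/author/editor/' }
}
# Constructed sample of a hardened site that sends author queries to the home page.
HARDENED_SITE = {
  1 => { status: 301, location: 'https://blog.example/' },
  2 => { status: 301, location: 'https://blog.example/' }
}
```

Running `audit_author_enumeration(LEAKY_SITE)` flags the leak and lists the two slugs, while the hardened sample reports no usernames.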
WordPress Weak Password Cracking – Brute-force Attack
Ideal for multi-user WordPress installations, WPScan can be used to launch a brute-force (password guessing) attack against all WordPress users, to check that every user on the blog is using a strong password.
WordPress Plugin Security – Plugin Enumeration and Vulnerability Detection
WPScan can also check whether the installed WordPress plugins are vulnerable. By enabling the enumeration option during a scan, WPScan enumerates the plugins installed on the target WordPress installation and advises you if a vulnerable plugin is detected. WPScan can also enumerate the themes on a target WordPress installation.
Run Frequent WordPress Security Scans with WPScan
Installing a WordPress security plugin and applying all security tweaks is one thing; keeping your WordPress blog or website free of hackers and malware is another. New WordPress security issues are discovered from time to time, and websites typically change frequently (a new plugin is installed, the theme is changed, new users are added, etc.), so as a WordPress administrator you should launch frequent security scans with WPScan against the WordPress installations you administer. By doing so, you ensure that the installed themes and plugins are not vulnerable, that customizations do not expose your WordPress installation, and that all WordPress users are using strong passwords.
The WPScan project official website is wpscan.org.