Getting to Know WPScan Automated Blackbox Security Scanner for WordPress

Last updated on October 18th, 2014 by Robert Abela. Filed under WordPress Security Readings

WPScan is a black box WordPress security scanner written in Ruby. Ideal for penetration testers, security professionals and WordPress administrators, WPScan can find security weaknesses within a WordPress blog or website.

WPScan runs on Linux distributions only; it does not yet support Windows. It comes pre-installed on the following Linux distributions: BackBox, BackTrack, Pentoo, SamuraiWTF and Kali Linux.

WPScan WordPress Security Scanner Features

WordPress Non-Intrusive Security Scan

WPScan can be used to launch a non-intrusive security scan against a WordPress blog or website. During a non-intrusive scan WPScan tries to identify weaknesses that attackers could use to compromise the site, using only ordinary requests that any visitor could make. For example it checks whether the WordPress file readme.html (which discloses the installed version) is still present, which theme is active and whether it is vulnerable, which version of WordPress is installed, which version of TimThumb is installed, whether directory listing is enabled, and so on.
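To make the passive checks above concrete, here is an added example (my own code, not WPScan's) that runs three of them, version disclosure through the generator meta tag, version disclosure through readme.html, and directory listing, over constructed HTTP responses instead of a live site. The responses, the hostname and the version strings are made up for the demonstration; the markup patterns matched (the generator meta tag, the "<br /> Version" line in readme.html, the "Index of /" title of an autoindex page) are what stock WordPress and web servers emit.

```ruby
# Added example (not WPScan's own code): the passive fingerprint checks
# described above, run over constructed HTTP responses rather than a live site.

# A captured HTTP response reduced to what the checks need.
Response = Struct.new(:status, :headers, :body)

# WordPress adds a generator meta tag with its version to every page unless
# the theme or a plugin removes it.
def version_from_generator(resp)
  return nil unless resp.status == 200
  m = resp.body.match(/<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"/i)
  m && m[1]
end

# readme.html ships with every release and prints "<br /> Version X.Y.Z"
# under the logo. A 404 means the administrator removed it, as recommended.
def version_from_readme(resp)
  return nil unless resp.status == 200
  m = resp.body.match(%r{<br\s*/?>\s*Version\s+([\d.]+)}i)
  m && m[1]
end

# Apache and nginx autoindex pages are titled "Index of /<path>".
def directory_listing?(resp)
  resp.status == 200 && resp.body.match?(%r{<title>\s*Index of /}i)
end

# Combine the checks the way a scan report would.
def fingerprint(home, readme, plugins_dir)
  {
    version: version_from_generator(home) || version_from_readme(readme),
    readme_present: readme.status == 200,
    directory_listing: directory_listing?(plugins_dir)
  }
end

# Constructed sample responses; assumed shapes, not captured from any real site.
HOME = Response.new(200, {}, '<html><head><meta name="generator" content="WordPress 3.9.2" /></head></html>')
README = Response.new(200, {}, "<h1 id=\"logo\">\n\t<br /> Version 3.9.2\n</h1>")
PLUGINS_DIR = Response.new(200, {}, '<html><head><title>Index of /wp-content/plugins</title></head></html>')
HARDENED_HOME = Response.new(200, {}, '<html><head><title>Blog</title></head></html>')
HARDENED_README = Response.new(404, {}, 'Not Found')
HARDENED_DIR = Response.new(403, {}, 'Forbidden')

if __FILE__ == $0
  p fingerprint(HOME, README, PLUGINS_DIR)
  p fingerprint(HARDENED_HOME, HARDENED_README, HARDENED_DIR)
end
```

The hardened set of responses shows the checks coming back clean once the generator tag is removed, readme.html is deleted and the web server refuses to list wp-content/plugins; removing a disclosure hides the version from this kind of scan but does not patch anything, so the fix is still to update.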

WordPress Username Enumeration

WPScan can enumerate the WordPress users of the target blog or website. The usernames are obtained from the author query string: WordPress redirects /?author=N to /author/<nicename>/ for every existing user ID N, so the Location header of the redirect reveals the user nicename, which by default is the login name.
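The following added example (my own code, not WPScan's) implements that enumeration over constructed responses so that it runs offline: it walks user IDs, reads the username from the Location header, and falls back to the "author-<nicename>" body class that WordPress emits on author archive pages for sites that serve the archive without a redirect. The hostname, user IDs and names are made up; the fetch callable is an assumption standing in for a real HTTP client.

```ruby
# Added example (not WPScan's own code): username enumeration through the
# author query string, run against constructed responses rather than a live site.

Response = Struct.new(:status, :headers, :body)

# WordPress answers /?author=N for an existing user with a 301 to
# /author/<user_nicename>/; the nicename defaults to the login name.
def username_from_location(resp)
  return nil unless [301, 302].include?(resp.status)
  location = resp.headers['Location']
  return nil if location.nil?
  m = location.match(%r{/author/([^/?#]+)}i)
  m && m[1]
end

# Fallback for sites that serve the archive page directly: body_class()
# on an author archive emits "author-<nicename>" next to "author-<ID>",
# so skip the purely numeric class.
def username_from_body(resp)
  return nil unless resp.status == 200
  m = resp.body.match(/\bauthor-(?!\d+\b)([a-z0-9_\-]+)/i)
  m && m[1]
end

# Walk IDs 1..max_id; fetch is a callable taking an ID and returning a
# Response, so the same logic works unchanged with a real HTTP client.
def enumerate_users(fetch, max_id = 10)
  (1..max_id).each_with_object({}) do |id, users|
    resp = fetch.call(id)
    name = username_from_location(resp) || username_from_body(resp)
    users[id] = name if name
  end
end

# Constructed responses for a hypothetical site with two users;
# every other ID answers 404 as WordPress does for unknown authors.
SAMPLE_SITE = {
  1 => Response.new(301, { 'Location' => 'http://example.com/author/admin/' }, ''),
  2 => Response.new(200, {}, '<body class="archive author author-editor author-2">')
}
SAMPLE_FETCH = ->(id) { SAMPLE_SITE.fetch(id) { Response.new(404, {}, 'Not Found') } }

if __FILE__ == $0
  p enumerate_users(SAMPLE_FETCH, 5)
end
```

Gaps in the ID sequence are normal (deleted users), so a scan should not stop at the first 404; the loop above simply records the IDs that resolve.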

WordPress Weak Password Cracking – Brute-force Attack

Ideal for multi-user WordPress installations, WPScan can launch a brute-force password attack against wp-login.php for every enumerated user, so that you can verify that all users on the blog have strong passwords. Run it only against sites you are authorized to test, and expect login-limiting plugins or a web application firewall to block or slow down the attempts.

WordPress Plugins Security – Enumeration and Vulnerability Detection

WPScan can also check whether the installed WordPress plugins are vulnerable. With the enumeration option enabled (--enumerate p), WPScan enumerates the plugins installed on the target WordPress and reports any that match an entry in its vulnerability database. It can enumerate the themes of a target installation in the same way (--enumerate t). Keep in mind that enumeration only finds plugins whose files are reachable or referenced by the site, so a plugin that is not detected is not necessarily absent.
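As an added example of how passive plugin and theme enumeration works (my own code, not WPScan's and not using its vulnerability database), the block below pulls plugin and theme slugs out of the asset URLs in a page, reads each plugin's version from the "Stable tag:" line of its readme.txt and each theme's version from the style.css header, and compares an installed version with a newer one. The page, the fetched files and the version numbers are constructed for the demonstration; the slugs are only used as sample directory names and nothing is asserted about any real plugin.

```ruby
# Added example (not WPScan's own code): passive plugin and theme discovery
# from page HTML, with versions read from the files each one ships, over
# constructed input. The slugs and versions below are made up for the demo.

# Plugins and themes load assets from /wp-content/plugins/<slug>/ and
# /wp-content/themes/<slug>/, so the directory names leak in every page.
def slugs_from_html(body, kind)
  body.scan(%r{/wp-content/#{kind}/([a-z0-9_\-]+)/}i).flatten.map(&:downcase).uniq
end

# wordpress.org plugins ship readme.txt with "Stable tag: <version>";
# "trunk" means no tagged release, so no version can be derived.
def version_from_readme_txt(text)
  m = text.match(/^\s*Stable tag:\s*([0-9][0-9a-z.\-]*)\s*$/i)
  m && m[1]
end

# Themes declare their version in the style.css header block.
def version_from_style_css(text)
  m = text.match(/^\s*Version:\s*([0-9][0-9a-z.\-]*)\s*$/i)
  m && m[1]
end

# True when installed is older than the latest release you look up on
# wordpress.org; Gem::Version orders "1.10" after "1.9", unlike a string compare.
def outdated?(installed, latest)
  Gem::Version.new(installed) < Gem::Version.new(latest)
end

# Build the inventory a scan report would show. files maps "<kind>/<slug>"
# to the readme.txt or style.css contents fetched for it (nil if not fetched).
def inventory(html, files)
  result = {}
  slugs_from_html(html, 'plugins').each do |slug|
    result["plugins/#{slug}"] = version_from_readme_txt(files["plugins/#{slug}"].to_s)
  end
  slugs_from_html(html, 'themes').each do |slug|
    result["themes/#{slug}"] = version_from_style_css(files["themes/#{slug}"].to_s)
  end
  result
end

# Constructed sample page and fetched files (not taken from any real site).
PAGE = <<~HTML
  <link rel="stylesheet" href="http://example.com/wp-content/themes/twentyfourteen/style.css" />
  <script src="http://example.com/wp-content/plugins/akismet/_inc/form.js?ver=3.0.0"></script>
  <link href="http://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css" />
  <script src="http://example.com/wp-content/plugins/akismet/_inc/akismet.js"></script>
HTML
FILES = {
  'plugins/akismet' => "=== Akismet ===\nStable tag: 3.0.0\n",
  'plugins/contact-form-7' => "=== Contact Form 7 ===\nStable tag: trunk\n",
  'themes/twentyfourteen' => "/*\nTheme Name: Twenty Fourteen\nVersion: 1.1\n*/\n"
}

if __FILE__ == $0
  p inventory(PAGE, FILES)
end
```

A nil version in the inventory (readme.txt missing, or "Stable tag: trunk") is itself worth reporting: you cannot tell from the outside whether such a plugin is current, so check it by hand in the dashboard.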

Run Frequent WordPress Security Scans with WPScan

Installing a WordPress security plugin and applying all the security tweaks is one thing; keeping your WordPress blog or website free of hackers and malware is another. New WordPress security issues are discovered from time to time, and websites change frequently (a new plugin is installed, the theme changes, new users are added), so as a WordPress administrator you should run security scans with WPScan against the installations you administer on a regular schedule and after every such change. By doing so you confirm that the installed themes and plugins are not vulnerable, that your customizations do not expose the site, and that all WordPress users are using strong passwords.

The WPScan project official website is wpscan.org.

