WPScan is a black-box WordPress security scanner written in Ruby. Ideal for penetration testers, security professionals and WordPress administrators, WPScan can find security weaknesses within a WordPress blog or website.
The WPScan WordPress security scanner runs on Linux distributions only; it does not yet support or run on the Windows operating system. WPScan also comes pre-installed on the BackBox, BackTrack, Pentoo, SamuraiWTF and Kali Linux distributions.
WPScan WordPress security scanner features
Non-intrusive WordPress security scan
You can use the WPScan WordPress Security Scanner to launch a non-intrusive security scan against a WordPress blog or website. During the scan WPScan tries to identify plugins and themes with known vulnerabilities, as well as other security weaknesses. For example, it runs checks such as:
- sensitive information disclosure (via directory listing and similar issues),
- vulnerabilities in the activated theme,
- the installed version of WordPress,
- the installed version of TimThumb.
WordPress username enumeration & weak password cracking (brute-force attack)
WPScan can enumerate all of the WordPress users of the target blog or website. This is useful if you then want to launch a brute-force attack against the target website, i.e. to check that the WordPress users are using strong passwords.
WordPress plugins security – enumeration and vulnerability detection
WPScan WordPress Security Scanner can also check whether the installed WordPress plugins are vulnerable. By enabling the enumeration option during a scan, WPScan enumerates the plugins installed on the target WordPress installation and advises you if a vulnerable WordPress plugin is detected. WPScan can also enumerate the WordPress themes on a target WordPress installation.
Run frequent WordPress security scans
Installing a WordPress security plugin and applying all security tweaks is one thing; keeping your WordPress blog or website hacker- and malware-free is another. As a WordPress administrator you should run frequent security scans with WPScan and also:
- enforce strong WordPress password policies,
- install a WordPress file integrity monitor,
- keep a record of all site changes in a WordPress audit trail (activity log).
The WPScan project official website is wpscan.org.