How to scan your WordPress sites for vulnerabilities

How confident are you in the security of your WordPress deployments? If you're not 100% confident, you should make use of the wpscan tool.

Image: Jack Wallen

Considering how prevalent installations of the open source WordPress blogging platform are, chances are good that you have a deployment or two to manage. Generally speaking, that is a fairly easy task. However simple day-to-day WordPress administration may be, though, you probably aren't as up to speed on the vulnerabilities lurking within your sites.

No matter how often you update WordPress and its plugins and themes, there might still be issues lurking underneath. You don’t want to leave those sites vulnerable. What do you do?

You make use of a simple scanning tool called wpscan.

I’m going to walk you through the installation and usage of this tool. With it, you’ll know what needs to be addressed on your WordPress sites.


What you’ll need

I'll be demonstrating the installation on Ubuntu Server 18.04. You can install wpscan on just about any Linux distribution that supports Ruby. With that in mind, you'll need a running instance of Ubuntu Server (or another Linux distribution with Ruby available) and a user account with sudo privileges.

If you use a Linux distribution that isn’t based on Debian/Ubuntu, you’ll need to modify the installation instructions slightly.

How to install the necessary dependencies

The first thing to be done is the installation of the necessary dependencies. Log in to your server or open a terminal window on your desktop and issue the command:

sudo apt install curl git libcurl4-openssl-dev make zlib1g-dev gawk g++ gcc libreadline-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 autoconf libgdbm-dev libncurses5-dev automake libtool bison pkg-config ruby ruby-bundler ruby-dev -y

Once that command completes, you can then use gem to install wpscan with the command:

sudo gem install wpscan

That command will take a minute or two to complete. Once it’s finished, you’re ready to scan.

How to scan sites

Before you scan that first site, you’ll want to update the wpscan database with the command:

wpscan --update

With the database updated, let’s scan a site. The scanning command looks like:

wpscan --url=http://ADDRESS

Where ADDRESS is either the domain or IP address of the server to be scanned.

You will see the output of the scan revealing:

  • Interesting findings (server headers, exposed files, directory listings, XML-RPC and the like);

  • The WordPress version and the version of each detected plugin and theme (with a warning if an update is available);

  • How confident wpscan is in each detection (shown as a percentage next to the finding); and

  • Other, various discoveries.

One caveat: current wpscan releases only list the known vulnerabilities for the versions they detect if you supply a WPScan API token (the --api-token option). Without one you still get the version and update information, which is enough to tell you what is out of date.

It is important that you read through all of the findings listed, as you very well might find something that needs to be addressed. For instance, in a scan of one of my sites, I discovered I had directory listing enabled in the wp-content/uploads directory. To solve that problem I could install yet another third-party add-on, or, if I have shell access to the hosting server, I could modify the .htaccess file for that directory and add the Options -Indexes entry to disable directory browsing. That fix is specific to Apache (and only works if the server's AllowOverride setting permits it); on nginx the equivalent is autoindex off; in the relevant location block. Re-run the scan afterwards to confirm the finding is gone.

You'll probably find a number of issues to be resolved from the output of wpscan, so make sure you comb through the results carefully. If you don't have time to check through the output at that moment, you can always send the output of the command to a file like so:

wpscan --url=http://ADDRESS > wpscan_output

Where ADDRESS is either the domain or IP address of the server to be scanned. If you intend to grep through the saved report or feed it to another tool, wpscan's own options give you a cleaner file: --output FILE writes the report to a file, and --format selects cli-no-colour (plain text without terminal colour codes) or json.
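The scan-and-review procedure above lends itself to a small wrapper that updates the database once, scans every site you manage, keeps a dated report per site, and pulls out the two findings worth acting on first (a core version flagged Insecure and plugins reported as out of date). The script below is an added example, not code from the article or from the wpscan project. It assumes wpscan is on your PATH; the sites file, the output directory and the sample report embedded at the bottom are hypothetical (the sample is constructed in the shape of wpscan's cli output and is not real scan data).

```shell
#!/bin/sh
# Added example: wrapper around the wpscan procedure described in the article.
# Not code from the article or from the wpscan project.
# Assumptions: wpscan is on PATH; $1 is a file with one site URL per line
# (hypothetical name sites.txt); $2 is the directory that receives reports.

# Turn a URL into a safe file-name stem: drop the scheme and trailing slashes,
# then replace anything outside [A-Za-z0-9._-] with '_'.
site_stem() {
    printf '%s' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#/*$##' -e 's#[^A-Za-z0-9._-]#_#g'
}

# Count the lines carrying wpscan's "[!]" warning marker in a report on stdin.
count_warnings() {
    awk '/\[!\]/ { n++ } END { print n + 0 }'
}

# Pull the findings to act on first out of a report on stdin: a core version
# flagged Insecure, and plugins/themes reported as out of date. Every
# "[+] <name>" line opens a block, so an "[!] ... out of date" line refers to
# the most recent name seen.
summarise_report() {
    awk '
        /^\[\+\] WordPress version [0-9.]+ identified \(Insecure/ { print "core " $4 " flagged Insecure" }
        /^\[\+\] / { name = $2 }
        /\[!\] The version is out of date/ { print name ": latest is " $NF }
    '
}

# Update the database once, then scan each site into a dated plain-text report
# (--output and --format are wpscan's own options; cli-no-colour keeps the file
# free of terminal colour codes so it is grep-friendly) and print a summary.
scan_sites() {
    sites_file=$1
    out_dir=$2
    mkdir -p "$out_dir"
    wpscan --update
    while IFS= read -r url; do
        case $url in ''|'#'*) continue ;; esac   # skip blank and comment lines
        report="$out_dir/$(site_stem "$url")-$(date +%Y%m%d).txt"
        wpscan --url "$url" --format cli-no-colour --output "$report"
        printf '%s: %s warning line(s)\n' "$url" "$(count_warnings < "$report")"
        summarise_report < "$report"
    done < "$sites_file"
}

# Constructed sample in the shape of a wpscan cli report (not real scan data),
# used here only to exercise the parsing functions without a live scan.
sample_report() {
    cat <<'EOF'
[+] URL: http://blog.example.com/ [192.0.2.10]

Interesting Finding(s):

[+] Upload directory has listing enabled: http://blog.example.com/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Rss Generator (Passive Detection)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://blog.example.com/wp-content/plugins/akismet/
 | [!] The version is out of date, the latest version is 4.1.3
 | Version: 4.1.2 (80% confidence)

[+] contact-form-7
 | Location: http://blog.example.com/wp-content/plugins/contact-form-7/
 | Version: 5.1.4 (100% confidence)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
EOF
}

# Usage: sh scan.sh run sites.txt reports   (script, file and directory names are hypothetical)
if [ "${1:-}" = "run" ]; then
    scan_sites "$2" "$3"
fi
```

Run it from cron or a CI job so every site gets the same treatment on a schedule, and diff consecutive dated reports to see what changed between scans. The summary only catches what the report states outright; you still need to read the full report for the "Interesting Finding(s)" section, which is where the directory-listing case above shows up.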

You can also use wpscan to enumerate the user accounts on your site, and then run a dictionary attack against those accounts to make sure your users are not employing weak credentials. Only do this against sites you own or are authorized to test: the attack is a stream of real login attempts against the site's XML-RPC endpoint or login page, which will show up in your logs and may trip a lockout plugin or a web application firewall. To do this, you'll first need to have a dictionary file (such as the rockyou.txt wordlist).

To enumerate users, issue the command:

wpscan --url http://ADDRESS --enumerate u

Where ADDRESS is either the URL or IP address of your WordPress site. 

This will give you a list of the registered users on your site. Now, say you want to check to see if those users’ passwords can be easily cracked. To do this, issue the command:

wpscan --url=http://ADDRESS --passwords FILE --usernames USER

Where ADDRESS is the URL or IP address of your WordPress site, FILE is the filename of your downloaded dictionary, and USER is the user name to be tested (a comma-separated list of names, or a file containing one name per line, is also accepted).

This scan will take a considerable amount of time, especially if you're checking a number of users against a large wordlist. But once it completes, you'll see if any user's password was easily cracked. If so, you should deal with that immediately: reset the password and find out whether the same credentials are in use elsewhere. If you see No Valid Passwords Found, it only means that none of the passwords in your wordlist matched; it does not prove the passwords are strong, so keep enforcing a sensible password policy and two-factor authentication regardless.
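The enumerate-then-attack procedure above, as an added example that is not part of the original article or of the wpscan project: it enumerates users, feeds exactly the names that came back into the password attack, and reports any cracked pairs from the saved report. It assumes wpscan is on your PATH and that you supply the path of your downloaded wordlist; the output directory and the two sample reports embedded below are hypothetical (the samples are constructed in the shape of wpscan's cli output, not real results).

```shell
#!/bin/sh
# Added example: drive wpscan's user enumeration and password audit and
# summarise the result. Not code from the article or from the wpscan project.
# Assumptions: wpscan is on PATH; $2 is a wordlist you downloaded (for example
# a local copy of rockyou.txt); $3 is a directory for the two saved reports.

# Usernames from the "User(s) Identified:" section of a report on stdin, one
# per line. The section ends at the next [i]/[!] line or at "[+] Finished:".
users_from_report() {
    awk '
        /^\[i\] User\(s\) Identified:/ { in_users = 1; next }
        in_users && (/^\[[!i]\] / || /^\[\+\] Finished:/) { in_users = 0 }
        in_users && /^\[\+\] / { sub(/^\[\+\] /, ""); print }
    '
}

# Join stdin lines with commas, the list form that --usernames accepts.
join_csv() {
    paste -sd, -
}

# "user password" for each pair listed under "Valid Combinations Found:" on
# stdin. Splitting on the fixed ", Password: " separator keeps passwords that
# themselves contain ':' intact.
cracked_from_report() {
    awk '
        /^ *\| Username: .*, Password: / {
            line = $0
            sub(/^.*Username: /, "", line)
            user = line; sub(/, Password: .*$/, "", user)
            pass = line; sub(/^.*, Password: /, "", pass)
            print user, pass
        }
    '
}

# Enumerate users, then run the dictionary attack only against the names that
# came back. Both reports are written to files so they can be reviewed later.
# Exit status: 0 nothing cracked, 1 no users found, 2 weak credentials found.
audit_passwords() {
    url=$1; wordlist=$2; out_dir=$3
    mkdir -p "$out_dir"
    wpscan --url "$url" --enumerate u --format cli-no-colour --output "$out_dir/users.txt"
    users=$(users_from_report < "$out_dir/users.txt" | join_csv)
    if [ -z "$users" ]; then
        echo "no users enumerated; nothing to test" >&2
        return 1
    fi
    wpscan --url "$url" --usernames "$users" --passwords "$wordlist" \
           --format cli-no-colour --output "$out_dir/passwords.txt"
    cracked=$(cracked_from_report < "$out_dir/passwords.txt")
    if [ -n "$cracked" ]; then
        printf 'weak credentials found:\n%s\n' "$cracked"
        return 2
    fi
    echo "no password from the wordlist matched (this does not prove the passwords are strong)"
}

# Constructed sample enumeration report (not real output) for offline testing.
sample_users_report() {
    cat <<'EOF'
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] editor
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.

[+] Finished: Sun Jan 01 00:00:00 2023
EOF
}

# Constructed sample password-attack report (not real output) with one hit.
sample_password_report() {
    cat <<'EOF'
[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - admin / letmein

[!] Valid Combinations Found:
 | Username: admin, Password: letmein

[+] Finished: Sun Jan 01 00:00:00 2023
EOF
}

# Usage: sh audit.sh run http://ADDRESS /path/to/rockyou.txt audit-out   (names are hypothetical)
if [ "${1:-}" = "run" ]; then
    audit_passwords "$2" "$3" "$4"
fi
```

Because the wrapper returns a distinct exit status when credentials are cracked, it can gate a scheduled job or page an on-call engineer. Warn whoever watches the site's login monitoring before you run it: the attack phase is indistinguishable from a real credential-stuffing attempt in the logs.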

And that's how you install and use the wpscan tool to check your WordPress sites for vulnerabilities. Make sure to run it regularly, ideally after every core, plugin or theme update, so you stay as up to date as possible on your WordPress security issues.
