Automate WordPress Scanning with WPScan
Objective
Learn how to use WPScan, a WordPress vulnerability scanner, to identify security issues in WordPress installations. This lab guides you through installing WPScan, configuring it, and running scans to detect potential vulnerabilities.
Purpose
WordPress powers a significant percentage of websites globally, making it a frequent target for attackers. WPScan is a specialized tool for identifying vulnerabilities in WordPress sites, including:
- Outdated plugins and themes.
- Weak usernames and passwords.
- WordPress core vulnerabilities.
Tools Required
- Kali Linux (or any Linux distribution with WPScan installed).
- A WordPress site to test (ensure you have permission to scan the site).
Lab Topology
- Kali Linux: Running WPScan for vulnerability scanning.
- Target WordPress Site: A test WordPress site hosted locally or remotely.
Walkthrough
Task 1: Installing WPScan
- Update Your System:
- Ensure your system is up to date:
sudo apt update && sudo apt upgrade -y
- Install WPScan:
- Install WPScan using the package manager:
sudo apt install wpscan -y
- Verify Installation:
- Check that WPScan is installed correctly:
wpscan --version
Example output:
WPScan 3.8.16
Task 2: Configuring WPScan
- API Token Setup:
- WPScan requires an API token for full functionality, including plugin and theme vulnerability detection.
- Sign up for an account at https://wpscan.com.
- Copy your API token from your account.
- Set the API Token:
- Use the following command to configure WPScan with your API token:
export WPSCAN_API_TOKEN=<your_api_token>
- Replace <your_api_token> with the token you copied from the WPScan website.
Task 3: Running a Basic Scan
- Identify the Target:
- Determine the URL of the WordPress site to scan (e.g., http://testsite.local).
- Run the Scan:
wpscan --url <target_url>
Example:
wpscan --url http://testsite.local
- Analyze Output:
- WPScan will enumerate basic information about the WordPress installation, including version details and vulnerabilities.
Task 4: Enumerating WordPress Users
- Enumerate Users:
- To list usernames for the WordPress site:
wpscan --url <target_url> --enumerate u
Example:
wpscan --url http://testsite.local --enumerate u
- Analyze Output:
- Review the list of discovered usernames.
- Use this information to assess potential weak credentials.
Task 5: Enumerating Plugins and Themes
- Enumerate Plugins:
wpscan --url <target_url> --enumerate p
Example:
wpscan --url http://testsite.local --enumerate p
- Enumerate Themes:
wpscan --url <target_url> --enumerate t
Example:
wpscan --url http://testsite.local --enumerate t
- Analyze Vulnerabilities:
- WPScan will display outdated or vulnerable plugins/themes with associated CVEs (Common Vulnerabilities and Exposures).
Task 6: Testing for Weak Passwords
- Prepare a Wordlist:
- Use a pre-installed wordlist (e.g., /usr/share/wordlists/rockyou.txt) or create your own.
- Run the Password Attack:
wpscan --url <target_url> --enumerate u --passwords <wordlist_path>
Example:
wpscan --url http://testsite.local --enumerate u --passwords /usr/share/wordlists/rockyou.txt
- Analyze Results:
- WPScan will attempt to log in with the discovered usernames and passwords from the wordlist.
- Review the output for any successful attempts.
Best Practices
- Use Authorized Targets:
- Only scan WordPress sites you own or have explicit permission to test.
- Update WPScan Regularly:
- Ensure WPScan and its vulnerability database are up to date:
sudo apt update && sudo apt upgrade -y
- Prioritize Remediation:
- Address vulnerabilities in plugins, themes, and weak passwords first.
- Schedule Regular Scans:
- Automate scans to ensure ongoing security monitoring.
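An added example (not part of this lab or of WPScan itself) that ties the commands from Tasks 3 to 5 to the two practices above: a POSIX shell wrapper that refuses any target not on an explicit allowlist, refuses to run without the API token, and writes each scan as a dated JSON report so a scheduled job never overwrites the previous run. The allowlist entries and the reports/ directory are constructed placeholders; the wpscan flags used (--url, --enumerate vp,vt,u, -f json, -o) are real WPScan options.

```shell
#!/bin/sh
# Added example: scheduled WPScan wrapper with an authorization allowlist.
# Not part of WPScan or of this lab; the allowlist and paths are constructed placeholders.

# Constructed allowlist: only these targets may ever be scanned by this wrapper.
AUTHORIZED_TARGETS="http://testsite.local https://staging.example.invalid"

# Return 0 if the URL in $1 is on the allowlist, 1 otherwise.
is_authorized() {
    for t in $AUTHORIZED_TARGETS; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Print the wpscan command for target $1 on date $2 (YYYY-MM-DD). The report name is
# built from the host so daily runs of a scheduled job do not overwrite each other.
# vp/vt = vulnerable plugins/themes only, u = users, matching Tasks 4 and 5 above.
build_scan_cmd() {
    url="$1"; day="$2"
    host=$(printf '%s' "$url" | sed -e 's|^[a-z]*://||' -e 's|/.*$||' -e 's|[^A-Za-z0-9.-]|_|g')
    printf 'wpscan --url %s --enumerate vp,vt,u -f json -o reports/%s_%s.json\n' "$url" "$host" "$day"
}

# Run one scan. Return codes: 2 = target not authorized, 3 = API token missing,
# otherwise the exit status of wpscan itself.
run_scan() {
    url="$1"
    if ! is_authorized "$url"; then
        echo "refusing to scan unauthorized target: $url" >&2
        return 2
    fi
    if [ -z "$WPSCAN_API_TOKEN" ]; then
        echo "WPSCAN_API_TOKEN is not set; vulnerability data would be missing" >&2
        return 3
    fi
    mkdir -p reports
    cmd=$(build_scan_cmd "$url" "$(date +%F)")
    echo "running: $cmd"
    $cmd
}
```

Call run_scan from a cron entry with the target URL as its argument; the JSON report in reports/ can then be diffed against the previous day's file to spot newly reported vulnerabilities.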
Key Takeaways
- WPScan is a specialized tool for identifying WordPress vulnerabilities.
- Enumerating plugins, themes, and users helps pinpoint specific security risks.
- Always follow ethical guidelines and perform scans in a controlled environment.
Troubleshooting Tips
- Connection Errors:
- Ensure the target URL is accessible from your machine.
- Verify network connectivity and resolve DNS issues if needed.
- Missing API Token:
- Ensure your API token is set correctly using:
echo $WPSCAN_API_TOKEN
- Incomplete Results:
- Check that the target WordPress site has public access to its /wp-json and other directories.
- Permission Denied:
- Use sudo if encountering permission issues during installation or execution.