For a WordPress security professional, identifying vulnerabilities within WordPress websites is a critical task. WPScan stands out as a powerful command-line tool, often considered a “sniper hacker tool” in the arsenal of security experts. It is specifically designed for in-depth WordPress security scanning, enabling penetration testers and website owners to pinpoint weaknesses and fortify their sites against potential attacks.
WPScan is pre-installed on Kali Linux, making it readily accessible for security audits and penetration testing. It is engineered to scan remote WordPress installations, meticulously seeking out a wide range of security issues.
Installation and Setup
If WPScan is not already on your system, installing it is straightforward, especially on Debian-based systems like Kali Linux. Use the following command in your terminal:
sudo apt install wpscan
This command fetches and installs WPScan along with its necessary dependencies, including curl, ruby, and the other Ruby libraries essential for its operation.
Getting Started with WPScan: Basic Usage
To begin using WPScan and explore its capabilities, the help command is your first point of contact. Executing wpscan -h provides a concise overview of the tool’s options and usage. For a more detailed and comprehensive guide, wpscan --hh displays the full help menu, revealing the extensive features WPScan offers.
wpscan -h
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
Usage: wpscan [options] --url URL
The URL of the blog to scan
Allowed Protocols: http, https
Default Protocol if none provided: http
This option is mandatory unless update or help or hh or version is/are supplied
-h, --help Display the simple help and exit
--hh Display the full help and exit
--version Display the version and exit
-v, --verbose Verbose mode
--[no-]banner Whether or not to display the banner
Default: true
-o, --output FILE Output to FILE
-f, --format FORMAT Output results in the format supplied
Available choices: cli-no-colour, cli-no-color, cli, json
--detection-mode MODE Default: mixed
Available choices: mixed, passive, aggressive
--user-agent, --ua VALUE
--random-user-agent, --rua Use a random user-agent for each scan
--http-auth login:password
-t, --max-threads VALUE The max threads to use
Default: 5
--throttle MilliSeconds Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
--request-timeout SECONDS The request timeout in seconds
Default: 60
--connect-timeout SECONDS The connection timeout in seconds
Default: 30
--disable-tls-checks Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
--proxy protocol://IP:port Supported protocols depend on the cURL installed
--proxy-auth login:password
--cookie-string COOKIE Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
--cookie-jar FILE-PATH File to read and write cookies
Default: /tmp/wpscan/cookie_jar.txt
--force Do not check if the target is running WordPress or returns a 403
--[no-]update Whether or not to update the Database
--api-token TOKEN The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile
--wp-content-dir DIR The wp-content directory if custom or not detected, such as "wp-content"
--wp-plugins-dir DIR The plugins directory if custom or not detected, such as "wp-content/plugins"
-e, --enumerate [OPTS] Enumeration Process
Available Choices:
vp Vulnerable plugins
ap All plugins
p Popular plugins
vt Vulnerable themes
at All themes
t Popular themes
tt Timthumbs
cb Config backups
dbe Db exports
u User IDs range. e.g: u1-5
Range separator to use: '-'
Value if no argument supplied: 1-10
m Media IDs range. e.g m1-15
Note: Permalink setting must be set to "Plain" for those to be detected
Range separator to use: '-'
Value if no argument supplied: 1-100
Separator to use between the values: ','
Default: All Plugins, Config Backups
Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
Incompatible choices (only one of each group/s can be used):
- vp, ap, p
- vt, at, t
--exclude-content-based REGEXP_OR_STRING
Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
Both the headers and body are checked. Regexp delimiters are not required.
--plugins-detection MODE Use the supplied mode to enumerate Plugins.
Default: passive
Available choices: mixed, passive, aggressive
--plugins-version-detection MODE
Use the supplied mode to check plugins' versions.
Default: mixed
Available choices: mixed, passive, aggressive
--exclude-usernames REGEXP_OR_STRING
Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.
-P, --passwords FILE-PATH List of passwords to use during the password attack. If no --username/s option supplied, user enumeration will be run.
-U, --usernames LIST List of usernames to use during the password attack. Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
--multicall-max-passwords MAX_PWD
Maximum number of passwords to send by request with XMLRPC multicall
Default: 500
--password-attack ATTACK Force the supplied attack to be used rather than automatically determining one. Multicall will only work against WP
The output from wpscan -h displays essential usage instructions and a list of available options. This includes options for specifying the target URL, controlling scan verbosity, output format, and various enumeration techniques.
Key Features and Options
WPScan’s strength lies in its extensive feature set, allowing for granular control over the scanning process. Some notable options include:
--url: This mandatory option specifies the target WordPress site URL.
-e, --enumerate: This is crucial for enumeration, allowing you to discover vulnerable plugins (vp), themes (vt), user IDs (u), and more. It’s a primary feature that positions WPScan as a powerful “sniper hacker tool” for WordPress.
--update: Ensures WPScan’s vulnerability database is up-to-date, which is vital for accurate and effective scanning.
--api-token: Leverages the WPScan API for enhanced vulnerability data, requiring a token obtained from the WPScan website.
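The following is an added example, not code from this post or from the WPScan project. It ties the help output and the key options above together from an auditor's side: one function assembles a WPScan command line from the documented options (--url, --format json, --output, --update, --random-user-agent, --enumerate, --detection-mode, --throttle, --api-token) and enforces the "incompatible choices" rule for --enumerate; a second turns the JSON report that -f json writes into a flat patch list; a third lists the usernames the scan could enumerate. The report layout is an assumption: it mirrors WPScan's JSON output as I know it (plugins and themes keyed by slug, each carrying a "version" object and a "vulnerabilities" list with "title" and "fixed_in"; "users" keyed by login name), and the SAMPLE_REPORT with its example-* slugs is constructed, not a real scan. The run_scan helper assumes wpscan is on PATH and is not executed here.

```python
# Added example (not code from the original post or the WPScan project):
# build a WPScan command line from the options in its help output, then
# summarise a `-f json` report for triage.
# Assumptions: `wpscan` is on PATH; the report layout mirrors WPScan's JSON
# output as I know it (plugins/themes keyed by slug with a "version" object
# and a "vulnerabilities" list carrying "title" and "fixed_in"; "users" keyed
# by login name). SAMPLE_REPORT below is constructed, not a real scan.
import json
import subprocess
from typing import Dict, List, Optional, Sequence

# From the help text: only one choice per group may be passed to --enumerate.
ENUMERATE_GROUPS = (("vp", "ap", "p"), ("vt", "at", "t"))


def build_wpscan_command(
    url: str,
    output_file: str,
    enumerate_opts: Sequence[str] = ("vp", "vt", "u"),
    passive: bool = False,
    throttle_ms: Optional[int] = None,
    api_token: Optional[str] = None,
) -> List[str]:
    """Return argv for a wpscan run with conservative defaults for an audit."""
    for group in ENUMERATE_GROUPS:
        if len(set(enumerate_opts) & set(group)) > 1:
            raise ValueError(f"--enumerate: only one of {group} may be used")
    cmd = ["wpscan", "--url", url, "--format", "json", "--output", output_file,
           "--update", "--random-user-agent", "--enumerate", ",".join(enumerate_opts)]
    if passive:  # passive detection skips the noisier aggressive checks
        cmd += ["--detection-mode", "passive"]
    if throttle_ms is not None:  # the help notes --throttle forces max threads to 1
        cmd += ["--throttle", str(throttle_ms)]
    if api_token:  # required for vulnerability data from the WPScan API
        cmd += ["--api-token", api_token]
    return cmd


def summarise_report(report: Dict) -> List[Dict]:
    """Flatten core, plugin and theme vulnerabilities into one list of findings."""
    findings: List[Dict] = []

    def add(component: str, installed: Optional[str], vulns: Sequence[Dict]) -> None:
        for vuln in vulns:
            findings.append({"component": component, "installed": installed,
                             "title": vuln.get("title"), "fixed_in": vuln.get("fixed_in")})

    core = report.get("version") or {}
    add("core", core.get("number"), core.get("vulnerabilities") or [])
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            version = (comp.get("version") or {}).get("number")
            add(f"{kind[:-1]}:{slug}", version, comp.get("vulnerabilities") or [])
    return findings


def enumerated_users(report: Dict) -> List[str]:
    """Usernames the scan could enumerate; a long list is itself worth reporting,
    since every exposed login name narrows a password attack against the site."""
    return sorted((report.get("users") or {}).keys())


def run_scan(url: str, output_file: str, **options) -> Dict:
    """Run WPScan and load the JSON report it writes (not executed in this demo)."""
    subprocess.run(build_wpscan_command(url, output_file, **options), check=False)
    with open(output_file, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample report: placeholder slugs, versions and titles.
SAMPLE_REPORT = {
    "target_url": "http://example.test/",
    "version": {"number": "6.4.1", "vulnerabilities": []},
    "plugins": {
        "example-forms": {
            "slug": "example-forms",
            "version": {"number": "1.2.0"},
            "vulnerabilities": [
                {"title": "Example Forms < 1.3.0 - Placeholder Issue", "fixed_in": "1.3.0"},
            ],
        },
        "example-cache": {"slug": "example-cache", "version": {"number": "4.0"},
                          "vulnerabilities": []},
    },
    "themes": {},
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
}


if __name__ == "__main__":
    print(" ".join(build_wpscan_command("http://example.test", "scan.json",
                                        passive=True, throttle_ms=200)))
    for f in summarise_report(SAMPLE_REPORT):
        print(f"{f['component']} {f['installed']} -> upgrade to {f['fixed_in']}: {f['title']}")
    print("enumerated users:", enumerated_users(SAMPLE_REPORT))
```

Running the block prints the assembled command, one line per vulnerable component with the version that fixes it, and the enumerated usernames. Keeping the API token out of the source (pass it in from an environment variable) and writing to a JSON file rather than reading the coloured CLI output makes repeated audits of the same site easy to diff.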
Conclusion
WPScan is an indispensable “sniper hacker tool” for anyone serious about WordPress security. Its ability to deeply scan and identify vulnerabilities makes it essential for security audits, penetration testing, and proactively securing WordPress websites. By understanding its basic commands and options, you can begin to harness the power of WPScan to safeguard your WordPress projects.