WPScan: Your Go-To Sniper Hacker Tool for WordPress Security – A Comprehensive Guide

For a WordPress security professional, identifying vulnerabilities in WordPress websites is a critical task. WPScan stands out as a powerful command-line tool, often considered a “sniper hacker tool” in the arsenal of security experts. It is designed specifically for in-depth WordPress security scanning, enabling penetration testers and website owners to pinpoint weaknesses and fortify their sites against potential attacks.

WPScan is pre-installed on Kali Linux, making it readily accessible for security audits and penetration testing. It is engineered to scan remote WordPress installations, meticulously seeking out a wide range of security issues.

Installation and Setup

If WPScan is not already on your system, installing it is straightforward, especially on Debian-based systems like Kali Linux. Use the following command in your terminal:

sudo apt install wpscan

This command fetches and installs WPScan along with its necessary dependencies, including curl, Ruby, and the Ruby gems it needs to run.

Getting Started with WPScan: Basic Usage

To begin using WPScan and explore its capabilities, the help command is your first point of contact. Executing wpscan -h provides a concise overview of the tool’s options and usage. For a more detailed and comprehensive guide, wpscan --hh displays the full help menu, revealing the extensive features WPScan offers.

wpscan -h
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Usage: wpscan [options] --url URL

The URL of the blog to scan
Allowed Protocols: http, https
Default Protocol if none provided: http

This option is mandatory unless update or help or hh or version is/are supplied

-h, --help                       Display the simple help and exit
--hh                             Display the full help and exit
--version                        Display the version and exit
-v, --verbose                    Verbose mode
--[no-]banner                    Whether or not to display the banner
                                   Default: true
-o, --output FILE                Output to FILE
-f, --format FORMAT              Output results in the format supplied
                                   Available choices: cli-no-colour, cli-no-color, cli, json
--detection-mode MODE            Default: mixed
                                   Available choices: mixed, passive, aggressive
--user-agent, --ua VALUE
--random-user-agent, --rua      Use a random user-agent for each scan
--http-auth login:password
-t, --max-threads VALUE          The max threads to use
                                   Default: 5
--throttle MilliSeconds          Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
--request-timeout SECONDS        The request timeout in seconds
                                   Default: 60
--connect-timeout SECONDS        The connection timeout in seconds
                                   Default: 30
--disable-tls-checks             Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
--proxy protocol://IP:port       Supported protocols depend on the cURL installed
--proxy-auth login:password
--cookie-string COOKIE           Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
--cookie-jar FILE-PATH           File to read and write cookies
                                   Default: /tmp/wpscan/cookie_jar.txt
--force                          Do not check if the target is running WordPress or returns a 403
--[no-]update                    Whether or not to update the Database
--api-token TOKEN                The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile
--wp-content-dir DIR             The wp-content directory if custom or not detected, such as "wp-content"
--wp-plugins-dir DIR             The plugins directory if custom or not detected, such as "wp-content/plugins"
-e, --enumerate [OPTS]           Enumeration Process
                                   Available Choices:
                                     vp  Vulnerable plugins
                                     ap  All plugins
                                     p   Popular plugins
                                     vt  Vulnerable themes
                                     at  All themes
                                     t   Popular themes
                                     tt  Timthumbs
                                     cb  Config backups
                                     dbe Db exports
                                     u   User IDs range. e.g: u1-5
                                         Range separator to use: '-'
                                         Value if no argument supplied: 1-10
                                     m   Media IDs range. e.g m1-15
                                         Note: Permalink setting must be set to "Plain" for those to be detected
                                         Range separator to use: '-'
                                         Value if no argument supplied: 1-100
                                         Separator to use between the values: ','
                                   Default: All Plugins, Config Backups
                                   Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                   Incompatible choices (only one of each group/s can be used):
                                     - vp, ap, p
                                     - vt, at, t
--exclude-content-based REGEXP_OR_STRING
                                   Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                   Both the headers and body are checked. Regexp delimiters are not required.
--plugins-detection MODE         Use the supplied mode to enumerate Plugins.
                                   Default: passive
                                   Available choices: mixed, passive, aggressive
--plugins-version-detection MODE
                                   Use the supplied mode to check plugins' versions.
                                   Default: mixed
                                   Available choices: mixed, passive, aggressive
--exclude-usernames REGEXP_OR_STRING
                                   Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.
-P, --passwords FILE-PATH        List of passwords to use during the password attack. If no --username/s option supplied, user enumeration will be run.
-U, --usernames LIST             List of usernames to use during the password attack. Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
--multicall-max-passwords MAX_PWD
                                   Maximum number of passwords to send by request with XMLRPC multicall
                                   Default: 500
--password-attack ATTACK         Force the supplied attack to be used rather than automatically determining one. Multicall will only work against WP

The output from wpscan -h shows the essential usage syntax and the list of available options: specifying the target URL, controlling verbosity and output format (including json, which is convenient for feeding results into other tooling), and selecting the enumeration techniques to run.

Key Features and Options

WPScan’s strength lies in its extensive feature set, allowing for granular control over the scanning process. Some notable options include:

  • --url: This mandatory option specifies the target WordPress site URL.
  • -e, --enumerate: This is crucial for enumeration, allowing you to discover vulnerable plugins (vp), themes (vt), user IDs (u), and more. It’s a primary feature that positions WPScan as a powerful “sniper hacker tool” for WordPress.
  • --update: Ensures WPScan’s vulnerability database is up-to-date, which is vital for accurate and effective scanning.
  • --api-token: Leverages the WPScan API for enhanced vulnerability data, requiring a token obtained from the WPScan website.
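Once a scan has been written out with -f json -o report.json, the report still has to be triaged. The following is an added example (not part of this article or of the WPScan project) that reads such a report and turns the vulnerable-plugin findings from -e vp into action items; the sample report is constructed, and its key names reflect the layout of WPScan 3.x JSON reports as I know them, so treat the exact schema as an assumption.

```python
import json

# Constructed sample in the shape of a WPScan JSON report
# (wpscan --url <site> -e vp --api-token <token> -f json -o report.json).
# Key names are an assumption about the WPScan 3.x report layout.
SAMPLE_REPORT = json.dumps({
    "version": {"number": "6.1", "vulnerabilities": []},
    "plugins": {
        "example-forms": {
            "version": {"number": "2.3.1"},
            "latest_version": "2.4.0",
            "outdated": True,
            "vulnerabilities": [
                {"title": "Example Forms < 2.4.0 - Stored XSS", "fixed_in": "2.4.0"},
            ],
        },
        "example-cache": {
            "version": {"number": "1.9.0"},
            "latest_version": "1.9.0",
            "outdated": False,
            "vulnerabilities": [],
        },
        "example-seo": {
            "version": None,  # WPScan could not determine the installed version
            "latest_version": "5.0",
            "outdated": None,
            "vulnerabilities": [
                {"title": "Example SEO < 4.8 - Auth Bypass", "fixed_in": "4.8"},
            ],
        },
    },
})


def version_tuple(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage(report_json):
    """Return (slug, installed, fixed_in, title, status) for every plugin vulnerability."""
    report = json.loads(report_json)
    findings = []
    for slug, plugin in report.get("plugins", {}).items():
        installed = (plugin.get("version") or {}).get("number")
        for vuln in plugin.get("vulnerabilities", []):
            fixed = vuln.get("fixed_in")
            if installed is None:
                status = "verify"         # version unknown: confirm in wp-admin before acting
            elif fixed is None:
                status = "unpatched"      # no fixed release yet: mitigate or remove the plugin
            elif version_tuple(installed) < version_tuple(fixed):
                status = "update"         # fix exists and the installed version predates it
            else:
                status = "recheck"        # version is at or past the fix: detection may be off
            findings.append((slug, installed, fixed, vuln["title"], status))
    return findings
```

Plugins whose version WPScan could not fingerprint still get listed, because a missing version is a reason to look closer, not to skip the finding.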

Conclusion

WPScan is an indispensable “sniper hacker tool” for anyone serious about WordPress security. Its ability to deeply scan and identify vulnerabilities makes it essential for security audits, penetration testing, and proactively securing WordPress websites. By understanding its basic commands and options, you can begin to harness the power of WPScan to safeguard your WordPress projects.
