WPScan: web security scanner for WordPress

(by Alessio Buttitta)
24/01/22

WordPress is an open source CMS (Content Management System), i.e. a platform that lets you create and manage a website and its contents in a simple and dynamic way. Today it is the most widely used way to build sites: it is estimated that 40% of websites are made with WordPress.

For this reason, numerous pieces of software, plugins and tools have been created that integrate or interact with this CMS. Some serve marketing, graphics or add-on purposes such as customizing the site; other tools instead have analysis functions, for example WPScan, which we are going to explain in detail.

Is WordPress functional for large websites?

WordPress is often mistakenly associated with micro-businesses or businesses with limited budgets. It is fair to point out instead how many high-traffic websites, belonging to companies that are far from economically limited, use this technology.

Here is a non-exhaustive list of some well-known brands that use WordPress:

- Spotify
- CNN
- TED
- Microsoft
- Vimeo
- Wikipedia
- The New York Times
- Skype
- NASA
- Sony PlayStation
- Walt Disney

And the list goes on ...

What is WPScan?

WPScan is a CLI tool, that is, one usable only from the command line. It is an open source product and is in fact often bundled with Linux distributions such as Kali Linux.

It is a web security scanner created to analyse the WordPress platform. As reported by the official documentation, it was designed to be used during penetration tests. It is also used by many WordPress users to check the compliance of their own website.

WPScan's primary purpose is to look for security holes within the platform: it can test a site that adopts the WordPress CMS and check it for vulnerabilities.

How to start using WPScan?

As with many CLI tools, the first command to run when approaching the software is: wpscan -h
The output we will receive will look like this:

The options the tool is equipped with are listed and described.

The first basic option is --url which allows you to insert the link of an environment to be analyzed.

The command will then be: wpscan --url www.sitename.com

The output will be the real analysis of the site with the evidence of any vulnerabilities or sensitive data exposed.

In the event that the analyzed website does not use WordPress or is not detectable, the operation will end with an error message.

The tool's functionality is built around this basic scan of the environment.

Some other parameters offered by WPScan that we can use according to our needs are the following:
- --force runs all the predefined checks even if the site appears to be offline.
- --follow-redirection finds out whether the site in question redirects, possibly to other sites or social pages.
- --verbose launches WPScan with more detailed output, showing the progress percentage of the operation.
- --enumerate lists the plugins, the theme in use, the users and various other features of the site, together with the related problems.
It is also possible to run analyses anonymously, leaving no trace.

Finally, it is possible to create a customized output and also save it to a file. The options listed above can be combined to obtain a more detailed result.

Some technical details about WPScan

The tool contains a database that allows it to perform enumeration, that is, to check for and list the most common vulnerabilities. It also allows brute-force attacks, i.e. trying all possible password combinations to gain access to the site.

The database is updated very often, which is why the analysis on the same site can provide totally different results over a short period of time.

In conclusion, it is a good habit to stay informed about the security problems that the software we use can present, and never to skip the updates that are released.
A website is never completely safe: many vulnerabilities are discovered every day, and WordPress, being so widely used, is always in the crosshairs of the bad guys.

I remind you that this article is for educational purposes only: unauthorized use of the software in question is considered an attempt to gain unauthorized access to a computer system and is punishable by law.