WPScan is a vulnerability scanner for WordPress, written in Ruby. It finds the vulnerabilities present on a WordPress website, lists the plugins in use and reports the security vulnerabilities associated with them. It can also brute-force the login of the admin interface.
It is intended for both security professionals and administrators of WordPress sites.
The main features of WPScan:
- enumeration of users,
- multithreaded brute-force password cracking,
- detection of the WordPress version,
- detection and enumeration of vulnerable plugins.
WPScan only runs under Linux; if you have a Windows computer, I advise you to use a virtual machine running Kali Linux. Just download VMware and a Kali Linux image: WPScan is already pre-installed on it. And here is how to install Kali Linux on a Windows machine with VMware.
Otherwise, to install it on another distribution, see this page: https://github.com/wpscanteam/wpscan
How to use WPScan?
After the installation we move on to serious matters, the most interesting part!
Easy to use:
To know the version of WordPress and the name of the theme used, open a terminal as root and type:
To list all users who have access to the blog, based on the authors of the articles:
List vulnerable plugins
To list the plugins used on a site and display the related security vulnerabilities, run the following command:
You can see in the screenshot that WPScan detected a vulnerable plugin (comment-rating) with a link to the SQL injection flaw; this flaw could be exploited to take full control of the FunInformatique database. Don't worry, I have disabled it.
Crack administrator password
To get the administrator password, we are going to brute-force the administration interface.
For that we will need what is called a dictionary. In a brute-force attack, the dictionary is the list of candidate passwords that the tool will try, one by one, against the remote system. In short, it is the list of tested passwords.
Under Kali Linux a list exists by default, but you are free to add other words. The dictionary present by default under Kali Linux is located under:
If you are using a distribution other than Kali Linux, you can download a dictionary here and there.
In short, here is the command that uses the dictionary to obtain the password of the WordPress administrator:
/pentest/passwords/wordlists/darkc0de.lst --username admin
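From the defender's side, the enumeration and brute-force activity described in this section leaves a very recognisable trace in the web server's access log: a fetch of readme.html, a run of ?author=N requests, and a burst of POSTs to wp-login.php from one client. The following Python script is an added example (not part of the original article or of WPScan itself) that parses Apache combined-format log lines and flags clients showing these patterns. The log lines, the IP addresses, the user agent strings and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not from the original
# page). One host behaves like a scanner run (readme.html fetch, author
# enumeration, repeated wp-login.php POSTs); the other is a normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /readme.html HTTP/1.1" 200 7413 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan v3.8.22 (constructed)"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan v3.8.22 (constructed)"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def collect_stats(log_text):
    """Aggregate, per client IP, the signals that scanner activity produces."""
    stats = defaultdict(lambda: {"login_posts": 0, "author_ids": set(),
                                 "readme": False, "scanner_ua": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        path = m["path"]
        base = path.split("?")[0]
        if m["method"] == "POST" and base == "/wp-login.php":
            s["login_posts"] += 1                  # password guessing
        am = AUTHOR_RE.search(path)
        if am:
            s["author_ids"].add(int(am.group(1)))  # user enumeration
        if base == "/readme.html":
            s["readme"] = True                     # version fingerprinting
        if "wpscan" in m["ua"].lower():
            s["scanner_ua"] = True                 # scanner's own user agent
    return stats


def analyse(log_text, login_threshold=5, author_threshold=3):
    """Return {ip: [reasons]} for clients whose activity crosses the thresholds."""
    findings = {}
    for ip, s in collect_stats(log_text).items():
        reasons = []
        if s["login_posts"] >= login_threshold:
            reasons.append(f"{s['login_posts']} POSTs to /wp-login.php (possible brute force)")
        if len(s["author_ids"]) >= author_threshold:
            reasons.append(f"author enumeration over ids {sorted(s['author_ids'])}")
        if s["readme"]:
            reasons.append("fetched /readme.html (version fingerprinting)")
        if s["scanner_ua"]:
            reasons.append("WPScan user agent")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip)
        for r in reasons:
            print("  -", r)
```

The user agent check is the weakest of the four signals, since a scanner's user agent string can be changed freely; the volume of wp-login.php POSTs and the sequential author ids are behavioural and survive that. On a real server you would feed the script a live access log and tune the thresholds to your normal login volume.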
Protect your WordPress site
To counter these techniques, remove the readme.html file at the root of the WordPress installation (it reveals the version), keep WordPress and its plugins up to date, and use a long password with many different character types. You can also install a plugin such as User Locker, which limits the number of authentication attempts.
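To show what the last two recommendations amount to in code, here is an added Python example (not the User Locker plugin's code and not part of the original article): a small lockout counter that blocks a username/client-IP pair after too many failed logins within a time window, and a password policy check that enforces length and character variety. The attempt limit, the lockout duration and the policy thresholds are assumptions chosen for the illustration.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Lock out a (username, client IP) pair after too many failed logins.

    Constructed illustration of the 'limit authentication attempts' idea;
    the thresholds are assumptions, not values from any particular plugin.
    """

    def __init__(self, max_attempts=5, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)   # key -> timestamps of failures

    @staticmethod
    def _key(username, ip):
        # Usernames are matched case-insensitively, as WordPress logins are.
        return (username.lower(), ip)

    def _recent(self, key, now):
        # Drop failures older than the lockout window and return the rest.
        window_start = now - self.lockout_seconds
        self._failures[key] = [t for t in self._failures[key] if t > window_start]
        return self._failures[key]

    def is_locked(self, username, ip, now=None):
        now = time.time() if now is None else now
        return len(self._recent(self._key(username, ip), now)) >= self.max_attempts

    def record_failure(self, username, ip, now=None):
        """Register a failed login; returns True if the pair is now locked."""
        now = time.time() if now is None else now
        self._recent(self._key(username, ip), now).append(now)
        return self.is_locked(username, ip, now)

    def record_success(self, username, ip):
        """A successful login clears the failure history for that pair."""
        self._failures.pop(self._key(username, ip), None)


def meets_password_policy(password, min_length=14, min_classes=3):
    """Require a minimum length and at least min_classes of the four
    character classes: lowercase, uppercase, digits, other symbols."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_length and sum(classes) >= min_classes


if __name__ == "__main__":
    limiter = LoginLimiter()
    for attempt in range(6):
        locked = limiter.record_failure("admin", "203.0.113.5")
        print(f"failure {attempt + 1}: locked={locked}")
    print("policy ok:", meets_password_policy("Tr0ub4dor&3-long-enough"))
```

Keying the counter on the username as well as the client address matters for the brute-force case in this article: a single attacker rotating addresses still exhausts the attempts for "admin", while one careless user cannot lock out everyone on the site. The lockout is time-bounded so that a forgotten password does not turn into a permanent denial of service.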