WordPress provides a great way to build a complete website without any coding or design skills. You can select themes and plugins to give your WordPress website the look and functionality you want. But the plugins and themes you install can carry vulnerabilities and backdoors that attackers can exploit to compromise your WordPress website. In this article we are going to show you how to find WordPress security vulnerabilities and threats.
There are many WordPress vulnerability scanners and WordPress website scanners available. Each focuses on different types of threats, and many of them scan a WordPress site for vulnerabilities so you can secure it before an attacker finds them. We are going to help you use wpscan on Kali Linux to find WordPress vulnerabilities.
What you’ll need
- A WordPress website with themes and plugins
- Kali Linux OS
- VMware, if you want to run Kali Linux on top of a Windows operating system
Step By Step Procedure
If you are running Kali Linux in VMware, the first thing you need to do is open VMware, select Kali Linux and start your virtual machine. If you are running Kali Linux as your primary operating system, skip this step.
Wait for Kali Linux to load. Then open Applications > Website Applications Analysis > Wpscan. Among the many WordPress security tools, WPScan provides both penetration testing and brute force attacks against WordPress sites. WPScan also provides details and error codes for each vulnerability. You can use these details to research it further and take corrective action. We will show you how to do this in the coming steps.
Type wpscan --url http://www.yourwordpresssite.com to get general information about your WordPress site. You will not get any vulnerability findings here; this only gives you the most basic information about your website, which may help you in later stages.
WPScan will prompt you to update its database. Make sure to press Y and Enter.
If the previous step provides no vulnerability information, type wpscan --url http://www.yourwordpresswebsite.com --enumerate p. This command focuses on plugins only and performs more aggressive tests to find all WordPress vulnerabilities in installed plugins.
The above step will take some time to scan all the plugins. Once it completes, it will show the vulnerable plugins and all the related details. Every plugin marked with the [!] symbol is vulnerable.
Now you have a complete list of all the vulnerable plugins on your WordPress site. It’s time to take corrective action: replace the vulnerable plugins with secure ones, or investigate each vulnerability further by visiting the links WPScan provides for it. You can also view the latest WordPress vulnerabilities in an online WordPress vulnerability database.
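To turn the scan results into an action list, here is an added example (not from the original article or from the WPScan project) that reads the JSON report wpscan writes with --format json -o report.json and lists each flagged plugin with its installed version, references, and whether a fixed version exists. The field names follow wpscan 3.x JSON output as I understand it (an assumption), and the embedded report is a constructed sample, not output from a real site.

```python
import json

# Constructed sample in the shape wpscan emits with `--format json`
# (field names assumed from wpscan 3.x; only the keys this script reads are present).
SAMPLE_WPSCAN_JSON = """
{"plugins": {
  "example-gallery": {
    "version": {"number": "1.2.0"},
    "vulnerabilities": [{
      "title": "Example Gallery < 1.3.0 - Stored XSS (constructed)",
      "fixed_in": "1.3.0",
      "references": {"url": ["https://example.invalid/advisory/1"]}}]},
  "example-seo": {"version": {"number": "4.0.1"}, "vulnerabilities": []},
  "example-forms": {
    "version": null,
    "vulnerabilities": [{
      "title": "Example Forms <= 2.0 - Broken access control (constructed)",
      "fixed_in": null,
      "references": {}}]}
}}
"""


def vulnerable_plugins(report_json):
    """Return one dict per finding for every plugin wpscan flagged, with a corrective action."""
    report = json.loads(report_json)
    findings = []
    for slug, plugin in sorted(report.get("plugins", {}).items()):
        vulns = plugin.get("vulnerabilities") or []
        if not vulns:
            continue  # clean plugin: listed by wpscan but not marked [!]
        # wpscan leaves "version" null when it cannot detect the installed version
        version = (plugin.get("version") or {}).get("number") or "unknown"
        for v in vulns:
            fixed_in = v.get("fixed_in")
            findings.append({
                "plugin": slug,
                "installed": version,
                "title": v["title"],
                "references": (v.get("references") or {}).get("url") or [],
                # a fixed_in version means an update closes the hole; otherwise replace/remove
                "action": f"update to {fixed_in}" if fixed_in
                          else "remove or replace (no fixed version listed)",
            })
    return findings


if __name__ == "__main__":
    for f in vulnerable_plugins(SAMPLE_WPSCAN_JSON):
        print(f"[!] {f['plugin']} ({f['installed']}): {f['title']} -> {f['action']}")
        for ref in f["references"]:
            print(f"    ref: {ref}")
```

Replace SAMPLE_WPSCAN_JSON with the contents of the report.json written by your own scan to get the action list for your site.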