Scan WordPress for Vulnerabilities with WPScan

WPScan is a black-box vulnerability scanner built specifically for WordPress. It is a stark reminder of why it is so important to minimize the number of plugins you use, delete the ones you have deactivated, and keep your software up to date. One simple command, sudo wpscan example.com -u, will list the WordPress usernames, the plugins installed (active or not), and every published vulnerability for those plugins, including whether each has been fixed and how it is exploited.

WPScan also reads the robots.txt file to discover “interesting” content that the site owner wants hidden from search engines. Many people mistakenly use robots.txt to list the directories they don’t want indexed, only to learn later that this file is a prime source for information gathering.

WPScan can also search for TimThumb (tt) files, another common exploit target, and it can enumerate usernames and brute-force passwords.

TimThumb is a script used by WordPress themes and plugins to resize images. Old versions of TimThumb have a security vulnerability that lets attackers upload malicious (“bad”) files from another website. That first bad file then lets the attacker upload more malicious files to the hosting account.

Great utility, powerful, and simple to use.

Controls

It would be a good idea to install a WordPress plugin that forces users to choose sufficiently complex passwords and blocks IP addresses after a certain number of failed login attempts, which essentially nullifies brute-force attacks.
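The username enumeration and password brute forcing described above leave a recognisable trail in the web server's access log, and spotting that trail is the detection side of the lockout control just recommended. The following is an added example, not code from the original post: it parses constructed Apache combined-format log lines (sample data, not real traffic) and flags source IPs that probe many /?author=N ids, request the user-listing REST endpoint, or repeatedly POST to wp-login.php without being redirected. The thresholds and the scanner user-agent string are assumptions for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def _line(ip, method, path, status, ua):
    # Builds one constructed log line (sample data for this example, not real traffic).
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'

SCANNER_UA = "WPScan-like scanner (constructed user-agent)"
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", f"/?author={i}", 301 if i < 3 else 404, SCANNER_UA) for i in range(1, 5)]
    + [_line("203.0.113.7", "GET", "/wp-json/wp/v2/users", 200, SCANNER_UA)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200, "Mozilla/5.0")] * 6
    + [_line("198.51.100.4", "GET", "/blog/hello-world/", 200, "Mozilla/5.0"),
       _line("198.51.100.4", "POST", "/wp-login.php", 302, "Mozilla/5.0")])

def detect(log_text, author_threshold=3, login_threshold=5):
    """Return {ip: [findings]} for sources showing WPScan-style enumeration or brute forcing."""
    author_ids, failed_logins = defaultdict(set), defaultdict(int)
    rest_users, scanner_ua = set(), set()
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # not in combined format; skip
        ip, method, path, status, ua = m.groups()
        hit = re.search(r"[?&]author=(\d+)", path)  # /?author=N probes reveal usernames via redirect
        if hit:
            author_ids[ip].add(hit.group(1))
        if path.startswith("/wp-json/wp/v2/users"):  # REST endpoint that lists users
            rest_users.add(ip)
        # A failed wp-login.php POST re-renders the form with HTTP 200; a success redirects (302).
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed_logins[ip] += 1
        if "wpscan" in ua.lower():  # weakest signal: any client can choose its user-agent
            scanner_ua.add(ip)
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f"author-id enumeration ({len(ids)} ids probed)")
    for ip in rest_users:
        findings[ip].append("user listing via /wp-json/wp/v2/users")
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].append(f"brute-force pattern ({n} failed POSTs to wp-login.php)")
    for ip in scanner_ua:
        findings[ip].append("scanner user-agent string")
    return dict(findings)
```

Feeding a real access log through detect() gives a per-IP list of findings that can drive an alert or feed the block list of a lockout plugin; the ordinary visitor in the sample (one successful login, normal page view) produces nothing.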

For the offensive penetration tester it would also be a good idea to install the Tor proxy so the web host cannot block the IP address WPScan is using, a simple technique to hide footprints.

We use our blog to share our latest thinking on WordPress security and to contribute back to the broader community working to make the Internet more secure. Much of our work documented here helps us to provide better service to our customers.