In a recent demonstration, a real hacker used WPScan to uncover vulnerabilities in WordPress websites. WPScan is a black-box scanner built for WordPress: it fingerprints the core version, installed plugins and themes, compares them against a database of known vulnerabilities, enumerates usernames and can run password attacks against the login form. Below, we'll explore how to use WPScan effectively and provide practical commands and steps to secure your WordPress site. Run it only against sites you own or are authorized to test.
You Should Know:
1. Installing WPScan
WPScan is a command-line tool written in Ruby, so it needs Ruby plus a compiler toolchain and libcurl/libxml headers for its native gem dependencies. Here's how to install it on a Debian/Ubuntu system (Kali also ships it as the wpscan package):
sudo apt update
sudo apt install ruby-full ruby-dev build-essential libcurl4-openssl-dev libxml2-dev libxslt1-dev
sudo gem install wpscan
wpscan --update
The last command downloads the current fingerprint database; check the install with wpscan --version.
For Windows users, install the Windows Subsystem for Linux (WSL), open the Linux shell and follow the Linux instructions above. WPScan also publishes an official Docker image (wpscanteam/wpscan), which avoids the Ruby setup entirely.
2. Basic WPScan Commands
Once installed, you can start scanning a WordPress site. WPScan fingerprints components and then looks them up in the WPScan vulnerability database, which requires a free API token from wpscan.com passed with --api-token; without a token the scan still lists versions, plugins and themes but reports no vulnerability data. Only scan sites you own or have written authorization to test. Here are the essential commands:

- Scan a WordPress Site:
wpscan --url https://example.com --api-token YOUR_TOKEN
With no --enumerate option WPScan fingerprints the WordPress version and main theme, reports interesting findings (for example an exposed readme.html or xmlrpc.php) and runs its default plugin and config-backup enumeration.

- Enumerate Plugins:
wpscan --url https://example.com --enumerate vp
The value selects the scope: p checks for popular plugins, vp reports only plugins with known vulnerabilities, and ap checks for every plugin WPScan knows (slow and noisy, because it requests each plugin directory). Detected versions are compared against the vulnerability database.

- Enumerate Themes:
wpscan --url https://example.com --enumerate vt
The same scope letters apply to themes: t (popular), vt (vulnerable), at (all). Options can be combined, e.g. --enumerate vp,vt,u.

- Enumerate Users:
wpscan --url https://example.com --enumerate u
Harvests usernames through author archives (?author=N), RSS feeds, the REST API (/wp-json/wp/v2/users) and login error messages. Every username found here becomes a target for the password attack below.

- Password Attack:
wpscan --url https://example.com --usernames admin,editor --passwords /path/to/password/list.txt
Runs a dictionary attack against wp-login.php with the given usernames (if --usernames is omitted, WPScan enumerates users first). --password-attack xmlrpc-multicall sends many guesses per request via xmlrpc.php, which is faster but only works while XML-RPC is enabled. Expect account lockouts and noisy logs on the target; use it only with explicit permission.
3. Securing Your WordPress Site
After identifying vulnerabilities, take the following steps to secure your site:

- Update WordPress Core, Plugins and Themes:
Apply every update WPScan flagged; a component listed with a "fixed in" version remains exploitable until it reaches that version. Enable auto-updates where the site can tolerate them.

- Remove Unused Plugins and Themes:
Delete (do not just deactivate) any plugins or themes that are not in use. A deactivated plugin's files are still reachable from the web and can still carry exploitable code.

- Use Strong Passwords:
Implement strong, unique passwords for all user accounts, especially the usernames that --enumerate u exposed.

- Enable Two-Factor Authentication (2FA):
Use a plugin like Wordfence or Google Authenticator to enable 2FA, so a guessed password alone is not enough to log in.

- Limit Login Attempts:
Install a plugin like Limit Login Attempts Reloaded to slow down the dictionary attack shown above. Consider disabling XML-RPC if nothing uses it, since xmlrpc.php allows many guesses per request.

- Regular Backups:
Use a plugin like UpdraftPlus to schedule regular backups of your site, stored off the web server, so you can restore cleanly after a compromise.
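Putting sections 2 and 3 together: the scan produces findings, and each finding maps onto one of the hardening steps above. The Python script below is an added example, not code from the original post or from the WPScan project. It builds the full command line for an authorized scan (--enumerate vp,vt,u, an API token, JSON output via --format json --output) and then turns the resulting report into a prioritized remediation list. The field names it reads (version, plugins, themes, users, outdated, latest_version, fixed_in) follow what wpscan --format json writes; SAMPLE_REPORT with its example-* slugs is constructed for the demo and is not real scan output.

```python
"""Build an authorised WPScan run and turn its JSON report into a remediation list.

Added example: not code from the original post or from the WPScan project.
The report layout mirrors what `wpscan --format json` emits (top-level
"version", "plugins", "themes" and "users" objects); every value in
SAMPLE_REPORT is constructed for illustration, not a real scan result.
"""
import json
import shlex


def build_scan_command(url, api_token=None, wordlist=None, usernames=None,
                       output="wpscan.json", throttle_ms=0):
    """Return the argv list for a WPScan run against a site you are authorised to test.

    vp/vt = only plugins/themes with known vulnerabilities, u = usernames.
    The vulnerability data behind vp/vt needs --api-token; without a token
    WPScan still lists components but cannot flag them as vulnerable.
    """
    cmd = ["wpscan", "--url", url, "--enumerate", "vp,vt,u",
           "--random-user-agent", "--format", "json", "--output", output]
    if api_token:
        cmd += ["--api-token", api_token]
    if throttle_ms:
        cmd += ["--throttle", str(throttle_ms)]  # milliseconds between requests
    if wordlist:
        # Dictionary attack against wp-login.php; when --usernames is omitted
        # WPScan runs its own user enumeration first.
        cmd += ["--passwords", wordlist]
        if usernames:
            cmd += ["--usernames", ",".join(usernames)]
    return cmd


def load_report(path):
    """Read the file written by --output when --format json was used."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _component_actions(kind, entries):
    """Yield actions for one report section ("plugins" or "themes")."""
    for slug, info in sorted((entries or {}).items()):
        installed = (info.get("version") or {}).get("number")
        latest = info.get("latest_version")
        vulns = info.get("vulnerabilities") or []
        name = f"{kind[:-1]}:{slug}"
        if vulns:
            fixed = sorted({v["fixed_in"] for v in vulns if v.get("fixed_in")})
            detail = f"{len(vulns)} known vulnerabilit{'y' if len(vulns) == 1 else 'ies'}"
            detail += f", fixed in {', '.join(fixed)}" if fixed else ", no fixed version listed"
            if installed is None:
                # WPScan lists every known vuln when it cannot fingerprint the version
                detail += " (version not fingerprinted, verify installed version manually)"
            yield {"priority": 1, "component": name,
                   "action": "update now, or remove if unused", "detail": detail}
        elif info.get("outdated"):
            yield {"priority": 2, "component": name, "action": "update",
                   "detail": f"{installed or '?'} -> {latest or '?'}"}


def triage(report):
    """Map a WPScan JSON report onto the remediation steps, highest priority first."""
    actions = []
    core = report.get("version") or {}
    if core.get("vulnerabilities") or core.get("status") == "insecure":
        actions.append({"priority": 1, "component": "wordpress-core", "action": "update now",
                        "detail": f"{core.get('number', '?')} has known vulnerabilities"})
    elif core.get("status") == "outdated":
        actions.append({"priority": 2, "component": "wordpress-core", "action": "update",
                        "detail": f"{core.get('number', '?')} is not the latest release"})
    for kind in ("plugins", "themes"):
        actions.extend(_component_actions(kind, report.get(kind)))
    users = sorted((report.get("users") or {}).keys())
    if users:
        actions.append({"priority": 3, "component": "accounts",
                        "action": "enforce strong unique passwords, enable 2FA, limit login attempts",
                        "detail": "usernames exposed to anonymous visitors: " + ", ".join(users)})
    return sorted(actions, key=lambda a: (a["priority"], a["component"]))


SAMPLE_REPORT = {  # constructed for this example; slugs, versions and the finding are fictitious
    "target_url": "https://example.com/",
    "version": {"number": "6.4.2", "status": "outdated", "vulnerabilities": []},
    "plugins": {
        "example-forms": {"slug": "example-forms", "latest_version": "1.3.0", "outdated": True,
                          "version": {"number": "1.1.0"}, "vulnerabilities": []},
        "example-gallery": {"slug": "example-gallery", "latest_version": "2.1.0", "outdated": True,
                            "version": {"number": "1.4.2"},
                            "vulnerabilities": [{"title": "Example Gallery < 2.0.0 - placeholder finding",
                                                 "fixed_in": "2.0.0"}]},
    },
    "themes": {
        "example-theme": {"slug": "example-theme", "latest_version": "1.0", "outdated": False,
                          "version": {"number": "1.0"}, "vulnerabilities": []},
    },
    "users": {"admin": {"id": 1, "slug": "admin"}, "editor": {"id": 2, "slug": "editor"}},
}


if __name__ == "__main__":
    print(shlex.join(build_scan_command("https://example.com", api_token="<your-api-token>",
                                        throttle_ms=200)))
    # After a real scan: for a in triage(load_report("wpscan.json")): ...
    for a in triage(SAMPLE_REPORT):
        print(f"P{a['priority']} {a['component']:<24} {a['action']}: {a['detail']}")
```

Run it with python3 to see the command it would execute and the triage of the constructed sample; after a real scan, swap SAMPLE_REPORT for load_report("wpscan.json"). Plugins whose version WPScan could not fingerprint get every known vulnerability listed, so confirm the installed version before treating those entries as confirmed.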
What Undercode Say:
WPScan is an invaluable tool for identifying vulnerabilities in WordPress websites. By regularly scanning your site and addressing any issues, you can significantly reduce the risk of being hacked. Additionally, implementing strong security practices such as updating plugins, using strong passwords, and enabling 2FA can further protect your site from malicious attacks.
Expected Output:
- WPScan Installation: Commands to install WPScan on Linux and Windows.
- Basic WPScan Commands: Commands to scan a WordPress site, enumerate plugins, themes, and users, and perform a password attack.
- Security Measures: Steps to secure your WordPress site, including updating plugins, removing unused plugins, using strong passwords, enabling 2FA, limiting login attempts, and scheduling regular backups.
By following these steps and using WPScan effectively, you can ensure your WordPress site remains secure against potential threats.
References:
Reported By: Chuckkeith I – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅