26 September 2021

Identify Vulnerabilities in Your WordPress Site Using WPScan Plugin

WordPress is the most popular content management system and, according to W3Techs, powers close to 43% of all websites on the internet. One of the reasons for WordPress's popularity is its support for customisation through themes and plugins. However, every theme and plugin that is installed increases the attack surface, because each of these components may contain vulnerabilities of its own. The WPScan plugin helps address this by regularly scanning your WordPress site for known vulnerabilities. It checks the installed versions of WordPress core, plugins and themes against the WPScan vulnerability database and also performs security checks such as detecting weak passwords. This post describes how to configure the WPScan plugin so that it scans your site automatically and notifies you of any vulnerabilities it finds.

Configuring WPScan Plugin

  • Log into your WordPress site, navigate to Plugins > Add New, search for ‘wpscan’ then install and activate the plugin

  • Before you can use WPScan, you need to provide an API token. You can get a free API token from WPScan by registering an account

  • In WordPress, navigate to WPScan > Settings
  • Paste your API token in the ‘WPScan API token’ field and complete the rest of the fields for scheduling a scan then click ‘Save Changes’

  • Navigate to WPScan > Report
  • To perform a manual scan, select ‘Run All’.

  • Once the scan is complete, the results are returned. In this example, WPScan reported two known vulnerabilities in the installed WooCommerce plugin.

  • No vulnerabilities were found in the installed themes.

  • The last section lists the Security Checks. Here WPScan detected that the site is not using HTTPS, that the admin account is using a weak password and that XML-RPC is enabled. To find out more about an issue, including the recommended remediations, select ‘Click here for further details’.

  • There is also a ‘Notification’ setting that can be configured so that you receive email alerts whenever new vulnerabilities are found on your site.
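To make the plugin's plugin-scan step concrete, the following added example (written for this post, not code from the WPScan plugin or from wpscan.com) reproduces its core logic in Python: read the `Version:` header from a plugin's main PHP file, fetch that plugin's record from the WPScan API (v3, with the token passed in an `Authorization: Token token=...` header), and report the vulnerabilities whose `fixed_in` version is newer than the installed one or that have no fix yet. The plugin slug `example-plugin`, its header block and the API response in `SAMPLE_REPORT` are all constructed for the example and contain fictional entries, so the code runs offline without a token.

```python
"""Check a WordPress plugin's installed version against WPScan API data.

Added example for this post; not the WPScan plugin's own code. The sample
plugin header and the sample API response below are constructed and
fictional, so everything here runs offline. fetch_plugin_report() shows
the real API call but is only needed when you have a token.
"""
import json
import re
import urllib.request
from typing import Optional

WPSCAN_API = "https://wpscan.com/api/v3"

# Constructed sample: the header block of a (fictional) plugin's main PHP file.
SAMPLE_PLUGIN_PHP = """<?php
/**
 * Plugin Name: Example Plugin
 * Plugin URI:  https://example.com/example-plugin
 * Description: Constructed sample plugin header for this example.
 * Version:     2.3.1
 * Author:      Example
 */
"""

# Constructed sample in the shape of a WPScan API v3 plugin response.
# The titles and fixed_in values are fictional, not real advisories.
SAMPLE_REPORT = {
    "example-plugin": {
        "friendly_name": "Example Plugin",
        "latest_version": "2.4.0",
        "vulnerabilities": [
            {"title": "Example Plugin < 2.3.0 - Fictional Reflected XSS",
             "vuln_type": "XSS", "fixed_in": "2.3.0"},
            {"title": "Example Plugin < 2.4.0 - Fictional CSRF",
             "vuln_type": "CSRF", "fixed_in": "2.4.0"},
            # fixed_in is null when no patched release exists yet.
            {"title": "Example Plugin - Fictional Unpatched Issue",
             "vuln_type": "UNKNOWN", "fixed_in": None},
        ],
    }
}


def parse_plugin_version(plugin_php: str) -> Optional[str]:
    """Extract the 'Version:' header from a WordPress plugin's main PHP file."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_php,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically.

    Caveat: pre-release suffixes such as '-beta1' are ignored, so
    '2.4.0-beta1' compares equal to '2.4.0'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def fetch_plugin_report(slug: str, api_token: str) -> dict:
    """Fetch one plugin's record from the WPScan API (requires a wpscan.com token)."""
    req = urllib.request.Request(
        f"{WPSCAN_API}/plugins/{slug}",
        headers={"Authorization": f"Token token={api_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def affected_vulns(installed: str, report: dict, slug: str) -> list:
    """Return the vulnerabilities that affect the installed version.

    A vulnerability applies when it has no fix (fixed_in is null) or when
    the installed version is older than the release that fixed it.
    """
    hits = []
    for vuln in report.get(slug, {}).get("vulnerabilities", []):
        fixed_in = vuln.get("fixed_in")
        if fixed_in is None or version_key(installed) < version_key(fixed_in):
            hits.append(vuln)
    return hits


def scan_plugin(slug: str, plugin_php: str, report: dict) -> list:
    """Combine header parsing and matching; returns the affected vulnerability titles."""
    installed = parse_plugin_version(plugin_php)
    if installed is None:
        raise ValueError(f"no Version header found for {slug}")
    return [v["title"] for v in affected_vulns(installed, report, slug)]


if __name__ == "__main__":
    for title in scan_plugin("example-plugin", SAMPLE_PLUGIN_PHP, SAMPLE_REPORT):
        print("AFFECTED:", title)
```

With the installed version 2.3.1, the XSS entry is skipped because it was fixed in 2.3.0, while the CSRF entry (fixed in 2.4.0) and the unpatched entry are reported. To run it against a real site, replace `SAMPLE_REPORT` with `fetch_plugin_report(slug, api_token)` and read the header from `wp-content/plugins/<slug>/<slug>.php`; note that the free WPScan API tier caps the number of requests per day, which is why the plugin spreads its checks over a schedule rather than querying on every page load.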

With the WPScan plugin installed and configured, you will be notified of newly published vulnerabilities affecting your WordPress site and can remediate them using the guidance linked from each finding. Bear in mind that the plugin only reports vulnerabilities that are already recorded in the WPScan database, so keeping WordPress core, plugins and themes up to date, and removing components you no longer use, remains essential.

tags: security operations vulnerability management wordpress