As the popularity of WordPress continues to grow, so does the need for robust security measures to protect your website from potential vulnerabilities. Fortunately, there are free tools available that can scan your WordPress site and identify security weaknesses.
In this blog post, we will explore four powerful tools that can help you fortify your WordPress fortress. Each tool is accompanied by an explanation, link, and screenshots, providing you with a comprehensive overview of their features and capabilities.
Table of Contents
Let’s dive in and ensure the safety of your WordPress website!
WPScan
WPScan is a widely acclaimed WordPress vulnerability scanner that checks your website for security loopholes, outdated plugins, and themes. It is a command-line tool built on Ruby that performs comprehensive security checks, including scanning for known vulnerabilities, weak passwords, and outdated software versions. WPScan is regularly updated to keep up with the latest threats and is trusted by security professionals worldwide.
$ wpscan --url https://example_website.com --random-user-agent --enumerate vp,u,vt,tt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: https://example_website.com/ [162.159.135.42]
[+] Started: Mon Jul 10 13:40:49 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - cf-ray: 7e4b47c21c12b6eb-QRO
| - cf-cache-status: BYPASS
| - ki-cache-type: Edge
| - ki-cf-cache-status: BYPASS
| - ki-edge: v=20.0.0;mv=2.0.4
| - permissions-policy: geolocation 'self'; autoplay 'self'; camera 'self'; accelerometer 'none'; gyroscope 'none'; magnetometer 'none'; midi 'none'; speaker 'none'; microphone 'none'; payment 'none'; usb 'none'; picture-in-picture 'none'; ambient-light-sensor 'none'; vr 'none'
| - referrer-policy: strict-origin-when-cross-origin
| - x-edge-location-klb: 1
| - x-kinsta-cache: MISS
| - report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2hQ9xX1KgjLZTCrrXZ%2BG1GXc4HvNMywt7cAYU9IaQzNC8le9qr7XeVU5lWfAWnn2lUHP6xq02AdTJsrl91NyZmYJZhJCJGmaa8tm%2BzIOrgxxM5Gv%2F%2Bb7ms79Xsm0op0WxQ%3D%3D"}],"group":"cf-nel","max_age":604800}
| - nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
| - server: cloudflare
| - alt-svc: h3=":443"; ma=86400
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: https://example_website.com/robots.txt
| Interesting Entries:
| - /?s=
| - /page/*/?s=
| - /search/
| - /wp-json/
| - /?rest_route=
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://example_website.com/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 30%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] This site has 'Must Use Plugins': https://example_website.com/wp-content/mu-plugins/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 80%
| Reference: http://codex.wordpress.org/Must_Use_Plugins
[+] Registration is enabled: https://example_website.com/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://example_website.com/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.2.2 identified (Latest, released on 2023-05-20).
| Found By: Query Parameter In Upgrade Page (Aggressive Detection)
| - https://example_website.com/wp-includes/css/dashicons.min.css?ver=6.2.2
| - https://example_website.com/wp-includes/css/buttons.min.css?ver=6.2.2
| - https://example_website.com/wp-admin/css/forms.min.css?ver=6.2.2
| - https://example_website.com/wp-admin/css/l10n.min.css?ver=6.2.2
| - https://example_website.com/wp-admin/css/install.min.css?ver=6.2.2
[+] WordPress theme in use: Divi
| Location: https://example_website.com/wp-content/themes/Divi/
| Latest Version: 4.21.1 (up to date)
| Readme: https://example_website.com/wp-content/themes/Divi/README.md
| Style URL: https://example_website.com/wp-content/themes/Divi/style.css
| Style Name: Divi
| Style URI: http://www.elegantthemes.com/gallery/divi/
| Description: Smart. Flexible. Beautiful. Divi is the most powerful theme in our collection....
| Author: Elegant Themes
| Author URI: http://www.elegantthemes.com
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 4.21.1 (80% confidence)
| Found By: Style (Passive Detection)
| - https://example_website.com/wp-content/themes/Divi/style.css, Match: 'Version: 4.21.1'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:36 <=============================================> (504 / 504) 100.00% Time: 00:00:36
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:01:10 <===========================================> (2575 / 2575) 100.00% Time: 00:01:10
[i] No Timthumbs Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] John Doe
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Rss Generator (Aggressive Detection)
[+] johndoe
| Found By: Yoast Seo Author Sitemap (Aggressive Detection)
| - https://example_website.com/author-sitemap.xml
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Jul 10 13:43:05 2023
[+] Requests Done: 3160
[+] Cached Requests: 15
[+] Data Sent: 909.226 KB
[+] Data Received: 6.568 MB
[+] Memory used: 170.984 MB
[+] Elapsed time: 00:02:16
Link: WPScan
Screenshot:
Nessus
Nessus is a comprehensive vulnerability scanner widely used in the cybersecurity industry. While it is not WordPress-specific, it can be utilized to scan your WordPress website for vulnerabilities. Nessus performs in-depth checks, scanning for outdated software, weak configurations, and known security flaws. It offers detailed reports and prioritizes vulnerabilities based on their severity, helping you focus on the most critical issues.
Link: Nessus
Screenshot:
OpenVAS
OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanner that can be utilized to scan your WordPress site for potential security issues. It performs various checks, including network vulnerability scanning, web application scanning, and configuration auditing. OpenVAS offers extensive reporting capabilities and can be customized to meet your specific requirements.
Link: OpenVAS
Screenshot:
Vega
Vega is a free and open-source web vulnerability scanner that can be used to scan your WordPress site for potential security weaknesses. It performs comprehensive tests, including SQL injection, cross-site scripting, and directory traversal. Vega offers an intuitive graphical interface and provides detailed reports to help you identify and address vulnerabilities effectively.
Link: Vega
Screenshot
Conclusion: Securing your WordPress website is a top priority, and these four free tools can significantly contribute to your efforts. WPScan, Sucuri Security, Wordfence, and Nessus provide comprehensive scanning capabilities, identifying vulnerabilities, malware, and outdated software versions. By utilizing these tools, you can proactively address security weaknesses and ensure the robustness of your WordPress fortress. Take advantage of these free resources, strengthen your website’s security, and gain peace of mind in an increasingly interconnected world.