A recent web application vulnerability report by Acunetix shows that around 30% of WordPress sites were found to be vulnerable.

There are plenty of online security scanners to scan your website. However, if you are looking for software to install and run from your own server, then WPScan is your friend. It is useful if your website is on a private network or intranet where Internet access is not available, or if you want to test multiple sites at multiple times. WPScan is free software that helps you identify security-related problems on your WordPress site. It does several things, such as:

- Check if the site is using a vulnerable WP version
- Check if themes and plugins are up-to-date or known to be vulnerable
- Check Timthumbs
- Check for configuration backups and DB exports
- Brute-force attack

and a lot more… There are several ways to use WPScan:

- By installing it on Linux servers
- Using Docker
- Using a pre-installed Linux distro like Kali Linux, BackBox, Pentoo, BlackArch, etc.
- Online version

Using on CentOS

The following are tested on CentOS 7.x.

Log in to CentOS as root

Update the repository

Install the latest Ruby and its dependencies

Install Ruby Nokogiri

Reboot the server and then install WPScan using the gem command

It will take a few seconds to install, and once done, you should see something like this. WPScan is installed and ready to use now. Execute wpscan and you should see it return the output below. Here is the output of one of the site tests. Note: if you need vulnerability data in the output, then you need to use their API. If you are interested in testing specific metrics, then check out the help by executing wpscan with the --help option.
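As an added example (not the page's own commands), the following POSIX shell script collects the CentOS 7 steps above into one function and wraps the scan invocation, so the same set of checks can be reused against any site. The yum package list and the WPSCAN_API_TOKEN variable name are assumptions of this example; the enumeration codes and flags are WPScan's own and map to the checks listed in the introduction (vulnerable plugins and themes, Timthumbs, configuration backups, DB exports, users).

```shell
#!/bin/sh
# Added example: install the wpscan gem on CentOS 7 and run a single scan.
# Package names below are an assumption based on the stock yum repositories;
# they are not copied from the page.
set -eu

# Build tools and headers needed to compile native gem extensions (nokogiri).
# Run once, as root.
install_wpscan_centos7() {
    yum -y update
    yum -y groupinstall "Development Tools"
    yum -y install ruby ruby-devel rubygems libxml2-devel libxslt-devel \
        libcurl-devel zlib-devel openssl-devel
    # The wpscan gem requires a reasonably recent Ruby; compare `ruby -v`
    # with the version the gem's own metadata demands before this step.
    gem install nokogiri
    gem install wpscan
    wpscan --version
}

# Assemble the scan arguments. Enumeration codes: vp/vt = vulnerable
# plugins/themes, tt = timthumbs, cb = config backups, dbe = database
# exports, u = user enumeration. An API token (read from WPSCAN_API_TOKEN,
# a variable name chosen for this example) is needed for vulnerability data.
# A second argument switches on JSON output to that file.
wpscan_args() {
    url="$1"
    out="${2:-}"
    args="--url $url --enumerate vp,vt,tt,cb,dbe,u --random-user-agent"
    if [ -n "${WPSCAN_API_TOKEN:-}" ]; then
        args="$args --api-token $WPSCAN_API_TOKEN"
    fi
    if [ -n "$out" ]; then
        args="$args -f json -o $out"
    fi
    printf '%s' "$args"
}

# Run the scan with the assembled arguments (word splitting is intended;
# none of the arguments contain spaces).
run_scan() {
    # shellcheck disable=SC2046
    wpscan $(wpscan_args "$@")
}

# Usage (constructed example site):
#   install_wpscan_centos7
#   WPSCAN_API_TOKEN=... run_scan https://blog.example.com report.json
```

The JSON report written by run_scan is what you would feed into a ticketing or reporting pipeline; the interactive colour output is for reading at the terminal only.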

Using WPScan on Kali Linux

The beauty of using Kali Linux is that you don’t have to install anything; WPScan is pre-installed. Let’s find out how to run the scanner.

Log in to Kali Linux as root and open a terminal

Run the scan using the wpscan command

Using Docker

A Docker fan? Why not; it is easy to get started. Ensure you have Docker installed.

Pull the WPScan Docker image

Once pulled, run it like below.
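An added example, not from the original post: a POSIX shell wrapper around the wpscanteam/wpscan image that scans every site in a list and writes one timestamped JSON report per site, which suits the "multiple sites at multiple times" use the introduction mentions. The report directory layout, the sites file format, the volume mount and the WPSCAN_API_TOKEN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: batch-scan a list of WordPress sites with the official
# wpscanteam/wpscan image, one JSON report per site and run.
set -eu

# Host directory that receives the reports (assumption of this example).
REPORT_DIR="${REPORT_DIR:-$PWD/wpscan-reports}"

# Turn a URL into a safe file-name stem: drop the scheme and trailing
# slashes, then replace anything outside [A-Za-z0-9._-] with '_'.
slug_from_url() {
    printf '%s' "$1" \
        | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#/*$##' \
        | tr -c 'A-Za-z0-9._-' '_'
}

# Build the docker invocation for one site. The report directory is mounted
# at /reports inside the container; the image runs as a non-root user, so
# that directory must be writable by it (chown or chmod it if a scan fails
# with a permission error). No -it flags: this is meant for unattended runs.
docker_scan_args() {
    url="$1"
    stamp="$2"
    report="/reports/$(slug_from_url "$url")-$stamp.json"
    args="run --rm -v $REPORT_DIR:/reports wpscanteam/wpscan --url $url --enumerate vp,vt,tt,cb,dbe,u --random-user-agent -f json -o $report"
    if [ -n "${WPSCAN_API_TOKEN:-}" ]; then
        args="$args --api-token $WPSCAN_API_TOKEN"
    fi
    printf '%s' "$args"
}

# Scan every non-empty, non-comment line of the sites file; a failing scan
# is reported but does not stop the remaining sites.
scan_all() {
    sites_file="$1"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$REPORT_DIR"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$sites_file" \
        | while IFS= read -r url; do
            echo "[*] scanning $url"
            # shellcheck disable=SC2046
            docker $(docker_scan_args "$url" "$stamp") \
                || echo "[!] scan failed for $url" >&2
        done
}

# Constructed sites.txt for illustration:
#   # internal blogs
#   https://blog.example.com
#   https://shop.example.org/wp/
# Usage: WPSCAN_API_TOKEN=... ./scan_all.sh sites.txt
if [ -n "${1:-}" ]; then
    scan_all "$1"
fi
```

Keeping the report file name tied to the run timestamp lets you diff successive reports for a site and see which findings are new and which were already fixed.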

Easy?

WPScan powered Online Scanner

You can leverage the following tools powered by WPScan.

Geekflare

Geekflare WordPress Security Scanner lets you quickly find out if a given WordPress site has a vulnerable core version, theme, plugin, etc.

On top of the WPScan metrics, it also checks the following.

- Is the admin console exposed?
- Is the site considered safe by Google?
- Is it accessible over HTTPS?
- Are the front-end JavaScript libraries vulnerable?

You don’t need to register an account; you can run the test on demand for FREE.

Pentest-Tools

A tool by Pentest-Tools lets you test a WP site on demand and produces a report.

What’s next? Well done if your site is not vulnerable. However, if it is, then work on those risk items. If you are not sure how to mitigate them, then get professional help.
