It is not easy to find a free WordPress security scanner that is both easy to use and actually works. In this guide, I’ll introduce a free tool called WPSeku, which is written in Python and is therefore portable to any system.
From Wikipedia, a vulnerability scanner is defined as a computer program that’s designed to assess computers, computer systems, networks or applications for known weaknesses.
A vulnerability scanner is used to discover the weak points or poorly constructed parts in a system, e.g. vulnerabilities relating to misconfigured assets or flawed software that resides on a network-based asset such as a firewall, router, web server, application server, etc.
WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
Install WordPress Vulnerability Scanner – WPSeku
The WPSeku WordPress Security Scanner tool requires Python 3. If you don’t have it, make sure to install it before you continue. Confirm it is present with:
# which python3
/usr/bin/python3
Once you confirm python3 is installed, install WPSeku WordPress Security Scanner from GitHub.
Change to the wpseku directory.
Install python dependencies using pip3.
Ensure you have pip3 installed. For Ubuntu and Debian, you can install it using:
Run the wpseku.py script.
WordPress Security Scanner – WPSeku usage
The options that can be passed to the wpseku.py script are:
-u --url Target URL (e.g: http://site.com)
-b --brute Bruteforce login via xmlrpc
-U --user Set username for bruteforce, default "admin"
-s --scan Checking WordPress plugin code
-p --proxy Use a proxy, (host:port)
-c --cookie Set HTTP Cookie header value
-a --agent Set HTTP User-agent header value
-r --ragent Use random User-agent header value
-R --redirect Set redirect target URL False
-t --timeout Seconds to wait before timeout connection
-w --wordlist Set wordlist, default "db/wordlist.txt"
-v --verbose Print more information
-h --help Show this help and exit
Let’s look at some examples.
Generic WPSeku Scan
Scan plugin, theme and WordPress code
You can also scan plugin, theme and WordPress core code locally. Type:
$ python3 wpseku.py --scan <dir/file> --verbose
Where <dir/file> is the absolute path to your WordPress installation directory. It can be the parent directory, the plugins directory or the themes directory.
WPSeku Bruteforce Login
To perform a brute-force login attempt, you first need a dictionary of passwords to try against the account. A sample file is available at db/wordlist.txt.
Replace user with the WordPress username to test against and wl.txt with your password wordlist.