(Last Updated On: March 29, 2018)

It is not easy to find a free WordPress security scanner that is both easy to use and actually works. In this guide, I'll introduce a free tool called WPSeku, which is written in Python and therefore runs on any system with a Python interpreter.

From Wikipedia, a vulnerability scanner is defined as a computer program designed to assess computers, computer systems, networks or applications for known weaknesses.

A vulnerability scanner is used to discover the weak points or poorly constructed parts of a system, e.g. vulnerabilities relating to misconfigured assets or flawed software residing on a network-based asset such as a firewall, router, web server or application server.

WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Install WordPress Vulnerability Scanner – WPSeku

The WPSeku WordPress Security Scanner requires Python 3. If you don't have it, make sure to install it before you continue.

# which python3
/usr/bin/python3

Once you have confirmed that python3 is installed, install WPSeku WordPress Security Scanner from GitHub.

Clone repository:

$ git clone https://github.com/m4ll0k/WPSeku.git wpseku
Cloning into 'wpseku'...
remote: Counting objects: 310, done.
remote: Compressing objects: 100% (80/80), done.
remote: Total 310 (delta 34), reused 54 (delta 12), pack-reused 216
Receiving objects: 100% (310/310), 880.00 KiB | 528.00 KiB/s, done.
Resolving deltas: 100% (163/163), done.

Change to the wpseku directory.

$ cd wpseku

Install python dependencies using pip3.

Ensure you have pip3 installed. For Ubuntu and Debian, you can install it using:

$ sudo apt-get install python3-pip

Then:

$ sudo pip3 install -r requirements.txt

Run wpseku.py script.

$ python3 wpseku.py

WordPress Security Scanner – WPSeku usage

Some of the options that can be passed to the wpseku.py script are:

-u --url      Target URL (e.g. http://site.com)
-b --brute    Bruteforce login via xmlrpc
-U --user     Set username for bruteforce, default "admin"
-s --scan     Checking WordPress plugin code
-p --proxy    Use a proxy, (host:port)
-c --cookie   Set HTTP Cookie header value
-a --agent    Set HTTP User-agent header value
-r --ragent   Use random User-agent header value
-R --redirect Set redirect target URL False
-t --timeout  Seconds to wait before timeout connection
-w --wordlist Set wordlist, default "db/wordlist.txt"
-v --verbose  Print more information
-h --help     Show this help and exit

Let’s look at some examples.

Generic WPSeku Scan

$ python3 wpseku.py --url https://www.xxxxxxx.com --verbose

Sample output:

----------------------------------------
 _ _ _ ___ ___ ___| |_ _ _ 
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - Wordpress Security Scanner
by Momo Outaadi (m4ll0k)
----------------------------------------

[ + ] Target: https://www.xxxxxxx.com
[ + ] Starting: 02:38:51

[ + ] Server: Apache
[ + ] Uncommon header "X-Pingback" found, with contents: https://www.xxxxxxx.com/xmlrpc.php
[ i ] Checking Full Path Disclosure...
[ + ] Full Path Disclosure: /home/ehc/public_html/wp-includes/rss-functions.php
[ i ] Checking wp-config backup file...
[ + ] wp-config.php available at: https://www.xxxxxxx.com/wp-config.php
[ i ] Checking common files...
[ + ] robots.txt file was found at: https://www.xxxxxxx.com/robots.txt
[ + ] xmlrpc.php file was found at: https://www.xxxxxxx.com/xmlrpc.php
[ + ] readme.html file was found at: https://www.xxxxxxx.com/readme.html
[ i ] Checking directory listing...
[ + ] Dir "/wp-admin/css" listing enable at: https://www.xxxxxxx.com/wp-admin/css/
[ + ] Dir "/wp-admin/images" listing enable at: https://www.xxxxxxx.com/wp-admin/images/
[ + ] Dir "/wp-admin/includes" listing enable at: https://www.xxxxxxx.com/wp-admin/includes/
[ + ] Dir "/wp-admin/js" listing enable at: https://www.xxxxxxx.com/wp-admin/js/
[ + ] WordPress login is protected by WAF
[ i ] Checking robots paths...
[ i ] Checking WordPress version...

[ i ] Passive enumeration themes...
[ + ] Not found themes with passive enumeration
[ i ] Passive enumeration plugins...
[ + ] Not found plugins with passive enumeration
[ i ] Enumerating users...
[ + ] Not found usernames...
-------------------------
| ID | Username | Login |
-------------------------
-------------------------
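As an added example (not part of the original post or of WPSeku itself), the following Python script parses the "[ + ]" lines of a verbose scan like the one above into findings with a severity and a remediation hint, so the output can be triaged rather than read line by line. The sample text and the rule table are constructed for this example; informational "[ + ]" lines (target, server, the WAF notice) match no rule and are dropped.

```python
import re
from dataclasses import dataclass
# Constructed sample in the shape of WPSeku's verbose output (not a real scan result).
SAMPLE_OUTPUT = """\
[ + ] Target: https://www.example.invalid
[ i ] Checking Full Path Disclosure...
[ + ] Full Path Disclosure: /var/www/html/wp-includes/rss-functions.php
[ + ] wp-config.php available at: https://www.example.invalid/wp-config.php
[ + ] readme.html file was found at: https://www.example.invalid/readme.html
[ + ] Dir "/wp-admin/css" listing enable at: https://www.example.invalid/wp-admin/css/
[ + ] WordPress login is protected by WAF
"""

@dataclass
class Finding:
    severity: str
    check: str
    evidence: str
    fix: str

# (pattern over the text after "[ + ] ", severity, check name, remediation)
RULES = [
    (re.compile(r"^Full Path Disclosure: (?P<ev>.+)"), "medium", "full-path-disclosure",
     "Turn off PHP display_errors so filesystem paths are not echoed to clients"),
    (re.compile(r"^wp-config\.php available at: (?P<ev>\S+)"), "high", "wp-config-exposed",
     "Deny web access to wp-config.php and to editor backups of it (e.g. wp-config.php.bak)"),
    (re.compile(r"^readme\.html file was found at: (?P<ev>\S+)"), "low", "readme-exposed",
     "Remove readme.html; it reveals the installed WordPress version"),
    (re.compile(r'^Dir "(?P<ev>[^"]+)" listing enable'), "medium", "directory-listing",
     "Disable directory indexes (Apache: Options -Indexes)"),
]
LINE_RE = re.compile(r"^\[ \+ \] (?P<msg>.*)$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_findings(output):
    """Keep only '[ + ]' lines that match a rule; '[ i ]' progress lines and table rows carry none."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule, severity, check, fix in RULES:
            hit = rule.match(m.group("msg"))
            if hit:  # '[ + ]' lines such as Target or the WAF notice match no rule and are skipped
                findings.append(Finding(severity, check, hit.group("ev"), fix))
                break
    return findings
def summarize(findings):
    """Order findings high -> medium -> low for triage; the sort is stable within a severity."""
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])
```

Feed it the captured stdout of a `--verbose` run and print `summarize(parse_findings(text))` to get the highest-impact item, here the exposed wp-config.php, at the top of the list.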

Scan plugin, theme and WordPress code

You can also scan plugin, theme and WordPress core code on the local filesystem. Type:

$ python3 wpseku.py --scan <dir/file> --verbose

Where <dir/file> is the absolute path to a single file or to your WordPress installation directory; the directory can be the WordPress root, the plugins directory or the themes directory.

WPSeku Bruteforce Login

To perform a brute-force login attempt, you first need a wordlist of passwords to try. A sample file is available at db/wordlist.txt.

$ python3 wpseku.py --url https://www.xxxxxxx.com --brute --user test --wordlist wl.txt --verbose

Replace test with the WordPress username to try and wl.txt with your password wordlist.
