Checking WordPress with WPScan
If you use WordPress regularly, you know that it is often the target of hacking attempts, and rightfully so. It accounts for nearly a quarter of all websites! Why wouldn’t a hacker want to target WordPress? That, plus the plethora of amateur developers releasing plug-ins and themes with gaping security flaws, makes WordPress an easy win for someone with malicious intent.
You probably already know about the vast list of security plug-ins, that you shouldn't write down your passwords, that you should use a different password on every site, etc. I'm not going to list all of those things, because it's boring and repetitive. I am going to tell you about WPScan though. WPScan does exactly what it sounds like: it scans your WordPress site for a known version, plug-ins, themes and users, and checks them against its vulnerability database. Boom. That simple. It's sponsored by the folks over at Sucuri, so you know it's legit.
Do yourself a favor and check out WPScan either on their website or just go to the Github repo and clone it. It doesn't work on Windows, so sorry about that, but it runs fine on a Mac or Linux machine. The install is pretty simple too. Here's what I did on Debian/Ubuntu (the first line pulls in the headers that the Ruby gems need to compile; other distros will have equivalent packages):
sudo apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && bundle install --without test
Also, it's nice to set an alias (put it in your ~/.bashrc so it survives a new shell) so you don't have to be in that directory to run it all the time:
alias wpscan="ruby /home/USERNAMEHERE/Documents/wpscan/wpscan.rb"
That way, you just run wpscan --update (to refresh the vulnerability database) or whatever other command you want, and it works. It'll give you a nice big list of findings that you should look into, and tell you a few things about your site you probably didn't know.
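The post stops at the install and the alias, so here is an added example of how a scan might actually be run from that checkout. It is my wrapper script, not code from the original post or from the WPScan project. It assumes the WPScan 2.x command line of the time (--url, --enumerate, --update, --batch and --random-agent; later 3.x releases renamed some flags), assumes the repo lives where the alias above points unless WPSCAN_DIR is set, and assumes you only point it at a site you own or are authorised to test.

```shell
#!/bin/sh
# Added example: thin wrapper around a cloned WPScan 2.x checkout.
# Not part of the original post or of WPScan itself.
# Assumptions: WPSCAN_DIR holds the git clone (default matches the alias in the post),
# and the WPScan 2.x flags --url/--enumerate/--update/--batch/--random-agent are available.

WPSCAN_DIR="${WPSCAN_DIR:-$HOME/Documents/wpscan}"

# Build the argument list for one scan. Kept as a pure function so it is easy to test.
#   vp = vulnerable plugins, vt = vulnerable themes, u = usernames (brute-force targets)
#   --batch        never prompt, take the default answer (safe for cron / CI)
#   --random-agent rotate the User-Agent so the scanner's default string is not trivially blocked
wpscan_args() {
    url="$1"
    printf '%s' "--url $url --enumerate vp,vt,u --batch --random-agent"
}

# Refuse anything that does not look like an http(s) URL before touching the network.
valid_target() {
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Update the vulnerability database, run the scan, and keep a timestamped copy of the report.
run_scan() {
    target="$1"
    if ! valid_target "$target"; then
        echo "usage: $0 https://your-site.example" >&2
        return 2
    fi
    logdir="${WPSCAN_LOGDIR:-$HOME/wpscan-logs}"
    mkdir -p "$logdir"
    logfile="$logdir/$(date +%Y%m%d-%H%M%S).log"
    # A stale database gives a clean bill of health for known-bad versions, so update first.
    ruby "$WPSCAN_DIR/wpscan.rb" --update &&
    # shellcheck disable=SC2046  (word splitting of the argument string is intended)
    ruby "$WPSCAN_DIR/wpscan.rb" $(wpscan_args "$target") 2>&1 | tee "$logfile"
}

# Only scan when invoked with a target, so the functions can be sourced without side effects.
if [ -n "$1" ]; then
    run_scan "$1"
fi
```

Run it as `sh wpscan-site.sh https://your-site.example`; the full report lands in ~/wpscan-logs so you can diff successive runs and see what changed after updating a plug-in.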