Source: WPScan by the WPScan Team
If you’re using a WordPress site then you really should be using the WordPress Scanner WPScan. It’s SUPER simple to install and very user friendly.
I heard about it from ma.ttias.be’s website which I’ve been following for a while now since he’s pretty spot on when it comes to IT Security and does a good deal of work with Zabbix (Mobile Zabbix UI, if you haven’t checked it out, is pretty sweet).
Returning to the original subject, WPScan.
For me, installation was a simple series of commands (I’m running Ubuntu 14.04.2, LTS):
-
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
-
git clone https://github.com/wpscanteam/wpscan.git
-
cd wpscan
-
sudo gem install bundler && bundle install --without test
-
./wpscan.rb --update
-
./wpscan.rb --url http(s)://yourwebsite.whoa
Running the scan on my website revealed an HTML file that tells the WordPress version (not in and of itself a vulnerability, but still why give an attacker any information right off the bat), open Registration being enabled (I don’t mind, this isn’t a vulnerability it just results in me getting a LOT of spam), and directory listing being enabled (pretty significant in my book).
All in all, the process took about 15 minutes from install to secured.
This is highly recommended in my book.
Cheers,
-M