If you run a WordPress based website then you should sit up, pull out your notepad, and carefully consider the idea of running WPScan on your site in order to if you have any security vulnerabilities that may require your attention. This is not to say that WordPress is vulnerable per say, but the fact is all software contains some level of vulnerabilities and the more you know, the more you will understand and be able to better protect your site.
You may be surprised to learn that CVE has 177 documented vulnerabilities over the years concerning WordPress. If you are really interested in better protecting your site then you absolutely must take the time to read about hardening WordPress. For example, there are a number of excellent recommendations in the areas of securing wp-admin, securing wp-includes, securing wp-config.php, disable File Editing, and so much more.
It would be well worth the time and effort reviewing and possibly implementing these recommendations to better protect your site. In fact, as I was researching this article I found one recommendation that I had not considered and after reading that I could add a second layer of protection to my wp-includes folder structure by simply adding a simple block to the .htaccess file, I thought why not. The code in question is:
# Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule>
There are so many other things you can address in the .htaccess file and hardening WordPress will help immensely in this area. The following are a handful of options that you may also want to consider.
# disable directory browsing Options All -Indexes
# protect wpconfig.php <files wp-config.php> order allow,deny deny from all </files>
Scan, scan, and scan
To get started with WPScan you will need to install it. I am not going to cover installation because there are a number of different options you can take depending upon your scenario. I will however say that I prefer to use WPScan on Kali Linux because it not only saves time and effort surrounding the installation, but Kali has dozens upon dozens of tools that you may fine very useful on your journey of security. If for any reason you want to review the source code then you’re in luck because WPScan is located on GitHub.
wpscan --url radicaldevelopment.net --enumerate
The basic command switches include:
--url | -u <target url> The WordPress URL/domain to scan. --force | -f Forces WPScan to not check if the remote site is running WordPress. --enumerate | -e [option(s)] Enumeration. option : u usernames from id 1 to 10 u[10-20] usernames from id 10 to 20 (you must write  chars) p plugins vp only vulnerable plugins ap all plugins (can take a long time) tt timthumbs t themes vt only vulnerable themes at all themes (can take a long time) Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins If no option is supplied, the default is "vt,tt,u,vp"
For more detail on the command arguments be sure to review the WPScan documentation. Upon execution of the scan you will see something similar to the following:
WordPress Security Scanner by the WPScan Team Version v2.4.1 Sponsored by the RandomStorm Open Source Initiative @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ [+] URL: http://radicaldevelopment.net/ [+] Started: Tue Aug 12 20:18:28 2014 [+] robots.txt available under: 'http://radicaldevelopment.net/robots.txt' [!] Full Path Disclosure (FPD) in: 'http://radicaldevelopment.net/wp-includes/rss-functions.php' [+] Interesting header: SERVER: nginx/1.6.1 [+] XML-RPC Interface available under: http://radicaldevelopment.net/xmlrpc.php [+] WordPress version 3.9.2 identified from rss generator [+] WordPress theme in use: RadDev - v1.0 [+] Name: RadDev - v1.0 | Location: http://radicaldevelopment.net/wp-content/themes/RadDev/ | Style URL: http://radicaldevelopment.net/wp-content/themes/RadDev/style.css | Theme Name: RadDev | Theme URI: http://radicaldevelopment.net | Description: A modern two-column blog theme. A responsive layout optimizes the theme for mobile devices like t... | Author: Steven M. Swafford | Author URI: http://radicaldevelopment.net [+] Enumerating installed plugins (only vulnerable ones) ...
If you running a multi-author WordPress site then you may find running dictionary attacks useful to ensure your authors are using strong passwords. The command for do so is:
wpscan –url www.somedomain.com –wordlist passwords.txt –username admin
It is also important to note that if your target WordPress site allows visitors to register, a password brute force attack may take a great deal of time or even impact the performance of the website. Because of this, you may want to first enumerate the users and target a smaller subset.
Overall the WordPress platform does a good job at implementing security, but at the end of the day it is software and all software will have vulnerabilities. When you factor in the use of themes and plugins the rate of the risk increases quickly. For this reason, it is always a good idea to run a security scan and this is where WPScan can greatly help to protect your site. If you have not given this tool a look, then I highly recommend that you do so. You may find that there are steps you can take to harden your website and protect not only yourself, but also you visitors.