README
wpscan
wpscan is a Node.js CLI tool that allows you to quickly scan WordPress sites looking for known vulnerabilities, security issues and misconfigurations. wpscan
helps you secure and maintain your WordPress against hackers.
Features
- Preinstalled rules for a quick start.
- Custom rules increase the functionality.
- Selectively ignore default and custom rules.
- Multiple WordPress scans from a bulk file.
- Detection for
- WordPress directories (
wp-content
, ...). - WordPress installed in a subdirectory.
- WordPress directories (
- Changeable User-Agent string.
- Silent mode displays warnings only.
- Fix issues: WordPress security best practices.
- Beginner friendly, easy to install.
- Lightweight, cross plattform framework.
- Work in progress, see todos and changelog.
Install
npm install --global wpscan
Notes
Usage
wpscan <url> [url] [options]
url
→ WordPress site URL (e.g. https://ma.tt
)
Multiple URLs can be separated by spaces.
Options
Option | Shortcut | Description |
---|---|---|
--help |
-h |
Outputs supplied help text. |
--silent |
-s |
Disables success and info messages. Displays warnings only. |
--rules-dir |
-r |
Loads additional rules from a directory (see Custom rules). |
--bulk-file |
-b |
Reads additional WordPress site URLs from a text file (see Bulk scan). |
--ignore-rule |
-i |
Skips loading and execution of a specific rule (see Ignore rules). |
--user-agent |
-u |
Defines a custom User-Agent string. Default is wpscan . |
Quick examples
wpscan https://ma.tt
wpscan https://ma.tt --silent
wpscan https://ma.tt --rules-dir ~/path/to/custom/rules
wpscan https://ma.tt --bulk-file ~/path/to/sources.txt
wpscan https://ma.tt --user-agent "Netscape Gold"
wpscan https://ma.tt --ignore-rule wp-login.js
Default rules
wpscan
has a few rules that are enabled by default. Follow also our WordPress security best practices to fix vulnerabilities detected by wpscan
default rules.
1. Checks sensitive WordPress/Apache/Dot files for their availability
/wp-config.php
/wp-admin/maint/repair.php
/.htaccess
/.htpasswd
/.ssh
/.npmrc
/.gitconfig
/config.json
/wp-config-sample.php
/wp-content/debug.log
2. Scans WordPress login page for security issues
- Basic access authentication
- HTTPS protocol usage
3. Checks whether WordPress is affected by FPD vulnerability
4. Checks whether the Apache directory listing is activated
Custom rules
The power of wpscan
is the flexibility: You can expand the tool functionality by building their own rules, scans and checks. The option --rules-dir
allows loading of user-defined rules from a custom directory.
- The directory path
- can be absolute or relative to the
wpscan
folder
- can be absolute or relative to the
- The custom rules
- must be stored as
.js
files - can be a
Node.js
script - can be a
npm
package - must have an exported function named
fire
- must be stored as
exports.fire = ( data ) => {
// Play with data
// console.log( data )
}
wpscan
will run (technically require
) every custom rule file. The file naming does not matter, short and unique names are welcome. Feel free to create your own rules, enjoy!
Get inspired
Ignore rule(s)
wpscan
can skip certain default and custom rules. The CLI option --ignore-rule
takes a rule name, the rule name is the JavaScript file name of the rule without path. Multiple rule filtering is possible by a multiple use of the CLI option.
wpscan ma.tt --ignore-rule wp-login.js
wpscan ma.tt --ignore-rule wp-login.js --ignore-rule sensitive-files.js
wpscan ma.tt --rules-dir ./example/rules --ignore-rule custom-rule.js
Bulk scan
Multiple WordPress site URLs can be imported from a single file. This is a simple text file with one URL per line.
wpscan -b ~/path/to/sources.txt