- Aggressively test the security configuration of a site from an external point of view with the Open Source WPScan.
- Find known security vulnerabilities and configuration mistakes with a WordPress installation.
About the WordPress Security Scans
The basic security check will review a WordPress installation for common security related mis-configurations. Testing with the basic check option uses regular web requests. The system downloads a handful of pages from the target site, then performs analysis on the resulting html source.
The more advanced WPScan option performs more aggressive tests . The excellent WPScan tool will probe plugins, usernames and other vulnerabilities. This tests thousands of URL’s and will generate many
404 not found errors in the Web Server log file.
Comparing the Options
Option 1: Security checks in Passive scan:
- WordPress Version Check
- Site Reputation from Google
- Default admin account enabled
- Directory Indexing on plugins
- Sites Externally linked from main page (reputation checks)
- List WordPress Plugins detected through basic HTML analysis (use the Active WPscan for more aggressive testing of plugins).
- iframes present
- Hosting Reputation and Geolocation information
Option 2: Advanced WPScan
: The active WPScan option requires a SILVER membership.
- Uses the WPScan tool to test the following
- Identify known vulnerabilities in WordPress Core
- Brute force installed plug-ins (over 2200 in current database)
- Discover all installed themes, and list known vulnerabilities
- Enumerate usernames
- Test for vulnerable timthumb files (a heavily attacked known exploit)
WordPress is the worlds leading content management system
. This makes it a popular target for attackers.
Analysis of compromised WordPress installations, shows that exploitation most often occurs due to simple configuration errors or through plugins and themes that have not had security fixes applied.
The checks performed by our WordPress security scan will point out any obvious security failures in the WordPress installation. As well as providing recommended security related configuration improvements to enhance the security of the website against future attacks.
Related WordPress Security articles: