This scanner has two options available. The first is a passive (safe) scan that downloads a few pages from the website and performs analysis on the raw HTML code. The second option is a more intrusive scan that attempts to enumerate plugins and users; this uses the popular open source WordPress security auditing tool WPScan.
- Review the security configuration of a site from an external point of view.
- Find known security vulnerabilities and configuration mistakes with a WordPress installation.
- Perform a deeper black box security assessment, including plugin and theme brute forcing with WPScan (requires membership).
About the WordPress Security Scan
This security scan will check a WordPress installation for common security related misconfigurations. When using the passive scan option, the test uses regular web requests to download a handful of pages from the target site and then performs analysis on the resulting HTML source.
The Active scan option includes more aggressive tests using WPScan that can provide a deeper level of security related plugin information and other checks.
Checks in Passive scan include:
- WordPress Version Check
- Site Reputation from Google, Norton and MyWot
- Default admin account enabled
- Directory Indexing on plugins
- .htaccess readable
- robots.txt present
- Sites Externally linked from main page (reputation checks)
- List WordPress plugins detected through basic HTML analysis (use the Active WPScan option for more aggressive testing of plugins).
- iframes present
- internal site links
- Hosting Reputation and Geolocation information
- IP address sharing and reputation of sites sharing the IP address
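The passive checks above work on nothing but the raw HTML of a downloaded page. The following is an added example, not the scanner's own code, of how a site owner can run the same kind of analysis on a page of their own site: it reads the generator meta tag for the version, derives plugin and theme slugs from asset paths under /wp-content/, counts iframes, lists externally linked hosts, and recognises a directory-indexing response. The sample HTML and the host name example.com are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _WPParser(HTMLParser):
    """Collect the generator meta tag, asset URLs, links and iframes from raw HTML."""
    def __init__(self):
        super().__init__()
        self.generator, self.assets, self.links, self.iframes = None, [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        elif tag == "iframe":
            self.iframes += 1
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        for key in ("src", "href"):  # stylesheets, scripts and images expose plugin/theme paths
            if a.get(key):
                self.assets.append(a[key])

def passive_checks(html, site_host):
    """Return the passive findings for one downloaded page of a site you operate."""
    p = _WPParser()
    p.feed(html)
    m = re.search(r"WordPress\s+([\d.]+)", p.generator or "")
    plugins, themes = set(), set()
    for url in p.assets:
        hit = re.search(r"/wp-content/(plugins|themes)/([^/?#]+)/", url)
        if hit:
            (plugins if hit.group(1) == "plugins" else themes).add(hit.group(2))
    # A link is external when it carries a host that is not the site's own host.
    external = sorted({urlparse(h).netloc for h in p.links
                       if urlparse(h).netloc and urlparse(h).netloc != site_host})
    return {"version": m.group(1) if m else None, "plugins": sorted(plugins),
            "themes": sorted(themes), "iframes": p.iframes, "external_hosts": external}

def looks_like_directory_listing(body):
    """True when a /wp-content/plugins/ response is a web-server autoindex page."""
    return bool(re.search(r"<title>\s*Index of /", body, re.IGNORECASE))

# Constructed sample page (not a real site) used to exercise the checks offline.
SAMPLE_HTML = """<html><head><meta name="generator" content="WordPress 6.4.2">
<link rel="stylesheet" href="https://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8">
<script src="/wp-content/plugins/woocommerce/assets/js/frontend.js"></script>
<link rel="stylesheet" href="/wp-content/themes/twentytwentyfour/style.css">
</head><body><a href="https://example.com/about/">About</a>
<a href="https://partner.example.net/">Partner</a><a href="/contact/">Contact</a>
<iframe src="https://www.youtube.com/embed/x"></iframe></body></html>"""

if __name__ == "__main__":
    print(passive_checks(SAMPLE_HTML, "example.com"))
```

A version string in the generator tag and a listable plugins directory are both findings worth fixing: remove the tag and disable autoindex on /wp-content/ in the web server configuration.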
Additional checks included when using the advanced Active Scanner:
Note the active scan option requires a silver level membership.
- Brute force installed plugins (over 2200 in current database)
- Enumerate usernames
- Test for vulnerable timthumb files (a known and heavily attacked vulnerability)
WordPress is the world's leading content management system. This makes it a popular target for attackers.
Analysis of compromised WordPress installations shows that exploitation most often occurs due to simple configuration errors or through plugins and themes that have not had security fixes applied.
The checks performed by our WordPress security scan will point out any obvious security failures in the WordPress installation, as well as providing recommended security related configuration improvements to enhance the security of the website against future attacks.