Online WordPress Security Scanner to test vulnerabilities of a WordPress installation. Checks include application security, WordPress plugins, hosting environment and web server.
This scanner has two options. The first is a passive (safe) scan that downloads a few pages from the website and analyses the raw HTML code. The second is a more intrusive active scan that attempts to enumerate vulnerable plugins and users; this uses the popular open source WordPress security auditing tool WPScan.
About the WordPress Security Scan
With the more advanced Active Scan option, all checks from the Passive Scan are performed and, in addition, the system uses the excellent WPScan tool to probe plugins, usernames and other vulnerabilities. This scan requests thousands of URLs and will generate 404 not found errors in the web server log file.
- WordPress Version Check
- Site Reputation from Google
- Default admin account enabled
- Directory Indexing on plugins
- Sites Externally linked from main page (reputation checks)
- List WordPress Plugins detected through basic HTML analysis (use the Active WPscan for more aggressive testing of plugins).
- iframes present
- Hosting Reputation and Geolocation information
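As an added example (not the scanner's own code), the following shows the kind of analysis the passive checks above perform on raw HTML: it pulls the WordPress version from the generator meta tag, plugin slugs from `/wp-content/plugins/` asset paths, iframe sources, and externally linked hosts, all without issuing a single request. The sample page and the `example.com` host are constructed for the demonstration; run it against a saved copy of your own site's front page to see what it discloses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, standing in for the raw HTML a passive scan downloads.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8" />
<script src="/wp-content/plugins/revslider/public/assets/js/rs6.min.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body>
<a href="https://example.com/about/">About</a>
<a href="http://tracker.example.net/offer">Partner</a>
<iframe src="https://ads.example.org/frame.html"></iframe>
</body></html>"""

# Plugin slug is the first path segment after /wp-content/plugins/
PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_.-]+)/")


class WPSignatureParser(HTMLParser):
    """Collects WordPress fingerprints from HTML that has already been fetched."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host      # hostname of the site being reviewed
        self.version = None             # value of <meta name="generator">
        self.plugins = set()            # plugin slugs seen in asset URLs
        self.iframes = []               # iframe src values, in document order
        self.external_hosts = set()     # hosts linked from <a> that are not ours

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                 # attribute names are lower-cased by HTMLParser
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.version = a.get("content")
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        for url in (a.get("src"), a.get("href")):
            if not url:
                continue
            match = PLUGIN_RE.search(url)
            if match:
                self.plugins.add(match.group(1))
            host = urlparse(url).hostname   # None for relative URLs
            if tag == "a" and host and host != self.site_host:
                self.external_hosts.add(host)


def passive_scan(html, site_host):
    """Return the fingerprints a passive HTML-only check can recover."""
    parser = WPSignatureParser(site_host)
    parser.feed(html)
    return {"version": parser.version, "plugins": sorted(parser.plugins),
            "iframes": parser.iframes, "external_hosts": sorted(parser.external_hosts)}
```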
The active WPScan option requires a SILVER membership.
- Uses the WPScan tool to test the following
- Brute force installed plugins (over 2200 in the current database)
- Enumerate usernames
- Test for vulnerable timthumb files (a well-known and heavily attacked vulnerability)