WordPress is one of the most popular open source CMS now a days having more than 60 million users. Recently they released a new version of wordpress i.e. v4.8 in WordCamp Europe 2017 event. You can easily create the beautiful websites with the help of WordPress.
WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 10,000 to 15,000 websites for malware and around 70,000 for phishing. If you are serious about your website, then you need to pay attention to the WordPress security. In this article, we will share a beautiful wordpress security scanner named as WPSeku through which you can easily scan your WordPress site and find all the loopholes related to:
- Directory Listing
- Documentation Files
- Full Path Disclosure
- Htaccess file protection
- Theme and Plugin enumeration
- Username enumeration
Basically WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
Installation of WPSeku in Kali Linux –
To install WPSeku, download the package from Github directly with the help of git clone command as shown below:
Command: git clone https://github.com/m4ll0k/WPSeku.git
After that you need to install one more package which is listed in requirements.txt file, and that you can easily install it through pip install command.
Command: pip install -r requirements.txt
To run this tool, simply type python wpseku.py in your terminal which shows a basic help file.
The basic syntax of this tool is:
Command: python wpseku.py –target http://example.com/
In starting phase, it will scan files which are sitemap.xml, license.txt, robots.txt, crossdomain.xml, readme.html, .htaccess and xml-rpc service.
In second phase, it will scan all database and backup related files along with directory listing scanning.
In third phase, it will scan the HTTP headers along with enumeration of themes and plugins and will list out all vulnerabilities along with exploit link as shown below:
The best thing about this tool is that, you can even scan the major vulnerabilities like SQL Injection, Cross site scripting, LFI injection and bruteforce etc.
For SQL Injection testing, use -s parameter,
For XSS testing, use -x parameter,
For LFI testing, use -l parameter etc