WordPress is one of the most popular open-source CMS nowadays having more than 100 million users.
WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 10,000 to 15,000 websites for malware and around 70,000 for phishing. If you are serious about your website, then you need to pay attention to WordPress security. In this article, we will share a beautiful WordPress security scanner named as WPSeku through which you can easily scan your WordPress site and find all the loopholes related to:
- Directory Listing
- Documentation Files
- Full Path Disclosure
- Htaccess file protection
- Theme and Plugin enumeration
- Username enumeration
Basically, WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
Installation of WPSeku in Kali Linux –
To install WPSeku, download the package from Github directly with the help of git clone command as shown below:
Command: git clone https://github.com/m4ll0k/WPSeku.git
After that you need to install one more package which is listed in requirements.txt file, and that you can easily install it through pip install command.
pip3 install -r requirements.txt
To run this tool, simply type
in your terminal which shows a basic help file.
The basic syntax of this tool is:
Command: python3 wpseku.py –url https://www.xxxxxxx.com –verbose
In the starting phase, it will scan files which are sitemap.xml, license.txt, robots.txt, crossdomain.xml, readme.html, .htaccess and xml-rpc service.
In the second phase, it will scan all database and backup related files along with directory listing scanning.
In the third phase, it will scan the HTTP headers along with an enumeration of themes and plugins and will list out all vulnerabilities along with exploit link as shown below:
The best thing about this tool is that you can even scan the major vulnerabilities like SQL Injection, Cross-site scripting, LFI injection and brute force etc.
For SQL Injection testing, use -s parameter,
For XSS testing, use -x parameter,
For LFI testing, use -l parameter etc
Feel free to leave a comment below or reach me on Instagram @iamshubhamkumar__.