Friday, June 17, 2011

WordPress Security Scanner

Wordpress users should think about their system's security more carefully. It's not only because Wordpress is getting a lot of attacks lately, but also due to the introduction of Wordpress Security Scanner (WPScan) which is developed by Ryan Dewhurstand hosted at Google Code.

WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use it to be for security professionals or WordPress administrators to asses the security posture of their WordPress installations. The code base is Open Source and licensed under the GPLv3.

Features include:

  • Username enumeration (from ?author)
  • Weak password cracking (multithreaded)
  • Version enumeration (from generator meta tag)
  • Vulnerability enumeration (based on version)
  • Plugin enumeration (todo)
  • Plugin vulnerability enumeration (based on version) (todo)
  • Other miscellaneous checks