{"id":1902,"date":"2022-07-01T13:37:46","date_gmt":"2022-07-01T11:37:46","guid":{"rendered":"https:\/\/www.dsecbypass.com\/?p=1902"},"modified":"2024-02-07T10:50:52","modified_gmt":"2024-02-07T09:50:52","slug":"test-the-security-of-your-wordpress-website","status":"publish","type":"post","link":"https:\/\/www.dsecbypass.com\/en\/test-the-security-of-your-wordpress-website\/","title":{"rendered":"Test the security of your WordPress website"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/06\/WordPress-logotype-wmark.png” alt=”Check the security of your WordPress site” title_text=”WordPress-logotype-wmark” _builder_version=”4.17.4″ _module_preset=”default” width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

WordPress is a free, open-source, and free content management system (CMS). It allows the editing of rich and dynamic websites, and benefits from an important ecosystem of plugins and themes. According to wordpress.org<\/a>, 43% of websites are based on the WordPress CMS.<\/p>\n

It is therefore no surprise that WordPress is a prime target for hackers<\/strong>: poorly configured websites and servers, vulnerable plugins, delayed updates.<\/p>\n

This article focuses on quick and easy techniques to test yourself if your WordPress site can be attacked by newbies. Above all, it does not replace a hardening of the security<\/a> of your website.<\/p>\n

These tests are intrusive and should be run on systems that you own or for which you have been given explicit permission.<\/p>\n

 <\/p>\n

[\/et_pb_text][et_pb_text module_id=”wpscan” _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

1. Using wpscan<\/h2>\n

The wpscan <\/a>tool is an easy-to-use WordPress configuration flaw and vulnerability scanner. It is included in the Kali Linux <\/a>distribution but can also be easily used separately thanks to its docker image<\/a>.<\/p>\n

In order to benefit from all the functionalities of wpscan it is preferable to create an API key<\/a> on WPScan.com<\/em>. This step is optional but allows you to benefit from the WordPress vulnerabilities database.<\/p>\n

Here are some examples of wpscan commands to detect a maximum of WordPress vulnerabilities and misconfigurations:<\/p>\n

\n

# Default scan of https:\/\/your.site.wordpress\/ with a random User-Agent<\/em> and no HTTPS certificate verification (in case you haven’t installed it yet)<\/p>\n

wpscan –rua –api-token {TOKEN} –disable-tls-checks –url https:\/\/your.website.wordpress\/<\/strong><\/p>\n<\/blockquote>\n

\n

# More comprehensive scan: Lists top 50 WordPress users, all known themes and plugins, configuration backups, timthumbs and exports. Random User-Agent<\/em> and no HTTPS certificate verification.<\/p>\n

wpscan –rua –api-token {TOKEN} –disable-tls-checks -e u1-50,m,vp,vt,tt,cb,dbe –url https:\/\/your.website.wordpress\/<\/strong><\/p>\n<\/blockquote>\n

The wpscan results are composed of different categories and offer links to documentation each time:<\/p>\n