It should come as no surprise that WordPress has a massive target on its back given how popular a platform it has become. To add fuel to the fire, anyone and everyone can create themes, plugins, or jump in the source code and make modifications. That’s part of what makes it such a huge success — it provides immense flexibility yet maintains its ease of use. That’s also what makes it a huge target for attacks. Attacks that come in all shapes and sizes, including the exploitation of WordPress vulnerabilities.
So if you’re running a WordPress website (or thinking of running one), how can you defend from such attacks?
There are a number of defense mechanisms, but in this post, we’re going to focus on finding known vulnerabilities in WordPress core, your theme, and the plugins you are running. Once those vulnerabilities are identified, you can fix them before they become exploited.
Let’s get started.
WordPress Vulnerabilities Databases
One of the first steps you can take requires no installations and nothing special. Simply pull up these databases of vulnerabilities and search for your plugins, themes, and WordPress version. You can filter for vulnerabilities by plugins/themes, and in some cases, you can even subscribe to email alerts.
For example, a very popular plugin used by many is called Elementor, and it helps you build web pages without having to type a single line of code. Version 2.8.4 (the latest version is 2.9.7, so not that long ago!) has a Cross-Site Scripting (XSS) vulnerability.
Once you’ve combed the databases for known vulnerabilities with your plugin, theme, and core versions, it’s time to run scans against your website.
There are a few ways of doing this. One way is to run online scanners, such as:
And another way is to run open source tools either manually or, preferably, automatically and frequently…
Finding WordPress Vulnerabilities with Open Source Tools
Kali Linux comes with a package named WPScan which is a WordPress vulnerability scanner that can be used to scan remote installations in order to find security issues, and hopefully fix them before someone else finds them.
Running this vulnerability scanner is super simple, so there really is no excuse not to!
If you don’t already have Kali Linux installed, this will take a few minutes to set up. You can either install Kali or run it live from the ISO in a virtual machine. See instructions here: run or install Kali Linux.
Once you have Kali running, find WPScan in the menu or run it via the command line ($ wpscan --help).
Input the IP address or domain name, and start the scan. Sit back and relax, because it will take a while to run.
$ wpscan --url <domain>
Be sure to read the --help output for more settings.
Another helpful tool in finding general vulnerabilities is OWASP ZAP.
Take a look around the ZAP website for more information, such as how to automate security checks via APIs.
If you installed Kali for the previous step, then I’ve got great news. ZAP also comes with the default Kali installation, so you can run it quickly and easily through a GUI interface.
Once you’ve run it, you will get a list of alerts categorized by severity (High, Medium, Low, Informational) with a bunch of extra information regarding the issue. For example, if it’s a potential SQL injection, then it will show you the page that it was found on, how it was found, how to fix it, and reference materials to help you understand the issue.
Next Steps and Final Thoughts
The fact that you read through this article shows that you’re on the right track to having a more secure WordPress website, and as a result, you’re helping make the world more secure.
Ultimately, keeping your WordPress core, plugins, and themes up-to-date is one of the best ways to combat vulnerabilities. But the reality of it is that we all get busy with conflicting priorities, and updates can break things. So it’s usually easier to put off updates until “a calmer day.” If this is the situation you find yourself in, at least follow the steps outlined in this post so that you can prioritize critical updates and fix those first.
The next step to take is to automatically run these kinds of scans within your development pipeline so that it catches issues before they even make it out to production.
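Below is an added example (not code from the original post or from the WPScan project) that ties together the WPScan step and this pipeline step: it runs wpscan with JSON output, compares each installed core/plugin/theme version against the version the issue was fixed in (the same "is my 2.8.4 older than the fix?" check you do by hand against the vulnerability databases), prints the affected components with the cheap fixes (a known fixed_in version) first, and exits non-zero so a CI job fails before the site reaches production. Assumptions: `wpscan --format json` produces a document with top-level "version", "plugins" and "themes" keys, each component carrying a "version" {"number": ...} and a list of "vulnerabilities" with "title" and "fixed_in" fields (check this against your wpscan version); the `--api-token` flag supplies the WPScan vulnerability-database token needed for the vulnerability data. The `SAMPLE_REPORT` document and its "fixed_in" values are constructed for the example.

```python
"""Triage a WPScan JSON report and decide whether a CI job should fail.

Added example, not part of the original post or of the WPScan project.
Report shape (top-level "version"/"plugins"/"themes", per-component
"version" and "vulnerabilities") is an assumption to verify locally.
"""
import json
import re
import subprocess
import sys


def parse_version(text):
    """Turn '2.8.4' or '5.4-beta1' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", text or ""))


def is_affected(installed, fixed_in):
    """True when the installed version is older than the fix, or when there is
    no fix yet / the installed version could not be determined."""
    if not fixed_in or not installed:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def triage(report):
    """Return one finding per (component, vulnerability) pair in the report."""
    findings = []

    def add(kind, name, component):
        installed = (component.get("version") or {}).get("number")
        for vuln in component.get("vulnerabilities", []):
            fixed_in = vuln.get("fixed_in")
            findings.append({
                "kind": kind, "name": name, "installed": installed,
                "fixed_in": fixed_in, "title": vuln.get("title", ""),
                "affected": is_affected(installed, fixed_in),
            })

    core = report.get("version") or {}
    add("core", "wordpress",
        {"version": core, "vulnerabilities": core.get("vulnerabilities", [])})
    for slug, plugin in (report.get("plugins") or {}).items():
        add("plugin", slug, plugin)
    for slug, theme in (report.get("themes") or {}).items():
        add("theme", slug, theme)
    return findings


def run_wpscan(url, api_token=None):
    """Run wpscan against a site you operate and return the parsed JSON report.
    wpscan exits non-zero when it finds vulnerabilities, so check=False."""
    cmd = ["wpscan", "--url", url, "--format", "json", "--enumerate", "vp,vt"]
    if api_token:
        cmd += ["--api-token", api_token]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


# Constructed sample shaped like a wpscan JSON report (not real scan output).
SAMPLE_REPORT = {
    "version": {"number": "5.4", "vulnerabilities": []},
    "plugins": {
        "elementor": {
            "version": {"number": "2.8.4"},
            "vulnerabilities": [
                {"title": "Cross-Site Scripting (constructed entry)",
                 "fixed_in": "2.8.5"},   # constructed placeholder value
            ],
        },
        "some-plugin": {
            "version": {"number": "3.0.1"},
            "vulnerabilities": [
                {"title": "Issue already fixed (constructed)", "fixed_in": "3.0.0"},
            ],
        },
    },
    "themes": {"twentytwenty": {"version": None, "vulnerabilities": []}},
}


def main(argv):
    """CI entry point: scan the given URL (or use the sample), report, and
    return 1 if anything is still affected so the pipeline step fails."""
    if len(argv) > 1:
        report = run_wpscan(argv[1], api_token=argv[2] if len(argv) > 2 else None)
    else:
        report = SAMPLE_REPORT
    affected = [f for f in triage(report) if f["affected"]]
    # Components with a known fix first: those are the quick, high-value updates.
    for f in sorted(affected, key=lambda f: f["fixed_in"] is None):
        print(f"{f['kind']}:{f['name']} {f['installed']} -> "
              f"update to {f['fixed_in'] or 'no fix yet'}: {f['title']}")
    return 1 if affected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the triage on the constructed sample, or as `python triage.py https://your-site.example YOUR_TOKEN` in a pipeline step; a non-zero exit marks the job failed. Versions that WPScan could not determine are deliberately treated as affected so that an unknown never silently passes.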