Uncovering WordPress Vulnerabilities with Ease

By Charles Costa

As a developer or design professional, one of the biggest benefits of building your sites on WordPress is that in most cases you are building your code on a proven platform which has been fortified over time. Unfortunately, when it comes to security there’s no such thing as a fully hack-proof system. Fortunately, when it comes to securing your own and your clients’ systems, there are a few WordPress vulnerability scanners which can help you spot problems before they get out of hand.

It is important to note that while this guide is primarily intended for WordPress.org users, the techniques can still be applied by WordPress.com users. For those unfamiliar with the differences between the two offerings, Sitepoint has a guide to clarify the differences. The tools will still technically work for WordPress.com users, though with less power.

Although trusting generic online scanners is questionable at best, a new breed of Open Source security tools allows developers and other tech-savvy professionals to test their code against exploits with ease. While these tools have a bit of a learning curve, learning the basics of penetration testing tools can help keep you ahead of most digital threats.

WordPress Specific Tools

WP Scan

WP Scan is an Open Source tool for Linux and Mac OSX which serves as a Swiss Army Knife for attacking virtually any WordPress install. Key features include the ability to enumerate the user names on a WordPress site, scan the plugins being used by a specified website, and see which themes are installed on a server. WP Scan also integrates with known vulnerability databases, so the software can filter its results to show only code which is susceptible to attack.

Although WP Scan is a powerful tool, installation can be difficult if you don’t already have Ruby on your system. This is especially true on CentOS – the default Linux distro of many hosts – because the operating system does not ship all the required libraries. Using Ubuntu or Mac OSX greatly simplifies the process. If you are a complete Linux novice, WP Scan also comes pre-installed on several security-centric Linux distributions; a list can be found on the project website.

Plecost

Plecost is an Open Source WordPress fingerprinting tool which analyzes the plugins installed on a specified WordPress site and, where applicable, lists the Common Vulnerabilities and Exposures (CVE) identifiers associated with them. Since Plecost is a Python script, installing it is as simple as adding the files to your server and following the instructions on the project website.

Although this tool only reports vulnerabilities in installed plugins, the CVE integration makes Plecost a notable tool because it gives the user instant feedback on how outdated software on the server could be exploited.

Since Plecost is a collection of Python scripts, installation is fairly simple, and the utility runs on Windows, Mac OSX and Linux/Unix systems as long as Python is installed and configured.
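The check Plecost automates is, at its core, a version comparison: each installed plugin’s version is compared against the version in which a known issue was fixed. The script below is an added example and not Plecost’s own code; it shows that comparison done offline with a constructed plugin inventory and constructed advisories (the advisory identifiers are placeholders, not real CVE numbers), and handles the edge cases a naive string comparison gets wrong, such as "2.9" versus "2.9.0" and "10.0.1" versus "9.8".

```python
"""Offline plugin-version audit, in the spirit of what Plecost automates.

Added example, not Plecost's own code. The installed-plugin inventory and
the advisory list are constructed sample data; real advisories would come
from a vulnerability database and carry real CVE identifiers.
"""
import re

# Constructed inventory: slug -> version, as shown in wp-admin or readme.txt.
INSTALLED_PLUGINS = {
    "contact-form-example": "4.1.2",
    "gallery-example": "2.9",
    "seo-example": "10.0.1",
}

# Constructed advisories. "fixed_in" is the first safe version; anything
# lower is affected. The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"slug": "contact-form-example", "fixed_in": "4.2.0", "id": "ADVISORY-PLACEHOLDER-1"},
    {"slug": "gallery-example", "fixed_in": "2.9", "id": "ADVISORY-PLACEHOLDER-2"},
    {"slug": "seo-example", "fixed_in": "9.8", "id": "ADVISORY-PLACEHOLDER-3"},
]


def parse_version(version):
    """Turn '4.1.2' into (4, 1, 2). A non-numeric suffix such as '3-beta'
    contributes only its leading digits; a piece with no digits counts as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is lower than b. Shorter tuples are padded
    with zeros so that '2.9' and '2.9.0' compare as equal, and the numeric
    comparison keeps '10.0.1' above '9.8' (a plain string compare would not)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def audit(installed, advisories):
    """Return findings as (slug, installed_version, fixed_in, advisory_id)
    for every advisory whose plugin is installed below the fixed version."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["slug"])
        if current is None:
            continue  # plugin not installed, so this advisory does not apply
        if version_lt(current, adv["fixed_in"]):
            findings.append((adv["slug"], current, adv["fixed_in"], adv["id"]))
    return findings


if __name__ == "__main__":
    for slug, current, fixed, ident in audit(INSTALLED_PLUGINS, ADVISORIES):
        print(f"{slug}: installed {current}, fixed in {fixed} ({ident})")
```

With the sample data only contact-form-example is reported: gallery-example is exactly at its fixed version, and seo-example is numerically above its fixed version even though "10.0.1" sorts below "9.8" as a string.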

General Vulnerability Tools

While this guide focuses primarily on your WordPress installs, WordPress is only a single component of your server, so knowing how to use general purpose penetration testing tools is also vital to protecting your system from hackers.

Nikto

Nikto is a general purpose vulnerability scanner which checks for outdated software, configuration files, hidden directories and much more. Nikto is intended for testing your own servers: by default it runs rapidly and would likely trigger alerts on many intrusion detection systems. An extension is available to make it stealthier if needed, but for basic tests of your own servers this likely isn’t necessary.

Aside from gathering information, Nikto can also brute force the authentication sections of the targeted website, allowing you to check that your website’s users are following security best practices. Since the tool runs on any system which supports Perl, it works on virtually any Linux and Unix system as well as Mac OSX. Nikto can also be configured to run on Windows, but those systems need ActiveState Perl or Strawberry Perl installed.
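The flip side of the point above is that the scanners in this guide are noisy, so an administrator who reads the web server’s access log can see a Nikto or WP Scan run against their site before it is followed up by anything worse. The script below is an added example, not part of the article or of either tool: it parses combined-format access log lines (the lines here are constructed) and flags a client IP when the user-agent carries a scanner name, or when it produces an unusual burst of 404 responses (a threshold of five is an assumed tuning value). It assumes the default user-agents of these tools include the tool name, which an operator can override, so the 404 heuristic is there to catch the quieter case too.

```python
"""Flag vulnerability-scanner activity in a combined-format access log.

Added example, not part of the article or of Nikto or WP Scan. The log
lines are constructed; the user-agent markers assume the tools' default
user-agent strings name the tool, which a scanner operator can change.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCANNER_UA_MARKERS = ("WPScan", "Nikto")   # assumed default UA fragments
NOT_FOUND_THRESHOLD = 5                     # assumed: more 404s than this from one IP is suspicious

# Constructed sample log: one WP Scan run, one Nikto run, one probe with a
# browser-like user-agent, and one ordinary visitor.
SAMPLE_LOG = """
203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 512 "-" "WPScan v2.6"
203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v2.6"
198.51.100.9 - - [10/Jan/2015:10:01:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5)"
198.51.100.9 - - [10/Jan/2015:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5)"
198.51.100.9 - - [10/Jan/2015:10:01:01 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5)"
198.51.100.9 - - [10/Jan/2015:10:01:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5)"
198.51.100.9 - - [10/Jan/2015:10:01:02 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5)"
198.51.100.9 - - [10/Jan/2015:10:01:02 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5)"
192.0.2.44 - - [10/Jan/2015:10:02:00 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Jan/2015:10:02:00 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Jan/2015:10:02:01 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Jan/2015:10:02:01 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Jan/2015:10:02:02 +0000] "GET /wp-content/plugins/plugin-e/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Jan/2015:10:02:02 +0000] "GET /wp-content/plugins/plugin-f/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [10/Jan/2015:10:03:00 +0000] "GET /2015/01/hello-world/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if
    the line does not match (truncated or foreign-format lines are skipped)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_scanners(log_text):
    """Return {client_ip: set_of_reasons} for clients that look like scanners."""
    reasons = defaultdict(set)
    not_found = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        if any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS):
            reasons[rec["ip"]].add("scanner user-agent")
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    for ip, count in not_found.items():
        if count > NOT_FOUND_THRESHOLD:
            reasons[ip].add("404 burst")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(why))}")
```

On the sample log the Nikto client is caught by both rules, the WP Scan client by its user-agent alone (its requests succeeded), the browser-like probe only by the 404 burst, and the ordinary visitor is not reported. In production the threshold should be tuned per site and applied per time window, since a single broken link can also generate repeated 404s.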

Wikto

Wikto is a tool intended primarily for Windows environments, and it stands out from most of the tools on this list because of its ease of use. While the program is for Windows systems, it still includes powerful features such as fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.

The killer feature of this tool is its centralized Google Hacking integration. While this is technically nothing more than using Google searches to uncover sensitive information, Wikto simplifies the process by letting you import databases of known queries into the program. From there you can automatically run the queries against sites and review the results with minimal effort on your end.

Staying On Top of Security Best Practices

Although security is a vast and complex field, you can protect your websites from tools such as the vulnerability scanners mentioned in this guide by following trends from the SANS Institute and the advice in the WordPress Codex.

  • Thanks Charles.

    “Although trusting generic online scanners is questionable at best”

    Would that include the free Sucuri site scanner ? ..

    That can a very useful online scanner to check your site for a range of different security “issues”.

    By the way, in the second paragraph for the Nikto scanner you start referring to it as “Nikito”.. I’m guessing that’s a typo. ?

    • Thanks for the feedback!

      As far as Sucuri goes – personally I think it’s a great tool from a solid company. In fact I use them quite often as one layer of my security checks for my site. That being said, the reason I don’t recommend relying on it alone is because nothing is 100% accurate, and ultimately the level of detail provided by Sucuri is going to be a bit less than what you can get from dedicated pen testing tools. If you’re doing a quick checkup, they really are my go-to scanner.

      In general Sucuri is good for diagnosing infections and things of that sort – it’s not 100% accurate though, and I recently had it miss a blatant pharma hack on a client’s Joomla website – but if you’re trying to view your website from the view of a potential attacker, you’ll want to use pen testing tools, as those are also what your attackers are probably using.

      Regarding the typo – I’ll look into that. Thanks, I’ll get on that right away.

  • Abdi Haikal

    Nice article…
    Thank you

  • Badr

    Thank you for this article. It’s really helpful.

  • phys

    This is a helpful article, but you forgot to mention one of the most important things, which is:
    1- changing wp-admin.php name and directory
    2- changing database prefix wp_ to something more complicated

    These are the most common vulnerabilities in WordPress.
