It’s pretty safe to say that all software has some kind of vulnerabilities. This does not necessarily mean that the software is bad or sub-standard – vulnerabilities can arise for all sorts of reasons – from failed QA processes to environmental incompatibilities or misconfigurations.
Vulnerabilities can be classified into two categories – known and unknown. Known vulnerabilities, such as XSS (Cross-site scripting) and SQL injection, are vulnerabilities that everyone knows of. Reputable software vendors will always check for these vulnerabilities and eliminate them during QA and testing processes.
Unknown vulnerabilities, on the other hand, are those that have not yet been discovered or publicly documented. These may be caused by bugs in the code or by something in the environment. Thanks to WordPress having such a large user base, vulnerabilities don’t stay unknown for long. Once a vulnerability is discovered, it is called a zero-day vulnerability until a patch is released.
In this article, we will take a deep look at WordPress vulnerabilities, the different types of scanners available, and what you should be on the lookout for when looking to secure your WordPress.
Table of contents
- What is a WordPress vulnerability?
- Understanding the difference between a vulnerability scanner and a security scanner
- Understanding the difference between black box and white box testing
- Common WordPress vulnerabilities
- Why you should scan for vulnerabilities
- Top WordPress Vulnerability Scanners
- Secure your WordPress
- Frequently Asked Questions
What is a WordPress vulnerability?
A WordPress vulnerability is a software vulnerability in WordPress that may be known or unknown.
WPScan, a free open-source WordPress vulnerability scanner that we’ll discuss in more detail later in this article, has close to 40,000 WordPress vulnerabilities in its database. They also offer up some interesting statistics:
WPScan has found 4,069 premium plugins to have some sort of vulnerability. This figure shoots up to 98,241 for free plugins. This does not mean that free plugins are bad – premium plugins simply have more resources at their disposal to test and check their code before release, which is part of what you pay for. Generally speaking, when paying for a plugin, you get additional safety and security in return (aside from the additional functionality).
Plugin vulnerabilities make up the largest share of vulnerabilities at 92%, with theme vulnerabilities a distant second at 5% and WordPress itself last at 3%.
Understanding the difference between a vulnerability scanner and a security scanner
A WordPress vulnerability scanner is a dedicated tool that is able to scan for vulnerabilities – software bugs or misconfigurations that create a security hole.
Security scanner is a more general term that may include vulnerability scans, although strictly speaking, security scanners tend to check for misconfigurations, missed updates, weak passwords, malware, and so on.
This distinction is important as you need to know what you are scanning for and not scanning for. Since there is no law that tells vendors which term to use or not use, make sure you take the time to read the documentation that comes with any scanner you choose. This will help you ensure you’re getting the coverage you need.
Understanding the difference between black box and white box testing
When it comes to vulnerability testing, there are two main approaches: black box testing and white box testing. Both methods have their advantages and disadvantages. Understanding the differences between them is key as it will allow you to understand what is being covered and what isn’t by a particular vulnerability scanner.
Black box testing
WordPress black box vulnerability testing is a technique in which the person performing the test does not assume knowledge of WordPress’ internal workings. During testing, the tester only has access to the inputs and outputs and does not concern themselves with how the outputs are produced. In other words, the tester treats WordPress as a “black box” and tests it from the outside.
One advantage of black box testing is that it can be performed by testers who do not have any knowledge of programming or the software’s internal architecture. This makes black box testing accessible to a broader range of testers.
The main disadvantage of black box testing is that it may not be able to uncover certain types of vulnerabilities that are related to WordPress’ internal workings.
White box testing
WordPress white box testing is a testing technique in which the person performing the test has access to WordPress’ architecture, code, and design. This type of testing is also known as clear box testing or structural testing.
One advantage of white box testing is that it allows the tester to uncover bugs in WordPress’ internal code that black box testing cannot reach. It can also be used to test the software’s maintainability and scalability – something WordPress developers and plugin developers can gain a lot from.
The main disadvantage of white box testing is that it requires testers to have knowledge of programming and the software’s internal architecture.
Common WordPress vulnerabilities
While WordPress vulnerabilities can come in all shapes and sizes, it is worth noting some of the more common ones – which, as we shall see, are easy to prevent. Others can only be solved by developers who have access to the code, as shown in the last example below:
Outdated WordPress Core
One of the most common vulnerabilities in WordPress is an outdated WordPress core. Updates for WordPress are regularly released to address security issues, fix bugs, and improve performance and functionality. Hackers can exploit known vulnerabilities if you do not update to the latest version.
What to do: Having a WordPress update policy can help you better manage WordPress updates and ensure you’re always running the latest version of WordPress.
Weak Passwords
Weak passwords can be another major WordPress security vulnerability. Many users tend to use weak passwords that are easy to guess or crack since they’re more likely to remember them. This can make it easy for hackers to gain unauthorized access to websites.
What to do: Use a WordPress password policy to ensure users use strong passwords and encourage the use of a password manager.
Vulnerable Plugins and Themes
WordPress themes and plugins can seriously enhance WordPress’ functionality and appearance. However, some of these plugins and themes may contain vulnerabilities that can be exploited by hackers.
What to do: Use plugins and themes from trusted vendors that release regular updates – and keep everything updated at all times.
Brute Force Attacks
Brute force attacks are a type of attack where malicious actors attempt to guess a user’s login credentials by trying different username and password combinations.
What to do: Add WordPress 2FA to stop brute force attacks in their tracks and limit the number of failed login attempts.
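One way to implement the failed-login limit described above, as an added example that is not code from the article or from any plugin it mentions. It is a must-use plugin built on WordPress’ own `wp_login_failed`, `authenticate` and `wp_login` hooks and transients API; the 5-attempts / 15-minutes thresholds and the `lal_` prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not from the article)
 * Drop into wp-content/mu-plugins/. Counts failed logins per client address
 * in a transient and refuses further attempts once a threshold is reached.
 * The 5-attempts / 15-minutes values below are assumptions; tune to taste.
 */
const LAL_MAX_ATTEMPTS = 5;
const LAL_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

function lal_client_key() {
    // Behind a reverse proxy or CDN, use the proxy-supplied client address
    // instead of REMOTE_ADDR, otherwise every visitor shares one counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_fail_' . md5( $ip );
}

// WordPress fires wp_login_failed after a bad username/password combination.
// Each failure bumps the counter and refreshes its expiry (sliding lockout).
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lal_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LAL_LOCKOUT_SECS );
} );

// Priority 30 runs after the core credential checks (priority 20), so any
// result they produced is replaced with an error while the lockout is active.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_client_key() ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lal_client_key() );
} );
```

Combine this with 2FA as the article recommends: the limiter slows guessing, 2FA makes a guessed password insufficient on its own.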
SQL Injection
During SQL injection, hackers inject malicious SQL into the queries a website sends to its database via user input fields such as search bar entries, forms, and comments. This can result in the exposure of sensitive data such as usernames, passwords, and credit card details.
What to do: Reputable plugin developers will eliminate this during development. If you do find this vulnerability, you should disable the component that’s causing it, if possible – until a fix is made available.
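What “eliminating this during development” looks like in plugin code, as an added example that is not from the article: the vulnerable query beside its hardened form using WordPress’ `$wpdb->prepare()`. The `vouchers` table, its `code` column and the `voucher` query parameter are assumptions.

```php
<?php
// Added example (not from the article). Assumes a hypothetical custom table
// {$wpdb->prefix}vouchers with a 'code' column, looked up from ?voucher=...

// VULNERABLE: the request value is concatenated straight into the SQL string.
// A quote character in the input closes the string literal, and whatever
// follows it is executed as SQL rather than compared as data.
function vouchers_lookup_unsafe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'vouchers';
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE code = '" . $code . "'" );
}

// HARDENED: $wpdb->prepare() binds the value to the %s placeholder, so the
// database receives it as a string literal and it can never alter the query.
function vouchers_lookup_safe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'vouchers';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE code = %s", $code );
    return $wpdb->get_results( $sql );
}

// Typical call site: unslash and sanitize the raw input, then use the
// prepared query. Sanitizing alone is not a substitute for prepare().
add_action( 'init', function () {
    if ( isset( $_GET['voucher'] ) ) {
        $code = sanitize_text_field( wp_unslash( $_GET['voucher'] ) );
        $rows = vouchers_lookup_safe( $code );
        // ... render $rows ...
    }
} );
```

When reviewing a plugin, any `$wpdb->query()` or `$wpdb->get_*()` call whose SQL is built by string concatenation with request data is the pattern to flag.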
Why you should scan for vulnerabilities
As the statistics we shared at the beginning of the article show, vulnerabilities can be present in any software. If you have a strong WordPress update policy and limit yourself to themes and plugins from reputable developers, chances are you’re safe – however, this is not a guarantee. To this end, you might want to run a vulnerability scan.
A vulnerability scan can help you uncover issues that you might have overlooked and vulnerabilities that might have been introduced in an update or configuration change.
Top WordPress Vulnerability Scanners
In this section, we will be looking at some of the top WordPress vulnerability scanners available on the market today.
WPScan
WPScan is a free security scanner specifically designed for WordPress. It does check for vulnerabilities, with close to 40,000 vulnerabilities in its database. New entries are added to its vulnerability database regularly.
WPScan is available as a CLI (Command Line Interface) tool. This means there is no GUI, and it has to be run from a terminal. WPScan used to be available as a free plugin; however, this is no longer the case. You can also use Jetpack, which leverages the WPScan API.
Among other things, WPScan scans for:
- Vulnerabilities associated with WordPress core, plugins, and themes
- Username and media file enumeration
- Weak passwords (through brute force attacks)
- Accessible wp-config files
- Database dumps
- Exposed error logs
WPSec
WPSec is a WordPress vulnerability scanner. It’s managed through a dashboard from which you can run scans, set up notifications, and issue advanced reports. When it comes to scanning, WPSec uses what it calls Advanced Scan Technology, which uses WPScanner and proprietary custom technology.
Among other things, WPSec scans for:
- Known WordPress bugs
- Security issues
Sucuri
Well-known for its WAF (Web Application Firewall), Sucuri also offers a number of different scanners that scan for different things, providing for a broader scope that’s not necessarily as deep as what other scanners offer.
Among other things, Sucuri scans for:
- IOC (Indicators of Compromise)
- Phishing pages
- DDoS scripts
- SSL certificates
Acunetix
Acunetix is a Web Application Security Testing solution that can also be used as a WordPress security scanner. Since it is not WordPress-specific, it can be used on different websites, applications, and APIs. It can do both SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).
Among other things, Acunetix scans for:
- Out-of-date WordPress core and plugins
- Weak passwords
- Vulnerable WordPress user names
- XML-RPC vulnerabilities
Secure your WordPress
A WordPress security scanner may help you identify security threats to your WordPress website. However, taking proactive security measures remains important. While you should still address the results of a WordPress security scan, WordPress administrators and website owners should also understand that WordPress security is an iterative process that offers a huge ROI.
Keeping everything updated is one of the most accessible ways administrators have at their disposal to limit vulnerabilities. WordPress, themes, plugins, and PHP should be up to date at all times. Don’t forget to take backups and use a WordPress staging environment to limit risk.
WordPress security plugins can also offer protection and peace of mind. Firewalls are always a good option; however, having a WordPress activity log can help you achieve more. Similarly, securing your WordPress installation with 2FA can help you stay even more secure with minimal effort.
Frequently Asked Questions
A WordPress vulnerability scanner is one of the best tools you can use to scan for vulnerabilities. We covered a number of different scanners in the article. One important thing to note is that different scanners may scan for different things. Be sure to read the documentation to understand what you are and aren’t scanning for. This will help you avoid having a false sense of website security.
This depends on the vulnerability scanner you choose. Some scanners offer automated scans and will even send you a report of the results directly to your email inbox. Others may require a manual scan, in some instances through a CLI – Command Line Interface.