While the WordPress core is designed with security in mind, the same cannot be said for the thousands of plugins that extend the WordPress ecosystem. Unfortunately, thousands of WordPress plugins contain high-severity vulnerabilities. Unless vulnerable plugins are updated or disabled, they could allow attackers to easily compromise the integrity and availability of the site, gain access to the WordPress administrative interface and the database, deface the site, trick users into phishing attacks, or use the site to distribute malware.
Scan for Over 1200 Vulnerable WordPress Plugins & Other WordPress-specific Misconfigurations
Scan for Vulnerable WordPress Plugins
Acunetix Vulnerability Scanner identifies WordPress installations and launches security tests for over 1200 popular WordPress plugins, as well as several other tests for WordPress core vulnerabilities. It also conducts other WordPress-specific configuration tests, such as checks for weak WordPress admin passwords, WordPress username enumeration, wp-config.php backup files, malware disguised as plugins, and old versions of plugins.
The WordPress plugins detected are listed in the WordPress plugins Knowledge Base, including a description, the version number detected, and the latest plugin version to update to. Similar checks are also performed on other content management systems such as Joomla! and Drupal.
WordPress Configuration File Disclosure
Although most of the common configuration settings are available through the WordPress admin interface, the WordPress administrator might need to alter certain settings in wp-config.php directly. This is often done by first creating a backup of the known working configuration before manually altering the file in a text editor. However, the backed-up file, which still contains the database credentials and authentication salts, becomes available to whoever is able to guess the name of the backup file, because the web server serves it as plain text instead of executing it as PHP.
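As an added example (not Acunetix code), the following script audits a WordPress document root from the server side for stray copies of wp-config.php and reports whether each one still carries credential markers. It assumes the site files are reachable on a local path and that wp-config.php and the stock wp-config-sample.php are the only wp-config* names expected to exist; the sample document root is constructed inline.

```python
"""Find leftover wp-config.php backups in a WordPress document root."""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# The only wp-config* files WordPress itself expects (assumption of this example).
EXPECTED = {"wp-config.php", "wp-config-sample.php"}
# Strings that indicate the copy still holds live secrets.
CREDENTIAL_MARKERS = ("DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY")


def is_config_backup(name: str) -> bool:
    """True for wp-config.php.bak, wp-config.php~, wp-config.old, wp-config.php.txt
    and editor swap files such as .wp-config.php.swp; False for the expected files."""
    lowered = name.lower()
    if lowered in EXPECTED:
        return False
    return lowered.startswith(("wp-config", ".wp-config"))


def holds_credentials(path: Path) -> bool:
    """Does the file still contain a database password or auth salt definition?"""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return any(marker in text for marker in CREDENTIAL_MARKERS)


def find_config_backups(docroot: str) -> List[Tuple[str, bool]]:
    """Walk the document root; return sorted (relative path, contains_secrets) pairs."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_config_backup(name):
                full = Path(dirpath) / name
                findings.append((full.relative_to(root).as_posix(), holds_credentials(full)))
    return sorted(findings)


def demo_docroot() -> str:
    """Constructed sample site: the canonical file, the shipped sample, two stray copies."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-config.php").write_text("define('DB_PASSWORD', 'x');\n")
    (root / "wp-config-sample.php").write_text("define('DB_PASSWORD', 'password_here');\n")
    (root / "wp-config.php.bak").write_text("define('DB_PASSWORD', 'x');\n")  # live copy
    (root / "old").mkdir()
    (root / "old" / "wp-config.php.txt").write_text("<?php // credentials removed\n")
    return str(root)


if __name__ == "__main__":
    for rel, secret in find_config_backups(demo_docroot()):
        print(f"{rel}: {'contains credentials' if secret else 'no credential markers'}")
```

Any file reported here should be deleted from the document root (or moved outside it), and a web-server rule denying access to wp-config* files is a sensible belt-and-braces measure.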
Username Enumeration and Weak Password Guessing
Acunetix Vulnerability Scanner runs tests for username enumeration of WordPress accounts. Enumerating usernames gives attackers a head start when attacking your WordPress installation, since an attacker would then have the information needed to launch a password dictionary attack against the enumerated usernames.
Based on the users identified during the scan, Acunetix will also attempt to detect whether the enumerated users are using weak passwords, using a password list as well as other combinations, including leetspeak variants.
Identify Malicious Plugins and Themes
WordPress has its own share of malware, which generally disguises itself as a plugin or as a theme. The description of such malware tries to lure WordPress users into installing the malicious plugin or theme. Acunetix Vulnerability Scanner can also detect malicious URLs within pages based on the Google and Yandex safe-browsing databases.