WpScan - useful tool for security audit of WordPress
WPScan is a very good tool for checking any WordPress website for known vulnerabilities. The good fellas behind the project even made a wordpress plugin called WPScan WordPress plugin which can regularly scan you wordpress website for know exploits and thus let the site owner take adequate measures in the so vital timely manner. With the wordpress plugin anyone can merely check his website for exploits after completing a registration and getting his free api key for the plugin. Some reporting over email is also available which is convenient when the site admin is not around. There are zero day exploits and also well known public exploits. WPScan won’t do much about the zero days but at least alerting the webmasters for known exploits for free is a must have feature. The wpscan team have a neat github page. It basically contains more technical but important info on getting wpscan to run on your system correctly.
Installation is pretty much a straight forward process. The prerequisites also known as dependencies/requirements that must be installed before wpscan are: rvm (ruby version manager), ruby, curl, rubygems and nokogiri. After having all these beautifully installed with no issues you have 2 options to install wpscan: 1. (recommended): gem install wpscan and 2. (not recommended): git clone https://github.com/wpscanteam/wpscan && cd wpscan/ && bundle install && rake install. Once wpscan is installed then it’s up to you how to check websites. Getting to know basic usage examples, understanding of publicly known wordpress flaws are good starting points for wpscan. If you have ever used metasploit framework console then you can consider wpscan to be something like the metasploit tool but specifically targeting the wordpress software. Good luck auditing websites for vulnerabilities.