WordPress Security Scan
Medium
Scans WordPress sites for vulnerable plugins, themes, and core version issues using WPScan.
What is WPScan?
WPScan is a WordPress security scanner that checks for vulnerable plugins, themes, and core WordPress versions. It uses a comprehensive database of known WordPress vulnerabilities to identify security issues.
Security Impact
Severity: High
- Exploitation of known plugin/theme vulnerabilities
- Unauthorized admin access through weak credentials
- Cross-site scripting (XSS) through outdated components
- Remote code execution via vulnerable plugins
- Data breach through SQL injection in plugins
How to Fix
1. Update WordPress Core
Always keep WordPress core up to date:
# Via WP-CLI
wp core update
wp core update-db
2. Update All Plugins
# Update all plugins
wp plugin update --all
# List plugins with an update available (outdated plugins are the ones most likely to carry known vulnerabilities)
wp plugin list --update=available
3. Update All Themes
# Update all themes
wp theme update --all
# Remove unused themes
wp theme delete twentytwenty
4. Remove Unused Plugins and Themes
# List inactive plugins
wp plugin list --status=inactive
# Delete inactive plugins
wp plugin delete plugin-name
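As an added example (not part of the original page, of WP-CLI, or of StackShield), the script below automates the inventory side of steps 2 to 4: it reads the CSV that `wp plugin list` and `wp theme list` emit and reports components with a pending update and inactive components that are candidates for deletion. The `--live` flag, the chosen field list and the sample CSV are assumptions of this example; the sample rows are constructed, not real site data.

```shell
#!/bin/sh
# Added example (not from the page or StackShield): audit WP-CLI list output
# for components that are inactive or have a pending update, the two states
# the "How to Fix" steps tell you to clean up.
set -eu

# Both functions take the CSV text produced by
#   wp plugin list --fields=name,status,update,version --format=csv
# (or the same for wp theme list) as their first argument and print one
# component name per line.

# Components whose "update" column is "available"
list_updatable() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Components whose "status" column is "inactive"
list_inactive() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Constructed sample output (not real data) in the shape WP-CLI emits.
SAMPLE_PLUGINS='name,status,update,version
akismet,active,none,5.3
hello,inactive,none,1.7.2
contact-form-7,active,available,5.9.3
wp-super-cache,inactive,available,1.12.0'

# Live mode: run inside a WordPress install with wp on PATH.
if [ "${1:-}" = "--live" ] && command -v wp >/dev/null 2>&1; then
  plugins=$(wp plugin list --fields=name,status,update,version --format=csv)
  themes=$(wp theme list --fields=name,status,update,version --format=csv)
  echo "Plugins with updates pending:"; list_updatable "$plugins"
  echo "Inactive plugins (candidates for wp plugin delete):"; list_inactive "$plugins"
  echo "Themes with updates pending:"; list_updatable "$themes"
  echo "Inactive themes (candidates for wp theme delete):"; list_inactive "$themes"
else
  echo "Sample plugins with updates pending:"; list_updatable "$SAMPLE_PLUGINS"
  echo "Sample inactive plugins:"; list_inactive "$SAMPLE_PLUGINS"
fi
```

Run it with `--live` from the WordPress root to audit the real site; without arguments it demonstrates the parsing on the constructed sample. A plugin that is both inactive and outdated (like `wp-super-cache` in the sample) shows up in both lists, which is the case to delete rather than update.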
5. Protect wp-login.php
# Nginx - restrict login access by IP (replace YOUR_IP with your address or CIDR range)
# Make sure SCRIPT_FILENAME is set for this location as well, e.g. via fastcgi.conf or
# the PHP snippet your distribution ships, since fastcgi_params alone may not set it.
location = /wp-login.php {
    allow YOUR_IP;
    deny all;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
}
# Or add rate limiting. limit_req_zone must be declared in the http {} context and the
# location block in server {}; requests over the limit receive 503 by default.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;
location = /wp-login.php {
    limit_req zone=wplogin burst=3 nodelay;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
}
6. Disable XML-RPC (if not needed)
# Nginx
# return runs in the rewrite phase, before deny is evaluated, so clients see a 404;
# deny all is kept as a fallback should the return line be removed.
location = /xmlrpc.php {
    deny all;
    return 404;
}
7. Hide WordPress Version
// functions.php
// Drop the <meta name="generator"> tag that prints the WordPress version
remove_action('wp_head', 'wp_generator');

// Remove the ?ver= query string from enqueued scripts and styles.
// strpos() returns 0 when the needle sits at offset 0, so compare against false explicitly.
function remove_version_strings($src) {
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'remove_version_strings');
add_filter('script_loader_src', 'remove_version_strings');
8. Secure wp-config.php
# Nginx - block direct access (return 404 is evaluated before deny all, so the file appears not to exist)
location = /wp-config.php {
    deny all;
    return 404;
}
Note for Laravel Applications
If your Laravel application does not use WordPress, this scan may return no findings. WPScan is most relevant for sites that include a WordPress blog or CMS component alongside the Laravel application.
Verification
After applying fixes, WPScan should report no vulnerable plugins, themes, or core versions. User enumeration should be blocked and the login page should be rate-limited.
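The script below is added here as a worked example and is not taken from the page, from WPScan or from StackShield. It turns the verification paragraph above into repeatable checks against your own site: generator tag gone, `?ver=` strings gone, `xmlrpc.php` and `wp-config.php` unreachable, and the login page rate-limited. Each check is a function that takes a fetched body or status code, so the logic is exercised on constructed HTML when no site URL is given. The status-code conventions it assumes (403/404 for blocked files, 503 for nginx `limit_req`), the helper names and the sample HTML are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page, WPScan or StackShield): post-fix verification
# of the hardening steps above. Usage: ./verify.sh https://example.test
set -eu

# check_generator BODY -> FAIL if the WordPress generator meta tag is still present
check_generator() {
  if printf '%s' "$1" | grep -qi '<meta name="generator" content="WordPress'; then
    echo FAIL
  else
    echo PASS
  fi
}

# check_version_query BODY -> FAIL if any asset URL still carries a ver= query parameter
check_version_query() {
  if printf '%s' "$1" | grep -Eq '[?&]ver=[0-9]'; then echo FAIL; else echo PASS; fi
}

# check_blocked STATUS -> PASS when a file that should be unreachable returned 403 or 404
check_blocked() {
  case "$1" in
    403|404) echo PASS ;;
    *) echo FAIL ;;
  esac
}

# check_rate_limit "CODE CODE ..." -> PASS if at least one request in a burst was
# rejected with 429 or 503 (503 is what nginx limit_req returns by default)
check_rate_limit() {
  case " $1 " in
    *" 429 "*|*" 503 "*) echo PASS ;;
    *) echo FAIL ;;
  esac
}

# fetch_status URL -> HTTP status code only (assumes curl is installed)
fetch_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Constructed sample bodies (not a real site): the "before" and "after" states.
SAMPLE_LEAKY='<html><head>
<meta name="generator" content="WordPress 6.5" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head></html>'
SAMPLE_CLEAN='<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head></html>'

if [ "${1:-}" != "" ]; then
  site="${1%/}"
  body=$(curl -s "$site/")
  echo "generator tag removed:   $(check_generator "$body")"
  echo "version strings removed: $(check_version_query "$body")"
  echo "xmlrpc.php blocked:      $(check_blocked "$(fetch_status "$site/xmlrpc.php")")"
  echo "wp-config.php blocked:   $(check_blocked "$(fetch_status "$site/wp-config.php")")"
  # Eight quick requests exceed rate=1r/s with burst=3, so one of them should be rejected.
  codes=""
  for _ in 1 2 3 4 5 6 7 8; do codes="$codes $(fetch_status "$site/wp-login.php")"; done
  echo "login rate limited:      $(check_rate_limit "$codes")"
else
  echo "sample (leaky) generator check: $(check_generator "$SAMPLE_LEAKY")"
  echo "sample (clean) generator check: $(check_generator "$SAMPLE_CLEAN")"
  echo "sample (leaky) version check:   $(check_version_query "$SAMPLE_LEAKY")"
fi
```

If you restricted `wp-login.php` by IP rather than rate-limiting it, run the script from an address outside the allow list and expect the login burst to return 403 on every request; in that case `check_rate_limit` reports FAIL by design and `check_blocked` is the relevant verdict for that path.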
Related Issues
- Nikto Web Server Scan
- Technology Fingerprinting
- Directory Bruteforce Scan
Automatically detect this issue
StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.