Interview From Ryan Dewhurst (WPScan) & Mark from WordFence on securing your WordPress website
Ryan Dewhurst is the creator and founder of WPScan. In this interview with WordFence he explains what WPScan can do and what that means for WordPress security.
What is WPScan?
WPScan is a program that runs on Linux (it is currently installed by default in Kali Linux) and lets you test the security of your WordPress website.
WPScan lets you run the following security tests, which reveal both information and vulnerabilities:
- User accounts
WPScan attempts to extract usernames/accounts. A username is 50% of the login details required to get into the WordPress administration panel.
- Brute-force testing of passwords
Using a large wordlist, WPScan tries every password against the website. When the correct password is guessed, you will see this in the result.
- Checking the active plugins
Both the plugins and the plugin versions are displayed, together with the known vulnerabilities for each version.
- WordPress leaks
The current WordPress version is looked up in 6 ways. If the relevant version has leaks (known vulnerabilities), they are displayed immediately.
- And more...
With WPScan you find out where your website is leaking and what steps you need to take to make your website more secure.
WPScan is what is called a pen test tool. "Pen test" is an abbreviation of "penetration test"; in short: how far does a hacker or hackbot get into your website?
The beginning of WPScan
WPScan was founded in 2011 as a tool to test WordPress websites for their security.
In 2014 the website wpvulndb.com was added, a public website where everyone can easily see which plugins, themes or WordPress core versions contain leaks (exploitable vulnerabilities).
WordFence and WPScan
WordFence, the developer of a renowned security plugin for WordPress, has long been using WPScan to improve WordFence. They look at the so-called exploits (weaknesses that can be exploited) that WPScan reports.
They also use the information from wpvulndb.com to see which plugins are leaking.
Tips from a security expert
You can protect yourself against hackbots and hackers who use various methods to hack your website.
Ryan Dewhurst lists the 3 most important ones in the interview:
- Limit the number of administrators who can manage your website
- Use good passwords
- Install a security plugin such as WordFence
Addition: using a security plugin ensures that hackers get little information from your website. Hackbot requests are blocked based on patterns (the specific requests they make) and on the number of requests.
We ourselves use iThemes Security PRO, but we recommend everyone who is not yet a customer of ours: put at least 1 security plugin on your website and configure that security plugin properly. Without a security plugin, your WordPress website is an open door that can be rattled until a hacker gets into the admin panel and places malware, with all the consequences that entails.
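As an added illustration of the pattern- and rate-based blocking just described (example code written for this summary, not part of WordFence, iThemes Security or WPScan), the following Python script flags, in a web server access log, the request patterns WPScan produces: author-ID and REST user enumeration, a burst of failed logins on wp-login.php, and the WPScan user agent. The log lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic). 203.0.113.7 behaves
# like a scanner: username enumeration followed by a burst of failed logins (a failed login
# re-renders the form with HTTP 200; a successful one redirects with 302). 198.51.100.2 is a
# normal user who logs in once.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=%d HTTP/1.1" 301 0 "-" "WPScan v3.8"' % i
     for i in (1, 2, 3)]
    + ['203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "WPScan v3.8"']
    + ['203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"' % s
       for s in range(40, 48)]
    + ['198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
       '198.51.100.2 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def analyze(log_text, login_threshold=5, enum_threshold=3):
    """Return {ip: sorted finding names} for client IPs that show WPScan-like behaviour."""
    enum_hits = defaultdict(int)      # ?author=N and /wp-json/wp/v2/users probes per IP
    failed_logins = defaultdict(int)  # POST /wp-login.php answered with 200 per IP
    scanner_ua = set()                # IPs that announce themselves as WPScan
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status, ua = m.group("ip", "method", "path", "status", "ua")
        if "wpscan" in ua.lower():
            scanner_ua.add(ip)
        if "author=" in path or path.startswith("/wp-json/wp/v2/users"):
            enum_hits[ip] += 1
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed_logins[ip] += 1
    findings = defaultdict(set)
    for ip in scanner_ua:
        findings[ip].add("scanner-user-agent")
    for ip, n in enum_hits.items():
        if n >= enum_threshold:
            findings[ip].add("username-enumeration")
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].add("login-brute-force")
    return {ip: sorted(f) for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(hits))
```

A security plugin or a web application firewall applies the same kind of rules in real time; the thresholds here are deliberately low so that the constructed sample triggers them.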
The interview
If you are comfortable with English, you can watch the full interview.
Is the video no longer available? Let us know at info[a]wpbeveiligen.nl and we will look for an alternative on YouTube.