For anyone managing a WordPress site, knowing how to scan for vulnerabilities in WordPress using VirtualBox is important. With WordPress powering over 40% of websites globally, it’s a target for cyberattacks. From outdated plugins to weak passwords, vulnerabilities in WordPress sites can expose critical data and compromise your site’s functionality.
One of the best and most secure ways to test a WordPress site for weaknesses is to set up a local environment using VirtualBox. This way, you replicate your site on a virtual machine (VM), scan for vulnerabilities, and experiment with security improvements, all without affecting your live website.
This guide walks you through setting up a Linux-based virtual environment with WordPress installed, then using tools like WPScan or OpenVAS to identify and fix potential security risks.
How to Set Up Your Virtual Environment
To scan for vulnerabilities on WordPress without risking your live site, you’ll first need a virtual environment. VirtualBox, a free virtualization tool, is perfect for this task, allowing you to set up and configure a virtual machine (VM) that runs a Linux-based web server. Let’s go through each step.
Step 1: Install VirtualBox.
- Download VirtualBox: Head over to the VirtualBox download page and select the version that matches your operating system (Windows, macOS, or Linux).
- Install VirtualBox: Follow the installation instructions for your OS, running the downloaded installer and completing the setup wizard. Make sure to install any required dependencies if prompted.
- Verify Installation: Once installed, open VirtualBox. You should see the VirtualBox Manager interface, where you’ll create and manage virtual machines.
Step 2: Create a New Virtual Machine.
- Open the VirtualBox Manager and click “New” to start creating a new VM.
- Configure the VM Name in Settings: Enter a name (e.g., “WordPress Test Environment”) to identify this VM easily.
- Set the Type: Select “Linux” from the dropdown menu.
- Pick Version: Choose “Ubuntu (64-bit)” if using Ubuntu, or select the Linux distribution of your choice.
- Allocate Memory (RAM): At least 2GB (2048MB) of RAM for basic WordPress operation; 4GB is better for more complex setups.
- Create Virtual Hard Disk: Select “Create a virtual hard disk now” and allocate at least 20GB of storage to handle the operating system, WordPress files, and other tools.
- Finalize VM Creation: Click through the prompts to complete the VM setup.
Step 3: Install Linux on the Virtual Machine.
- Download a Linux ISO: Download an ISO file of a lightweight Linux distribution like Ubuntu Server or Debian.
- Attach the ISO to Your VM:
In VirtualBox Manager, select your VM and click “Settings”. Navigate to the Storage tab, click on the “Empty” disk, and then select “Choose a disk file” to attach the ISO file you downloaded.
- Boot the VM and Install Linux:
Start the VM, which will boot from the attached ISO file. You should see the Linux installation screen. Follow the installation prompts, including configuring basic network settings, user accounts, and setting a secure root password.
After installation, restart the VM and log in with the credentials you created.
- Update Linux:
Once logged in, update your Linux OS to ensure you have the latest security patches. Run:
sudo apt update && sudo apt upgrade
Step 4: Enable Network Settings for the VM.
To scan the WordPress installation, you need to make sure the VM can communicate over the network.
- Set Up Network Configuration:
Go to your VM settings in VirtualBox, click on Network, and choose “Bridged Adapter” for network configuration. This will allow your VM to have its own IP address on your local network.
Start the VM and log in. Run the following command to get the IP address of your VM:
ip a
Note this IP address, as you’ll need it to access your WordPress site later.
Step 5: Install Additional Tools (Optional)
Some optional tools may make it easier to manage your VM or perform scans.
- Install SSH (Secure Shell): This allows you to remotely access the VM from your host system, making management easier.
sudo apt install openssh-server
- Install Git: If you plan to use Git repositories to manage WordPress themes or plugins.
sudo apt install git
- Take a VM Snapshot: Before proceeding, take a snapshot of your VM’s current state so you can revert to a clean setup if something goes wrong during testing. In VirtualBox Manager, right-click on the VM, select Snapshots, and create a new snapshot with a descriptive name like “Initial Setup.”
How do I scan my WordPress site for malware vulnerabilities?
With your WordPress installation set up in a VirtualBox environment, it’s time to identify any potential security issues using a vulnerability scanner.
This guide will walk you through running a scan with WPScan, a powerful tool specifically designed for WordPress security. We’ll cover basic commands, how to interpret results, and an alternative option using OpenVAS for a broader scan.
Step 1: How to Configure WPScan for WordPress
WPScan is a command-line tool that scans for known vulnerabilities in WordPress core files, plugins, and themes. Follow these steps to set it up on your virtual machine:
- Install WPScan: WPScan requires Ruby, so install both Ruby and WPScan on your VM:
sudo apt install ruby-full
sudo gem install wpscan
- Get an API Token: WPScan requires an API token for accessing the most up-to-date vulnerability database. Register for a free token at the WPScan website. Once you have your token, you’ll use it when running WPScan to ensure accurate and complete results.
- Basic WPScan Configuration: Ensure you know the IP address or domain of your WordPress installation (from the setup steps above). To get started, run a basic scan with the following command:
wpscan --url http://your-wordpress-site-ip --api-token YOUR_API_TOKEN
Step 2: How to Start Performing the Scan on VirtualBox
- Core Vulnerabilities Scan: This will scan the WordPress core installation for any vulnerabilities. Use the following command:
wpscan --url http://your-wordpress-site-ip --api-token YOUR_API_TOKEN --enumerate vp
- Plugin and Theme Enumeration: Many vulnerabilities are due to outdated plugins or themes. Use the --enumerate option to scan for plugins (p) and themes (t):
wpscan --url http://your-wordpress-site-ip --api-token YOUR_API_TOKEN --enumerate p,t
- User Enumeration: Attackers often target usernames for brute-force attacks. To see which usernames are visible to the public, run:
wpscan --url http://your-wordpress-site-ip --api-token YOUR_API_TOKEN --enumerate u
- Password Strength Testing (Optional): WPScan can check for weak passwords if you provide a list of common passwords. Use this option cautiously, as it can be resource-intensive:
wpscan --url http://your-wordpress-site-ip --api-token YOUR_API_TOKEN --passwords path/to/password_list.txt
Step 3: Interpreting WPScan Results
After running a scan, WPScan will output a list of potential vulnerabilities, categorized by severity. Here’s how to interpret the results:
- Critical and High-Severity Vulnerabilities: These include outdated WordPress versions, plugins, or themes with known exploits. Prioritize fixing these issues by updating software or removing vulnerable components.
- Medium and Low-Severity Issues: These include exposed usernames or minor misconfigurations. Address these as time permits, focusing on easy wins like hiding usernames or changing passwords.
- False Positives: Occasionally, WPScan may flag a plugin or theme as vulnerable when it’s already patched. Check plugin or theme update logs if you suspect a false positive.
- Output Report: To save scan results to a file for easy reference, add the following option to your scan command:
--output /path/to/save/report.txt
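To work through a report programmatically instead of reading the CLI text, the following added example (not from the original post and not part of WPScan) parses a report saved with WPScan’s `--format json --output report.json` options, lists each vulnerable component with the version that fixes it, flags components whose version could not be detected (a common source of the false positives mentioned above), and lists the usernames the scan exposed. The report key names are assumed to follow WPScan’s JSON output and the sample data is constructed.

```python
import json

# Constructed sample shaped like a WPScan JSON report (wpscan ... --format json).
# Assumption: these key names follow WPScan's JSON output; all values are made up.
SAMPLE_REPORT = json.dumps({
    "version": {"number": "6.0", "status": "insecure", "vulnerabilities": [
        {"title": "Core issue (constructed)", "fixed_in": "6.0.1",
         "references": {"cve": ["0000-00000"]}}]},
    "plugins": {"example-form": {"version": {"number": "1.2.0"}, "vulnerabilities": [
        {"title": "Plugin issue (constructed)", "fixed_in": "1.3.0",
         "references": {"cve": ["0000-00001"]}}]},
                "clean-plugin": {"version": {"number": "2.0"}, "vulnerabilities": []}},
    "themes": {"example-theme": {"version": None, "vulnerabilities": [
        {"title": "Theme issue (constructed)", "fixed_in": None, "references": {}}]}},
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
})

def _component_findings(name, comp):
    """Flatten one component (core, plugin or theme) into finding dicts."""
    ver = (comp.get("version") or {}).get("number")
    findings = []
    for v in comp.get("vulnerabilities", []):
        findings.append({
            "component": name, "version": ver, "title": v.get("title"),
            "fixed_in": v.get("fixed_in"),
            "cves": list((v.get("references") or {}).get("cve", [])),
            # No detected version: WPScan lists every known issue for the
            # component, so confirm the installed version before acting on it.
            "needs_verification": ver is None,
        })
    return findings

def summarize(report_json):
    """Return (findings, exposed_users) from a WPScan JSON report string."""
    report = json.loads(report_json)
    findings = _component_findings("wordpress-core", report.get("version") or {})
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            findings.extend(_component_findings(f"{kind[:-1]}:{slug}", comp))
    # Issues with a fix available come first; updating is the cheapest remediation.
    findings.sort(key=lambda f: (f["fixed_in"] is None, f["component"]))
    return findings, sorted((report.get("users") or {}).keys())

if __name__ == "__main__":
    import sys  # usage: python wpscan_summary.py report.json (defaults to the sample)
    findings, users = summarize(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT)
    for f in findings:
        note = " (version unknown, verify)" if f["needs_verification"] else ""
        print(f"{f['component']} {f['version']}: {f['title']} -> fix: {f['fixed_in']}{note}")
    print("exposed usernames:", ", ".join(users))
```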
Step 4: Optional – Running a Broader Scan with OpenVAS
For a more comprehensive security check that goes beyond WordPress, consider using OpenVAS, an open-source general-purpose vulnerability scanner.
- Install OpenVAS: Install OpenVAS by running the commands below. OpenVAS will then initialize and update its vulnerability feeds, which may take some time:
sudo apt install openvas
sudo openvas-setup
- Run an OpenVAS Scan: Launch the OpenVAS web interface by visiting https://your-vm-ip:9392 in a browser, and log in with the credentials set during setup. Create a new scan task targeting your WordPress IP address and run the scan. OpenVAS will assess a wide range of vulnerabilities, from misconfigurations to potential network issues.
Step 5: Re-Scanning for Verification
After addressing vulnerabilities flagged in WPScan or OpenVAS, run the same WPScan commands as before to confirm that issues have been resolved. For OpenVAS, repeat the scan to ensure that server and network vulnerabilities have been addressed.