Protect WordPress Sites from WP Scan

WP Scan is a tool to scan for vulnerable parts on your WordPress website. It checks various kinds of files and directories to make sure you don’t leave the backdoor behind.

WP Scan is capable to:

Scan in general
Guess WordPress login name and password
List all plugins the site is using
List what theme the site is using
Ability to read .htaccess, XML files, …

Image from Tecmint

However, hackers can use it to scan your site, looking for possible backdoors, and use them to attack your site and steal the information. Cam CERT’s tip has written a great advice on what to allow and what not to.

WP Scan does not support Windows operating system. It comes pre-installed on some Linux distributions and is packaged by Homebrew for Mac OS.

Regardless of the operating systems needed, install WP Scan by using Docker.

First, you need Docker to be up and running on your machine. To install Docker, follow this tutorial.

Next, install WP Scan by running the following command:

docker pull wpscanteam/wpscan

Scan any of your sites by running the following command:

docker run -it --rm wpscanteam/wpscan -u https://yourblog.com [options]

You can find the [options] argument on the WP Scan official website.

Here are the things we should add to stop hackers who might use this tool against us.

1. Block from Reading robots.txt File

Hook the following codes to your functions.php:

/** Block Robot Information */ add_action(‘do_robots’, ‘hook_robots’, 1); function hook_robots() { // Return 404 status_header(404); // End script die(); }

2. Block from Reading readme.txt File

Simply put the following code to your .htaccess file:

RewriteRule ^readme\.html$ – [R=404,L,NC]

3. Block Full Path Disclosure

When a website is badly configured, hackers can pull down all your directory structures from wp-includes/rss-functions.php.

To stop this action, put the following setting to your .htaccess file:

RewriteRule ^wp-includes/rss-functions\.php$ – [R=404,L,NC]

4. Block from Reading wp-config.php File

Put the following settings to your .htaccess file:

RewriteRule ^wp-config\.php\.save$index.php?wp_config_enumeration=1 [L] RewriteRule ^\.wp-config\.php\.swp$ index.php?wp_config_enumeration=1 [L] RewriteRule ^wp-config\.php\.swp$ index.php?wp_config_enumeration=1 [L]

Then put the following codes to your functions.php:

/** Detect this requests and temporary block user. */ $transient_name = ‘wce_block_’.$_SERVER[‘REMOTE_ADDR’]; $transient_value = get_transient( $transient_name );

if ( $transient_value !== false ) { die( ‘BANNED!’ ); }

if ( isset( $_GET[‘wp_config_enumeration’] ) ) { set_transient( $transient_name, 1, DAY_IN_SECONDS ); die(‘BANNED!’); }

5. Disable User-Agent

Put the following codes to your functions.php:

/** Detect User Agent */ if ( !empty( $_SERVER[‘HTTP_USER_AGENT’] ) && preg_match(‘/WPScan/i’, $_SERVER[‘HTTP_USER_AGENT’] ) ) { die( ‘Wrong user agent’ ); }

6. Block from Reading from XML-RPC Server

Put the following codes into your functions.php:

/** Remove strange XML-RPC server info. */ function add_fake_xmlrpc() { // We don’t want to display die(‘XML-RPC server accepts POST requests only.’); on $_GET if ( !empty( $_POST ) ) { return ‘wp_xmlrpc_server’; } else { return ‘fake_xmlrpc’; } }

add_filter(‘wp_xmlrpc_server_class’, ‘add_fake_xmlrpc’);

class fake_xmlrpc { function serve_request() { // It's fake ? die(); } }

7. Hide Your WordPress Version Information

Append these codes to your functions.php:

/** Remove generator info. */ remove_action(‘wp_head’, ‘wp_generator’); add_filter(‘the_generator’, ‘remove_generator’); function remove_generator() { // Return nothing return ”; }

8. Stop Advance Fingerprint

First, add the following setting to your .htaccess file:

RewriteRule ^wp-includes/js/tinymce/wp-tinymce\.js\.gz$ index.php?advanced_fingerprinting=1 [L]

then put the following codes to append to your functions.php

/** Prevent advanced fingerprinting */ if ( isset( $_GET[‘advanced_fingerprinting’] ) ) { switch ($_GET[‘advanced_fingerprinting’]) { case ‘1’: // Unpack file $file = gzopen( ABSPATH . ’wp-includes/js/tinymce/wp-tinymce.js.gz’, ‘rb’ ); // Add comment $out = ‘// ‘ . uniqid(true) . ”\n”; while( !gzeof( $file ) ) { $out .= gzread( $file, 4096 ); }

// Pack again header( ‘Content-type: application/x-gzip’ ); echo gzencode($out); break; default: status_header( 404 ); }

die(); }

9. Remove WordPress Version Number

Append these codes to the functions.php:

/** Remove version number from stylesheet. */ add_action( ‘init’, ‘init’ ); function init() { global $wp_version; $wp_version = ‘some_strange_number’; }

10. Disable Plugin Enumeration

Put the following setting to your .htaccess file:

RewriteRule ^(.*)wp-content/plugins/(.*)$ index.php?plugin_enumeration=1 [L]

Then place the following codes to your functions.php:

/** Stop plugin enumeration. */ if (isset($_GET[‘plugin_enumeration’])) { // Display something random die(‘‘); }

11. Block Username Enumeration

Hackers can get your username easily by just appending the ?author=[user_id] to the domain name. To disable the access to the $_GET['author'], simply add the following codes to your functions.php file:

/** Prevent username enumeration. */ if ( ! is_admin() && isset( $_REQUEST[‘author’] ) ) { status_header(404); die(); }

After applying the above configurations, when WP Scan scans your website, it will tell you that "The remote website is up, but does not seem to be running WordPress".

Source: CamCERT

3 thoughts on “Protect WordPress Sites from WP Scan”

eyeDug says:
July 9, 2021 at 1:54 pm
hello, how can i solve this problem with this page showing? eye
1. Vannkorn says:
  July 18, 2021 at 4:47 pm
  Hey eye, I’m not sure what you really meant.
tantricmassagelondon.co.uk says:
July 31, 2024 at 9:36 pm
I constantly spent my half an hour to read this blog’s articles or reviews all
the time along with a cup of coffee.