Below I will show a few methods which can prevent a WPScan scan.
First, WPScan tries to find
If the /wp-content/plugins/ string is found inside the site content, the default dir is used.
In other cases it tries to use a more complex regexp. This one searches for
/plugins/ and, if something is found, uses the string before it as the wp-content dir.
But there is one exception: if twitter.com exists inside the URL string, it is omitted.
So, if we change the wp-content dir to
facebook.com/another_dir, WPScan will try to check only
We can change this dir using wp-config.php - see
Also we need to move the folder contents using FTP.
Right now we will get:
2. Disable robots.txt
The robots.txt file is used to obtain useful information.
We can disable generating this file by hooking do_robots.
3. Remove readme.html
The readme.html file is used to obtain WordPress version info.
We can disable access to this file using
RewriteRule ^readme\.html$ - [R=404,L,NC]
4. Prevent Full Path Disclosure
When the server is badly configured it's possible to obtain path information by displaying
Because this file is deprecated, we can disable access to it.
RewriteRule ^wp-includes/rss-functions\.php$ - [R=404,L,NC]
5. Detect wp-config.php enumeration
WPScan contains a list of files which can be created by some text editors (like VIM) when the wp-config.php file is opened and then uploaded to the server by mistake.
We can assume that it's very unlikely that a normal user will visit
.wp-config.php.swp by mistake.
So we can detect these requests and temporarily block the user.
6. Detect User Agent
The string WPScan v2.9 (http://wpscan.org) is used as the User Agent.
So we can easily detect this.
7. Remove strange XML-RPC server info
By default when you open xmlrpc.php it displays the text XML-RPC server accepts POST requests only.
WPScan tries to find this string in order to check if xmlrpc functionality exists.
We can prevent this by hooking wp_xmlrpc_server_class and creating our own xmlrpc class on
8. Remove generator info
We can remove <meta name="generator" content="WordPress" /> from the source code.
9. Prevent advanced fingerprinting
In wp_versions.xml WPScan stores a list of files which can be used to detect the WordPress version based on file hash.
We should modify each of the files there. Right now we will focus on version
It can be detected using:
The first one is disabled using
RewriteRule ^wp-includes/js/tinymce/wp-tinymce\.js\.gz$ index.php?advanced_fingerprinting=1 [L]
10. Remove version number from stylesheet
WordPress adds the version number inside the stylesheet link, for example:
<link rel='stylesheet' id='twentyfifteen-style-css' href='http://szurek.pl/wp-content/themes/twentyfifteen/style.css?ver=4.3.1' type='text/css' media='all' />
We can change this using global $wp_version.
11. Stop plugin enumeration
WPScan can enumerate installed plugins and then display info about known vulnerabilities in them.
We can trick this scan so it will think that we have every plugin installed.
Because of that, the output will be very long and useless.
12. Prevent username enumeration
In WordPress when you visit ?author=1 you will be redirected to
Using this, WPScan can obtain usernames very easily.
So we can block any
Proof of Concept:
Below you can find an example WordPress plugin which uses the techniques described above.
This code is not heavily tested and should not be used on any production website.
It should only give you an idea of how this kind of protection can be implemented.
You can also download this file from here.
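The author's plugin is not reproduced on this page. As an added example that is my own code, not the author's plugin, the following plugin implements sections 2, 5, 6, 8 and 12 using the hooks named above. The swap-file suffix list, the 10-minute block window and the aw_ helper names are assumptions made for this example.

```php
<?php
/*
Plugin Name: Anti-WPScan example (hypothetical, added for illustration)
*/
if ( ! defined( 'ABSPATH' ) ) { exit; }

// Section 5: editor swap/backup copies of wp-config.php (e.g. .wp-config.php.swp).
// The suffix list is constructed for this example, not taken from WPScan's list.
define( 'AW_PROBE_PATTERN', '#/\.?wp-config\.php(\.swp|\.swo|~|\.bak|\.save|\.old|\.orig)$#i' );
define( 'AW_BLOCK_TTL', 10 * MINUTE_IN_SECONDS ); // how long a flagged client stays blocked

function aw_client_key() {
    // Keyed on REMOTE_ADDR; behind a reverse proxy this is the proxy's address, adjust accordingly.
    return 'aw_block_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

function aw_deny( $code ) {
    status_header( $code );
    nocache_headers();
    exit;
}

add_action( 'init', function () {
    // A client flagged earlier gets a bare 403 until the transient expires.
    if ( get_transient( aw_client_key() ) ) {
        aw_deny( 403 );
    }
    $path = (string) parse_url( $_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH );
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    // Section 6: the default User-Agent contains "WPScan". It is trivially changed by the
    // scanner's operator, so treat it as a detection signal, not a control.
    if ( preg_match( AW_PROBE_PATTERN, $path ) || stripos( $ua, 'WPScan' ) !== false ) {
        set_transient( aw_client_key(), 1, AW_BLOCK_TTL );
        error_log( sprintf( 'anti-wpscan: flagged %s for %s (UA: %s)', $_SERVER['REMOTE_ADDR'] ?? '?', $path, $ua ) );
        aw_deny( 403 );
    }
    // Section 12: ?author=N would otherwise redirect to /author/<login>/ on template_redirect.
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        aw_deny( 404 );
    }
}, 0 );

// Section 2: drop WordPress' default robots.txt body, which lists the wp-admin paths.
remove_action( 'do_robots', 'do_robots' );
add_action( 'do_robots', function () { echo "User-agent: *\n"; } );

// Section 8: remove the generator meta tag from wp_head.
remove_action( 'wp_head', 'wp_generator' );
```

Flagged requests are written to the PHP error log so the block is visible to whoever monitors the server, not only to the scanner.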