ARGUS

WordPress Security Scanner — All-Seeing Guardian
"Eyes on the site. Proof in the log..."
🎯 Target: https://test-wp.avlab.pl
📅 Date: 2025-12-07T15:57:33.199261+00:00
🔒 Mode: SAFE
⚙️ Version: Argus 0.1.0
Critical: 0
High: 2
Medium: 8
Low: 3
Info: 11

📊 Scan Overview

Findings: 24
Mode: SAFE
CMS: WordPress
HTTP Requests: 164

🔍 Security Findings (24)

Each finding below is printed as: ID and title, description, evidence (body/header/url/path/other), then severity and confidence on one line (e.g. "medium high"), then the recommendation.
ARGUS-WP-000 WordPress detected
body: Found 3/5 WP indicators
Indicators: /wp-content/, /wp-includes/, /wp-admin/
info high
WordPress installation confirmed. Proceed with security checks.
ARGUS-WP-001 WordPress core version disclosed

WordPress core version 6.9 was disclosed by three independent sources (the meta generator tag, the RSS feed's generator element, and ?ver= query strings on core assets). An exact core version lets an attacker match the site against published vulnerabilities instead of guessing.

other: Version: 6.9
Methods: ['meta_generator', 'rss_feed', 'assets']
medium high
1. Update WordPress to the latest version; this is the only step that removes the exposure, the rest only reduce fingerprinting 2. Suppress the version string at its source with add_filter('the_generator', '__return_empty_string'), which covers both the meta tag and the feed generator element 3. Restrict access to readme.html and license.txt, which repeat the version and confirm the product 4. Strip ?ver= from core asset URLs (script_loader_src / style_loader_src filters) or use a security plugin that masks WP fingerprints
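To reproduce the three detection methods above (plus readme.html) offline, here is an added Python example; it is not Argus code and it runs on constructed sample responses, not on material captured from test-wp.avlab.pl. It also shows why removing only the meta generator tag leaves the version discoverable from the other sources.

```python
import re
from typing import Optional

# Constructed sample responses (illustrative, not captured from the scanned
# site): the places a stock WordPress install prints its core version.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.9" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.9" />
<link rel="stylesheet" href="/wp-content/themes/twentytwentyfour/style.css?ver=1.4" />
<script src="/wp-content/plugins/akismet/_inc/akismet-frontend.js?ver=1732300000"></script>
</head><body></body></html>"""

SAMPLE_RSS = """<?xml version="1.0"?><rss version="2.0"><channel>
<generator>https://wordpress.org/?v=6.9</generator>
</channel></rss>"""

SAMPLE_README = """<html><body><h1 id="logo">
<img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br />
Version 6.9</h1></body></html>"""

VERSION = r"(\d+\.\d+(?:\.\d+)?)"


def version_from_meta_generator(html: str) -> Optional[str]:
    m = re.search(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress ' + VERSION, html, re.I)
    return m.group(1) if m else None


def version_from_rss(rss: str) -> Optional[str]:
    m = re.search(r"<generator>https?://wordpress\.org/\?v=" + VERSION, rss)
    return m.group(1) if m else None


def version_from_assets(html: str) -> Optional[str]:
    # Only assets under /wp-includes/ carry the core version in ?ver=.
    # Plugin and theme assets use their own version or a cache-busting
    # timestamp, so they must be excluded or the fingerprint is wrong.
    hits = re.findall(r'/wp-includes/[^"\'\s]*\?ver=' + VERSION, html)
    return hits[0] if hits else None


def version_from_readme(readme: str) -> Optional[str]:
    # readme.html prints "Version X.Y" after the logo inside its <h1>.
    m = re.search(r"<br\s*/?>\s*Version " + VERSION, readme)
    return m.group(1) if m else None


def fingerprint_core(html: str, rss: str, readme: str) -> dict:
    """Cross-check every source; a single agreed value is the finding,
    disagreement means one source is stale or a decoy and needs a look."""
    results = {
        "meta_generator": version_from_meta_generator(html),
        "rss_feed": version_from_rss(rss),
        "assets": version_from_assets(html),
        "readme_html": version_from_readme(readme),
    }
    seen = sorted({v for v in results.values() if v})
    return {
        "version": seen[0] if len(seen) == 1 else None,
        "versions_seen": seen,
        "methods": [name for name, v in results.items() if v],
    }


def without_generator_tag(html: str) -> str:
    """What the page looks like after only the meta generator tag is removed."""
    return re.sub(r'<meta[^>]+name=["\']generator["\'][^>]*>\s*', "", html, flags=re.I)


if __name__ == "__main__":
    print(fingerprint_core(SAMPLE_HTML, SAMPLE_RSS, SAMPLE_README))
    # Removing only the generator tag still leaves three sources.
    print(fingerprint_core(without_generator_tag(SAMPLE_HTML), SAMPLE_RSS, SAMPLE_README))
```

The asset check is deliberately limited to /wp-includes/ paths: a naive "any ?ver=" match would report a plugin or theme version as the core version, which is a common false positive in home-grown fingerprinting.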
ARGUS-WP-050 Missing security header: HSTS (HTTP Strict Transport Security)

The Strict-Transport-Security header is not set. When present it tells browsers to use HTTPS only for this host for max-age seconds, which defeats SSL-stripping/protocol-downgrade attacks on return visits; a first visit is protected only if the domain is on the browser preload list.

header: Strict-Transport-Security: [not set]
Header missing in HTTP response
medium high
Add header (on HTTPS responses only): Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Roll it out with a short max-age first, and add includeSubDomains and preload only once every subdomain serves valid HTTPS; preload requires submission to hstspreload.org and is hard to undo.
ARGUS-WP-050 Missing security header: Content Security Policy (CSP)

The Content-Security-Policy header is not set. A CSP restricts where scripts, styles, frames and other resources may load from, which mitigates XSS, clickjacking (via frame-ancestors) and other injection attacks.

header: Content-Security-Policy: [not set]
Header missing in HTTP response
medium high
Add a CSP with directives tailored to the site (e.g. default-src 'self'). A strict policy will break wp-admin and many themes and plugins that rely on inline scripts, so deploy it as Content-Security-Policy-Report-Only first, review the violation reports, then enforce.
ARGUS-WP-050 Missing security header: X-Frame-Options

The X-Frame-Options header is not set. It controls whether the page may be embedded in an iframe and so prevents clickjacking; CSP frame-ancestors supersedes it in current browsers, but the header is still worth sending for older ones.

header: X-Frame-Options: [not set]
Header missing in HTTP response
medium high
Add header: X-Frame-Options: SAMEORIGIN or DENY
ARGUS-WP-050 Missing security header: X-Content-Type-Options

The X-Content-Type-Options header is not set. With nosniff, browsers honour the declared Content-Type instead of sniffing, which prevents MIME-confusion attacks (e.g. a user upload being interpreted as a script).

header: X-Content-Type-Options: [not set]
Header missing in HTTP response
low high
Add header: X-Content-Type-Options: nosniff
ARGUS-WP-050 Missing security header: X-XSS-Protection (Legacy)

The X-XSS-Protection header is not set. This is the legacy browser XSS auditor; current Chromium and Firefox browsers ignore it, and where it still runs it can be abused to leak page content, so its absence is not a weakness in itself. CSP is the modern control.

header: X-XSS-Protection: [not set]
Header missing in HTTP response
low high
If the header is sent at all, send X-XSS-Protection: 0 to disable the legacy filter explicitly rather than enabling it with 1; mode=block. Rely on CSP instead.
ARGUS-WP-050 Missing security header: Referrer-Policy

The Referrer-Policy header is not set. It controls how much of the current URL is sent in the Referer header on navigations and sub-resource requests; without it, full URLs (including any tokens in query strings) can leak to third parties.

header: Referrer-Policy: [not set]
Header missing in HTTP response
low high
Add header: Referrer-Policy: strict-origin-when-cross-origin
ARGUS-WP-050 Missing security header: Permissions-Policy

The Permissions-Policy header is not set. It declares which browser features (camera, microphone, geolocation, payment, etc.) the page and its embedded frames may use.

header: Permissions-Policy: [not set]
Header missing in HTTP response
info high
Add the header with the features the site does not need disabled, e.g. Permissions-Policy: camera=(), microphone=(), geolocation=()
ARGUS-WP-053 7 security header/cookie issue(s) detected

Found 7 missing headers, 0 weak headers, and 0 insecure cookies. Note that an unauthenticated scan sees no login session: the wordpress_logged_in_* and wordpress_sec_* cookies are set only after login, so their Secure/HttpOnly flags still need to be checked from an authenticated browser session.

medium high
Implement security headers best practices: 1. Add all missing security headers 2. Strengthen weak header configurations 3. Set proper cookie security flags 4. Test configuration at https://securityheaders.com/ 5. Use WordPress security plugins for easy header management
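An added Python example (not Argus code) of the audit behind this summary, run on constructed response headers rather than the site's real ones. It departs from the count above in one way: X-XSS-Protection is not required, and is reported as weak only when it is present and enabled, so the bare sample yields 6 missing headers rather than 7. It also shows the HSTS max-age and cookie-flag checks that would populate the "weak" and "insecure cookies" counts.

```python
import re

# Headers this audit requires on every HTML response, with the severity the
# report assigns to their absence. X-XSS-Protection is deliberately not
# required: the legacy filter is ignored by current browsers and, where still
# honoured, can be abused, so absent (or "0") is the desired state.
REQUIRED = {
    "Strict-Transport-Security": "medium",
    "Content-Security-Policy": "medium",
    "X-Frame-Options": "medium",
    "X-Content-Type-Options": "low",
    "Referrer-Policy": "low",
    "Permissions-Policy": "info",
}
ONE_YEAR = 31536000


def _split(headers):
    """Case-insensitive header map; Set-Cookie may repeat, so it is kept as a list."""
    single, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value
    return single, cookies


def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response.
    Returns missing / weak headers and cookies lacking Secure or HttpOnly."""
    h, cookies = _split(headers)
    missing = [(n, sev) for n, sev in REQUIRED.items() if n.lower() not in h]
    weak = []

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            weak.append(("Strict-Transport-Security", f"max-age={age} is under one year"))
        if "includesubdomains" not in hsts.lower():
            weak.append(("Strict-Transport-Security", "includeSubDomains not set"))

    csp = h.get("content-security-policy", "")
    if csp and re.search(r"(?:script-src|default-src)[^;]*'unsafe-inline'", csp):
        weak.append(("Content-Security-Policy", "'unsafe-inline' allowed for scripts"))

    xfo = h.get("x-frame-options", "")
    if xfo and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        weak.append(("X-Frame-Options", f"value {xfo!r} is not honoured by modern browsers"))

    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        weak.append(("X-Content-Type-Options", f"value {xcto!r} should be nosniff"))

    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.strip() != "0":
        weak.append(("X-XSS-Protection", "legacy filter enabled; set to 0 or drop it and rely on CSP"))

    insecure_cookies = []
    for raw in cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        lacking = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if lacking:
            insecure_cookies.append((name, lacking))

    return {"missing": missing, "weak": weak, "insecure_cookies": insecure_cookies}


def summary(result) -> str:
    return (f"Found {len(result['missing'])} missing headers, "
            f"{len(result['weak'])} weak headers, and "
            f"{len(result['insecure_cookies'])} insecure cookies.")


# Constructed responses (not captured from the scanned site).
BARE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Link", "<https://example.invalid/wp-json/>; rel=\"https://api.w.org/\""),
]
LOGIN_PAGE = BARE + [
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "wordpress_test_cookie=WP%20Cookie%20check; path=/"),
]
HARDENED = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("X-XSS-Protection", "0"),
    ("Set-Cookie", "wordpress_test_cookie=WP%20Cookie%20check; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("bare", BARE), ("login", LOGIN_PAGE), ("hardened", HARDENED)):
        print(label, summary(audit_headers(hdrs)))
```

Run it against the headers of wp-login.php and an authenticated wp-admin response as well as the front page: the cookie checks only have something to look at once WordPress has actually set a cookie.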
ARGUS-WP-030 Sensitive file exposed: license.txt

File 'license.txt' is publicly accessible.

url: https://test-wp.avlab.pl/license.txt
HTTP 200, Size: 19903 bytes
medium high
Remove or restrict access to this file.
ARGUS-WP-030 WordPress readme.html accessible

Default WordPress readme file exposes version information.

url: https://test-wp.avlab.pl/readme.html
HTTP 200, Size: 7425 bytes
high high
Remove or restrict access to readme.html and license.txt files.
ARGUS-WP-031 2 sensitive file(s) exposed

Found 2 publicly accessible sensitive files. 0 are critical (contain credentials/secrets): both files here disclose version and product information only.

high high
Secure or remove all exposed files: 1. Block access via .htaccess or the web server config 2. Move sensitive files outside the webroot 3. Delete any backup files and database dumps 4. Regenerate any credentials found in exposed files (none were found in this scan) 5. Set restrictive file permissions (644 for files, 755 for directories)
ARGUS-WP-060 XML-RPC endpoint present (HTTP 405 on GET, restriction unverified)

xmlrpc.php exists and answered a GET with HTTP 405. A stock WordPress returns exactly that for GET ("XML-RPC server accepts POST requests only."), so a 405 alone is not evidence of any restriction; the endpoint may be fully functional for POST.

info high
Verify with a POST (system.listMethods needs no credentials): a methodResponse means XML-RPC is live. If it is not needed, block POST to /xmlrpc.php at the web server; the xmlrpc_enabled filter alone only disables methods that require authentication and leaves pingback.ping reachable.
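An added Python example, not part of Argus, that does the POST verification; the HTTP responses used offline are constructed with xmlrpc.client's own marshaller, not captured from the scanned site. Only probe() touches the network.

```python
import urllib.error
import urllib.request
import xmlrpc.client

# Methods attackers actually use once xmlrpc.php is live: wp.getUsersBlogs for
# password guessing (hundreds of attempts per request via system.multicall) and
# pingback.ping for SSRF / reflected DDoS.
RISKY_METHODS = ("wp.getUsersBlogs", "system.multicall", "pingback.ping")


def list_methods_request() -> bytes:
    """Body for the one unauthenticated POST that proves the endpoint is live."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def classify(get_status: int, post_status: int, post_body: bytes) -> dict:
    """Interpret the GET and POST probes. A stock WordPress answers GET with
    405 ("XML-RPC server accepts POST requests only."), so the GET status is
    not evidence of restriction; only the POST result is."""
    verdict = {"get_status": get_status, "post_status": post_status,
               "enabled": False, "methods": [], "risky": [], "note": ""}
    if post_status != 200:
        verdict["note"] = "POST rejected: blocked at the web server, WAF or by a plugin"
        return verdict
    try:
        params, _ = xmlrpc.client.loads(post_body.decode("utf-8", "replace"))
    except xmlrpc.client.Fault as fault:
        verdict["note"] = f"endpoint answered with fault {fault.faultCode}: {fault.faultString}"
        return verdict
    except Exception as exc:  # HTML error page, WAF challenge, etc.
        verdict["note"] = f"200 but not an XML-RPC methodResponse: {exc!r}"
        return verdict
    methods = list(params[0]) if params else []
    verdict.update(enabled=True, methods=methods,
                   risky=[m for m in RISKY_METHODS if m in methods])
    verdict["note"] = ("enabled; block at the web server, since the xmlrpc_enabled filter "
                       "only turns off methods that need a login and leaves pingback.ping")
    return verdict


def probe(url: str, timeout: float = 10) -> dict:
    """Live probe of https://<site>/xmlrpc.php (network; not exercised offline)."""
    def send(req):
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    get_status, _ = send(urllib.request.Request(url, method="GET"))
    post_status, body = send(urllib.request.Request(
        url, data=list_methods_request(), method="POST",
        headers={"Content-Type": "text/xml"}))
    return classify(get_status, post_status, body)


# Constructed responses (not captured from the scanned site), built with the
# same marshaller a real server uses so the XML shape is correct.
SAMPLE_LIVE = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "pingback.ping",
      "wp.getUsersBlogs", "wp.getPosts"],), methodresponse=True).encode()
# The fault a method that needs a login returns when xmlrpc_enabled is false.
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."),
    methodresponse=True).encode()

if __name__ == "__main__":
    print(classify(405, 200, SAMPLE_LIVE))
    print(classify(405, 403, b"Forbidden"))
    print(classify(405, 200, SAMPLE_FAULT))
```

A 405 on GET paired with a 200 methodResponse on POST is the normal state of an untouched install; that pairing, not the 405, is what should drive the severity.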
ARGUS-WP-065 Admin login page publicly accessible

WordPress admin login page is accessible at default URL.

url: https://test-wp.avlab.pl/wp-login.php?redirect_to=https%3A%2F%2Ftest-wp.avlab.pl%2Fwp-admin%2F&reauth=1
HTTP 200
info high
Harden admin access: 1. Consider changing wp-admin URL (security plugin) 2. Implement login attempt limiting 3. Enable 2FA for all admin users 4. Use IP whitelisting if possible 5. Monitor for brute force attempts
ARGUS-WP-040 User enumerated: avlab

Username 'avlab' was discovered via author_idor_html: requesting ?author=1 redirected to /author/avlab/. The slug is the user's nicename, which defaults to the login name, so it gives attackers a valid target for password guessing at wp-login.php, the REST API or XML-RPC.

url: https://test-wp.avlab.pl/?author=1
Method: author_idor_html, ID: 1
medium high
1. Consider changing predictable username 2. Disable author IDOR enumeration (security plugin) 3. Restrict REST API user endpoint 4. Implement brute force protection 5. Enable 2FA for all users 6. Use security plugins like Wordfence or iThemes Security
ARGUS-WP-041 1 user(s) enumerated

Successfully enumerated 1 WordPress user. None of the usernames is a stock default such as admin or administrator.

other: Usernames: avlab
Methods: author_idor_html
medium high
Implement user enumeration protection: 1. Use a security plugin, or a template_redirect hook, to stop ?author=N redirecting to the author archive 2. Hide the REST users endpoints from anonymous requests (removing them for everyone breaks the block editor's author selector): add_filter('rest_endpoints', function($endpoints) { if (!is_user_logged_in()) { unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']); } return $endpoints; }); 3. Enable login attempt limiting 4. Change all default/obvious usernames 5. Enable 2FA site-wide 6. Monitor for brute force attempts
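An added Python example (not Argus code) that combines the two passive enumeration sources, ?author=N redirects and the REST users endpoint, on constructed probe results; the second user in the sample data is invented to show the default-username check. Unlike the report above, it also treats a username that equals a label of the target hostname as guessable, which is the reasoning behind "consider changing predictable username".

```python
import json
import re
from urllib.parse import urlparse

DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "user",
                     "wordpress", "webmaster", "editor", "demo"}


def slug_from_author_redirect(location: str):
    """?author=N on a stock site is redirected to /author/<user_nicename>/.
    The slug is user_nicename, which defaults to the sanitized login name
    but can be edited, so it is a strong candidate login, not proof."""
    m = re.match(r"^/author/([^/]+)/?$", urlparse(location).path)
    return m.group(1) if m else None


def users_from_rest(body: str):
    """/wp-json/wp/v2/users lists users with published public posts; 'slug'
    is again user_nicename, 'name' is only the display name."""
    return [(u["id"], u["slug"], u.get("name", "")) for u in json.loads(body)]


def enumerate_users(author_redirects: dict, rest_body: str, target_host: str) -> dict:
    """author_redirects: {author_id: Location header or None}.
    Returns {slug: {"id", "methods", "guessable"}}."""
    found = {}
    for uid, location in author_redirects.items():
        slug = slug_from_author_redirect(location) if location else None
        if slug:
            found.setdefault(slug, {"id": uid, "methods": []})["methods"].append("author_idor_html")
    if rest_body:
        for uid, slug, _name in users_from_rest(rest_body):
            found.setdefault(slug, {"id": uid, "methods": []})["methods"].append("rest_api_users")
    # A username is guessable if it is a stock default or simply a label of
    # the site's own hostname (the org name), which attackers try first.
    host_labels = {label.lower() for label in target_host.split(".")}
    for slug, info in found.items():
        info["guessable"] = slug.lower() in DEFAULT_USERNAMES or slug.lower() in host_labels
    return found


# Constructed probe results (illustrative, not captured from the scanned site).
SAMPLE_AUTHOR_REDIRECTS = {
    1: "https://test-wp.avlab.pl/author/avlab/",
    2: None,                          # ?author=2 returned 404: no such user
    3: "https://test-wp.avlab.pl/",   # redirected home: enumeration blocked
}
SAMPLE_REST_USERS = json.dumps([
    {"id": 1, "name": "AVLab", "slug": "avlab", "link": "https://test-wp.avlab.pl/author/avlab/"},
    {"id": 4, "name": "Site Admin", "slug": "admin", "link": "https://test-wp.avlab.pl/author/admin/"},
])

if __name__ == "__main__":
    for slug, info in enumerate_users(SAMPLE_AUTHOR_REDIRECTS, SAMPLE_REST_USERS, "test-wp.avlab.pl").items():
        print(slug, info)
```

Both sources return user_nicename rather than user_login; when the two have been deliberately decoupled, the slug is still useful to an attacker only as a first guess, which is why the fix is to close the sources rather than to rename users alone.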
ARGUS-WP-010 Plugin detected: akismet

WordPress plugin 'akismet' is installed.

path: https://test-wp.avlab.pl/wp-content/plugins/akismet/
Version: None (not determined; the plugin directory was found but no version string could be read)
info high
1. Verify akismet is necessary 2. Update to latest version 3. Remove if unused 4. Check for known CVEs: https://wpscan.com/plugins/
ARGUS-WP-011 1 plugin(s) detected

Found 1 WordPress plugins installed.

info high
Review all plugins: - Remove unused plugins - Update all plugins to latest versions - Monitor for security updates - Use only reputable plugins from WordPress.org
ARGUS-WP-020 Theme detected: twentytwentytwo

WordPress theme 'twentytwentytwo' is installed.

path: https://test-wp.avlab.pl/wp-content/themes/twentytwentytwo/
Version: 2.1
info high
1. Update twentytwentytwo to latest version 2. Remove unused themes (keep only active + one backup) 3. Use child themes for customizations
ARGUS-WP-020 Theme detected: twentytwentythree

WordPress theme 'twentytwentythree' is installed.

path: https://test-wp.avlab.pl/wp-content/themes/twentytwentythree/
Version: 1.6
info high
1. Update twentytwentythree to latest version 2. Remove unused themes (keep only active + one backup) 3. Use child themes for customizations
ARGUS-WP-020 Theme detected: twentytwentyfour

WordPress theme 'twentytwentyfour' is installed.

path: https://test-wp.avlab.pl/wp-content/themes/twentytwentyfour/
Version: 1.4
info high
1. Update twentytwentyfour to latest version 2. Remove unused themes (keep only active + one backup) 3. Use child themes for customizations
ARGUS-WP-020 Theme detected: twentytwentyfive

WordPress theme 'twentytwentyfive' is installed.

path: https://test-wp.avlab.pl/wp-content/themes/twentytwentyfive/
Version: 1.4
info high
1. Update twentytwentyfive to latest version 2. Remove unused themes (keep only active + one backup) 3. Use child themes for customizations
ARGUS-WP-021 4 theme(s) detected

Found 4 WordPress themes installed.

info high
Keep only necessary themes installed and updated. All four found here are default themes bundled with WordPress releases; only the one whose style.css the front page links is active, so delete the others (keep the active theme plus one default as a fallback).
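An added Python example (not Argus code) showing how theme and plugin versions are read passively and how to tell the active theme from merely installed ones; the style.css, readme.txt and page fragments are constructed, and the akismet Stable tag value is a placeholder, not the real one.

```python
import re
from typing import Optional

HEADER_VERSION = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)
STABLE_TAG = re.compile(r"^Stable tag:\s*(\S+)", re.M | re.I)


def theme_version(style_css: str) -> Optional[str]:
    """style.css header: 'Version: 1.4' inside the leading comment block."""
    m = HEADER_VERSION.search(style_css)
    return m.group(1) if m else None


def plugin_version(readme_txt: Optional[str]) -> Optional[str]:
    """readme.txt 'Stable tag:' is what a passive scan can read; None when the
    file is missing or blocked, which is how a report ends up with 'Version: None'."""
    if not readme_txt:
        return None
    m = STABLE_TAG.search(readme_txt)
    return m.group(1) if m else None


def active_theme(page_html: str) -> Optional[str]:
    """The theme whose style.css the front page links is the active one (with a
    child theme both child and parent appear; the first link is the child).
    Everything else under wp-content/themes/ is only installed."""
    m = re.search(r"/wp-content/themes/([^/\"'?]+)/style\.css", page_html)
    return m.group(1) if m else None


def classify_themes(page_html: str, discovered: dict) -> list:
    """discovered: {theme_dir: style.css text or None}."""
    active = active_theme(page_html)
    return [{"theme": name,
             "version": theme_version(css) if css else None,
             "active": name == active}
            for name, css in discovered.items()]


# Constructed inputs (illustrative, not captured from the scanned site).
SAMPLE_PAGE = ('<link rel="stylesheet" id="twentytwentyfour-style-css" '
               'href="https://test-wp.avlab.pl/wp-content/themes/twentytwentyfour/style.css?ver=1.4" media="all" />')
SAMPLE_THEMES = {
    "twentytwentytwo":   "/*\nTheme Name: Twenty Twenty-Two\nVersion: 2.1\n*/",
    "twentytwentythree": "/*\nTheme Name: Twenty Twenty-Three\nVersion: 1.6\n*/",
    "twentytwentyfour":  "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.4\n*/",
    "twentytwentyfive":  "/*\nTheme Name: Twenty Twenty-Five\nVersion: 1.4\n*/",
}
# Placeholder readme; the Stable tag here is not akismet's real version.
SAMPLE_AKISMET_README = "=== Akismet Anti-spam ===\nRequires at least: 5.8\nStable tag: 5.0.0\n"

if __name__ == "__main__":
    for row in classify_themes(SAMPLE_PAGE, SAMPLE_THEMES):
        print(row)
    print("akismet", plugin_version(SAMPLE_AKISMET_README), plugin_version(None))
```

Inactive themes still ship PHP that can be reached directly under wp-content/themes/, so "installed but inactive" is not "harmless"; the active flag only tells you which one to keep.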

📝 Scan Notes

⏱️ Scan Duration 25.72 seconds
📡 HTTP Requests 164
⚠️ Disclaimer Manual verification recommended for all findings before remediation.