ARGUS

WordPress Security Scanner — All-Seeing Guardian
"Eyes on the site. Proof in the log..."
🎯 Target: https://test-bedrock.avlab.pl
📅 Date: 2025-12-08T10:42:52.461492+00:00
🔒 Mode: AGGRESSIVE
⚙️ Version: Argus 0.1.0
Critical: 0
High: 0
Medium: 7
Low: 3
Info: 3

📊 Scan Overview

Findings: 13
Mode: AGGRESSIVE
Platform: WordPress
HTTP Requests: 164

🔍 Security Findings (13)

Each finding below lists its ID and title, a description, the evidence (header, url or other), severity and confidence, and the recommendation.
ARGUS-WP-000 WordPress detected
body: Found 2/5 WP indicators
Indicators: /wp-content/, /wp-includes/, /wp-admin/
Severity: info | Confidence: high
Recommendation: WordPress installation confirmed. Proceed with security checks. Note that the hostname suggests a Bedrock layout, where wp-content is served as /app/ and core files live under /wp/, so fewer of the stock path indicators match than on a default install; the detection is still reliable.
ARGUS-WP-001 WordPress core version disclosed

WordPress version 6.9 detected. The version is exposed in three places: the <meta name="generator"> tag in the page head (meta_generator), the <generator> element in the RSS/Atom feeds (rss_feed), and the ?ver=6.9 query string that WordPress appends to core script and stylesheet URLs (assets). Knowing the exact core version lets an attacker pick exploits for known vulnerabilities without any further fingerprinting.

other: Version: 6.9
Methods: ['meta_generator', 'rss_feed', 'assets']
Severity: medium | Confidence: high
Recommendation:
1. Keep WordPress core on the latest release; hiding the version is defence in depth, not a substitute for patching.
2. Remove the generator tag from the page head and from feeds.
3. Strip the core ?ver= parameter from script and style URLs.
4. Block or delete readme.html and license.txt at the web server (for example a 404 rule for those paths); they are static files and are not affected by WordPress-level filters.
5. A security plugin can apply the same fingerprint masking if you prefer not to maintain the code yourself.
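The following must-use plugin removes the three disclosure channels named in the Methods line (generator tag, feed generator, asset version string). It is an added example written for this report, not code from Argus or from WordPress core; the file location (wp-content/mu-plugins/, or web/app/mu-plugins/ on a Bedrock layout) and the function name are assumptions.

```php
<?php
/**
 * Plugin Name: Hide WordPress core version
 * Added example for this report, not code from Argus or WordPress core.
 * Assumed location: wp-content/mu-plugins/ (web/app/mu-plugins/ on Bedrock).
 */

// meta_generator: stop printing <meta name="generator" content="WordPress 6.9"> in <head>.
remove_action('wp_head', 'wp_generator');

// rss_feed: the_generator() prints a <generator> element in RSS/Atom/RDF feeds;
// returning an empty string from its filter removes it from every feed type.
add_filter('the_generator', '__return_empty_string');

// assets: wp_enqueue_script()/wp_enqueue_style() append ?ver=<core version> to core
// asset URLs (and to any asset enqueued without its own version). Drop the parameter
// only when it equals the core version so plugin and theme assets that carry their
// own version keep working as cache busters.
function argus_example_strip_core_asset_version($src) {
    if (!is_string($src)) {
        return $src;
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (empty($query)) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'argus_example_strip_core_asset_version', 15);
add_filter('style_loader_src', 'argus_example_strip_core_asset_version', 15);
```

After deploying, re-check the three channels by hand: view the page source for a generator meta tag, fetch /feed/ and look for a <generator> element, and confirm that core script URLs no longer carry ?ver=6.9. readme.html still states the version and has to be blocked at the web server.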
ARGUS-WP-050 Missing security header: HSTS (HTTP Strict Transport Security)

Strict-Transport-Security is not set. Once a browser has received this header over HTTPS it refuses plain-HTTP connections to the host for max-age seconds and upgrades them itself, which blocks protocol-downgrade and SSL-stripping attacks on later visits. The header only takes effect after the first successful HTTPS response and is ignored when sent over HTTP.

header: Strict-Transport-Security: [not set]
Header missing in HTTP response
Severity: medium | Confidence: high
Recommendation: Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains. Add the preload directive only when every subdomain serves HTTPS and you intend to submit the domain to the browser preload list, because a preloaded entry is slow to withdraw.
ARGUS-WP-050 Missing security header: Content Security Policy (CSP)

Content-Security-Policy is not set. A CSP restricts where scripts, styles, frames and other resources may be loaded from, which mitigates XSS, clickjacking (via frame-ancestors) and other injection attacks.

header: Content-Security-Policy: [not set]
Header missing in HTTP response
Severity: medium | Confidence: high
Recommendation: Add a CSP with directives matched to the site (e.g. default-src 'self'). WordPress core, the block editor and many plugins use inline scripts and styles, so a strict policy breaks wp-admin: deploy it as Content-Security-Policy-Report-Only first, review the reported violations, then enforce it.
ARGUS-WP-050 Missing security header: X-Frame-Options

X-Frame-Options is not set. It controls whether the page may be embedded in a frame or iframe on another site, which is how clickjacking is carried out.

header: X-Frame-Options: [not set]
Header missing in HTTP response
Severity: medium | Confidence: high
Recommendation: Add header: X-Frame-Options: SAMEORIGIN (or DENY if the site never frames its own pages). The CSP frame-ancestors directive is the modern replacement and takes precedence when both are present; sending both covers older browsers.
ARGUS-WP-050 Missing security header: X-Content-Type-Options

X-Content-Type-Options is not set. With nosniff, browsers honour the declared Content-Type instead of guessing it, so an uploaded file or API response cannot be reinterpreted as a script or stylesheet.

header: X-Content-Type-Options: [not set]
Header missing in HTTP response
Severity: low | Confidence: high
Recommendation: Add header: X-Content-Type-Options: nosniff
ARGUS-WP-050 Missing security header: X-XSS-Protection (Legacy)

X-XSS-Protection is not set. This header controlled the reflected-XSS filter of older browsers; current browsers have removed that filter and rely on CSP instead.

header: X-XSS-Protection: [not set]
Header missing in HTTP response
Severity: low | Confidence: high
Recommendation: Rely on CSP. If the header is sent at all, use X-XSS-Protection: 0, which is the current OWASP guidance: the old 1; mode=block filter was withdrawn by browser vendors because it introduced its own bypasses and information leaks.
ARGUS-WP-050 Missing security header: Referrer-Policy

Referrer-Policy is not set. It controls how much of the page URL is sent in the Referer header of outgoing requests and navigations, which matters when URLs carry tokens, search terms or private paths.

header: Referrer-Policy: [not set]
Header missing in HTTP response
Severity: low | Confidence: high
Recommendation: Add header: Referrer-Policy: strict-origin-when-cross-origin. This is also the current browser default; setting it explicitly removes the dependence on per-browser defaults.
ARGUS-WP-050 Missing security header: Permissions-Policy

Permissions-Policy is not set. It declares which browser features (camera, microphone, geolocation and others) the page and any frames it embeds may use.

header: Permissions-Policy: [not set]
Header missing in HTTP response
Severity: info | Confidence: high
Recommendation: Add the header with the features the site does not need disabled, e.g. Permissions-Policy: camera=(), microphone=(), geolocation=()
ARGUS-WP-053 7 security header/cookie issue(s) detected

Found 7 missing headers, 0 weak headers, and 0 insecure cookies.

Severity: medium | Confidence: high
Recommendation: Implement security headers best practices:
1. Add all missing security headers.
2. Strengthen weak header configurations.
3. Set proper cookie security flags (Secure, HttpOnly, SameSite).
4. Test the configuration at https://securityheaders.com/.
5. Use a WordPress security plugin for header management if you prefer not to maintain the configuration by hand.
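The seven headers above can be sent from WordPress itself with a must-use plugin such as the one below. It is an added example written for this report, not code from Argus or from WordPress core; the plugin location, the function name and the chosen Permissions-Policy and CSP directives are assumptions to adapt to the site. It deliberately departs from two of the per-finding recommendations: it starts CSP in report-only mode and sends X-XSS-Protection: 0 rather than 1; mode=block.

```php
<?php
/**
 * Plugin Name: Security response headers
 * Added example for this report, not code from Argus or WordPress core.
 * Assumed location: wp-content/mu-plugins/ (web/app/mu-plugins/ on Bedrock).
 */
function argus_example_send_security_headers() {
    if (headers_sent()) {
        return; // output already started; headers can no longer be changed
    }

    // HSTS is only meaningful on an HTTPS response (browsers ignore it over plain HTTP).
    // 'preload' is left out on purpose: add it only once every subdomain serves HTTPS and
    // you are submitting the domain to the preload list, because preloading is hard to undo.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }

    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
    // Explicitly disable the legacy XSS auditor; the CSP below is the replacement.
    header('X-XSS-Protection: 0');

    // CSP: WordPress core, the block editor and many plugins inject inline scripts and
    // styles, so an enforced default-src 'self' breaks wp-admin. Start in Report-Only
    // mode, review the violations, then rename the header to Content-Security-Policy.
    $csp = implode('; ', [
        "default-src 'self'",
        "frame-ancestors 'self'",  // CSP equivalent of X-Frame-Options: SAMEORIGIN
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
    ]);
    header('Content-Security-Policy-Report-Only: ' . $csp);
}
// Front-end requests pass through send_headers; wp-admin and wp-login.php do not,
// so hook those entry points separately.
add_action('send_headers', 'argus_example_send_security_headers');
add_action('admin_init', 'argus_example_send_security_headers');
add_action('login_init', 'argus_example_send_security_headers');
```

Static files (images, scripts, stylesheets, readme.html) are served by the web server without reaching PHP, so they will not carry these headers. For full coverage, and for a clean result on every URL at securityheaders.com, duplicate the same headers in the nginx or Apache configuration; add a report-to or report-uri directive to the CSP if you want violation reports collected rather than only logged in the browser console.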
ARGUS-WP-030 No sensitive files exposed (Good practice)

No sensitive files were publicly accessible.

Severity: info | Confidence: high
Recommendation: Continue protecting sensitive files and regularly audit file permissions. If this is a Bedrock layout, as the hostname suggests, also confirm that .env (which holds the database credentials and salts) and composer.json stay outside the web/ document root.
ARGUS-WP-040 User enumerated: avlab

Username 'avlab' discovered via author_idor_html: a request for ?author=1 is answered with a redirect to the author archive, whose URL slug (the user's nicename, which defaults to the login name) reveals the account. A confirmed username leaves only the password to guess in a brute-force or credential-stuffing attack against wp-login.php and xmlrpc.php.

url: https://test-bedrock.avlab.pl/?author=1
Method: author_idor_html, ID: 1
Severity: medium | Confidence: high
Recommendation:
1. Consider changing the predictable username; change the user's nicename (author slug) as well, otherwise the author archive URL still reveals the old name.
2. Disable enumeration through ?author=N (security plugin or a small mu-plugin).
3. Restrict the REST API user endpoints to authenticated requests.
4. Implement brute-force protection (login attempt limiting, and disable XML-RPC if it is not used).
5. Enable 2FA for all users.
6. Security plugins such as Wordfence or iThemes Security bundle these controls.
ARGUS-WP-041 1 user(s) enumerated

Successfully enumerated 1 WordPress user. 0 have risky/default usernames: none.

other: Usernames: avlab
Methods: author_idor_html
Severity: medium | Confidence: high
Recommendation: Implement user enumeration protection:
1. Use a security plugin to block author IDOR.
2. Remove the REST API user endpoints. Both the collection and the single-user route have to go; unsetting only "/wp/v2/users" still leaves /wp/v2/users/<id> answering:
   add_filter("rest_endpoints", function($endpoints) {
       unset($endpoints["/wp/v2/users"]);
       unset($endpoints["/wp/v2/users/(?P<id>[\d]+)"]);
       return $endpoints;
   });
   Removing the routes for everyone also breaks the block editor's author selector, so gating the removal on is_user_logged_in() is the safer form.
3. Enable login attempt limiting.
4. Change all default/obvious usernames.
5. Enable 2FA site-wide.
6. Monitor for brute-force attempts.
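A must-use plugin covering the author IDOR channel that produced these two findings, the user sitemap that leaks the same names, and the REST user routes gated on login rather than removed outright. It is an added example written for this report, not code from Argus, WordPress core or the plugins named above; the plugin location and the 404 handling are assumptions.

```php
<?php
/**
 * Plugin Name: Limit user enumeration
 * Added example for this report, not code from Argus, WordPress core or any plugin
 * named in it. Assumed location: wp-content/mu-plugins/ (web/app/mu-plugins/ on Bedrock).
 */

// author_idor: /?author=1 is normally answered by redirect_canonical() with a 301 to
// /author/<user_nicename>/, which is what disclosed 'avlab'. redirect_canonical runs on
// template_redirect at priority 10, so answer anonymous numeric-author requests before it.
add_action('template_redirect', function () {
    if (is_user_logged_in() || !isset($_GET['author'])) {
        return;
    }
    $author = wp_unslash($_GET['author']);
    if (is_string($author) && preg_match('/^\d+$/', $author)) {
        wp_die('Not found', 'Not found', ['response' => 404]);
    }
}, 0);

// The same usernames appear in wp-sitemap-users-1.xml (WordPress 5.5 and later);
// returning false from this filter drops the users sitemap provider.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);

// REST: removing /wp/v2/users for everyone breaks the block editor's author picker for
// logged-in editors, so hide the collection and single-user routes only from anonymous
// callers. /wp/v2/users/me already requires authentication and is left alone.
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (['/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)'] as $route) {
        unset($endpoints[$route]);
    }
    return $endpoints;
});
```

Verify with an unauthenticated client: /?author=1 should return 404 instead of a redirect, /wp-json/wp/v2/users should return a rest_no_route error, and /wp-sitemap-users-1.xml should no longer exist. Two channels remain open by design and need a separate decision: the author archive /author/avlab/ itself (rename the nicename if it must stay public), and the wp-login.php error text, which still distinguishes an unknown username from a wrong password.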

📝 Scan Notes

⏱️ Scan Duration 13.68 seconds
📡 HTTP Requests 164
⚠️ Disclaimer Manual verification recommended for all findings before remediation.