WPScan (WordPress security scanner) is a free, non-commercial, command-line black-box vulnerability scanner written in the Ruby programming language. It was first released on the 16th of June 2011. The tool mainly helps security professionals and blog maintainers test their own WordPress sites for vulnerabilities. With WPScan you can check for:
- WordPress plugins, themes
- Username enumeration
- Database dumps that may be publicly accessible
- The version of WordPress installed and any associated vulnerabilities
- If error logs are exposed by plugins
- Users with weak passwords via password brute forcing
- If WP-Cron is enabled
- Full path disclosure
- Upload directory listing
- Vulnerable Timthumb files
- Media file enumeration
- If user registration is enabled
- Backed up and publicly accessible wp-config.php files, etc.
This guide takes a deep dive into the installation and use of WPScan – WordPress security scanner.
Let’s dive in!
Install WPScan – WordPress security scanner
This guide demonstrates several methods one can use to install WPScan – WordPress security scanner. The methods include:
- Using Ruby gem
- Using Docker
- Using APT(Kali Linux)
Method 1 – Install WPScan – WordPress security scanner using Ruby gem.
For this method, there are several dependencies required that include:
- Ruby >= 2.5
- Curl >= 7.72
- RubyGems
- Nokogiri
The dependencies can be installed as below.
Install cURL
##On Debian/Ubuntu
sudo apt update
sudo apt -y install curl
##On RHEL/CentOS/Rocky Linux/Alma Linux
sudo yum -y install curl
Check the installed curl version.
$ curl -V
curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
Then import the RVM GPG signing keys.
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -
Install RVM on Linux
$ curl -L get.rvm.io | bash -s stable
.....
Installing RVM to /home/thor/.rvm/
Adding rvm PATH line to /home/thor/.profile /home/thor/.mkshrc /home/thor/.bashrc /home/thor/.zshrc.
Adding rvm loading line to /home/thor/.profile /home/thor/.bash_profile /home/thor/.zlogin.
Installation of RVM in /home/thor/.rvm/ is almost complete:
* To start using RVM you need to run `source /home/thor/.rvm/scripts/rvm`
in all your open shell windows, in rare cases you need to reopen all shell windows.
Thanks for installing RVM 🙏
Please consider donating to our open collective to help us maintain RVM.
👉 Donate: https://opencollective.com/rvm/donate
Remember to source the RVM PATH.
source /home/$USER/.rvm/scripts/rvm
Install Ruby 2.5 using RVM.
export RUBY_VER='2.5'
rvm install ${RUBY_VER}
rvm use ${RUBY_VER} --default
Check the installed Ruby version.
$ ruby -v
ruby 2.5.8p224 (2020-03-31 revision 67882) [x86_64-linux]
Install Nokogiri.
$ gem install nokogiri -v 1.12.5
Fetching nokogiri-1.12.5-x86_64-linux.gem
Successfully installed nokogiri-1.12.5-x86_64-linux
Parsing documentation for nokogiri-1.12.5-x86_64-linux
Installing ri documentation for nokogiri-1.12.5-x86_64-linux
Done installing documentation for nokogiri after 1 seconds
1 gem installed
Now install WPScan – WordPress security scanner using RubyGems.
$ gem install wpscan
Fetching ffi-1.15.5.gem
Fetching ethon-0.14.0.gem
Fetching addressable-2.8.0.gem
Fetching get_process_mem-0.2.7.gem
Fetching concurrent-ruby-1.1.9.gem
Fetching tzinfo-2.0.4.gem
Fetching i18n-1.8.11.gem
Fetching activesupport-6.1.4.4.gem
Fetching cms_scanner-0.13.6.gem
........
Installing ri documentation for wpscan-3.8.20
Done installing documentation for ffi, ethon, get_process_mem, concurrent-ruby, i18n, tzinfo, zeitwerk, activesupport, public_suffix, addressable, opt_parse_validator, ruby-progressbar, typhoeus, yajl-ruby, sys-proctable, cms_scanner, wpscan after 17 seconds
17 gems installed
WPScan can be updated with the command below.
$ gem update wpscan
Updating installed gems
Nothing to update
Confirm successful installation:
$ wpscan --version
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
Current Version: 3.8.20
Method 2 – Install WPScan – WordPress security scanner using Docker.
For this method, you need to have Docker installed on your system. This can be achieved using the dedicated guide below.
With Docker installed and running, add your user to the Docker group.
sudo usermod -aG docker $USER
newgrp docker
Pull the WPScan container image.
$ docker pull wpscanteam/wpscan
Using default tag: latest
latest: Pulling from wpscanteam/wpscan
97518928ae5f: Pull complete
d879f3f43643: Pull complete
f6e3e74a152d: Pull complete
ab54e33b1bb3: Pull complete
525c9e55fcc4: Pull complete
1877cf82f07b: Pull complete
47a93fc45dd9: Pull complete
f981fa9ebc39: Pull complete
bd98520f45e4: Pull complete
Digest: sha256:981ef71ed54e77e5d6bef45dafa38957047dad7ac96bdaeaf8f83935407ce0e3
Status: Downloaded newer image for wpscanteam/wpscan:latest
docker.io/wpscanteam/wpscan:latest
Now you can run WPScan as below.
docker run -it --rm wpscanteam/wpscan [option]
Method 3 – Install WPScan – WordPress security scanner using APT
WPScan is available in the default Kali Linux APT repositories and can be installed using a simple APT command.
Update your APT package index.
sudo apt update
Now install WPScan.
sudo apt install wpscan
Dependency Tree:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libdap27 libdapclient6v5 libdav1d4 libepsilon1 libgdal28 libgeos-3.9.1
libgupnp-1.2-0 libidn11 libnetcdf18 libntfs-3g883 libomp-11-dev libomp5-11
libproj19 liburcu6 libx265-192 libyara4 python3-editor
python3-ipython-genutils python3-pylnk
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
wpscan
1 upgraded, 0 newly installed, 0 to remove and 818 not upgraded.
Use WPScan – WordPress security scanner
Once installed using any of the methods above, WPScan can be used to scan for vulnerabilities. Note that the scans below should be performed against your own blog.
1. Scan the entire blog site
To scan the whole blog, run the command:
wpscan --url wordpress.example.com
For Docker:
docker run -it --rm wpscanteam/wpscan --url wordpress.example.com
Sample Output:
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
........
By default, WPScan scans over HTTP. If you want HTTPS to be scanned, modify your URL as below.
wpscan --url https://wordpress.example.com -o scan-test
The -o flag writes the scan results to a file.
There are 3 detection modes that can be run against a WordPress site, i.e.
- aggressive mode – a more intrusive scan that sends a thousand requests to the server.
- passive mode – sends only a few requests to the server. This is normally used to scan the homepage.
- mixed (default) – uses both the aggressive and passive modes.
A given detection mode can be specified as below.
wpscan --url wordpress.example.com -o test --detection-mode aggressive
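The help output later in this guide lists json among the -f/--format choices. The Ruby script below is added here as an example (it is not part of WPScan or of this guide): it reads such a JSON report and returns a non-zero status when any core, plugin or theme vulnerability is listed, so a scheduled scan of your own site can fail a CI job. The report layout it assumes (core findings under "version", plugins and themes keyed by slug, each with a "vulnerabilities" array) is taken from WPScan's JSON output, and the sample report is constructed.

```ruby
require 'json'
# Constructed sample in the shape of WPScan's --format json output (assumed
# layout: core findings under "version", plugins/themes keyed by slug, each
# with a "vulnerabilities" array). Not data from a real scan.
SAMPLE_REPORT = <<~JSON
  {
    "target_url": "https://wordpress.example.com/",
    "version": {"number": "5.8.1", "vulnerabilities": [
      {"title": "Core: constructed finding", "fixed_in": "5.8.3"}]},
    "plugins": {
      "example-plugin": {"slug": "example-plugin", "vulnerabilities": [
        {"title": "Plugin: constructed finding", "fixed_in": "1.0.1"},
        {"title": "Plugin: constructed finding, unpatched", "fixed_in": null}]},
      "clean-plugin": {"slug": "clean-plugin", "vulnerabilities": []}
    },
    "themes": {}
  }
JSON

Finding = Struct.new(:component, :title, :fixed_in)

# Collect every vulnerability in the report, tagged with the component
# (core, plugin or theme) it was reported against.
def collect_findings(report)
  findings = []
  core = report['version'] || {}
  (core['vulnerabilities'] || []).each do |v|
    findings << Finding.new("core #{core['number']}", v['title'], v['fixed_in'])
  end
  %w[plugins themes].each do |kind|
    (report[kind] || {}).each do |slug, info|
      (info['vulnerabilities'] || []).each do |v|
        findings << Finding.new("#{kind.chomp('s')} #{slug}", v['title'], v['fixed_in'])
      end
    end
  end
  findings
end

# Print one line per finding and return [findings, exit_status], where the
# status is 1 when anything is vulnerable so a CI job can fail on it.
def triage_report(json_text)
  findings = collect_findings(JSON.parse(json_text))
  findings.each do |f|
    fix = f.fixed_in ? "fixed in #{f.fixed_in}" : "no fixed version listed"
    puts "[!] #{f.component}: #{f.title} (#{fix})"
  end
  [findings, findings.empty? ? 0 : 1]
end
```

To use it on a real report, run wpscan with -f json -o report.json against your own site and call triage_report(File.read("report.json")), exiting with the returned status.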
2. Scan Vulnerable Plugins.
To check for vulnerabilities in plugins, pass the -e/--enumerate [OPTS] option to wpscan. The [OPTS] value can be ap for all plugins, vp for vulnerable plugins, or p for plugins.
For example, to scan vulnerable plugins use the command:
wpscan --url wordpress.example.com -e vp
3. Scan Vulnerable Themes
Similar to plugins, themes can be scanned using the -e/--enumerate [OPTS] option, but now [OPTS] is replaced with vt (vulnerable themes), at (all themes), or t (themes).
For example, themes with known vulnerabilities can be scanned as below.
wpscan --url wordpress.example.com -e vt
4. Password Strength Testing.
To find out how strong passwords are, you can try to brute force them. This process may be slow depending on the number of passwords in the password file. -P, --passwords FILE-PATH specifies the password file, and -t, --max-threads VALUE specifies the number of threads.
For example, to brute force the admin user, run the command:
wpscan --url wordpress.example.com -P password-file.txt -U admin -t 50
The password strength of a number of users can be tested without specifying a username.
wpscan --url wordpress.example.com -P password-file.txt -t 50
5. Enumerate WordPress Users.
To find out which users can log in to a site, use the -e/--enumerate u option. Here, u stands for user IDs.
wpscan --url wordpress.example.com -e u
6. Scan WordPress in stealthy mode.
The above scans can also be performed in stealthy mode by adding the --stealthy argument.
For example:
wpscan --url wordpress.example.com --stealthy
If you need help when using WPScan, display it as below.
$ wpscan -h
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
Usage: wpscan [options]
--url URL The URL of the blog to scan
Allowed Protocols: http, https
Default Protocol if none provided: http
This option is mandatory unless update or help or hh or version is/are supplied
-h, --help Display the simple help and exit
--hh Display the full help and exit
--version Display the version and exit
-v, --verbose Verbose mode
--[no-]banner Whether or not to display the banner
Default: true
-o, --output FILE Output to FILE
-f, --format FORMAT Output results in the format supplied
Available choices: cli-no-colour, cli-no-color, cli, json
--detection-mode MODE Default: mixed
Available choices: mixed, passive, aggressive
--user-agent, --ua VALUE
..........
That is it!
We have successfully gone through how to install and use WPScan – WordPress security scanner. I hope this article was helpful.