How-To Install and Use WPScan

WPScan is a black-box WordPress vulnerability scanner. It’s a great tool that you can use to scan your own WordPress installations or those of your clients. WPScan requires Linux, Ruby version 1.9 or higher, RubyGems and Git.


So, let’s learn how to install and use WPScan.

Installation of Prerequisites and WPScan

Install RVM

The following will show you how to install Ruby on Ubuntu.

Firstly, let’s download the software packages list from all repositories and update them. This will get information on the newest versions of software packages and their dependencies.

sudo apt-get update

We are going to install Ruby via RVM. In order to install RVM, we will need curl. So, let’s install curl:

sudo apt-get install curl

Now, let’s install RVM:

curl -L https://get.rvm.io | bash -s stable

After the installation, exit your session and then open a new session. After you start a new session, load RVM:

source ~/.rvm/scripts/rvm

Install the RVM dependencies, which are needed for RVM to work:

rvm requirements

Install Ruby

With RVM installed, we can now install Ruby through it:

rvm install ruby

Now let’s tell the system that we want to use the latest version, which we just installed:

rvm use ruby --default

Install RubyGems

Since WPScan requires RubyGems, let’s install it:

rvm rubygems current

Install Git

Installing Git is easy and requires only the following command:

sudo apt-get install git

Install WPScan

Firstly, run the following command:

sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev

Next, we’ll “clone” WPScan on the server:

git clone https://github.com/wpscanteam/wpscan.git

We will now switch to the directory where everything was installed:

cd wpscan

Once you are in the wpscan directory, install all necessary Ruby gems via Bundler:

sudo gem install bundler && bundle install --without test development

Congratulations, WPScan has been installed and you can now use it!

How-to Use WPScan

WPScan is driven by command-line arguments. You can get a complete list of them by executing the following command:

ruby wpscan.rb --help

Typical Arguments To Use

Non-intrusive (quick) checks can be done like so:

ruby wpscan.rb --url domainname.com

Password brute force:

ruby wpscan.rb --url domainname.com --wordlist passlist.txt --username admin

In the above example, make sure you replace passlist.txt with the file containing the list of passwords you want to check against. Also, replace admin with the username you want to test against.

To enumerate installed plugins and themes, run the following:

ruby wpscan.rb --url domainname.com --enumerate p

The above will enumerate installed plugins. For themes, use t instead of the p at the end of the command.

With all of these examples, make sure you replace domainname.com with the domain name you want to test.

Test Multiple URLs

WPScan does not currently have support to test multiple domains at the same time, but you can easily work around this by creating and using a bash script. Here is the code snippet:

#!/bin/bash
urls=(
"http://www.example.com/"
"http://www.example2.com/"
"http://www.example3.com/"
)

for i in "${urls[@]}"
do
    echo "Testing $i"
    ruby ./wpscan.rb -u "$i" -e >> results.txt
done

The URLs that will be tested are listed on line four (4) and five (5), inside the urls array. You can add more by wrapping each URL in quotes, one URL per line. The message telling you which site is being tested is on line 10. Line 11 contains the WPScan command that is executed for each of those URLs; it appends the WPScan results to a text file called results.txt.

The WPScan command, as stated above, is on line 11: ruby ./wpscan.rb -u $i -e. Simply change it to the WPScan arguments you want, as shown under “Typical Arguments To Use,” but use $i in place of domainname.com.
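A more robust version of the loop above, added here as an example (it is not from the original post or the WPScan project): it reads targets from a text file, writes one result file per site so outputs do not mix, and keeps going when one scan fails. It assumes WPScan is cloned in the current directory as in the installation steps; WPSCAN_CMD, slug_for_url and scan_urls are names chosen for this example.

```shell
#!/bin/bash
# Added example: scan each WordPress site listed in a file, one result file
# per site, continuing past failures. Assumes "ruby ./wpscan.rb" as installed
# above; override WPSCAN_CMD if WPScan lives elsewhere.
WPSCAN_CMD="${WPSCAN_CMD:-ruby ./wpscan.rb}"

# Turn a URL into a safe file name: drop the scheme and trailing slashes,
# then replace anything that is not alphanumeric, dot or dash with "_".
slug_for_url() {
    printf '%s' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#/*$##' -e 's#[^A-Za-z0-9.-]#_#g'
}

# scan_urls LISTFILE OUTDIR
# LISTFILE holds one URL per line; blank lines and lines starting with "#"
# are skipped. Each site's output goes to OUTDIR/<slug>.txt. The return
# value is the number of sites whose scan exited non-zero.
scan_urls() {
    local list="$1" outdir="$2" url slug failed=0
    mkdir -p "$outdir"
    while IFS= read -r url || [ -n "$url" ]; do
        # skip comments and blank lines
        case "$url" in ''|'#'*) continue ;; esac
        # accept only http(s) URLs, so a stray line never becomes an argument
        case "$url" in
            http://*|https://*) ;;
            *) echo "Skipping malformed entry: $url" >&2; continue ;;
        esac
        slug=$(slug_for_url "$url")
        echo "Testing $url -> $outdir/$slug.txt"
        # "$url" is quoted so it stays one argument; -e enumerates as in the
        # loop above. A failed scan is counted but does not stop the loop.
        if ! $WPSCAN_CMD --url "$url" -e > "$outdir/$slug.txt" 2>&1; then
            echo "wpscan exited non-zero for $url" >&2
            failed=$((failed + 1))
        fi
    done < "$list"
    return "$failed"
}
```

Run it as `scan_urls sites.txt results/` after sourcing the script; the per-site files in results/ can then be diffed against a previous run to spot newly reported plugins or versions.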

Keep WPScan Up-to-Date

To update WPScan, simply use the following command:

ruby wpscan.rb --update