Wondering if a bad actor can exploit vulnerabilities on your website? WPScan is a black box scanning tool built for WordPress websites. It checks for a wide range of security issues, making it a must-have tool if you’re looking to harden your WordPress sites.
WPScan is a great WordPress security tool for uncovering critical vulnerabilities including WordPress and vulnerable plugins and themes. It also checks for user enumeration, weak passwords using brute force attacks, and much more.
In this article, we will cover all the different options available to install WPScan.
The WPScan CLI Scanner
The WPScan CLI Scanner is a command-line scanner that focuses on vulnerability listing, enumeration, and exposed WordPress files. It is able to list the WordPress version, plugins, themes, and backup files, among other things. To get vulnerability data, however, you need an API key.
An API key allows you to access the WPVulnDB (WordPress Vulnerability DataBase), which has information about WordPress, plugin, and theme vulnerabilities. API keys are tied to a plan with a few different options available.
The WordPress vulnerability database API is what makes WPScan such an invaluable tool. It has thousands of vulnerabilities in its catalog and is constantly being updated as new vulnerabilities are found.
There is a free plan that offers 25 API calls per day. You need one API call for WordPress core and a separate API call for every theme and plugin on your WordPress website.
How to get a WPScan API token
WPScan offers a free account for non-commercial use, which includes 25 API calls per day. As mentioned previously, one API request is required for WordPress core and every plugin and theme on your WordPress site. Of course, they also offer plans that cater to larger scopes should the free plan not be enough for your purposes.
To get your API key, head to the WPScan registration page and fill out your details. A confirmation email will be sent to your inbox. Confirm your email by clicking the link and logging in – and you’ll find your API Token ready and waiting for you.
Plugin
The official WPScan plugin is no longer supported, and as such, we do not recommend installing it. WPScan, which is owned by Automattic, recommends installing Jetpack Protect (also owned by Automattic) instead.
Step 1: Download and activate the plugin
Log in to your WordPress site and navigate to Plugins > Add New Plugin. Search for JetPack Protect, then click Install. Once it’s installed, click on Activate.
Step 2: Choose your preferred plan
Once the plugin is activated, it will automatically launch. You can also find it from the Installed Plugins page or by clicking on Jetpack and then Protect from the sidebar menu. Next, choose the plan you would like to activate. Do keep in mind that if you choose the free plan, you can always upgrade later at any point.
Step 3: Site scan
The plugin will start scanning your website automatically and present you with the results once the scan is complete.
Ruby gem
Gems are prepackaged Ruby software libraries and tools that you can run without a separate installation step. WPScan is written in Ruby, so to use the gem you need Ruby installed on your computer. Ruby is available for Windows, Mac, and Linux and is free to download and use.
Step 1: Install wpscan gem
Make sure you have Ruby installed on your machine. Open the terminal and type the below command. In this example, we are using a Windows machine, so we’ll be using cmd.
gem install wpscan
Ruby gems will also advise you of any available updates that you can download.
Once it’s installed, we want to make sure we have the latest version. We can do this by running the following update command:
gem update wpscan
Step 2: Run wpscan
All that is left to do now is run wpscan by using the following command:
wpscan --url mywebsite.com
You can also add any options as required.
Geek note: Unlike Homebrew, RubyGems does not install system dependencies, so we ran into a few issues with our setup. The first issue we encountered was a missing curl .DLL file. This was quickly resolved by downloading the appropriate .DLL and copying it to the Ruby directory. The second issue we encountered saw WPScan aborting scans due to a certificate issue. We were able to work around this by using the --disable-tls-checks option, which is not ideal. As such, keep in mind that additional configuration and downloads may be required when using this method.
Docker
Docker is a containerization platform that allows you to deploy apps in ‘containers.’ These containers can run on all operating systems on which Docker can be installed, including Windows, Mac, and Linux.
Step 1: Pull the image
WPScan provides an image that we can run in a Docker container. You can find this image through Docker itself. First, navigate to Images and then type wpscan in the search box at the top of the window. The one you’re looking for is called wpscanteam/wpscan. Click on it and then click Pull. The image will then start to download to your computer.
Step 2: Run the image
Now that we have the image, we need to run it. Images are run as containers. A container is an instance of an image and not the image itself. To run an image, navigate to Images and click the play button, as shown in the screenshot below.
Step 3: Run WPScan
Now that we have the image running as a container, we can go ahead and run WPScan commands right from the Windows command prompt. You can also use PowerShell if you prefer.
docker run -it --rm wpscanteam/wpscan --url websiteurl.com
The docker run command runs an image, which in our case is wpscanteam/wpscan. This creates an instance of that image as a container. In the example above, we added the -it option, which takes us straight to the container once it's started, and --rm, which deletes the container (not the image) once we are done.
In the screenshot above, you'll notice that we have added the --enumerate u option. This tells WPScan to enumerate users on the target WordPress site.
Homebrew
Homebrew is a package manager for Mac and Linux. It helps you avoid descending into the 9th circle of dependency hell by installing missing packages automatically.
Geek note: Don't know what dependencies are? I envy you. Many, many years ago, most software didn't come packaged with everything you need to run it. Sometimes it would tell you what else you needed to download, and sometimes not. You then had to go to forums where you could ask, or at least get clues as to what else you needed to download to get the software to work. Once you gained some semblance of confidence that you'd figured it out and your eyes started to glimmer with hope, it became apparent that the supporting software you downloaded and installed required its own supporting software. And on and on it goes as you descend into the many circles of dependency hell.
Installing WPScan through Homebrew is the same as a Ruby Gems install – the only difference is that Homebrew also installs any dependencies you may need.
Step 1: Install Homebrew
Open the terminal application and run the following command:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Once installed, you’ll need to add Homebrew to your path, which allows you to run it. The good news is that Homebrew will give you the commands you need to run, so all you’ll need to do is copy and paste.
(echo; echo 'eval "$(/opt/homebrew/bin/brew shellenv)"') >> /Userpath/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv)"
where /Userpath/ is the user path as configured on your machine.
Step 2: Install WPScan
Now that we have Homebrew installed, we can install WPScan by running the following command:
brew install wpscanteam/tap/wpscan
This installs the latest stable version of the software, including any required dependencies.
Step 3: Run WPScan
All that’s left to do now is run WPScan. This is done through the terminal window by typing:
wpscan --url mywebsite.com
You can also add any options that you might want to include.
Virtual Machine
Many penetration-testing Linux distributions, such as Kali Linux and Parrot Security, come with WPScan pre-installed. These can be installed natively on a PC if you have a spare one lying around, or as a virtual machine.
In our example, we are using Parrot Security OS installed as a virtual machine on VMWare.
Step 1: Download and install Virtual Machine software
The first step is to download the VM software. In our example, we will be using VMWare. However, this is not the only option. Oracle VirtualBox is another VM software that is widely used. You may also choose to get a VM as a service.
Step 2: Download and install ParrotSec OS
In this example, we will be using ParrotSec OS. Of course, this is not the only option available, with Kali Linux being another popular choice. The ParrotSec OS installation file comes in three different flavors:
- ISO: This is the most popular format for OS installation files and will work with most virtual machine software as well as native installations
- Virtualbox: If you opted for Oracle VirtualBox, download this file
- UTM: If you have a Mac computer running Apple Silicon (M1 processor or later), download this instead
Download the version that is appropriate for your setup and proceed to install it as you would with any other OS.
Step 3: Run WPScan
With ParrotOS now installed, log in and navigate to Applications > Pentesting > Web Application Analysis > WPScan.
Once you click on WPScan, a terminal window will open where you can run your scan.
Is WPScan worth installing?
WPScan is a great tool for identifying WordPress vulnerabilities as well as vulnerable themes and plugins. Aside from this, it can also check for other vulnerabilities on your WordPress site, making it a must-have tool in your security toolbox.
Most hackers use this WordPress security scanner when trying to identify potential targets. Installing WPScan gives you the opportunity to see what bad actors are seeing – and the insight you need to ensure your website is as secure as possible.
Get even more security for your WordPress website by installing Melapress Login Security and setting up policies for secure passwords, limiting login attempts, and inactive users. The plugin also lets you easily change the WordPress login URL, set up login time policies, and much more.