Sucuri Blog

WPScan Intro: WordPress Vulnerability Scanner

October 29, 2015, by Alycia Mitchell

Have you ever wanted to run security tests on your WordPress website to see if it could be easily hacked?

WPScan is a black box vulnerability scanner for WordPress, sponsored by Sucuri and maintained by the WPScan Team, available free for Linux and Mac users. If you use Windows, you can install a virtual machine running a free Linux distribution with VirtualBox (also free) or VMware. If there is interest, we can do a tutorial on this in a future post. In this post we are going to cover the basics of installing WPScan, and we have also created a follow-up post to teach you how to use WPScan.

We have included a video tutorial so you can follow along while you copy the commands into Terminal.

Installing and Configuring WPScan

Run only the commands specific to your operating system – for Mac, or one of the Linux distros (Debian, Ubuntu, Fedora, ArchLinux).

I. Installing Git

The latest version of WPScan is hosted on GitHub, so first you need to install Git.

Mac (Git ships with the Xcode Command Line Tools; macOS has no apt-get)
xcode-select --install
Debian/Ubuntu
sudo apt-get install git
Fedora
sudo yum install git
ArchLinux
sudo pacman -S git

Linux Dependencies

For our Linux friends, a few libraries are needed first (as is usual on Linux). Mac users can skip ahead.

Ubuntu 14.04+
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
Before Ubuntu 14.04
sudo apt-get install libcurl4-openssl-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
Debian
sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make
Fedora
sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch
ArchLinux
sudo pacman -Syu ruby
sudo pacman -Syu libyaml

II. Install WPScan from GitHub

Now we can all go ahead and download the wpscan folder from GitHub into the current directory (your home folder, for example) using the git clone command.

git clone https://github.com/wpscanteam/wpscan.git

Once it has completed downloading, you can change directory to enter the folder:

cd wpscan

Now we need just one more thing.

III. Install the Bundler

WPScan is a Ruby application, and Ruby packages its libraries as “gems”. Bundler installs the gems WPScan depends on and keeps them updated.

Mac
sudo gem install bundler && sudo bundle install --without test
Ubuntu
sudo gem install bundler && bundle install --without test
Debian
sudo gem install bundler && bundle install --without test
Fedora
bundle install --without test --path vendor/bundle
ArchLinux
sudo gem install bundler && bundle install --without test
gem install typhoeus
gem install nokogiri

It can take a little while to install these packages depending on your current configuration, but not more than ten minutes.
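An added example (not code from the Sucuri post or the WPScan project) that wraps steps I to III in one POSIX shell script: it detects the OS from /etc/os-release (or uname on a Mac), picks the matching commands from the post, clones WPScan and runs Bundler. The -y and --noconfirm flags and the macOS xcode-select --install step are assumptions added here; the package lists are the post's.

```shell
#!/bin/sh
# Added example, not from the Sucuri post: choose the post's install commands
# for the OS you are on, clone WPScan and run Bundler. Assumptions: Linux
# has /etc/os-release; on macOS, Git comes from the Xcode Command Line Tools
# (xcode-select --install), since apt-get does not exist there.

# Read the ID= field from /etc/os-release text passed in $1 (quotes stripped).
os_id() {
    printf '%s\n' "$1" | sed -n 's/^ID=//p' | tr -d '"'
}

# Git plus build dependencies, per distro, as listed in the post (plus -y).
deps_cmd() {
    case "$1" in
        mac)    echo 'xcode-select --install' ;;
        ubuntu) echo 'sudo apt-get install -y git libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential' ;;
        debian) echo 'sudo apt-get install -y git ruby ruby-dev libcurl4-openssl-dev make' ;;
        fedora) echo 'sudo yum install -y git gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch' ;;
        arch)   echo 'sudo pacman -S --noconfirm git ruby libyaml' ;;
        *)      return 1 ;;   # unsupported distro: let the caller decide
    esac
}

# Bundler step, per OS, as listed in the post.
bundle_cmd() {
    case "$1" in
        mac)    echo 'sudo gem install bundler && sudo bundle install --without test' ;;
        fedora) echo 'bundle install --without test --path vendor/bundle' ;;
        arch)   echo 'sudo gem install bundler && bundle install --without test && gem install typhoeus nokogiri' ;;
        *)      echo 'sudo gem install bundler && bundle install --without test' ;;
    esac
}

# Detect the host OS and run the three steps from the post in order.
install_wpscan() {
    if [ "$(uname -s)" = Darwin ]; then
        os=mac
    else
        os=$(os_id "$(cat /etc/os-release)")
    fi
    deps=$(deps_cmd "$os") || { echo "unsupported OS: $os" >&2; return 1; }
    sh -c "$deps"
    git clone https://github.com/wpscanteam/wpscan.git
    cd wpscan && sh -c "$(bundle_cmd "$os")"
}
# Only install when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = --run ]; then
    install_wpscan
fi
```

Run it as `sh install-wpscan.sh --run`; without the flag it only defines the functions.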

IV. Ready to Scan WP

There are several commands we go over in our follow-up post on using WPScan to find WordPress vulnerabilities. You will learn how to test your own website for vulnerabilities recorded in the WPVulnDB and for a number of other security issues, such as vulnerable user accounts and weak passwords.

Video

We have prepared a little video tutorial to illustrate the steps above, so you can follow along and copy the commands.

Categories: Security Education, Vulnerability Disclosure, WordPress Security
Tags: Command Line Tools

About Alycia Mitchell

Alycia Mitchell has been Sucuri’s Marketing Manager since 2014. Alycia's main responsibilities include analytics and content strategy. Her professional experience covers 10 years of SEO and digital marketing for cybersecurity. When Alycia isn’t deep in spreadsheets, you might find her exploring nature. Connect with her on Twitter.

Comments

  1. Mark

    October 30, 2015

    Please do a windows tutorial thanks!

    • Edder

      October 30, 2015

      Install vmware on windows and load a Linux ISO.

    • Un Usuario

      October 30, 2015

      I don’t mean to sound like a troll, but consider installing Linux on your computer. If you’re into programming, even as a hobby, Linux is way better suited for the task and it’s way easier to do things like this one, for example.

      • sarumbear

        November 5, 2015

        There are 25 million WP installs out there. Are you expecting each and every webmaster of these sites to be proficient in Linux or to have Linux installs available? If you want this tool to be used you need to offer a Windows version – period!

        • Un Usuario

          November 5, 2015

          You can tinker on Windows, but if you are a serious developer, you don’t deploy WP on a Windows host. It’s easier to maintain it on a POSIX OS. You don’t need to be proficient at it (no need for sysadmin level of knowledge). And also cheaper (try finding Windows instances on the cloud that are cheaper than its Linux counterparts).
          Seriously, I don’t see many production WP installs running in that OS.

          • sarumbear

            November 5, 2015

            I think I misunderstood where this scanner is to be installed, I assumed it is a client app that runs remotely but from your post it seems it is a server app. Am I correct?

    • Alycia

      November 2, 2015

      Thanks – I’ll see what I can do. It’s worth getting to know Linux!

      As others have suggested, you can install VirtualBox on your computer so you can run a virtual machine – aka another operating system within your Windows operating system – and then download any Linux distribution. They are all free. I like Mint but I’ve heard good things about Lubuntu… then you set it as an ISO image in the settings for your new virtual machine, and voila – you have a Linux box.

      Then in a year you’ll be so excited about Linux that you’ll partition your Windows PC, or maybe even just replace Windows 😀

      • Mark

        November 2, 2015

        Thanks.

      • Mark

        August 31, 2016

        Working with Linux Mint but can’t seem to find a way to get the wireless adapter to work. Any suggestions?

        • Alycia Mitchell

          August 31, 2016

          What kind of adapter are you using? Is it external? Are you using Mint in a VM? I’d suggest searching Google with those specific keywords and try a bit of troubleshooting… a lot of times there’s someone else who already had the problem 🙂

  2. Karen Stewart

    October 30, 2015

    These installation steps seem very difficult. Please tell us of any other simple approach for a WordPress vulnerability scanner.

    • Chris Herrick

      October 31, 2015

      wpscan is a Ruby-based command-line utility. To install it you only need to run a couple of commands, which is fewer than you will in practice use to run the utility.

      If you want to forego the installation process (but you’ll still need to invoke the script from the terminal), you can use the Kali Linux distribution which has a version pre-installed.

  3. At The Rubicon

    October 30, 2015

    Your git installation instructions for Mac/ElCapitan do not work. When I enter sudo apt-get git I get:

    sudo: apt-get: command not found

    I also suspect that El Capitan’s System Integrity Protection adds some further complication to the installation of Git on the Mac now.

    • blacklash

      October 30, 2015

      THIS IS THE COMMAND: sudo apt-get install git

      NOT: sudo apt-get git

      • At The Rubicon

        October 30, 2015

        When I try “sudo apt-get install git” it says “sudo: apt-get: command not found”

        • brsox

          October 30, 2015

          Aptitude does not come bundled with OSX

    • Wesam Alalem

      October 31, 2015

      Install Xcode command line tools

  4. Michael

    October 30, 2015

    Is it safe to run against the production site? Any risk that will break the site?

    • Alycia

      November 2, 2015

      It won’t break the website, just let you know if it finds any known flaws. I’ll show more in a video next week 🙂

  5. Nadine

    November 7, 2015

    Thanks for the nice tutorial! Do you know how to address the following error when installing the bundler-

    Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.

    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/bin/ruby extconf.rb

    mkmf.rb can’t find header files for ruby at /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/include/ruby.h

    Gem files will remain installed in /Library/Ruby/Gems/2.0.0/gems/ffi-1.9.10 for inspection.

    Results logged to /Library/Ruby/Gems/2.0.0/gems/ffi-1.9.10/ext/ffi_c/gem_make.out

    An error occurred while installing ffi (1.9.10), and Bundler cannot continue.

    Make sure that `gem install ffi -v '1.9.10'` succeeds before bundling.

  6. dipaksaraf

    January 12, 2016

    While I try to install GIT I get the following error:
    yum install git on CentOS 64
    Error: Package: perl-Git-1.8.2.1-2.el5.x86_64 (epel)
    Requires: perl(:MODULE_COMPAT_5.8.8)
    Error: Package: git-1.8.2.1-2.el5.x86_64 (epel)
    Requires: libcurl.so.3()(64bit)
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest

    Any ideas

  7. Troy

    January 15, 2016

    Everything went fine until #3 “sudo: gem: command not found” 🙁 Using ubuntu 15.1

    • Don Dani

      September 10, 2017

      Hey buddy, did you finally solve this problem? I’m having the same issue

  8. Patrick Neuntausend

    September 29, 2016

    Excellent Article!
