What does your WordPress site look like to hackers? Would it be tough to crack? Or does it have unlocked doors and unlatched windows just waiting for someone to try them? If you want to run a security test on your WordPress site that’ll reveal its weaknesses, get familiar with WPScan.
Even though most hackers don’t have insider knowledge of your site’s weaknesses, there’s a lot they can figure out based on its publicly visible code. WPScan tests your site with a similar approach – what’s called black-box testing.
The result: WPScan gives you an understanding of what vulnerabilities hackers can find. It’s effectively a checklist of things to (quickly) seal off.
Feels pretty useful, right?
What Does WPScan Cost?
WPScan essentially utilizes a freemium model. (This wasn’t always the case.)
The scanner itself is largely free to use. At its base level, it will use enumeration to display discoverable information like usernames, plugins, and themes being used.
In order to check vulnerabilities, you’ll need access to the WordPress Vulnerability Database API. This also starts at no cost. But as you need to scan more sites – or more complex sites – you’ll want to upgrade your plan. (More on this in a bit.)
How to Install WPScan
WPScan ships as a Ruby gem. So, if you have Ruby installed, it’s as simple as running this command:
gem install wpscan
An Alternate for Mac Users
Newer versions of MacOS make the process a bit tougher due to System Integrity Protection – security technology to protect you from malicious software.
There are a few ways to work around this – including temporarily disabling SIP. The simplest route may be to use a package manager like Homebrew, installed with this command in Terminal.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
From there, your WPScan install command will simply become:
brew install wpscanteam/tap/wpscan
Getting Started on Windows
If you don’t already have Ruby installed, start with this installer. Once you’ve done that, you’ll use the original command:
gem install wpscan
Using Docker?
You can pull the repo using this command:
docker pull wpscanteam/wpscan
Always Update WPScan
If you don’t have the most up-to-date version of the software, you won’t find the most critical vulnerabilities. WPScan constantly updates the database to keep you fully informed of identifiable vulnerabilities. 514 new vulnerabilities were added over the course of 2020!
So, be sure to run this command before any scans:
gem update wpscan
Or if you used the Homebrew method for Mac:
brew upgrade wpscan
How to Access the WordPress Vulnerability Database API
While it’s technically optional, this database is really the primary value in using WPScan.
In order to utilize the API, you need to register on WPScan’s site. You’ll then receive an API token, which you’ll add to any scans you make.
You’ll then receive the vulnerabilities details associated with your scan by including this at the end of your command:
--api-token YOUR_TOKEN
Of course, without this command, you won’t get the vulnerability information.
How to Decide on a Plan
Your scans will make one API request for each of these:
- WordPress version
- Installed plugin
- Installed theme
Considering this, fully scanning a WordPress site with a theme and 12 plugins would require 14 API requests.
WPScan estimates that the average WordPress site has 22 installed plugins. So, the Free plan of 25 API requests should typically work. If you have more plugins on your site or need to scan multiple sites each day, you’ll want to upgrade your plan accordingly.
What’s Next?
Once you have WPScan installed and have your API token, the next step is simply to start scanning for WordPress vulnerabilities with WPScan! Let’s dig in.
Daniel Cid
Juliana Lewis
Luke Leal
Ben Martin
Mohit Jawanjal
Denis Sinegubko
Peter Gramantik
Matt Morrow
