Have you ever wanted to run security tests on your WordPress website to see if it could be easily hacked?
WPScan is a black box vulnerability scanner for WordPress sponsored by Sucuri and maintained by the WPScan Team, available free for Linux and Mac users. If you use Windows, you can install a virtual machine of a free Linux distro using VirtualBox (also free) or VMware. If there is interest, we can do a tutorial on this in a future post. In this post we are going to cover the basics of installing WPScan, and we have also created a follow-up post to teach you how to use WPScan.
We have included a video tutorial so you can follow along while you copy the commands into Terminal.
Installing and Configuring WPScan
Run only the commands specific to your operating system – for Mac, or one of the Linux distros (Debian, Ubuntu, Fedora, ArchLinux).
I. Installing Git
The latest version of WPScan is hosted on GitHub, so first you need to install Git.
Mac/Debian/Ubuntu
sudo apt-get install git
Fedora
yum install git
ArchLinux
pacman -S git
Linux Dependencies
For our Linux friends, a few libraries are needed first (as Linux does). Mac users can skip ahead.
Ubuntu 14.04+
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
Before Ubuntu 14.04
sudo apt-get install libcurl4-openssl-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
Debian
sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make
Fedora
sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch
ArchLinux
pacman -Syu ruby
pacman -Syu libyaml
II. Install WPScan from GitHub
Now we can all go ahead and download the wpscan folder from GitHub, right to our root folder, using the git clone command.
git clone https://github.com/wpscanteam/wpscan.git
Once it has completed downloading, you can change directory to enter the folder:
cd wpscan
Now we need just one more thing.
III. Install the Bundler
WPScan is a Ruby application, which uses “gems” as part of the programming language. Bundler will help keep WPScan and all of its “gems” or dependencies updated effectively.
Mac
sudo gem install bundler && sudo bundle install --without test
Ubuntu
sudo gem install bundler && bundle install --without test
Debian
sudo gem install bundler && bundle install --without test
Fedora
bundle install --without test --path vendor/bundle
ArchLinux
sudo gem install bundler && bundle install --without test
gem install typhoeus
gem install nokogiri
It can take a little while to install these packages depending on your current configuration, but not more than ten minutes.
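If one of the steps above fails, a quick preflight check shows which prerequisite is missing before you retry. The script below is an added example, not part of the original tutorial or of the WPScan project; the function names are made up for illustration, and it assumes a POSIX shell. It checks that git, ruby, gem and bundle are on your PATH and that the Ruby development headers (ruby.h) needed to compile gems with native extensions are installed.

```shell
#!/bin/sh
# Preflight check for the WPScan install steps (added example, not WPScan code).

# Print each named command that is NOT on PATH, one per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Succeed only if the Ruby development headers are installed.
# Gems with native extensions need ruby.h to compile; the ruby-dev or
# ruby-devel package provides it. Optional $1 overrides the header directory.
ruby_headers_present() {
    hdrdir=${1:-}
    if [ -z "$hdrdir" ]; then
        command -v ruby >/dev/null 2>&1 || return 1
        hdrdir=$(ruby -rrbconfig -e 'print RbConfig::CONFIG["rubyhdrdir"]')
    fi
    [ -n "$hdrdir" ] && [ -f "$hdrdir/ruby.h" ]
}

# Run all checks and say which step of the tutorial to revisit.
preflight() {
    status=0
    for tool in $(missing_tools git ruby gem bundle); do
        status=1
        case "$tool" in
            git)      echo "missing git: repeat step I" ;;
            ruby|gem) echo "missing $tool: install the ruby package for your distro" ;;
            bundle)   echo "missing bundle: repeat step III (gem install bundler)" ;;
        esac
    done
    if ! ruby_headers_present; then
        status=1
        echo "missing ruby.h: install ruby-dev (Debian/Ubuntu) or ruby-devel (Fedora)"
    fi
    [ "$status" -eq 0 ] && echo "all prerequisites found"
    return "$status"
}

# Only run the checks when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Save it as preflight.sh (a hypothetical file name) and run sh preflight.sh --check from the wpscan folder; it exits non-zero if anything is missing.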
IV. Ready to Scan WP
There are several commands we go over in our post on using WPScan to find WordPress vulnerabilities. You will learn how to test your own website for vulnerabilities stored in the WPVulnDB and a number of other security issues such as vulnerable users and passwords.
Video
We have prepared a little video tutorial to illustrate the steps above, so you can follow along and copy the commands.
Please do a windows tutorial thanks!
Install vmware on windows and load a Linux ISO.
I don’t mean to sound like a troll, but consider installing Linux on your computer. If you’re into programming, even as a hobby, Linux is way better suited for the task and it’s way easier to do things like this one for example.
There are 25 Million WP installs out there. Are you expecting each and every webmaster for these sites to be proficient in Linux or to have Linux installs available? If you want this tool to be used you need to offer a Windows version – period!
You can tinker on Windows, but if you are a serious developer, you don’t deploy WP on a Windows host. It’s easier to maintain it on a POSIX OS. You don’t need to be proficient at it (no need for sysadmin level of knowledge). And also cheaper (try finding Windows instances on the cloud that are cheaper than its Linux counterparts).
Seriously, I don’t see many production WP installs running in that OS.
I think I misunderstood where this scanner is to be installed, I assumed it is a client app that runs remotely but from your post it seems it is a server app. Am I correct?
Thanks – I’ll see what I can do. It’s worth getting to know Linux!
As others have suggested, you can install VirtualBox on your computer so you can run a virtual machine – aka another operating system within your Windows operating system – and then download any Linux distribution. They are all free. I like Mint but I’ve heard good things about Lubuntu… then you set it as an ISO image in the settings for your new virtual machine, and voila – you have a Linux box.
Then in a year you’ll be so excited about Linux that you’ll partition your Windows PC, or maybe even just replace Windows 😀
Thanks.
Working with Linux Mint but can’t seem to find a way to get the wireless adapter to work. Any suggestions?
What kind of adapter are you using? Is it external? Are you using Mint in a VM? I’d suggest searching Google with those specific keywords and try a bit of troubleshooting… a lot of times there’s someone else who already had the problem 🙂
These steps seem very difficult to install. Please tell us any other simple approach for a WordPress vulnerability scanner.
wpscan is a Ruby-based command-line utility. To install it you only need to run a couple of commands, which is fewer than you will in practice use to run the utility.
If you want to forego the installation process (but you’ll still need to invoke the script from the terminal), you can use the Kali Linux distribution which has a version pre-installed.
Your git installation instructions for Mac/ElCapitan do not work. When I enter sudo apt-get git I get:
sudo: apt-get: command not found
I also suspect that El Capitan’s System Integrity Protection adds some further complication to the installation of Git on the Mac now.
THIS IS THE COMMAND: sudo apt-get install git
NOT: sudo apt-get git
When I try “sudo apt-get install git” it says “sudo: apt-get: command not found”
Aptitude does not come bundled with OSX
Install Xcode command line tools
Is it safe to run against the production site? Any risk that will break the site?
It won’t break the website, just let you know if it finds any known flaws. I’ll show more in a video next week 🙂
Thanks for the nice tutorial! Do you know how to address the following error when installing the bundler-
Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.
/System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/bin/ruby extconf.rb
mkmf.rb can’t find header files for ruby at /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/include/ruby.h
Gem files will remain installed in /Library/Ruby/Gems/2.0.0/gems/ffi-1.9.10 for inspection.
Results logged to /Library/Ruby/Gems/2.0.0/gems/ffi-1.9.10/ext/ffi_c/gem_make.out
An error occurred while installing ffi (1.9.10), and Bundler cannot continue.
Make sure that `gem install ffi -v '1.9.10'` succeeds before bundling.
While I try to install GIT I get the following error:
yum install git on CentOS 64
Error: Package: perl-Git-1.8.2.1-2.el5.x86_64 (epel)
Requires: perl(:MODULE_COMPAT_5.8.8)
Error: Package: git-1.8.2.1-2.el5.x86_64 (epel)
Requires: libcurl.so.3()(64bit)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Any ideas
Everything went fine until #3 “sudo: gem: command not found” 🙁 Using ubuntu 15.1
Hey buddy, did you finally solve this problem? I’m having the same issue
Excellent Article!