Install and Use WPScan on Linux – A WordPress Vulnerability Scanner

WPScan is a command-line scanner that checks WordPress sites for known vulnerabilities. It comes pre-installed on the following penetration-testing Linux distributions.

  • BackBox Linux
  • Kali Linux
  • Pentoo
  • SamuraiWTF
  • BlackArch

WPScan is also available as a WordPress plugin, which scans your site daily and alerts you by email when vulnerabilities are found. If you prefer to use WPScan from the Linux command line, follow the instructions below to install WPScan on Debian 10, Ubuntu 18.04, Ubuntu 20.04, CentOS/RHEL 8/Fedora and Arch Linux, and to learn how to use this WordPress vulnerability scanner.


How to Install WPScan on Debian 10/Ubuntu 18.04/Ubuntu 20.04

First, install Ruby.

sudo apt install ruby

Install dependencies for building extensions.

sudo apt install build-essential libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev libgmp-dev zlib1g-dev

Install WPScan.

sudo gem install wpscan

It will be installed to /usr/local/bin/wpscan.

Install WPScan on CentOS 8/RHEL 8/Fedora

First, install Ruby.

sudo dnf install ruby

Install dependencies for building extensions.

sudo dnf group install "Development Tools"
sudo dnf install git gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build

Install WPScan.

sudo gem install wpscan

It will be installed to /usr/local/bin/wpscan.

Install WPScan on Arch Linux

WPScan is in the Arch Linux repository; simply run the following command to install it.

sudo pacman -S wpscan

How to Use WPScan

To update the vulnerability database to the latest version, run

wpscan --update

Scan installed plugins

wpscan --url http(s)://your-domain.com --enumerate p

Scan vulnerable plugins

wpscan --url http(s)://your-domain.com --enumerate vp

Scan installed themes

wpscan --url http(s)://your-domain.com --enumerate t

Scan vulnerable themes

wpscan --url http(s)://your-domain.com --enumerate vt

Scan user accounts

wpscan --url http(s)://your-domain.com --enumerate u

Scan vulnerable timthumb files

wpscan --url http(s)://your-domain.com --enumerate tt
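The enumeration commands above are usually run by hand, one at a time. The following wrapper script is an added example (it is not part of the original article and not WPScan's own code): it checks that the target is an absolute http(s) URL, runs one combined scan of vulnerable plugins, vulnerable themes and user accounts, and stores the JSON report under a timestamped name so that successive scans of your own site can be compared. The report directory and the WPSCAN_REPORT_DIR variable are this script's own conventions; the meaning of exit status 5 ("vulnerabilities found", from the CMSScanner framework WPScan is built on) is an assumption to confirm against your installed version.

```sh
#!/bin/sh
# Added example, not from the original article: wrapper around the wpscan
# enumeration commands. Assumes wpscan 3.x is on PATH. REPORT_DIR and
# WPSCAN_REPORT_DIR are this script's own choices, not wpscan options.
set -eu

REPORT_DIR="${WPSCAN_REPORT_DIR:-${HOME:-/tmp}/wpscan-reports}"

# Accept only absolute http/https URLs without whitespace; anything else is
# most likely a typo, and wpscan would otherwise have to guess the target.
valid_target_url() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        http://*|https://*) return 0 ;;
    esac
    return 1
}

# Report file name: sanitised host part of the URL plus a timestamp. The
# timestamp can be passed explicitly, which keeps the function testable.
report_name() {
    host=${1#http://}
    host=${host#https://}
    host=${host%%/*}
    host=$(printf '%s' "$host" | sed 's/[^A-Za-z0-9.-]/_/g')
    stamp=${2:-$(date +%Y%m%d-%H%M%S)}
    printf '%s-%s.json\n' "$host" "$stamp"
}

# Run one combined scan. wpscan writes the JSON report to --output; only this
# script's own summary reaches the terminal. Exit status 5 is taken to mean
# "vulnerabilities found" (CMSScanner convention; assumption, verify locally).
run_scan() {
    url=$1
    if ! valid_target_url "$url"; then
        echo "refusing target '$url': expected http(s)://your-domain.com" >&2
        return 2
    fi
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/$(report_name "$url")"
    status=0
    wpscan --url "$url" --enumerate vp,vt,u --random-user-agent \
           --format json --output "$report" || status=$?
    case "$status" in
        0) echo "scan finished, nothing flagged: $report" ;;
        5) echo "VULNERABILITIES FOUND, review $report" >&2 ;;
        *) echo "wpscan exited with status $status" >&2 ;;
    esac
    return "$status"
}

# Usage: ./wpscan-audit.sh https://your-domain.com
if [ "$#" -gt 0 ]; then
    run_scan "$1"
fi
```

Keeping the reports as JSON rather than the default terminal output makes it easy to diff two runs (for example with jq) and see which plugin or theme newly appeared in the vulnerable list after an update.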

Please note that scanning others’ websites is illegal. Do it only on your own website.

Using WPVulnDB API

By default, WPScan only tells you whether vulnerabilities were found, but doesn’t show their details. You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.

Once you have created an account, you can save the API token in a file. Run the following command to create the WPScan configuration file.

nano ~/.wpscan/scan.yml

Put the following lines in the file.

cli_options:
    api_token: YOUR_API_TOKEN

Creating A Cron Job

Edit root user’s crontab file.

sudo crontab -e

Add the following line at the end of the file to try updating the vulnerability database and WPScan itself once a day.

@daily /usr/local/bin/wpscan --update && gem update wpscan

Wrapping Up

I hope this tutorial helped you install and use the WordPress vulnerability scanner. And as always, if you found this post useful, then subscribe to our free newsletter for more tips and tricks 🙂


7 Responses to “Install and Use WPScan on Linux – A WordPress Vulnerability Scanner”

  • Binary Mind
    7 months ago

    What about CentOS?!

  • Hello,

    Is it possible to scan a local plugin directory without specifying a URL?

    Thank you.

    • If you installed WordPress on your local computer but you don’t have a domain name for your WordPress site, then create a fictitious DNS entry in the /etc/hosts file like this:

      127.0.0.1      example.com

      Next, you can type example.com in your browser address bar to access your WordPress site, and you can use the example.com domain in the wpscan command.

  • Brett Long
    3 months ago

    I created the scan.yml file but I’m still getting the “No WPVulnDB API Token given” message.
    In what location should I place the scan.yml file?
