Install and Use WPScan on Linux – A WordPress Vulnerability Scanner

WPScan is a command line wp vulnerability scanner that can be used to scan WordPress vulnerabilities. It comes pre-installed on the following penetration testing Linux distributions.

  • BackBox Linux
  • Kali Linux
  • Pentoo
  • SamuraiWTF
  • BlackArch

WPScan is available from Github. Now let’s see how to install WPScan on Ubuntu 16.04/16.10, Debian 8, Fedora 24, Arch Linux and explain how to use this wp exploit scanner.

How to Install WPScan on Ubuntu 16.04, 16.10

First, install dependencies.

sudo apt install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev

Then install Git version control tool.

sudo apt install git

Clone the Github repository.

git clone https://github.com/wpscanteam/wpscan.git

Install it.

cd wpscan

sudo gem install bundler

bundle install --without test development

Install WPScan on Debian 8

First, install dependencies

sudo apt install git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev

Then clone repository and install it

git clone https://github.com/wpscanteam/wpscan.git

cd wpscan

sudo gem install bundler

bundle install --without test development

Install WPScan on Fedora 24

First, install dependencies.

sudo dnf install git gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build

Then clone repository and install it

git clone https://github.com/wpscanteam/wpscan.git

cd wpscan

sudo gem install bundler

bundle install --without test development

Install WPScan on Arch Linux

First, install dependencies.

sudo pacman -Syu ruby libyaml git

Then clone repository and install it

git clone https://github.com/wpscanteam/wpscan.git

cd wpscan

gem install bundler

bundle install --without test development

How to Use WPScan

Make sure you are in wpscan folder.

cd wpscan

To update database to the lastest version, run

ruby wpscan.rb --update

Scan installed plugins

ruby wpscan.rb --url http(s)://your-domain.com --enumerate p

Scan vulnerable plugins

ruby wpscan.rb --url http(s)://your-domain.com --enumerate vp

Scan installed themes

ruby wpscan.rb --url http(s)://your-domain.com --enumerate t

Scan vulnerable themes

ruby wpscan.rb --url http(s)://your-domain.com --enumerate vt

Scan user accounts:

ruby wpscan.rb --url http(s)://your-domain.com --enumerate u

Scan vulnerable timthumb files:

ruby wpscan.rb --url http(s)://your-domain.com --enumerate tt

Please note that scanning other’s websites is illegal. Do it only on your own website.

Enjoy this wp vulnerability scanner. And as always, if you found this post useful, then subscribe to our free newsletter or follow us on Google+, Twitter or like our Facebook page. Thanks for visiting!

Rate this tutorial
[Total: 4 Average: 3]