Install and Use WPScan on Linux – A WordPress Vulnerability Scanner

WPScan is a command-line vulnerability scanner that checks WordPress sites for vulnerabilities. It comes pre-installed on the following penetration testing Linux distributions.

  • BackBox Linux
  • Kali Linux
  • Pentoo
  • SamuraiWTF
  • BlackArch

WPScan is also available as a WordPress plugin, which scans your WordPress site on a daily basis and alerts you via email if vulnerabilities are found. If you prefer to use WPScan on the Linux command line, follow the instructions below to install WPScan on Debian 10, Ubuntu 18.04, Ubuntu 20.04, CentOS/RHEL 8/Fedora and Arch Linux, and learn how to use this WP exploit scanner.

How to Install WPScan on Debian 11/Ubuntu 20.04/Ubuntu 22.04

First, install Ruby.

sudo apt install ruby

Install dependencies for building extensions.

sudo apt install build-essential libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev  libgmp-dev zlib1g-dev

Install WPScan.

sudo gem install wpscan

It will be installed to /usr/local/bin/wpscan.

Install WPScan on CentOS 8/RHEL 8/Fedora

First, install Ruby.

sudo dnf install ruby

Install dependencies for building extensions.

sudo dnf group install "Development Tools"
sudo dnf install git gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build

Install WPScan.

sudo gem install wpscan

It will be installed to /usr/local/bin/wpscan.

Install WPScan on Arch Linux

WPScan is in the Arch Linux repository. Simply run the following command to install it.

sudo pacman -S wpscan

How to Use WPScan

To update the database to the latest version, run:

wpscan --update

Scan installed plugins

wpscan --url http(s)://your-domain.com --enumerate p

Scan vulnerable plugins

wpscan --url http(s)://your-domain.com --enumerate vp

Scan installed themes

wpscan --url http(s)://your-domain.com --enumerate t

Scan vulnerable themes

wpscan --url http(s)://your-domain.com --enumerate vt

Scan user accounts:

wpscan --url http(s)://your-domain.com --enumerate u

Scan vulnerable timthumb files:

wpscan --url http(s)://your-domain.com --enumerate tt

Please note that scanning other people’s websites is illegal. Do it only on your own website.

Using WPVulnDB API

By default, WPScan only tells you whether vulnerabilities were found, but doesn’t show the details of those vulnerabilities. You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.

Once you have created an account, you can save the API token in a file. Run the following command to create the WPScan configuration file.

nano ~/.wpscan/scan.yml

Put the following lines in the file.

cli_options:
    api_token: YOUR_API_TOKEN
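
With the token in place, a scan saved with wpscan --url http(s)://your-domain.com --enumerate vp --format json --output report.json can be summarised by a script. The Ruby script below is an added example, not part of the original tutorial or of the WPScan project; the JSON field names are an assumption about WPScan 3.x report output, and the embedded sample report is constructed.

```ruby
require 'json'

# Constructed sample in the layout WPScan 3.x is assumed to write with
# --format json; slugs, versions and titles are made up.
SAMPLE_REPORT = <<~JSON
  {
    "version": {"number": "5.8", "vulnerabilities": [
      {"title": "Constructed core issue", "fixed_in": "5.8.1"}]},
    "main_theme": {"slug": "sample-theme", "vulnerabilities": []},
    "plugins": {
      "sample-forms": {"version": {"number": "2.0.1"}, "vulnerabilities": [
        {"title": "Constructed stored XSS", "fixed_in": "2.0.4"},
        {"title": "Constructed CSRF", "fixed_in": null}]},
      "sample-cache": {"version": null, "vulnerabilities": []}
    }
  }
JSON

# Flatten one component (core, theme or plugin) into finding hashes.
def component_findings(kind, name, data)
  return [] unless data.is_a?(Hash)
  ver = data['version']
  installed = ver.is_a?(Hash) ? ver['number'] : data['number']
  Array(data['vulnerabilities']).map do |v|
    { kind: kind, name: name, installed: installed || 'unknown',
      title: v['title'], fixed_in: v['fixed_in'] } # nil = no fix listed
  end
end

# Collect findings for WordPress core, the main theme and every plugin.
def wpscan_findings(json_text)
  report = JSON.parse(json_text)
  found = component_findings('core', 'wordpress', report['version'])
  theme = report['main_theme']
  found += component_findings('theme', theme['slug'], theme) if theme
  (report['plugins'] || {}).each do |slug, data|
    found += component_findings('plugin', slug, data)
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  findings = wpscan_findings(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT)
  findings.each do |f|
    fix = f[:fixed_in] ? "fixed in #{f[:fixed_in]}" : 'no fixed version listed'
    puts "[#{f[:kind]}] #{f[:name]} #{f[:installed]}: #{f[:title]} (#{fix})"
  end
  exit 1 if ARGV[0] && findings.any? # non-zero lets cron or CI flag the run
end
```

Run without arguments it prints the constructed sample; given a report path it exits non-zero when any finding is present, which a scheduled job can use to trigger a notification.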

Creating A Cron Job

Edit the root user’s crontab file.

sudo crontab -e

Add the following line at the end of the file to try updating WPScan and the vulnerability database once a day.

@daily /usr/bin/gem update wpscan && /usr/local/bin/wpscan --update

Next Step

I hope this tutorial helped you install and use the WordPress vulnerability scanner. You may also want to set up the ModSecurity web application firewall to protect your WordPress site from hacking. If you use Apache web server on Debian/Ubuntu, then read the following tutorial.

If you use Nginx web server on Debian/Ubuntu, then read the following tutorial:


10 Responses to “Install and Use WPScan on Linux – A WordPress Vulnerability Scanner”

  • Binary Mind
    5 years ago

    What about CentOS?!

    • Xiao Guoan (Admin)
      5 years ago

      Hi, I have updated this article to include instructions on installing WPScan on CentOS 8.

    • I have the same problem on Ubuntu 18.04…

      • Xiao Guoan (Admin)
        5 years ago

        Hi, I have updated this article to include instructions on installing WPScan on Ubuntu 18.04. It’s super easy.

  • Hello,

    Possible to scan local directory plugin without specifying url?

    Thank you

    • Xiao Guoan (Admin)
      5 years ago

      If you installed WordPress on your local computer but you don’t have a domain name for your WordPress site, then create a fictitious DNS entry in the /etc/hosts file like this:

      127.0.0.1      example.com

      Next, you can type example.com in your browser address bar to access your WordPress site, and you can use the example.com domain in the wpscan command.

  • Brett Long
    4 years ago

    I created the scan.yml file but I’m still getting the No WPVulnDB API Token given.
    In what location should I place the scan.yml file?

  • I get this problem while trying to scan my website:
    _______________________________________________________________
    WordPress Security Scanner by the WPScan Team
    Version 3.8.17
    Sponsored by Automattic – https://automattic.com/
    @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
    _______________________________________________________________

    Scan Aborted: wrong number of arguments (given 2, expected 1)
    Trace: /var/lib/gems/2.7.0/gems/psych-4.0.0/lib/psych.rb:322:in `safe_load’
    /var/lib/gems/2.7.0/gems/wpscan-3.8.17/lib/wpscan/db/dynamic_finders/base.rb:14:in `all_df_data’
    /var/lib/gems/2.7.0/gems/wpscan-3.8.17/lib/wpscan/db/dynamic_finders/wordpress.rb:9:in `df_data’
    /var/lib/gems/2.7.0/gems/wpscan-3.8.17/lib/wpscan/db/dynamic_finders/wordpress.rb:51:in `versions_finders_configs’
    /var/lib/gems/2.7.0/gems/wpscan-3.8.17/lib/wpscan/db/dynamic_finders/wordpress.rb:55:in `create_versions_finders’
    /var/lib/gems/2.7.0/gems/wpscan-3.8.17/app/controllers/wp_version.rb:20:in `before_scan’
    /var/lib/gems/2.7.0/gems/cms_scanner-0.13.4/lib/cms_scanner/controllers.rb:46:in `each’
    /var/lib/gems/2.7.0/gems/cms_scanner-0.13.4/lib/cms_scanner/controllers.rb:46:in `block in run’
    /var/lib/gems/2.7.0/gems/timeout-0.1.1/lib/timeout.rb:80:in `timeout’
    /var/lib/gems/2.7.0/gems/cms_scanner-0.13.4/lib/cms_scanner/controllers.rb:45:in `run’
    /var/lib/gems/2.7.0/gems/cms_scanner-0.13.4/lib/cms_scanner/scan.rb:24:in `run’
    /var/lib/gems/2.7.0/gems/wpscan-3.8.17/bin/wpscan:17:in `block in ‘
    /var/lib/gems/2.7.0/gems/cms_scanner-0.13.4/lib/cms_scanner/scan.rb:15:in `initialize’
    /var/lib/gems/2.7.0/gems/wpscan-3.8.17/bin/wpscan:6:in `new’
    /var/lib/gems/2.7.0/gems/wpscan-3.8.17/bin/wpscan:6:in `’
    /usr/local/bin/wpscan:23:in `load’
    /usr/local/bin/wpscan:23:in `’

    Do you know how to fix this?

  • Hello, on a Fedora server the compiler is missing; “dnf install ruby-devel”
    and then install wpscan; “gem install wpscan”
