
Install and Use WPScan on Ubuntu 18.04

How to Install and Use WPScan on Ubuntu to Secure Your WordPress Site

WordPress powers a significant portion of the web, making it a prime target for attackers. If you manage a WordPress site, proactive security is not just recommended—it’s essential. One of the most powerful tools in any website administrator’s security arsenal is WPScan, a free, command-line WordPress vulnerability scanner.

This guide will walk you through everything you need to know to install and effectively use WPScan on an Ubuntu system (including versions 18.04, 20.04, and 22.04) to identify and fix potential security weaknesses.

What is WPScan and Why Should You Use It?

WPScan is a “black box” vulnerability scanner, meaning it probes your website from the outside, just as an attacker would. It doesn’t need access to your source code. Instead, it checks for common vulnerabilities and misconfigurations.

By using WPScan, you can:

  • Detect your WordPress version and see if it has any known vulnerabilities.
  • Identify active plugins and themes, checking them against a database of known security issues.
  • Enumerate user accounts, which can expose usernames to brute-force attacks.
  • Check for publicly accessible sensitive files, like wp-config.php backups or debug logs.
  • Discover if your site is using weak passwords (with dictionary attacks).

Regularly scanning your site with WPScan helps you find and patch security holes before malicious actors can exploit them.

Step 1: Installing Prerequisites on Ubuntu

Before we can install WPScan, we need to ensure our system has the necessary dependencies. WPScan is a Ruby application, so we’ll need to install Ruby and a few other development tools.

First, open your terminal and update your package list:

sudo apt update && sudo apt upgrade -y

Next, install the required dependencies. These packages include Ruby, tools needed to compile native extensions, and Git for cloning the repository.

sudo apt install curl git libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential

Step 2: Installing WPScan

With the dependencies in place, we can now install WPScan itself. The recommended method is to clone the project directly from its official Git repository. This ensures you always have the latest version.

From your home directory, clone the WPScan repository:

git clone https://github.com/wpscanteam/wpscan.git

Navigate into the newly created directory:

cd wpscan

Now, we need to install the required Ruby gems (libraries) that WPScan depends on. The bundle command handles this automatically.

sudo bundle install

Once the process is complete, WPScan is successfully installed on your system.

Step 3: Keeping WPScan Updated

The world of cybersecurity moves fast. New vulnerabilities are discovered daily. To ensure your scans are effective, you must keep both the WPScan software and its vulnerability database up to date.

To update the WPScan tool itself, navigate to its directory and run a git pull command:

cd ~/wpscan
git pull

To update the vulnerability database, use the following WPScan command:

ruby wpscan.rb --update

It is crucial to run the --update command before every security audit to ensure you are scanning for the latest known threats.

How to Use WPScan: A Practical Guide

Now that WPScan is installed and updated, let’s put it to work. All commands should be run from within the ~/wpscan directory.

Running a Basic Scan

The most basic scan identifies the WordPress version, themes, and plugins. Replace yourwebsite.com with your actual domain.

ruby wpscan.rb --url http://yourwebsite.com

This command will provide a general overview of your site’s public components.

Enumerating Plugins, Themes, and Users

To get more specific information, you can use enumeration flags. This is one of the most powerful features of WPScan.

  • Enumerate Vulnerable Plugins: This command specifically looks for plugins with known security issues.
    ruby wpscan.rb --url http://yourwebsite.com --enumerate vp
  • Enumerate All Plugins: This command attempts to identify every active plugin, not just vulnerable ones.
    ruby wpscan.rb --url http://yourwebsite.com --enumerate ap
  • Enumerate Users: This identifies publicly discoverable user accounts on your site.
    ruby wpscan.rb --url http://yourwebsite.com --enumerate u

Using an API Token for Superior Results

To access the most up-to-date vulnerability data, WPScan uses an API. While you can run scans without it, the results will be limited. Registering for a free API token from WPScan.com gives you access to the latest vulnerability information.

Once you have your token, you can add it to your scan command:

ruby wpscan.rb --url http://yourwebsite.com --enumerate vp --api-token YOUR_API_TOKEN_HERE

This ensures your scan is as accurate and comprehensive as possible.

Interpreting the Results and Taking Action

Running the scan is just the first step. The real work is in analyzing the output and securing your website. Look for items marked in red or yellow, as these indicate potential issues.

Here are actionable steps based on common findings:

  1. Outdated WordPress Core, Plugins, or Themes: If WPScan flags any component as outdated, update it immediately. This is the single most important step you can take to secure your site.
  2. Vulnerable Plugins/Themes: If a plugin or theme has a known vulnerability, check for a patched version. If no patch is available, deactivate and delete the plugin and find a secure alternative.
  3. User Enumeration: If WPScan successfully lists usernames (e.g., ‘admin’), you should take steps to hide them. More importantly, ensure every user account, especially administrators, uses a strong, unique password and consider implementing two-factor authentication (2FA).
  4. Publicly Accessible Files: If the scan reveals sensitive files (like debug.log), ensure their permissions are set correctly or delete them from the server if they are not needed.
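
The four steps above can be applied mechanically to a saved report. The following is an added example, not part of the original guide or of the WPScan project: it assumes the scan was saved as JSON (WPScan 3.x accepts --format json and --output), and the field names, status values and finding types it reads are assumptions about that format. The report embedded in it is constructed sample data.

```python
import json

# Constructed sample report (not real scan output). Field names are assumed
# to follow the JSON that WPScan 3.x writes with --format json.
SAMPLE_REPORT = json.loads("""
{
  "version": {"number": "5.0.1", "status": "insecure", "vulnerabilities": []},
  "main_theme": {"slug": "example-theme", "outdated": false, "vulnerabilities": []},
  "plugins": {
    "example-forms": {"outdated": true, "version": {"number": "1.2"},
      "vulnerabilities": [{"title": "Example Forms <= 1.2 - XSS", "fixed_in": "1.3"}]},
    "example-gallery": {"outdated": false, "version": {"number": "2.0"},
      "vulnerabilities": [{"title": "Example Gallery <= 2.0 - SQLi", "fixed_in": null}]}
  },
  "users": {"admin": {"id": 1}},
  "interesting_findings": [
    {"type": "debug_log", "url": "http://yourwebsite.com/wp-content/debug.log"},
    {"type": "headers", "url": "http://yourwebsite.com/"}]
}
""")

SENSITIVE_TYPES = {"debug_log", "backup_db"}  # assumed finding type names


def triage(report):
    """Map a parsed report onto the four actions in the list above."""
    actions = []
    core = report.get("version") or {}
    if core.get("status") in ("insecure", "outdated"):   # step 1
        actions.append(("update", f"WordPress core {core.get('number')}"))
    components = dict(report.get("plugins") or {})
    theme = report.get("main_theme") or {}
    components.setdefault(theme.get("slug", "main theme"), theme)
    for slug, item in components.items():                # steps 1 and 2
        vulns = item.get("vulnerabilities") or []
        if any(v.get("fixed_in") is None for v in vulns):
            actions.append(("remove", slug))   # no patched release listed
        elif vulns or item.get("outdated"):
            actions.append(("update", slug))
    for name in report.get("users") or {}:               # step 3
        actions.append(("harden-account", name))
    for finding in report.get("interesting_findings") or []:   # step 4
        if finding.get("type") in SENSITIVE_TYPES:
            actions.append(("restrict-file", finding.get("url")))
    return actions


if __name__ == "__main__":
    print("\n".join(f"{a:15} {t}" for a, t in triage(SAMPLE_REPORT)))
```

To use it on a real report, replace SAMPLE_REPORT with the result of json.load() on the saved file.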

By incorporating WPScan into your regular website maintenance routine, you can adopt a proactive approach to security, identify weaknesses, and protect your website from common threats.

Source: https://kifarunix.com/install-use-wpscan-wordpress-vulnerability-scanner-ubuntu-18-04/
