WPScan is an automatic scanner for WordPress sites, and since we have spoken so much about security issues, it's time to get it. I've already spoken about it in my first post about WordPress security risks & issues, which you can check here.
You might want to be aware that if you're paying for a security scan, in around 60% of cases it will be done using this tool, possibly with some other tools as well.
If you're a business you might want to go with a premium service that offers extra checks on top of that, but if you're just starting your blog or don't have a budget, then why not run it for free?
There are a couple of ways in which you can get WPScan; check them below:
- Install it on your Windows machine or Linux server.
- Grab a Kali Linux VirtualBox (free virtualisation software) or VMware image and run it from there (it's one of the standard apps in this security-focused Linux distribution).
- Install it via Docker.
Usually I go with number 2, as apart from WPScan there are lots of other tools in it that are very useful for finding holes and bugs within your WordPress: we're talking about the Acunetix scanner, AnotherOne and SQLMap for testing all those SQL injection holes. It comes as a package and without the pain of installing Ruby on your home or development machine; everything is ready.
But for the sake of this article we'll go over both options, i.e. installing it on a Windows machine as well as running it from Kali Linux. We'll skip the option of installing it on a Linux server, as I'm not (sorry) a great fan of Ruby and I just don't want to install it on any of my servers 😀 Sounds cruel? Please forgive me if you're a Ruby fan!
Installing on a Windows machine
It turned out to be less painful than expected, but still some pain: I hit a couple of errors on my way, but a quick Google search saved me and I'll try to save you from that research 😀
1. Install Ruby
I picked 2.6.1 (WITHOUT DEVKIT > rubyinstaller-2.6.1-1-x64.exe), as I'd read that WPScan has some issues when using Ruby 2.5.1-2.5.3, and generally you should pick a newer version. I ran the installer and, when asked about adding Ruby to PATH, answered yes; it also asked if I want to install MSYS2, for which the answer is the same.
When the installation is complete, open Command Prompt and check that Ruby is installed and added to the system PATH by typing:
ruby --version
Here I hit my first error: despite selecting the option to add the Ruby location to the PATH environment variable, the installer didn't add it, so let's do that:
– right-click My Computer,
– then Properties,
– then Advanced System Settings,
– then Environment Variables,
– select PATH and add at the end (your location might differ depending on the version you've installed!):
;C:\Ruby26-x64\bin
It's important to use ; to separate it from the other directories already in the PATH variable. Once done, click OK.
2. Install & Update WPScan
Now we can reopen Command Prompt and again type ruby --version.
Once we've confirmed that, the command for installing WPScan is gem (gem.cmd, located in YourRubyInstallationFolder\bin), so we can just type:
gem install wpscan
The process will ask you if you want to do it; do it. OK, so we have Ruby and WPScan installed. Since the latter is connected to a live database of bugs, we should update it on first run.
We can do that by running the command:
wpscan --update
> CURL error
Here I hit another error, CURL ERROR; it was caused by curl not being installed, so let's grab it from here:
I used the curl for 64-bit, grabbed libcurl-x64.dll, unpacked it into my Ruby binaries directory (C:\Ruby26-x64\bin) and renamed libcurl-x64.dll to just lib_curl.dll.
After that I ran wpscan --update again, and this time the error was different, namely:
> Certificates error
It complained about SSL certificates, which happens often on my old Windows 7 system (is it a virus? is it a misconfiguration? who knows!) 😀
To bypass certificate verification and just get the scanner up and running, we'll add one option to the command. Let's run it now like this:
wpscan --update --disable-tls-checks
It will take a moment, after which you'll be presented with information that it was successfully updated. All looks fine.
3. Scan your WordPress
We're ready to run the scan, so let's start with the command:
wpscan --url https://yourblog.com
In case you get the same error as me (certificates again), just use the same option as when updating, so we end up with:
wpscan --url https://yourblog.com --disable-tls-checks
That finally did the trick and I was able to scan my own website for free and without using a virtual machine. The charm of WPScan is the connection to the live bug database: it will detect if you're using a theme or a plugin with well-known holes. If that's not enough, you can do a couple of other things, like trying to brute force your own server and testing your web and server firewall rules (they should block multiple connections).
By default it will have a user agent that says WPSCAN; it's good to change it if you're planning to analyse your web server logs later on, so you know which requests were made by you.
You can do that by running it like this:
wpscan --url https://yourblog.com --user-agent "My User Agent"
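As an added example (not from the original post, and not part of WPScan itself), here is a small Python script that does the log analysis mentioned above: it parses access log lines in the Apache/nginx "combined" format (constructed sample data), separates requests carrying your own scanner's User-Agent (WPScan's default or the custom "My User Agent" string) from everybody else's, and counts repeated POSTs to wp-login.php per IP, which is the pattern your firewall should be blocking.

```python
import re
from collections import Counter

# Assumes the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two requests with a WPScan-style agent, one with the custom
# agent from the post, and three POSTs to wp-login.php from someone else.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:10:01:02 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1234 "-" "WPScan v3 (constructed)"
203.0.113.5 - - [10/Mar/2019:10:01:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 98 "-" "WPScan v3 (constructed)"
203.0.113.5 - - [10/Mar/2019:10:05:00 +0000] "GET /readme.html HTTP/1.1" 200 7000 "-" "My User Agent"
198.51.100.7 - - [10/Mar/2019:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:11:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:11:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 150 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_own_scan(ua, own_agents=("WPScan", "My User Agent")):
    """True if the User-Agent belongs to one of our own scanner runs (case-insensitive)."""
    ua_l = ua.lower()
    return any(a.lower() in ua_l for a in own_agents)

def summarise(log_text, own_agents=("WPScan", "My User Agent")):
    """Count own-scan requests and the paths they probed, and count foreign POSTs
    to wp-login.php per IP (repeated login attempts the firewall should block)."""
    own_paths, login_posts, other = [], Counter(), 0
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if is_own_scan(e["ua"], own_agents):
            own_paths.append(e["path"])
        else:
            other += 1
            if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
                login_posts[e["ip"]] += 1
    return {"own": len(own_paths), "own_paths": own_paths,
            "other": other, "login_posts": dict(login_posts)}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Point the script at your real access log (read the file and pass its text to summarise) after a scan to confirm that every request you made is attributed to your agent string and nothing else.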
To see all possible options and switches you can run:
OK folks, now you should be able to scan your WordPress for security issues within themes and plugins, for free and any time you want.
If you have any questions or problems, leave a comment. In the next post in this series we'll see how to run it using the Kali Linux VM.