Why and How to Install WPScan for WordPress Security
You can never be too careful about security, especially when designing or developing sites with WordPress. Hackers have a better arsenal than ever, with sly ways to break in and breach your sites. Thankfully, there are tools like WPScan to help developers and owners keep their websites secure.
WPScan? What’s That?
WPScan is a free tool that security professionals and website developers can use to perform “black box scanning” to test WordPress sites for vulnerabilities.
Black box scans approach a website in the same way most hackers do. While they don’t have specific insider information, they’ll pore through your code and poke at sensitive points to find exploitable weaknesses.
Because WordPress is one of the top CMS systems used to build websites, a lot of these vulnerabilities are well known across its popular themes, plugins, and even the core code itself.
It’s a bit like having a house in a big subdivision, where all the houses have similar floor plans, construction, and even modifications. Once a thief knows of a weak point in one house, that weakness can likely be exploited across many.
That’s both a pro and a con for site owners: A con because hackers don’t have to be particularly savvy to find and exploit vulnerabilities. But a pro because all those same tricks are known across the WordPress development and security communities. It can also be faster to identify weaknesses, implement fixes, and spread the word.
WPScan bundles a huge chunk of that knowledge into a single tool. And because it takes that “black box” approach, you can see exactly how ripe-for-the-picking your site is in the eyes of hackers.
So, yeah. Pretty, pretty, pretty useful.
Let’s Install WPScan
It’s all fairly straightforward.
WPScan works on Linux and Mac. For Windows users, there’s also a VMWare version.
Here are the command-line steps to get it up and running:
Install Git
WPScan is hosted on Github, so you’ll need to start with Git.
- Mac/Debian/Ubunto command:
sudo apt-get install git
- Fedora command:
$ yum install git
- ArchLinux command:
$ pacman -S git
Install Linux Dependencies
If you’re using Linux, you’ll also need to install the dependencies based on your distribution.
- Ubuntu 14.04+ command:
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
- Prior to Ubunto 14.04 command:
sudo apt-get install libcurl4-openssl-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
- Debian command:
sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make
- Fedora command:
sudo yum install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch
- ArchLinux:
pacman -Syu ruby
Install WPScan
Now it’s time to “git” into it by installing WPScan using the following command:
git clone https://github.com/wpscanteam/wpscan.git
Next, change your directory to where it is installed using the command cd wpscan
Install the Bundler
WPScan runs on Ruby, so it requires “gems.” Run the following commands on your operating system to update the dependencies.
Mac:
sudo gem install bundler && sudo bundle install --without test
Ubuntu:
sudo gem install bundler && bundle install --without test
Debian:
sudo gem install bundler && bundle install --without test
Fedora:
bundle install --without test --path vendor/bundle
ArchLinux:
sudo gem install bundler && bundle install --without test
gem install typhoeus
gem install nokogiri
Be patient; these installs can take up to ten minutes to complete. Once complete, you’re (almost) ready to start scanning.
Always Remember to Update WPScan
Before running any scans, you should always update WPScan to ensure you are comparing your website against the most updated list of vulnerabilities. If you don’t have the latest intel, you may be overlooking the biggest things hackers are looking to exploit. To update your WPScan, open Terminal and enter the following commands:
Change directories: cd wpscan
Update WPScan: git pull
ruby wpscan.rb --update
Once you see the WPScan logo, you know you’re ready to go.
Now, Let’s Have WPScan Do What It Was Made to Do
Check for Vulnerabilities
First, you’ll want to check your WordPress installation and your theme for any apparent vulnerabilities. Run the following command to scan your website:
ruby wpscan.rb --url http://yourwebsite.com
(Of course, replace “http://yourwebsite.com” with your actual WordPress URL).
Scan Plugins and Themes for any Open Doors
Some WPScan options include running specific commands to check for risky plugins, themes, or user enumeration. The dangers here? Exposed WordPress versions, SQL injection, and other well-known vulnerabilities regularly exploited by hackers. (If you haven’t run updates in a while and there is a known issue, you’re probably at risk.)
The command to check for vulnerable plugins is:
ruby wpscan.rb --url http://yourwebsite.com --enumerate vp
The results will show a red exclamation point next to those with problems. You can replace them or disable them to mitigate the risk.
To check for insecure themes, run this command:
ruby wpscan.rb --url http://yourwebsite.com --enumerate vt
Again, you will see red exclamation points next to any of these that include security issues. If there is no update, replace the theme to secure your site.
Test for User Enumeration
Hackers use the technique of enumeration to perform brute force attacks or credential stuffing by guessing or confirming usernames. Those usernames often get exposed through common website vulnerabilities.
So, you should always check your WordPress site using WPScan and the following command:
ruby wpscan.rb --url http://yourwebsite.com --enumerate u
A great result won’t show any usernames. If any do show up, change them and their corresponding passwords immediately. (Be aware that some website firewalls may block this command, and you’ll see an error.)
Wrapping Up
Working with WordPress puts a lot of power in your hands. As always, though, the Peter Parker principle applies: “With great power comes great responsibility.”
It’s just one part of securing yourself, your clients, and site visitors, but WPScan provides a critical view into the state of your website security.
Give it a swing.