How to Audit WordPress Security from the Command Line with WpScan

WPScan is a Ruby-based WordPress security scanner that is run from the command line and used to detect vulnerabilities on a WordPress installation.

While there are plenty of plugins out there that do the same job, it makes a lot of sense for server administrators to scan their installations from the backend and not the frontend, so WPScan could be really handy for them and people who just love the terminal.

Installation

WPScan is shipped by default on a couple of Linux distributions such as Kali Linux and BlackBox Linux. You can also install on the popular distros such as Ubuntu and Arch Linux.

Windows is not supported, so if you’re hoping to make use of WPScan, your server has to be running either Linux or Mac OS X.

While WPScan installation is fairly simple, there are a couple of prerequisites and dependencies to set up before attempting installation.

Prerequisites:

  • Ruby – v1.92 and later (Recommended 2.2.3)
  • Curl – 7.21 and later (Recommended latest)
  • RubyGems – Recommended latest
  • Git

Installation on Ubuntu

Since WPScan is hosted on Git, we must install Git first by running the following command:

sudo apt-get install git

Then we need to install the needed dependencies for WPScan,

sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential

and then clone WPScan from Git.

git clone https://github.com/wpscanteam/wpscan.git

Enter the newly-created WPScan directory and use bundler to install the necessary Ruby gems

cd wpscan
sudo gem install bundler && bundle install --without test development

Installation on Arch Linux

You can run the following commands in turn to get WPScan on Arch Linux. Make sure Ruby and Git are installed first though.

pacman -Syu ruby
pacman -Syu libyaml
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
sudo gem install bundler && bundle install --without test
gem install typhoeus
gem install nokogiri

Using WPScan

WPScan is very simple to use. All you need to do is type in the appropriate commands for enumerating plugins and themes or for performing non-intrusive checks on your WordPress website.

Make sure you are in the WPScan directory before attempting to use the tool:

cd wpscan

To enumerate all your installed plugins, run the following command:

ruby wpscan.rb --url http://yoursiteurl.com --enumerate p

Replace “http://yoursiteurl.com” with your website URL. The -enumerate p flag stands for enumerate plugins.

To display only vulnerable plugins, use:

ruby wpscan.rb --url http://yoursiteurl.com --enumerate vp

Sample output:

[!] Title: W3 Total Cache - Remote Code Execution
    Reference: https://wpvulndb.com/vulnerabilities/6622
    Reference: http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/
    Reference: http://wordpress.org/support/topic/pwn3d
    Reference: http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2010
    Reference: https://secunia.com/advisories/53052/
    Reference: http://osvdb.org/show/osvdb/92652
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/php_wordpress_total_cache
    Reference: https://www.exploit-db.com/exploits/25137/
[i] Fixed in: 0.9.2.9

[!] Title: WordPress SEO by Yoast 

From the sample output above, we can see that WordPress SEO by Yoast is vulnerable to Blind SQL injection and the W3 Total Cache is vulnerable to Remote Code Execution. Both vulnerabilities have been patched in this case, so it is recommended to update the plugins.

In addition, WPScan can be used to check all installed themes

ruby wpscan.rb --url http://yoursiteurl.com --enumerate t

or just vulnerable themes.

ruby wpscan.rb --url http://yoursiteurl.com --enumerate vt

In the same manner, you can perform non-intrusive checks on your installation with the following command:

ruby wpscan.rb --url http://yoursiteurl.com

Finally, to update WPScan’s database, run:

ruby wpscan.rb --update

Conclusion

The security of your WordPress website is very important, and tools like WPScan are extremely helpful for running checks to help find and fix vulnerabilities and prevent hackers from exploiting them.

Have you used WPScan? Share your experiences in the comments section below.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Ayo Isaiah Avatar

Read next

Suzanne Simard sealed paper birch and Douglas fir seedlings inside plastic bags, fed them carbon-14 and carbon-13 dioxide, and nine days later found carbon had crossed between species through fungal threads in the British Columbia soil beneath her boots
A species of jellyfish called Turritopsis dohrnii can revert its adult cells back to a juvenile polyp stage when injured or starving, effectively restarting its life cycle, and biologists have so far failed to identify any natural limit to how many times it can do this.
A Japanese man named Jiroemon Kimura, who lived to 116, was born in 1897 when Queen Victoria still ruled and died in 2013, meaning a single human life personally overlapped with the invention of the airplane, the atomic bomb, the internet, and Instagram
The Hollywood sign originally read HOLLYWOODLAND when it was built in 1923 as a real estate advertisement for a housing development, and it was only meant to stand for 18 months, but nobody ever got around to taking it down and the city eventually adopted it as a landmark
Almost all of the world’s internet traffic does not travel by satellite but through fibre-optic cables lying on the ocean floor, a hidden web of wires crossing the deepest parts of the sea to connect the continents.
People who flip their phone face down on every table aren’t being secretive. They figured out that staying interruptible meant handing their time to whoever rang first
Twitch vs. Facebook Gaming vs. YouTube Gaming: What’s the Best Live Game Streaming Platform?
Chrome Extensions Ownership Transfer is a Direct Threat to You: How to Stay Safe