WPScan Install on Ubuntu

WPScan project page

WPScan tests a WordPress installation for security vulnerabilities. The tool is a black-box scanner, so it tests a WordPress installation remotely. It finds vulnerable plugins and themes and security configuration issues, and can brute-force user passwords.


Installation on Ubuntu Linux is easy and you will be up and running in a few minutes - literally.

If you do not have git installed, you will need it. Git is a tool that allows easy access for installation and updates to a code repository.

apt-get install git

Now for a few prerequisites:

apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev

Now use git to clone the main branch of the WPScan code; this will create a folder on your system containing the code.

git clone https://github.com/wpscanteam/wpscan.git

cd wpscan

sudo gem install bundler && bundle install --without test development

To launch wpscan.rb, run it with ruby.

ruby wpscan.rb
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                    Version v2.1r2d5a770
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalhack3r, @erwan_lr, @gbrindisi, @_FireFart_

Examples :

-Further help ...
ruby wpscan.rb --help

-Do 'non-intrusive' checks ...
ruby wpscan.rb --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the 'admin' username only ...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...
ruby wpscan.rb --url www.example.com --enumerate p

-Enumerate installed themes ...
ruby wpscan.rb --url www.example.com --enumerate t

-Enumerate users ...
ruby wpscan.rb --url www.example.com --enumerate u

-Enumerate installed timthumbs ...
ruby wpscan.rb --url www.example.com --enumerate tt

-Use a HTTP proxy ...
ruby wpscan.rb --url www.example.com --proxy

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby wpscan.rb --url www.example.com --proxy socks5://

-Use custom content directory ...
ruby wpscan.rb -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...
ruby wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update ...
ruby wpscan.rb --update

-Debug output ...
ruby wpscan.rb --url www.example.com --debug-output 2>debug.log

See README for further information.

No argument supplied

Like any vulnerability scanner that uses signatures or known issues as part of its detection capability, WPScan needs to be updated on a regular basis. Thankfully, Ryan and the WPScan team update it on a regular basis.

To update, simply run a git pull command from within the installation directory.

cd wpscan
git pull
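
The install and update steps above combined into one script, as an added example that is not part of the original article or the WPScan project. It assumes an apt-based system with sudo and a non-root user; the function names and the WPSCAN_DIR variable are made up for this example, and the libruby fallback follows a reader's report in the comments for Ubuntu 15.04.

```sh
#!/bin/sh
# Added example: install or update WPScan following the article's steps.
# Assumes an apt-based system with sudo, run as a normal (non-root) user.

WPSCAN_DIR="${WPSCAN_DIR:-$HOME/wpscan}"   # assumed install location
REPO_URL="https://github.com/wpscanteam/wpscan.git"

# Succeeds if apt has an installable candidate for package $1.
apt_has_candidate() {
  apt-cache policy "$1" 2>/dev/null | grep -q 'Candidate: [^(]'
}

# Print the prerequisite list. $1 names the command that tests availability
# (default: apt_has_candidate), so the choice can be exercised without apt.
select_prereqs() {
  check="${1:-apt_has_candidate}"
  ruby_ssl="libruby"   # fallback reported in the comments for Ubuntu 15.04
  if "$check" libopenssl-ruby; then ruby_ssl="libopenssl-ruby"; fi
  echo "git libcurl4-gnutls-dev $ruby_ssl libxml2 libxml2-dev libxslt1-dev ruby-dev"
}

# A directory that already holds a checkout is updated, otherwise cloned.
checkout_action() {
  if [ -d "$1/.git" ]; then echo pull; else echo clone; fi
}

install_or_update() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "Run as a normal user; Bundler warns against running as root." >&2
    return 1
  fi
  sudo apt-get update || return 1
  # Word splitting of the package list is intended here.
  sudo apt-get install -y $(select_prereqs) || return 1
  case "$(checkout_action "$WPSCAN_DIR")" in
    clone) git clone "$REPO_URL" "$WPSCAN_DIR" || return 1 ;;
    pull)  git -C "$WPSCAN_DIR" pull --ff-only || return 1 ;;
  esac
  cd "$WPSCAN_DIR" || return 1
  sudo gem install bundler || return 1
  bundle install --without test development
}

# Only act when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then install_or_update; fi
```

Run it with --run to perform the steps; without that argument it only defines the functions.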

15 Responses to WPScan Install on Ubuntu

  1. Kost'ka November 6, 2013 at 4:31 pm #

    better on windows

    • WIK February 19, 2015 at 7:28 pm #

      You can use /g/entoo too, if you want.

  2. Linuz Theropod February 5, 2014 at 10:15 am #

    apt-get update && apt-get install git
    if the git package is not found

    • Justin Ng June 4, 2014 at 1:32 pm #

      try sudo apt-get -y install git-core

  3. Rama February 26, 2015 at 2:05 pm #

    Error: “Don’t run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine.”

    This is a Debian server, there’s only root allowed for SSH. So this guide does not work for Debian Server in this scenario 🙁 Also there is no “Sudo” on Debian.

    • Sebastian Schleussner June 29, 2015 at 7:08 am #

      First time I hear of a distro *only* allowing root for SSH!? Are you sure? The normal and sane thing is to DISallow SSH login to root. Also, if sudo doesn’t exist on your weird server, install it or use su.

  4. Luite April 26, 2015 at 10:35 am #

    For Ubuntu 15.04 you will find that the package libopenssl-ruby no longer exists; instead, use package “libruby”

    • tekstorm May 14, 2015 at 3:10 pm #

      Use this command before performing the build command,

      sudo apt-get install build-essential

  5. Juan Cruz September 11, 2015 at 9:27 pm #

    Where can I find the darkc0de.lst or another dictionary?

  6. CannyCookie January 25, 2016 at 11:12 pm #

    Can anyone help with this problem?
    wpscan runs from the command line, but when I try to exec from a PHP script I get this error:
    sh: /home/ec2-user/.rvm/rubies/ruby-2.3.0/bin/ruby: Permission denied
    I’ve tried setting recursive group permissions on /home/ec2-user/.rvm for apache.
    Any help very gratefully received.

  7. Ugo Pagliai January 28, 2016 at 7:32 pm #

    we pay you so please pay for a commercial WPScan licence and offer it online again.

  8. DemonDesigner March 30, 2016 at 7:51 am #

    I got this error

    -Package libopenssl-ruby is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    E: Package ‘libopenssl-ruby’ has no installation candidate

    -sudo: gem: command not found

    • ChristophSEO April 19, 2016 at 10:11 am #

      I have the same problem – but didn’t get the error message “Package ‘libopenssl-ruby’ has no installation candidate” on Ubuntu 12.04 LTS. Any help?

  9. baba April 24, 2016 at 11:19 am #

    I got an error message at the 2nd step
    “apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev” as libopenssl-ruby is not available. After that come a lot of errors.

  10. Han-han Yosua Kristanto July 22, 2016 at 11:52 am #

    [ask] fail update wpscan database

    wpscan --update

    [i] Updating the Database …

    [!] plugins.json: checksums do not match (local: 3a08ccad3a9293b840fd4842a05cb1afe32c32d7d2bc86de797e0d074f0a10aee6523514ee10b3436c25cbe52689d57d68f63d8d0cc756f0197e3f58d4714d82 remote: a322df94b7d2f3631d3109acf72671583d2b80be260862f17e2ab82943008be252f4dc06d81c728764098ea91846b89d047f0ec6205adfa579a5d38650aafa1d)