How to Install & Use WPScan to Secure Your WordPress Website

WordPress is one of the most popular content management systems (CMS) in the world, powering millions of websites. However, its popularity also makes it a prime target for hackers. To ensure the security of your WordPress website, it’s crucial to regularly scan for vulnerabilities and address them promptly. One powerful tool that can help with this is WPScan, a WordPress vulnerability scanner. In this comprehensive guide, we will walk you through the process of installing and using WPScan on your Ubuntu 20.04 server.

1. What is WPScan?

WPScan is a powerful command-line tool and WordPress vulnerability scanner developed in the Ruby language. It is designed to help security professionals and WordPress site owners identify and address potential security loopholes in their websites. WPScan utilizes Sucuri’s vulnerability database for WordPress core, plugins, and themes to provide a comprehensive report on known security vulnerabilities that could be exploited by hackers.

2. Prerequisites for Installing WPScan

Before installing WPScan on your Ubuntu 20.04 server, ensure that you have the following prerequisites:

  • A server running Ubuntu 20.04 or a similar Debian-based distribution.
  • SSH access to the server or terminal access if you’re on a desktop.
  • Basic knowledge of Linux and how to use the command-line interface.
  • A non-root sudo user or access to the root user.

It is recommended to have a fresh OS installation to prevent any potential conflicts or issues during the installation process.

3. Installing WPScan on Ubuntu 20.04

To install WPScan on your Ubuntu 20.04 server, follow these steps:

Step 1: Update System Packages

Before installing any new software, it’s essential to ensure that your system packages are up-to-date. Run the following commands in the terminal:

sudo apt update
sudo apt upgrade

Step 2: Install Required Package Dependencies

WPScan has several dependencies that need to be installed. Use the following command to install all the necessary package dependencies:

sudo apt install curl git libcurl4-openssl-dev make zlib1g-dev gawk g++ gcc libreadline6-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 autoconf libgdbm-dev libncurses5-dev automake libtool bison pkg-config ruby ruby-bundler ruby-dev -y

Step 3: Install Ruby Version Manager

WPScan requires Ruby to be installed on your system. To install Ruby Version Manager (RVM), use the following commands:

gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
\curl -sSL https://get.rvm.io | bash -s stable --ruby

Step 4: Install Nokogiri

Nokogiri is an essential library for parsing HTML, XML, and other markup languages. Install it using the following command:

gem install nokogiri

Step 5: Install WPScan

Now, you’re ready to install WPScan on your Ubuntu 20.04 server. There are two methods you can choose from:

Method 1: Install WPScan from RubyGems

The recommended method is to install WPScan from RubyGems. Execute the following command to install WPScan:

gem install wpscan

To uninstall WPScan, use the following command:

gem uninstall wpscan

Method 2: Install WPScan from Sources (Not Recommended)

Another method is to install WPScan from sources. However, this method is not recommended for most users. If you still want to proceed, follow these steps:

cd /usr/local/src/
sudo git clone https://github.com/wpscanteam/wpscan.git
cd wpscan/
bundle install --without test
rake install

Please note that this method may take longer and can be more complex than installing from RubyGems.

Congratulations! You have successfully installed WPScan on your Ubuntu 20.04 server. Next, we will cover how to update the WPScan database.

4. Updating WPScan Database

To keep the WPScan database current, update it regularly with the latest vulnerability information. Run the following command to update the WPScan database:

wpscan --update

This command will update your WPScan database to the latest version. It is recommended to run this command periodically to stay up-to-date with the latest security vulnerabilities.

5. Scanning WordPress Sites with WPScan

Once you have installed and updated WPScan, you can start scanning WordPress sites for security vulnerabilities. Use the following command to scan a WordPress site:

wpscan --url https://example.com

Replace https://example.com with the URL of the WordPress site you want to scan. WPScan will analyze the site’s core files, plugins, themes, and other components to identify any known vulnerabilities.

The scan results will provide you with valuable information about the security posture of the WordPress site, such as vulnerable plugins, outdated themes, and potential misconfigurations. It is crucial to address any identified vulnerabilities promptly to protect your website from potential attacks.

6. Using WPScan API for Vulnerability Details

WPScan also provides an API that allows you to obtain detailed information about specific vulnerabilities. To use the WPScan API, you need to sign up at https://wpvulndb.com and generate an API token. Once you have the API token, you can use it to retrieve vulnerability details during scanning.

wpscan --url https://example.com --api-token YOUR_API_TOKEN

Replace https://example.com with the URL of the WordPress site you want to scan, and YOUR_API_TOKEN with your actual API token. This will enable WPScan to provide vulnerability details in the scan results, giving you more insights into the security issues affecting your WordPress site.

7. Different Detection Modes in WPScan

WPScan offers three detection modes: passive, aggressive, and mixed. These modes determine how intrusive and how thorough the scan is. Here’s an overview of each mode:

  • Passive Mode: This mode performs a non-intrusive scan, sending only a few requests to the server. It is suitable for situations where you want to minimize the load on the target server.
  • Aggressive Mode: In this mode, WPScan performs a more intrusive scan, sending hundreds of requests to the server. It thoroughly checks for vulnerabilities in all plugins, even those without known vulnerabilities. Use this mode when you need a more comprehensive scan, but be aware that it may increase the load on the target server.
  • Mixed Mode (Default): The default mode in WPScan is a combination of passive and aggressive modes, providing a balanced scan that covers common vulnerabilities without overwhelming the server.

To specify a detection mode during scanning, use the --detection-mode option followed by the name of the desired mode:

wpscan --url https://example.com --detection-mode aggressive

Replace https://example.com with the URL of the WordPress site you want to scan, and aggressive with your chosen detection mode.

8. Scanning and Analyzing Plugins and Themes

WPScan allows you to scan and analyze both plugins and themes installed on a WordPress site. This can help you identify vulnerable or outdated components that may pose a security risk. Here are some commands to scan plugins and themes:

Scan Installed Plugins:

wpscan --url https://example.com --enumerate p

Scan Vulnerable Plugins:

wpscan --url https://example.com --enumerate vp

Scan Installed Themes:

wpscan --url https://example.com --enumerate t

Scan Vulnerable Themes:

wpscan --url https://example.com --enumerate vt

Replace https://example.com with the URL of the WordPress site you want to scan. These commands will provide you with a list of installed plugins or themes, along with any vulnerabilities associated with them. It is crucial to keep your plugins and themes up-to-date to minimize the risk of exploitation.

9. Enumerating WordPress Users

WPScan can also help you enumerate WordPress users on a targeted site. User enumeration allows you to discover valid usernames, which can be useful for potential brute-force attacks or other security assessments. Use the following command to enumerate WordPress users:

wpscan --url https://example.com --enumerate u

Replace https://example.com with the URL of the WordPress site you want to scan. WPScan will provide you with a list of usernames associated with the site. It is essential to ensure that your WordPress site does not have easily guessable usernames to prevent unauthorized access.

10. Testing for Password Strength and Brute-Force Attacks

WPScan can also help you test the strength of passwords used by WordPress users and perform brute-force attacks to simulate potential attacks. It is important to note that you should only perform these tests on your own website with proper authorization. Here’s an example command to test password strength:

wpscan --url https://example.com -P password-file.txt -U admin -t 50

Replace https://example.com with the URL of the WordPress site you want to scan. The -P option specifies a password file containing a list of passwords to test, and the -U option specifies the username to target. Adjust the number of threads (-t) based on your server’s capabilities.

11. Automating WPScan with Cron Jobs

To ensure regular and timely scanning of your WordPress site, you can automate WPScan using cron jobs. Cron jobs allow you to schedule tasks to run automatically at specified intervals. Here’s an example of setting up a cron job to update WPScan and the vulnerability database daily:

sudo crontab -e

Add the following line at the end of the file:

@daily /usr/bin/gem update wpscan && /usr/local/bin/wpscan --update

Save the file and exit. This cron job will update WPScan and the vulnerability database once a day. Adjust the frequency according to your needs.
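The scanning commands in sections 5, 7 and 8 and the cron job above all produce console text that nobody reads at 3 a.m. As an added example that is not part of this guide or of the WPScan project, the Python script below builds the scheduled scan with WPScan's --format json / --output options, parses the report, and returns a non-zero exit status when anything needs attention, so cron mails the findings. The report field names it reads (version, plugins, themes, main_theme, outdated, latest_version, vulnerabilities, fixed_in) are assumptions about WPScan's JSON layout, and the embedded sample report is constructed with placeholder slugs and titles.

```python
import json
import subprocess
# Added example, not from the original guide or the WPScan project. Assumed JSON
# report layout (check it against a real `wpscan --format json` run): "version" is
# WordPress core {"number", "vulnerabilities"}; "plugins"/"themes" map slug ->
# {"version": {"number"}, "outdated", "latest_version", "vulnerabilities": [{"title",
# "fixed_in"}]}; "main_theme" is the active theme in the same shape.
def build_scan_command(url, token, out_path, mode="mixed"):
    """WPScan invocation for the cron job: enumerate vulnerable plugins and
    themes, use the API token for details, and write JSON instead of text."""
    if mode not in ("passive", "aggressive", "mixed"):
        raise ValueError(f"unknown detection mode: {mode}")
    return ["wpscan", "--url", url, "--api-token", token, "--enumerate", "vp,vt",
            "--detection-mode", mode, "--format", "json", "--output", out_path]

def triage(report):
    """Flatten a report into (kind, slug, title, fixed_in): known vulnerabilities
    in core/plugins/themes, plus components that are merely outdated."""
    findings = []
    for v in (report.get("version") or {}).get("vulnerabilities") or []:
        findings.append(("core", "wordpress", v.get("title"), v.get("fixed_in")))
    comps = [(k, s, c) for k in ("plugins", "themes") for s, c in (report.get(k) or {}).items()]
    if report.get("main_theme"):  # the active theme is reported separately
        comps.append(("themes", report["main_theme"].get("slug"), report["main_theme"]))
    for kind, slug, comp in comps:
        vulns = comp.get("vulnerabilities") or []
        for v in vulns:
            findings.append((kind, slug, v.get("title"), v.get("fixed_in")))
        if comp.get("outdated") and not vulns:  # "version" is None when undetected
            ver = (comp.get("version") or {}).get("number") or "unknown"
            findings.append((kind, slug, f"outdated {ver} (latest {comp.get('latest_version')})",
                             comp.get("latest_version")))
    return findings

def run_scheduled_scan(url, token, out_path, mode="mixed"):
    """Run the scan (needs network and a real token); a non-zero exit makes cron mail the output."""
    subprocess.run(build_scan_command(url, token, out_path, mode), check=False)
    with open(out_path) as fh:
        findings = triage(json.load(fh))
    return (1 if findings else 0), findings

# Constructed sample report in the assumed layout; slugs and titles are placeholders.
SAMPLE_REPORT = {
    "version": {"number": "5.4.2", "vulnerabilities": []},
    "main_theme": {"slug": "example-theme", "version": {"number": "2.0"}, "outdated": False, "vulnerabilities": []},
    "plugins": {
        "example-plugin": {"version": {"number": "1.0"}, "outdated": True, "latest_version": "1.1",
                           "vulnerabilities": [{"title": "example finding (constructed)", "fixed_in": "1.1"}]},
        "example-gallery": {"version": None, "outdated": True, "latest_version": "3.0", "vulnerabilities": []}}}
```

In the crontab, replace the bare wpscan call with a line such as `@daily python3 /path/to/wpscan_job.py` that calls run_scheduled_scan with your own site URL and token; the returned status is what cron uses to decide whether to send mail.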

12. Conclusion

Securing your WordPress website is crucial to protect it from potential security vulnerabilities. WPScan is a powerful tool that can help you identify and address these vulnerabilities. In this guide, we walked you through the process of installing and using WPScan on your Ubuntu 20.04 server. By regularly scanning your website with WPScan, keeping your plugins and themes up-to-date, and following best security practices, you can enhance the security of your WordPress site and minimize the risk of exploitation.