How to Install and Use WPScan

WordPress is one of the most popular CMSs. Many people use it because it is easy, simple and can be tweaked a lot. But some vulnerabilities come with WordPress through its plugins, themes, etc. Remember that vulnerability comes not just from weak software management, but also from weak passwords/authentication.


So there is WPScan. What is WPScan?
WPScan is a vulnerability scanner which checks the security of WordPress installations using a black box approach.
This project is sponsored by the RandomStorm Open Source Initiative.
Some key features:

  • Username enumeration (from author querystring and location header)
  • Weak password cracking (multithreaded)
  • Version enumeration (from generator meta tag and from client side files)
  • Vulnerability enumeration (based on version)
  • Plugin enumeration (2220 most popular by default)
  • Plugin vulnerability enumeration (based on version)
  • Plugin enumeration list generation
  • Other misc WordPress checks (theme name, dir listing, …)


Even though WPScan comes in BackTrack 5 R1 by default, we can install it on almost any Unix/Linux distro.
WPScan can be downloaded from its Google Code project page, but I think installing from SVN is more up to date.
Software requirements/dependencies:

  • ruby (comes by default in most Unix distros, I think :p )
  • subversion (for svn-ing)
  • libcurl4-gnutls-dev
  • libopenssl-ruby
  • some ruby packages: typhoeus and xml-simple


Install dependencies (for Debian and Debian-based distros):

  • sudo apt-get install libcurl4-gnutls-dev
  • sudo apt-get install libopenssl-ruby
  • sudo gem install typhoeus
  • sudo gem install xml-simple

For Ubuntu 12.04, also install ruby-nokogiri (credit goes to realloc):

  • sudo apt-get install ruby-nokogiri


To install from read-only SVN:
svn checkout http://wpscan.googlecode.com/svn/trunk/ wpscan-read-only
After getting the source through SVN and also the deps, we can run it straight from the checkout directory with ./wpscan.rb:
cd wpscan-read-only

Some quick usage

For basic enumeration:
./wpscan.rb --url http://www.example.com
For plugin enumeration:
./wpscan.rb --url http://www.example.com --enumerate p
For password brute force with a wordlist:
./wpscan.rb --url http://www.example.com --wordlist wordlist.lst --username admin
The command above brute-forces the login of http://www.example.com using admin as the username and the passwords from wordlist.lst as the wordlist/dictionary.
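The enumeration steps listed in the features above (author querystring probes, plugin enumeration, wordlist password guessing) leave a recognisable trail in a web server's access log. The following script is an added example, not part of this post or of WPScan, that counts those signals per client IP in constructed Apache combined-format log lines and flags clients crossing assumed thresholds; the IPs, timestamps, user-agent string and thresholds are all made up for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format lines (documentation IPs, invented user-agent):
# one client walks WPScan's steps, ?author=N probes, a plugin readme, then login POSTs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:37 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2012:13:55:38 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 512 "-" "scanner/1.0"',
    '198.51.100.7 - - [10/Oct/2012:14:01:02 +0000] "GET /about/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:14:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a log line at all',
] + [  # a burst of twelve password guesses from the scanning client
    f'203.0.113.5 - - [10/Oct/2012:13:56:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "scanner/1.0"'
    for s in range(12)
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r'^/(index\.php)?\?author=\d+$')
AUTHOR_PROBE_MIN, LOGIN_POST_MIN = 3, 10   # assumed thresholds; tune to the site's baseline


def scan_signals(lines):
    """Count, per client IP, the requests that match the enumeration steps WPScan performs."""
    signals = defaultdict(Counter)
    for m in filter(None, map(LOG_RE.match, lines)):   # lines that do not parse are skipped
        ip, method, path = m['ip'], m['method'], m['path']
        if method == 'GET' and AUTHOR_RE.match(path):
            signals[ip]['author_probe'] += 1    # username enumeration via the author querystring
        elif method == 'GET' and path.startswith('/wp-content/plugins/'):
            signals[ip]['plugin_probe'] += 1    # plugin enumeration
        elif method == 'POST' and path.startswith('/wp-login.php'):
            signals[ip]['login_post'] += 1      # wordlist password guessing
    return signals


def suspicious_clients(lines):
    """Return {ip: [reasons]} for clients whose counts cross a threshold."""
    flagged = {}
    for ip, c in scan_signals(lines).items():
        reasons = []
        if c['author_probe'] >= AUTHOR_PROBE_MIN:
            reasons.append(f"{c['author_probe']} ?author= probes")
        if c['login_post'] >= LOGIN_POST_MIN:
            reasons.append(f"{c['login_post']} login POSTs")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Feeding a real access log through suspicious_clients (one line per list element) gives a starting point for rate limiting wp-login.php and for disabling author-id redirects on sites that do not need them.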

