Commands to install the WPScan WordPress security scanner on Linux Ubuntu 20.04 or 18.04 distros to find plugin or theme vulnerabilities and other security issues.
WPScan is a free WordPress security scanner for Linux and Windows systems. It lets you check a WordPress site for security issues: known vulnerabilities in the core, plugins and themes; weak passwords; whether HTTPS is enabled; HTTP header details; and exposed artifacts such as debug.log files, wp-config.php backups, XML-RPC being enabled, code repository files, default secret keys, exported database files and more. To have known vulnerabilities listed in the output, however, you need a WPScan API token. A free plan is available; at the time of writing it allows 25 API requests per day, and because each core, plugin or theme version that is found is looked up separately, one scan of a plugin-heavy site can consume several of those requests.
WPScan is also available as a WordPress plugin that is installed from the WordPress admin backend and operated from its dashboard. If you prefer not to use the plugin, the CLI tool covered here does the same job.
Steps to install WPScan on Ubuntu 20.04 / 18.04 LTS
Let’s see the commands to install this WordPress Vulnerability Scanner (WPscan) on Ubuntu, Debian, Kali Linux, Linux Mint or other similar operating systems.
1. Run the system update
The first thing to do before installing any application or tool is to refresh the package index and apply pending updates with the usual apt update and upgrade commands.
2. Install Ruby on Ubuntu 20.04 LTS
WPScan is distributed as a Ruby gem, so first install Ruby and its dependencies on Ubuntu:
sudo apt install ruby-full
3. Command to install WPScan on Ubuntu
Finally, use Ruby's gem command to download and install the WPScan gem and its dependencies system-wide:
sudo gem install wpscan
4. Check out the version
Once the installation is complete, confirm that the tool runs and check the installed version with its --version option.
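Steps 1 to 4 as a single script, added here as an example and not taken from the article or the WPScan project. It assumes an Ubuntu or Debian host with sudo. The packages it installs beyond ruby-full (build-essential, ruby-dev, libcurl4-openssl-dev, zlib1g-dev) are an assumption covering the native extensions the gem's dependencies usually compile, MIN_RUBY is an assumed floor to compare with the gem's own requirement, and the helper names (version_ge, ruby_version_string, wpscan_version_string) are the script's own.

```shell
#!/bin/sh
# install-wpscan.sh: steps 1-4 of this guide as one script (added example, not
# code from the article or the WPScan project). Assumes Ubuntu/Debian with apt
# and sudo. The extra packages beyond ruby-full are an assumption: they cover
# the native extensions that the wpscan gem's dependencies usually compile.
set -eu

# Assumed minimum Ruby for current wpscan gems; compare with the gem's own
# required_ruby_version if the install fails on an old distro.
MIN_RUBY="2.5.0"

# version_ge A B: succeed when dotted version A >= B (uses GNU sort -V)
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# ruby_version_string "ruby 2.7.0p0 (2019-12-25 ...) [x86_64-linux]" -> 2.7.0
ruby_version_string() {
  printf '%s\n' "$1" | awk '{print $2}' | sed 's/p[0-9]*$//'
}

# wpscan_version_string: pull 3.8.22 out of a "Current version: 3.8.22" line
wpscan_version_string() {
  printf '%s\n' "$1" | sed -n 's/^Current version: *\([0-9][0-9.]*\).*/\1/p'
}

step1_update() { sudo apt update && sudo apt upgrade -y; }

step2_ruby() {
  sudo apt install -y ruby-full build-essential ruby-dev \
    libcurl4-openssl-dev zlib1g-dev
}

step3_wpscan() { sudo gem install wpscan; }

# step4_check: refuse to continue on an unsupported Ruby, print versions,
# then pull the vulnerability database so the first scan is not stale
step4_check() {
  rv=$(ruby_version_string "$(ruby --version)")
  version_ge "$rv" "$MIN_RUBY" || { echo "Ruby $rv < $MIN_RUBY" >&2; return 1; }
  wv=$(wpscan_version_string "$(wpscan --version --no-banner)")
  echo "wpscan $wv installed on Ruby $rv"
  wpscan --update --no-banner
}

case "${1:-}" in
  install) step1_update; step2_ruby; step3_wpscan; step4_check ;;
  check)   step4_check ;;
  *)       echo "usage: $0 install|check" ;;
esac
```

Run it as ./install-wpscan.sh install on a fresh machine, or ./install-wpscan.sh check later to verify the Ruby floor and refresh the local database. If gem install fails while building a native extension, the missing piece is almost always one of the build packages in step2_ruby.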
5. WPscan commands
To see the options and flags that WPScan accepts, display the help with -h (short) or --hh (full):
Usage: wpscan [options]
        --url URL                        The URL of the blog to scan
                                         Allowed Protocols: http, https
                                         Default Protocol if none provided: http
                                         This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                           Display the simple help and exit
        --hh                             Display the full help and exit
        --version                        Display the version and exit
    -v, --verbose                        Verbose mode
        --[no-]banner                    Whether or not to display the banner
                                         Default: true
    -o, --output FILE                    Output to FILE
    -f, --format FORMAT                  Output results in the format supplied
                                         Available choices: cli-no-colour, cli-no-color, json, cli
        --detection-mode MODE            Default: mixed
                                         Available choices: mixed, passive, aggressive
        --user-agent, --ua VALUE
        --random-user-agent, --rua       Use a random user-agent for each scan
        --http-auth login:password
    -t, --max-threads VALUE              The max threads to use
                                         Default: 5
        --throttle MilliSeconds          Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
        --request-timeout SECONDS        The request timeout in seconds
                                         Default: 60
        --connect-timeout SECONDS        The connection timeout in seconds
                                         Default: 30
        --disable-tls-checks             Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
        --proxy protocol://IP:port       Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE           Cookie string to use in requests, ....more
6. Analyze WordPress sites
Now, to use this command line tool to scan a WordPress website for security issues and other details, run:
wpscan --url http://your-website.com
7. Obtain a WPScan API token
By default the tool does not report known vulnerabilities; for that you need an API token. Go to the official WPScan site, sign up, and choose the free plan.
Copy the token and pass it with the --api-token option:
wpscan --url your-website.com --api-token your-api-key
To note: replace your-api-key in the command above with the token you generated. Treat the token as a credential: anything passed on the command line is recorded in your shell history and is visible to other local users in the process list, so prefer storing it in WPScan's configuration file with owner-only permissions over typing it on every run.
8. Detection modes
WPScan offers three detection modes: passive, aggressive and mixed. In passive mode the tool sends only a few requests and looks for common issues in what it can observe from the site's home page; use it when the target server may not cope with a large number of requests.
In aggressive mode the scan is intrusive: WPScan sends hundreds of requests, directly probing the server for every known plugin and theme to discover vulnerabilities, whether or not the home page references them. Expect it to load the server and to stand out clearly in the target's logs.
Mixed, the default, combines passive and aggressive checks to give a balanced scan.
To change the default mixed mode to one of the other two, pass the --detection-mode option:
wpscan --url your-website.com --detection-mode aggressive --api-token your-api-key
9. List all installed plugins and themes and check for vulnerabilities
To enumerate specific parts of the WordPress installation, pass one or more of the values below to the -e (--enumerate) option; several can be combined with commas, for example -e vp,vt,u:
vp    Vulnerable plugins
ap    All plugins
p     Popular plugins
vt    Vulnerable themes
at    All themes
t     Popular themes
tt    Timthumbs
cb    Config backups
dbe   Db exports
u     User IDs range, e.g. u1-5
m     Media IDs range, e.g. m1-15
For example, to list all installed plugins with known vulnerabilities, use the vp value with the -e flag (mixed is the default detection mode, so spelling it out below is explicit rather than required):
wpscan --url your-website.com -e vp --detection-mode mixed --api-token your-api-key
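Steps 6 to 9 combined into one wrapper, added here as an example and not code from the article or the WPScan project. It assumes wpscan is on PATH, that the token arrives in an environment variable named WPSCAN_API_TOKEN (a name chosen for this script), and that WPScan reads the token from its ~/.wpscan/scan.yml config file under cli_options: api_token: (its documented location; check the WPScan README for your version). The token is written to that file with owner-only permissions and never placed in argv, so it does not end up in shell history or in ps output. WPSCAN_CONF, store_token, scan_args and run_scan are the script's own names.

```shell
#!/bin/sh
# wpscan-site.sh: steps 6-9 of this guide as one wrapper (added example, not
# code from the article or the WPScan project). Assumptions: wpscan is on PATH;
# the API token arrives in the WPSCAN_API_TOKEN environment variable (a name
# chosen here) and is written to WPScan's config file, ~/.wpscan/scan.yml under
# cli_options.api_token (check the WPScan README for your version), instead of
# being passed as --api-token, which would leave it in shell history and ps.
set -eu

WPSCAN_CONF="${WPSCAN_CONF:-$HOME/.wpscan/scan.yml}"   # overridable for tests

# store_token TOKEN: write the config with owner-only permissions from creation
store_token() {
  dir=$(dirname "$WPSCAN_CONF")
  mkdir -p "$dir" && chmod 700 "$dir"
  ( umask 077; printf 'cli_options:\n  api_token: %s\n' "$1" > "$WPSCAN_CONF" )
  chmod 600 "$WPSCAN_CONF"
}

# scan_args URL MODE OUTFILE: print the wpscan arguments one per line.
# The token is deliberately absent; wpscan reads it from the config file.
scan_args() {
  url=$1; mode=$2; out=$3
  printf '%s\n' --url "$url" --detection-mode "$mode" \
    --enumerate vp,vt,u --random-user-agent \
    --format json --output "$out"
  # passive profile: also throttle, so a fragile target is not knocked over
  if [ "$mode" = passive ]; then printf '%s\n' --throttle 500; fi
}

# run_scan URL [passive|mixed|aggressive]
run_scan() {
  url=$1; mode=${2:-mixed}
  case "$mode" in
    passive|mixed|aggressive) ;;
    *) echo "bad mode: $mode" >&2; return 1 ;;
  esac
  : "${WPSCAN_API_TOKEN:?set WPSCAN_API_TOKEN in the environment}"
  store_token "$WPSCAN_API_TOKEN"
  out="wpscan-$(printf '%s' "$url" | sed 's#[^A-Za-z0-9.-]#_#g')-$(date +%Y%m%d-%H%M%S).json"
  # the arguments contain no whitespace, so word splitting here is safe
  wpscan $(scan_args "$url" "$mode" "$out")
  echo "JSON report written to $out"
}

if [ $# -ge 1 ]; then run_scan "$@"; fi
```

Run it as WPSCAN_API_TOKEN=... ./wpscan-site.sh https://your-website.com passive for a light first pass, then again with aggressive once you know the server can take it. The JSON report (-f json -o FILE, both from the help output above) is what you feed to a parser or ticketing script rather than copying findings out of the coloured CLI output.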
10. Run WPScan to bypass a WAF
To run the scan in a quieter mode, so that a web application firewall is less likely to flag WPScan (no option guarantees it will go unnoticed), we can try