What is WPScan?
WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. If you want to know more about WPScan, check out our blog post WPScan - Vulnerability Scanner for WordPress Powered Sites.Step 1: Install Ruby
To install WPScan on Windows, you need first install Ruby on your machine.
Navigate to > https://rubyinstaller.org/downloads/ and select Ruby+Devkit (x64) (if you don't know which version you need). It provides the largest number of compatible gem (Ruby packages) and installs MSYS2-Devkit along with Ruby, so gem with C-extensions can be compiled immediately after installation.
Install WPScan
First, open Windows PowerShell and search WPScan among the gem packages:
gem search wpscan
Found WPScan (3.8.17) package, which is the latest version of WPScan. Now you can install WPScan, just type:
gem install wpscan
Now you need to update the WPScan database with information about plugins and WordPress themes:
wpscan --update --disable-tls-checks
If you get error “Could not open library 'libcurl.dll', 'libcurl.so.4', 'libcurl.so.4.dll'”, you need to download latest curl version for windows. https://curl.se/download.html#Win64.
After you have downloaded curl, check the bin folder, and find the file libcurl-x64.dll, unzip it and rename it to libcurl.dll. Move that file to the bin folder where you installed Ruby. Example: C:\Ruby26\bin\
How to Use WPScan
Open Windows PowerShell and run this command:
wpscan --url https://YOUR-SITE-DOMAIN.COM --random-user-agent --disable-tls-checks
WPScan Does Not Show Vulnerabilities
WPScan only shows versions of WordPress, plugins, themes and some extra information, but does not display vulnerabilities. Go to https://wpscan.com/register and signup so you can get free token yourself.
Then add the --api-token
to the previous command:
wpscan --url https://YOUR-SITE-DOMAIN.COM --random-user-agent --disable-tls-checks --api-token API_KEY
If you like this blog post and it was useful to you, please follow us on Twitter and Facebook.
Related articles
- 10 Effective Ways to Secure Your WordPress Site
- WPScan - Vulnerability Scanner for WordPress Powered Sites
- Use Bandit To Find Common Security Issues In Your Python Code
0 Comments