Monday, December 8, 2014

Trying WPScan, a black box WordPress vulnerability scanner

I just found a great tool to scan my wordpress sites for vulnerability, WPScan. WPScan is a blackbox scanner which means that you can install it on your computer and scan remote wordpress servers.

To install WPScan on my Ubuntu 14.04 server, I ran these command lines:

$ sudo apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential
$ git clone
$ cd wpscan
$ sudo gem install bundler && bundle install --without test

Then, tried some of these features:

1. Simple check:

$ ruby wpscan.rb --url

2.  Do a wordlist password brute force on all the users:

$ ruby wpscan.rb --url --wordlist darkc0de.txt

Notes: you can download the sample wordlist file here.

for more scanning methods, please read the WPScan's official website.