WPScan Setup: WordPress Security Scan
What Will You Learn in This Guide?
In this guide, you will learn how to scan your WordPress site from an attacker's perspective with the WPScan tool.
The aim is to reduce risk by detecting vulnerabilities early, before an attacker does.
🧠 Technical Summary
Main Technical Topic:
Detecting WordPress vulnerabilities with WPScan.
Solved Problem:
XSS and SQL Injection risks introduced by vulnerable or outdated plugins and themes.
Steps Followed:
- Installing the necessary dependencies
- WPScan download and configuration
- Plugin, theme and user scanning
- Timthumb security check
1️⃣ Install Required Dependencies
WPScan is a Ruby-based security tool, so its Ruby and native library dependencies must be installed first.
sudo apt-get update
sudo apt-get install git libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev
- This command installs the system and Ruby dependencies required for WPScan to run.
2️⃣ WPScan Download and Installation
git clone https://github.com/wpscanteam/wpscan.git
- This command downloads the WPScan source code from GitHub.
cd wpscan
sudo gem install bundler && bundle install --without test development
- This command makes WPScan ready by installing the necessary Ruby packages.
3️⃣ Plugin Security Scan
ruby wpscan.rb --url https://ornek.com --enumerate p
- This command lists all WordPress plugins on the site.
ruby wpscan.rb --url https://ornek.com --enumerate vp
- This command only reports plugins containing vulnerabilities.
4️⃣ Theme Security Scan
ruby wpscan.rb --url https://tr1-node01.ornek.com --enumerate vt
- This command checks for known vulnerabilities in the active theme.
5️⃣ User Discovery (Enumeration)
ruby wpscan.rb --url https://ornek.com --enumerate u
- This command enumerates WordPress usernames; any username it finds is one an attacker could also discover and target with password guessing.
6️⃣ Timthumb Security Check
ruby wpscan.rb --url https://ornek.com --enumerate tt
- This command scans for TimThumb files, an image-resizing script with a history of known vulnerabilities.
7️⃣ WPScan Update
ruby wpscan.rb --update
- This command updates the WPScan database, allowing it to recognize new vulnerabilities.
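Once the scans above have run, the next question is what to do with the output. The script below is an added example, not part of this guide or of the WPScan project: it triages a WPScan report into the actions an administrator actually takes (update, remove or replace, watch for updates, review exposed usernames). It assumes the report is in the JSON shape WPScan writes with its JSON output format (top-level "plugins", "themes" and "users" keys, each component carrying "outdated" and a "vulnerabilities" list with "title" and "fixed_in"); the sample report embedded in it is constructed for illustration, and its slugs, versions and titles are placeholders, not real vulnerability data.

```python
"""Triage a WPScan JSON report into remediation actions.

Added example, not part of the original guide or the WPScan project.
Assumption: the report layout follows the shape WPScan 3.x writes in
JSON format. The sample below is constructed, not a real scan.
"""
import json
from typing import Dict, List

# Constructed sample resembling a WPScan JSON report (placeholder data).
SAMPLE_REPORT = json.dumps({
    "target_url": "https://ornek.com/",
    "plugins": {
        "example-gallery": {
            "version": {"number": "1.2.0"}, "latest_version": "1.4.1",
            "outdated": True,
            "vulnerabilities": [
                {"title": "Example Gallery < 1.3.0 - Reflected XSS",
                 "fixed_in": "1.3.0",
                 "references": {"url": ["https://example.invalid/advisory-1"]}},
            ],
        },
        "legacy-forms": {
            "version": {"number": "0.9"}, "latest_version": None,
            "outdated": False,
            "vulnerabilities": [
                {"title": "Legacy Forms - Unauthenticated SQL Injection",
                 "fixed_in": None, "references": {}},
            ],
        },
        "tidy-plugin": {
            "version": {"number": "2.0"}, "latest_version": "2.0",
            "outdated": False, "vulnerabilities": [],
        },
    },
    "themes": {
        "site-theme": {
            "version": {"number": "3.1"}, "latest_version": "3.2",
            "outdated": True, "vulnerabilities": [],
        },
    },
    "users": {
        "admin": {"id": 1, "found_by": "Author Id Brute Forcing"},
        "editor": {"id": 2, "found_by": "Author Id Brute Forcing"},
    },
})


def triage(report_json: str) -> Dict[str, List[str]]:
    """Group findings into the buckets a WordPress admin acts on.

    update:            a fixed version exists, so upgrading closes the hole
    remove_or_replace: no fixed version is known, so the component must go
    outdated:          no known vulnerability yet, but the version is stale
    review_users:      usernames that are publicly discoverable
    """
    report = json.loads(report_json)
    actions: Dict[str, List[str]] = {
        "update": [], "remove_or_replace": [], "outdated": [], "review_users": []}

    for kind in ("plugins", "themes"):
        label = kind[:-1]  # "plugin" / "theme"
        for slug, comp in (report.get(kind) or {}).items():
            # "version" may be null when WPScan could not determine it
            version = (comp.get("version") or {}).get("number", "unknown")
            vulns = comp.get("vulnerabilities") or []
            if not vulns and comp.get("outdated"):
                actions["outdated"].append(
                    f"{label} {slug} {version} -> {comp.get('latest_version')}")
            for vuln in vulns:
                title = vuln.get("title", "untitled")
                fixed = vuln.get("fixed_in")
                entry = f"{label} {slug} {version}: {title}"
                if fixed:
                    actions["update"].append(f"{entry} (fixed in {fixed})")
                else:
                    actions["remove_or_replace"].append(f"{entry} (no fixed version)")

    actions["review_users"] = sorted(report.get("users") or {})
    return actions


def needs_action(actions: Dict[str, List[str]]) -> bool:
    """True when the scan found a confirmed vulnerability (useful as a gate
    for a scheduled scan job). Outdated-but-unaffected components and
    enumerated users are reported but do not by themselves fail the check."""
    return bool(actions["update"] or actions["remove_or_replace"])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, items in result.items():
        print(f"[{bucket}]")
        for item in items:
            print(f"  - {item}")
    print("action required:", needs_action(result))
```

In practice you would feed the file produced by a scheduled WPScan run into `triage()` instead of the embedded sample. Every entry in the "update" and "remove_or_replace" buckets should still be confirmed by hand against the installed version before you change anything on the live site, since the scanner can report false positives.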
❓ Frequently Asked Questions (FAQ)
1. Does WPScan run on Windows? No, it requires Linux or macOS.
2. What should I do if the scan finds a vulnerability? Update the affected plugin or theme, or remove it if no fixed version exists.
3. Will there be false positive results? Yes, results must be verified manually.
4. Is scanning the live site safe? Yes, but it is not recommended during peak hours.
🎯 Result
WPScan is a powerful tool for proactively testing WordPress security. You can take early precautions against attacks with regular scanning. You can safely implement this security approach on the GenixNode infrastructure 🚀

