Installing WPScan on Ubuntu 16.04

Wanted, I do, WPScan in order to do WordPress pen testing. It looks like a good product, and I do WordPress webmaster admin work, so this is an appropriate tool.

The install instructions from are a bit daunting, and it turns out, not correct for Ubuntu 16.04. WPScan uses Ruby, which uses the Ruby Version manager RVM. I took their advice and installed with RVM, but you still need to install RVM. I needed to modify their instructions for a proper install. The general steps are:

  1. Install Ubuntu 16.04 prerequisite packages
  2. Install Ruby Version Manager RVM
  3. Install Ruby version 2.4.1
  4. git clone WPScan
  5. install some gems
  6. Update the WPScan database

1. Install Ubuntu Dependencies

sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev

2. Installing Ruby Version Manager RVM
Here are the instructions from the Ubuntu RVM PPA. The rvm install came back with some instructions that I did not follow:

Installing RVM to /usr/share/rvm/
Installation of RVM in /usr/share/rvm/ is almost complete:

* First you need to add all users that will be using rvm to ‘rvm’ group,
and logout – login again, anyone using rvm will be operating with `umask u=rwx,g=rwx,o=rx`.

* To start using RVM you need to run `source /etc/profile.d/`
in all your open shell windows, in rare cases you need to reopen all shell windows.

# dontai,
# Thank you for using RVM!
# We sincerely hope that RVM helps to make your life easier and more enjoyable!!!
# ~Wayne, Michal & team.

In case of problems: and
Creating local gemsets for don-computer

After you do the “sudo apt-get install rvm” part you need to actually change the properties of your terminal screen. Go to the top of the Terminal window and click Edit > Profile Preferences and follow the instructions. Save the instructions in a browser bookmark, or you’ll lose them. Then log out and back in.

3, 4, 5. Install Ruby Version, Git Clone, Gems
I then went back to the WPScan instructions and successfully did the rest of the install:

rvm install 2.4.1
rvm use 2.4.1 –default
echo “gem: –no-ri –no-rdoc” > ~/.gemrc
git clone
cd wpscan
gem install bundler
bundle install –without test

6. Update the WPScan Database

You should be in your WPScan dir now. The first command is WPScan help:
ruby wpscan.rb –help

The second is to update the WPScan database:
ruby wpscan.rb –update

Now you can do WPScans:
ruby wpscan.rb –url

WPScan Performance
I did a vulnerability scan on my plugins and it really does hit your site hard, so some caution here. The plugins info returned shows you vulnerabilities but WPScan does not know which version you are using, or even if the plugin is actually active. You need to check if the vulnerability is applicable to you.

Leave a Reply

Your email address will not be published. Required fields are marked *