The install instructions from WPScan.org are a bit daunting, and it turns out, not correct for Ubuntu 16.04. WPScan uses Ruby, which uses the Ruby Version manager RVM. I took their advice and installed with RVM, but you still need to install RVM. I needed to modify their instructions for a proper install. The general steps are:
- Install Ubuntu 16.04 prerequisite packages
- Install Ruby Version Manager RVM
- Install Ruby version 2.4.1
- git clone WPScan
- install some gems
- Update the WPScan database
1. Install Ubuntu Dependencies
sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev
2. Installing Ruby Version Manager RVM
Here are the instructions from the Ubuntu RVM PPA. The rvm install came back with some instructions that I did not follow:
Installing RVM to /usr/share/rvm/
Installation of RVM in /usr/share/rvm/ is almost complete:
* First you need to add all users that will be using rvm to ‘rvm’ group,
and logout – login again, anyone using rvm will be operating with `umask u=rwx,g=rwx,o=rx`.
* To start using RVM you need to run `source /etc/profile.d/rvm.sh`
in all your open shell windows, in rare cases you need to reopen all shell windows.
# Thank you for using RVM!
# We sincerely hope that RVM helps to make your life easier and more enjoyable!!!
# ~Wayne, Michal & team.
In case of problems: https://rvm.io/help and https://twitter.com/rvm_io
Creating local gemsets for don-computer
3, 4, 5. Install Ruby Version, Git Clone, Gems
I then went back to the WPScan instructions and successfully did the rest of the install:
rvm install 2.4.1
rvm use 2.4.1 –default
echo “gem: –no-ri –no-rdoc” > ~/.gemrc
git clone https://github.com/wpscanteam/wpscan.git
gem install bundler
bundle install –without test
6. Update the WPScan Database
ruby wpscan.rb –help
The second is to update the WPScan database:
ruby wpscan.rb –update
Now you can do WPScans:
ruby wpscan.rb –url yoursite.ca
I did a vulnerability scan on my plugins and it really does hit your site hard, so some caution here. The plugins info returned shows you vulnerabilities but WPScan does not know which version you are using, or even if the plugin is actually active. You need to check if the vulnerability is applicable to you.