How to Install and run WPScan on Windows

WPScan is a vulnerability scanner for WordPress powered sites. It is a ‘black box’ scanner, that is, it operates without access to website source code. It can be used to discover security issues of remote WordPress sites.

The vulnerability search process is as follows:

  • For the specified site, it searches for installed plugins and themes. Since plugins are placed in the same folders on all sites, it can determine the availability of the plugin by making a request to a specific file. Attempts are also being made to determine the versions for plugins and to detect themes.
  • If a plugin is found, then the database checks if it has any known vulnerabilities.
  • Additionally, the version of WordPress is determined and known vulnerabilities for this version are displayed.
  • Backup files and databases are also searched, a robots.txt file is analyzed, a list of users and other information useful to the site security auditor are displayed.

WPScan is usually used on Linux, this program is already preinstalled on distributions such as Kali Linux and BlackArch. WPScan is written in Ruby and can be run on any operating system that supports Ruby, including Windows. When using WPScan in Windows, there are some nuances that will be discussed later.

To install WPScan on Windows, you need to start by installing Ruby, as described in this article.

Let’s search WPScan among the gem packages:

gem search WPScan

Found wpscan (3.7.5) package, which is the latest version of WPScan. To install, just type:

gem install wpscan

Now you need to update the WPScan database with information about plugins and WordPress themes:

wpscan --update --disable-tls-checks

If the error “Could not open library 'libcurl.dll', '', ''” occurs during startup, then see its solution here.

To run WordPress site scanning on Windows using WPScan, run a command of the form:

wpscan --url https://DOMAIN --random-user-agent --disable-tls-checks

For example, I want to scan the URL

wpscan --url --random-user-agent --disable-tls-checks

Why WPScan does not show vulnerabilities. How to get WPVulnDB API

Previously, WPScan displayed versions of found plugins and themes, and if a plugin or theme has vulnerabilities, then it displayed them. Now WPScan only shows versions of WordPress, plugins and themes, but does not display vulnerabilities. Instead, the following messages are shown at the end of the scan:

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at

There is no catch — just go ahead, sign up and get your free token.

Then add the --api-token option to the command to run:

wpscan --url https://DOMAIN --random-user-agent --disable-tls-checks --api-token API_KEY

Example scan without an API key:

More information and services


SSL peer certificate or SSH remote key was not OK

When updating the database, an error may occur:

[i] Updating the Database ...

Scan Aborted: Unable to get (SSL peer certificate or SSH remote key was not OK)

The same error can occur when scanning a site using the HTTPS protocol:

Scan Aborted: The url supplied '' seems to be down (SSL peer certificate or SSH remote key was not OK)

To fix this, add the option --disable-tls-checks to your command, for example:

wpscan --update --disable-tls-checks

Could not open library 'libcurl.dll', '', ''

When starting WPScan on Windows:

wpscan --url

You may encounter this error:

Traceback (most recent call last):
        27: from C:/Ruby26/bin/wpscan:23:in `<main>'
        26: from C:/Ruby26/bin/wpscan:23:in `load'
        25: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/wpscan-3.7.5/bin/wpscan:4:in `<top (required)>'
        24: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        23: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        22: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/wpscan-3.7.5/lib/wpscan.rb:8:in `<top (required)>'
        21: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        20: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        19: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/cms_scanner-0.7.1/lib/cms_scanner.rb:4:in `<top (required)>'
        18: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        17: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        16: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/typhoeus-1.3.1/lib/typhoeus.rb:2:in `<top (required)>'
        15: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        14: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        13: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ethon-0.12.0/lib/ethon.rb:15:in `<top (required)>'
        12: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        11: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
        10: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ethon-0.12.0/lib/ethon/curl.rb:8:in `<top (required)>'
         9: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ethon-0.12.0/lib/ethon/curl.rb:13:in `<module:Ethon>'
         8: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ethon-0.12.0/lib/ethon/curl.rb:27:in `<module:Curl>'
         7: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
         6: from C:/Ruby26/lib/ruby/site_ruby/2.6.0/rubygems/core_ext/kernel_require.rb:92:in `require'
         5: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ethon-0.12.0/lib/ethon/curls/settings.rb:1:in `<top (required)>'
         4: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ethon-0.12.0/lib/ethon/curls/settings.rb:2:in `<module:Ethon>'
         3: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ethon-0.12.0/lib/ethon/curls/settings.rb:7:in `<module:Curl>'
         2: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ffi-1.11.3-x64-mingw32/lib/ffi/library.rb:99:in `ffi_lib'
         1: from C:/Ruby26/lib/ruby/gems/2.6.0/gems/ffi-1.11.3-x64-mingw32/lib/ffi/library.rb:99:in `map'
C:/Ruby26/lib/ruby/gems/2.6.0/gems/ffi-1.11.3-x64-mingw32/lib/ffi/library.rb:145:in `block in ffi_lib': Could not open l (LoadError)url': �� ������ ��������� ������.
Could not open library 'libcurl.dll': �� ������ ��������� ������.
Could not open library '': �� ������ ��������� ������.
Could not open library '': �� ������ ��������� ������.

Its essence is that the program cannot find the libcurl.dll file it needs. Then it tries to find this file by the alternative names and, which also fails.

It is quite simple to fix the problem – you need to download the libcurl.dll file. To download the libcurl.dll file, go to the official cURL website and download the latest curl version for Windows there:

In the downloaded archive in the bin folder, find the file libcurl-x64.dll, unzip it and rename it to libcurl.dll. Now this file needs to be moved to the bin folder of the installed Ruby, for example, I have this folder C:\Ruby26\bin\.

After that, the problem will disappear.

Last Updated on

Recommended for you:

3 Comments to How to Install and run WPScan on Windows

  1. Igor Chernov says:

    Hi Alexey,

    The process above drops off at installing nokogiri 1.10.8 and won't complete wpscan installation.

    Windows PowerShell
    Copyright (C) 2014 Microsoft Corporation. All rights reserved.

    PS C:\Windows\system32> gem search wpscan

    *** REMOTE GEMS ***

    wpscan (3.7.8)
    PS C:\Windows\system32> gem install wpscan
    ERROR:  Error installing wpscan:
            The last version of nokogiri (~> 1.10.4) to support your Ruby & RubyGems was 1.10.8. Try installing it with `gem
     install nokogiri -v 1.10.8` and then running the current command again
            nokogiri requires Ruby version >= 2.3, < The current ruby version is


    PS C:\Windows\system32\wpscan> gem install nokogiri --platform=ruby
    Fetching nokogiri-1.10.8.gem
    Temporarily enhancing PATH for MSYS/MINGW…
    Building native extensions. This could take a while…
    Successfully installed nokogiri-1.10.8
    Parsing documentation for nokogiri-1.10.8
    Installing ri documentation for nokogiri-1.10.8
    Done installing documentation for nokogiri after 3 seconds
    1 gem installed



    Now run the wpscan installer again

    PS C:\Windows\system32\wpscan> gem install wpscan
    Successfully installed opt_parse_validator-1.8.1
    Successfully installed ruby-progressbar-1.10.1
    Successfully installed ethon-0.12.0
    Successfully installed typhoeus-1.3.1
    Temporarily enhancing PATH for MSYS/MINGW…
    Building native extensions. This could take a while…
    Successfully installed yajl-ruby-1.4.1
    Successfully installed sys-proctable-1.2.2
    Successfully installed cms_scanner-0.8.2
    Successfully installed wpscan-3.7.8
    Parsing documentation for opt_parse_validator-1.8.1
    Installing ri documentation for opt_parse_validator-1.8.1
    Parsing documentation for ruby-progressbar-1.10.1
    Installing ri documentation for ruby-progressbar-1.10.1
    Parsing documentation for ethon-0.12.0
    Installing ri documentation for ethon-0.12.0
    Parsing documentation for typhoeus-1.3.1
    Installing ri documentation for typhoeus-1.3.1
    Parsing documentation for yajl-ruby-1.4.1
    Installing ri documentation for yajl-ruby-1.4.1
    Parsing documentation for sys-proctable-1.2.2
    Installing ri documentation for sys-proctable-1.2.2
    Parsing documentation for cms_scanner-0.8.2
    Installing ri documentation for cms_scanner-0.8.2
    Parsing documentation for wpscan-3.7.8
    Installing ri documentation for wpscan-3.7.8
    Done installing documentation for opt_parse_validator, ruby-progressbar, ethon, typhoeus, yajl-ruby, sys-proctable, cms_
    scanner, wpscan after 4 seconds
    8 gems installed

  2. Frank Unger says:

    Thank you for the webpage and information on the installation. I did register for the Vulnerability API and tried to enter it on the command line, but it keeps providing an error that it is invalid. I am entering the parameter as --api-token BaUr1J……

    Is that correct, or if not, how do I set/configure an API_KEY parameter?

    • Alex Alex says:

      Hello! Yes, we have to provide the API key after the --api-token options. Please check, whether you copy-paste the key correctly?

Leave a Reply

Your email address will not be published.