Category Archives: Expert SEO

How to install WPScan on Windows 10

What is WPScan?

WPScan is described as a ‘black box’ WordPress vulnerability checker and is free to use. It took me a couple of hours fiddling around, so I thought I’d help you get this installed by showing you some of the problems and providing the files and sources I used to get it working.

What you need to know…

WPScan is a command line utility, so you will need to know a little bit about the command prompt environment and the PATH variable. It isn’t hugely tricky to use, just don’t expect a fancy user interface. You’ll be telling the executable what to run and how to run via the command prompt.

Installation requires:

    • Ruby (version 2.2.X is the one I’m using, but 2.3.X may be OK too)
    • DevKit (to add Ruby Gems. Gems are extensions to Ruby, and the DevKit helps to provide a sane environment on Windows when adding them)
    • libcurl.dll (a dynamic link library to help make internet requests using cURL)
    • WPScan (the software itself)

The steps are:

Install Ruby

Download a RubyInstaller .zip file from
Unzip the file and execute it – you will be prompted as follows:
a) Select setup language
b) Ruby License agreement

Ruby installation agreement window
Ruby installation license agreement

c) Installation directory
– check all the additional boxes to help with environment setup (you may not need Tcl/Tk, but if space is no issue, just do it anyway)
– installs in the root of C:\ drive

Ruby installation window
Ruby installation options

Install the DevKit

Download a DevKit for use with Ruby 2.0 and above (32bit version) from
Download here: DevKit-mingw64-32-4.7.2-20130224-1151-sfx.exe

Unzip the file and execute it
a) Edit the extraction path to change from the default user to the root C:\DevKit location as follows:

DevKit default installation path
DevKit default installation path
Devkit install path changed
Devkit install path changed

b) Extraction can take a while, be patient. It looks like it gets stuck at 17% and 35% on my machine…

DevKit install progress
DevKit install progress

c) Open a command prompt (right click on the windows icon in the bottom left and choose Command Prompt (Admin) from the context menu)
d) Go to the installation directory using ‘cd’ cd C:\DevKit
e) Type ruby dk.rb init to initialise the DevKit, ready for binding
f) Type ruby dk.rb install to bind the DevKit to the ruby installation(s) in your path

Install cURL (or just use the libcurl.dll provided)

Download ‘curl-7.46.0-win32.exe’ from Download here:  curl-7-46-0-win32
Download here: libcurl.dll
Run the installation wizard and follow these steps:
a) Ensure that the option to install ‘C headers, lib files and dlls’ is selected

Choosing Curl installation options
Remember to select the libraries

b) cURL should be installed here: C:\Program Files (x86)\cURL
c) Check that the libcurl.dll has been installed here: C:\Program Files (x86)\cURL\dlls as you will need to copy this file later to the Ruby22 binary directory.

Install WPScan

Download WPScan zipfile ‘’ from:

Download here:
Unzip and run the installer
a) Install to C:\wpscan (for simplicity of navigating using the command prompt)
b) Unzip the sample file into the C:\wpscan directory to create C:\wpscan\data
c) Copy the libcurl.dll file from the cURL installation to the following directory C:\Ruby22\bin

Directory of Ruby bin showing libcurl.dll
Place a copy of libcurl.dll in the Ruby bin directory

Install Ruby Gems

It should now be possible to issue the following commands, to install components required by WPScan:
From the command prompt, cd to C:\wpscan and type the following instructions:
gem install bundler
gem install typhoeus
gem install rspec-its
gem install ruby-progressbar
gem install nokogiri
gem install terminal-table
gem install webmock
gem install simplecov
gem install rspec
gem install xml-simple
gem install yajl-ruby
gem install bundler && bundle install --without test

If you receive an error message about SSL when installing (and can’t fix it), then use the following command to add a non SSL source:
gem sources --add

Then try to add the gem packages above again.

Try to run WPScan…

Staying in the C:\wpscan folder:
a) Type ruby wpscan.rb at the command prompt
If you see the following error message, check that you have copied libcurl.dll to the C:\Ruby22\bin directory.

Download here: libcurl.dll

Error message if libcurl is missing
If you see this, copy libcurl.dll to C:\Ruby22\bin

b) Once you have started WPScan successfully, you may be prompted to update the database. Select Y when asked.
If you see the following error message, there is a work around  – turning off SSL verification:

Error message when updating WPScan
Certificate error when updating the WPScan database

To fix this issue, I found and edited the db_updater.rb file located here: C:\wpscan\lib\common

Find this file and edit it
Find this db_updater.rb file and edit it

Change the code as follows by editing the ssl_verifypeer paramter and setting it to false:

Edits to the db_updater.rb file
Change and save the file as shown

It’s working when you see this:

WPScan in the command window
WPScan is working and shows options


You can now use WPScan to analyse WordPress installations for vulnerabilities.

Ways to deal with (not provided) in Google Analytics

There is a growing problem for many businesses looking for insights from Google Analytics. Logged in users of Google products (and search bars), have the keyword referral data stripped and this is replaced with the keyword (not provided) instead.
There are several ways to gain insights from the data that is reported instead. At the simplest level, you can segment the organic data by landing page. For a more complex approach, register for the new (not provided) tool currently in Beta testing.

This tool relies on neural networks and machine learning techniques to discover the hidden keywords within the the (not provided) organic referrals.

Optimising Bees for Google Image Search using CSS to Show Part of the Image

Google has changed the way image search results are presented. This is having a major impact on traffic driven to sites from image search results.

With Google trying to keep visitors away from your site, what can be done ?

This post shows one way to make the most of the space Google now gives an image.

The idea is to modify the images on your site so that:

  • enlarge the image to include a call to action in the border
  • then use CSS to show only part of the image on the site

When Google crawls the image, it will take the entire image including the border and calls to action within.

This will enable both brand impressions and marketing messages to be shown to people using Google image search, so even if you can’t get the visit, you can at least claim some mind share.

[An alternative, is simply to add a ‘watermark’ to all of your images, however that doesn’t look so good on your site.]

The following example using an out of focus bee settling on a lavender plant, shows how to use CSS to control the visible area of the photo.

The CSS used for the following image ensures that only part of the image is visible on page:

img.wp-image-363 {
 position:absolute !important;

The html code for the image itself:

<img class="size-full wp-image-363" title="Bees on lavender" 
src="" alt="" >
Bees on lavender - an extract of the whole image
Using CSS to clip images
Click on the image above to see the full size photo of the bees on the lavender, including the additional border.

The border is transparent to maximize the appearance of the CTA within Google image results.

If you try searching in Google for this image, you should see the image complete with calls to action.

Give it a go and let me know what you think about this technique.