Website Security Starts Here: Learn Nikto in Under 10 Minutes

Boost your website security in under 10 minutes with Nikto on Termux. Uncover vulnerabilities and safeguard your site from threats—get started today!


I used to think website security was something you outsourced—something only “real” cybersecurity pros understood. That illusion shattered the day I scanned my own site with Nikto… and uncovered vulnerabilities I didn’t even know existed.

I wasn’t on a laptop. I wasn’t using expensive tools. I was on my phone, inside Termux, casually testing a few commands when Nikto started flagging issues: outdated server software, exposed directories, misconfigured headers.

My blog—the one I’d proudly built and assumed was “safe enough”—was practically handing out invites to attackers.

That scan changed everything.

It showed me that website security isn’t optional—and more importantly, it’s not out of reach. With nothing more than your Android phone, Termux, and Nikto, you can run serious vulnerability checks in minutes.

This guide is what I wish I had back then: a no-fluff walkthrough of how to use Nikto in Termux to find the obvious weaknesses in your site quickly. It’s simple. It’s powerful. And it might just save your site from the kind of breach you never see coming.

Let’s get your website secure—before someone else finds the holes.


Introduction to Website Security

Website security is often overlooked until it’s too late. It’s more than just using a strong password or enabling HTTPS—it’s about ensuring your site is protected from hackers, data breaches, and the countless vulnerabilities that can be exploited. Every day, malicious actors try to find weaknesses in websites, and if you’re not actively protecting yours, you’re leaving it wide open for attacks.

Website security isn’t just for large corporations. Whether you run a personal blog, an e-commerce store, or a corporate site, protecting your site from vulnerabilities is critical. This is where tools like Nikto come in. By scanning your web server for known weaknesses, Nikto shows you what an attacker’s own scanners would find first, so you can fix it before they do.

· · ─ ·𖥸· ─ · ·

Nikto’s Role in Website Security

Nikto is a web server scanner designed to find known problems on a web server and the software it exposes. It checks for a wide range of issues, including:

  • Outdated server software versions that have known vulnerabilities.
  • Server misconfigurations that could expose sensitive data, such as directory listings, missing security headers, or dangerous HTTP methods like TRACE.
  • Default, backup and administrative files and scripts left reachable (for example /phpmyadmin/ or old CGI programs).
  • Entries in its test database tagged as SQL injection or cross-site scripting (XSS). These are checks for specific, known-vulnerable files and scripts, not a test of the inputs in your own application code.
  • Basic SSL/TLS information about the site, such as certificate details and the negotiated cipher. For a full protocol and cipher audit you still need a dedicated TLS scanner.

With Nikto, you’re not just identifying low-level issues—you’re taking proactive steps to ensure that the foundations of your site are secure. Running regular scans with this tool can help you stay one step ahead of hackers who are constantly looking for ways to exploit weaknesses in web servers.

· · ─ ·𖥸· ─ · ·

What is Nikto?

Nikto is a command-line web server scanner, written in Perl, that checks for dangerous files and programs, outdated server software, and security misconfigurations. Its test database covers more than 6,700 potentially dangerous files and programs and version checks for over 1,250 server products, and it also reports server-level details such as allowed HTTP methods and missing security headers. Because it is a Perl script, it runs anywhere Perl does, which is what makes it practical on a phone. By integrating Nikto into your security practices, you can gain valuable insights into the state of your website security.

Why Use Nikto for Website Security?

  1. Comprehensive Vulnerability Detection: Nikto examines your web server for known vulnerabilities, helping you identify potential security risks before they can be exploited.
  2. Open Source and Free: Being open-source, Nikto is available for free, making it accessible to security professionals and organizations of all sizes.
  3. Regular Updates: The Nikto community actively maintains and updates the tool to address new vulnerabilities and security challenges, ensuring that users have access to the latest testing capabilities.

· · ─ ·𖥸· ─ · ·

Setting Up Termux for Nikto

Before you can use Nikto, you need to have Termux set up on your Android device. Termux is a terminal emulator that allows you to run Linux-based tools, like Nikto, directly on your phone or tablet. Here’s how to get it ready:

Install Termux

Install Termux from F-Droid or from the releases on the Termux GitHub project. The build on the Google Play Store has lagged far behind for years and the Termux project itself points users to F-Droid or GitHub. The builds are signed with different keys, so you cannot update one with the other: pick one source and stay with it.

Update packages and install dependencies

pkg update && pkg upgrade -y
pkg install git perl curl make clang openssl -y

The compiler is not optional: Net::SSLeay builds a native extension against OpenSSL, so without clang and the OpenSSL headers the HTTPS modules will fail to install. Current Termux ships the headers inside the openssl package; if your installation still offers a separate openssl-dev package, install that as well.

Clone Nikto

git clone https://github.com/sullo/nikto.git
cd nikto/program

Install cpanminus

cpanminus is what builds the Perl modules. The usual one-liner pipes the installer straight from the network into perl. On a device that also holds your personal accounts it is worth downloading the script first, glancing through it, and only then running it:

curl -fsSL -o cpanm https://cpanmin.us
head -n 20 cpanm
perl cpanm App::cpanminus

Optional: make sure cpanm is on your PATH

On Termux, Perl’s site directories live under $PREFIX, so cpanm normally lands in $PREFIX/bin, which is already on your PATH. If you installed it into a local::lib directory instead (for example with -l ~/perl5), it will be in $HOME/perl5/bin:

mkdir -p $HOME/.local/bin
ln -s $HOME/perl5/bin/cpanm $HOME/.local/bin/cpanm
echo 'export PATH=$HOME/.local/bin:$PATH' >> ~/.bashrc
source ~/.bashrc

(Use .zshrc instead if you’re using Zsh.) Either way, confirm it before moving on:

command -v cpanm

Install required Perl modules with SSL support

cpanm Net::SSLeay IO::Socket::SSL LWP::Protocol::https

Try it without --force first. If the build fails only in its test suite (common on Android, where some tests expect a full network stack), rerun with --notest, which skips the tests but still stops on a genuine build error. --force also installs when tests fail, but it hides the reason; either way, read the build output for the real cause (usually missing OpenSSL headers or no compiler) before leaning on one of these switches, or the problem simply resurfaces at your first HTTPS scan.

Check that HTTPS works

Verify the install against something you are allowed to scan. A throwaway local server covers the plain-HTTP check (pkg install python if you don’t have it), and your own HTTPS site covers the TLS modules:

python -m http.server 8000 &
perl nikto.pl -h http://127.0.0.1:8000
kill %1
perl nikto.pl -h https://yourwebsite.com

If both runs complete without “SSL” or “Net::SSLeay” errors, everything is working as it should. Older guides use scanme.nmap.org here; its acceptable-use notice authorizes port scanning with Nmap and similar tools and asks you not to hammer it, whereas a Nikto run sends thousands of HTTP requests, so keep Nikto on hosts you own.

Tip: Create an alias for convenience

echo 'alias nikto="perl $HOME/nikto/program/nikto.pl"' >> ~/.bashrc && source ~/.bashrc

By following these steps, you’ll have Nikto running smoothly on your Android device via Termux.
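The steps above, collected into one checked script. This is an added example, not part of the guide’s original commands or of the Nikto project: INSTALL_ROOT and RUN_INSTALL are names invented here, the package and module names are the ones the guide uses, and the self-check at the end confirms the install without scanning any remote host.

```shell
#!/usr/bin/env bash
# Added example, not from this guide or the Nikto project: the Termux install
# as one checked script. INSTALL_ROOT and RUN_INSTALL are names invented here.
set -eu

INSTALL_ROOT="${INSTALL_ROOT:-$HOME/nikto}"   # assumption: where to clone Nikto
NIKTO_MODULES="Net::SSLeay IO::Socket::SSL LWP::Protocol::https"

# Print each module from the argument list that perl cannot load.
# Always returns 0; an empty result means everything loaded. If perl itself
# is missing, every module is reported.
missing_perl_modules() {
  for mod in "$@"; do
    if ! perl -M"$mod" -e 1 >/dev/null 2>&1; then
      printf '%s\n' "$mod"
    fi
  done
  return 0
}

# Termux exports TERMUX_VERSION; refuse to run pkg anywhere else.
in_termux() { [ -n "${TERMUX_VERSION:-}" ]; }

install_packages() {
  pkg update && pkg upgrade -y
  # clang and the OpenSSL headers are needed because Net::SSLeay compiles C.
  # Current Termux ships the headers inside the openssl package.
  pkg install -y git perl curl make clang openssl
}

clone_nikto() {
  if [ ! -f "$INSTALL_ROOT/program/nikto.pl" ]; then
    git clone https://github.com/sullo/nikto.git "$INSTALL_ROOT"
  fi
}

# Download the cpanminus installer to a file so it can be inspected before it
# runs, instead of piping the download straight into perl.
install_cpanm() {
  curl -fsSL -o "$HOME/cpanm" https://cpanmin.us
  printf 'Review %s, then press Enter to install cpanminus: ' "$HOME/cpanm"
  read -r reply
  perl "$HOME/cpanm" App::cpanminus
  # A local::lib install (-l ~/perl5) puts the binary here instead of $PREFIX/bin.
  command -v cpanm >/dev/null 2>&1 || export PATH="$HOME/perl5/bin:$PATH"
}

install_perl_modules() {
  # Plain install first; --notest only if the test suite, not the build, fails.
  # $NIKTO_MODULES is deliberately unquoted so it splits into three names.
  cpanm $NIKTO_MODULES || cpanm --notest $NIKTO_MODULES
}

# Final check without touching any remote host: every module loads and
# nikto.pl parses far enough to print its version.
selfcheck() {
  missing=$(missing_perl_modules $NIKTO_MODULES)
  if [ -n "$missing" ]; then
    printf 'Perl modules still missing:\n%s\n' "$missing" >&2
    return 1
  fi
  perl "$INSTALL_ROOT/program/nikto.pl" -Version
}

main() {
  in_termux || { echo "This installer expects to run inside Termux." >&2; return 1; }
  install_packages
  clone_nikto
  command -v cpanm >/dev/null 2>&1 || install_cpanm
  install_perl_modules
  selfcheck
}

# Only run the installer when asked (RUN_INSTALL=1 bash nikto-termux.sh);
# without it the file can be sourced to reuse the helpers.
if [ "${RUN_INSTALL:-0}" = "1" ]; then main; fi
```

Run it with RUN_INSTALL=1 bash nikto-termux.sh inside Termux. If selfcheck fails, the module it names is the one whose cpanm build output you need to read; nothing else in the guide will work until that module loads.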

· · ─ ·𖥸· ─ · ·

Running Your First Nikto Scan

Once your Termux setup is complete, it’s time to run your first Nikto scan and see how it works. To get started, simply use the following command:

perl nikto.pl -h http://yourwebsite.com

This command tells Nikto to scan the site at the given URL; only point it at sites you own or have written permission to test. Nikto will work through its checks and print a list of what it finds. Here’s an illustrative example of the kind of output you’ll see (the exact wording varies between Nikto versions):

+ Target IP:          203.0.113.10
+ Target Hostname:    yourwebsite.com
+ Target Port:        80
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /cgi-bin/: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found

As you can see, Nikto flags an old server version, missing security headers, an enabled TRACE method and two directories worth restricting. Notice what isn’t there: no claim about injection in your own forms. Nikto reports known files, headers and versions; testing your application’s inputs needs other tools. The next step is to act on these findings.
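A fuller way to run the scan described above, as an added example that is not part of the guide or of the Nikto project: the wrapper keeps a dated report file and summarises it afterwards. NIKTO_PL, REPORT_DIR and the two NIKTO_* overrides are names invented here; the Nikto flags are documented options; the sample report at the bottom is constructed so the summariser can be tried without scanning anything.

```shell
#!/usr/bin/env bash
# Added example, not from the guide or the Nikto project: run Nikto with a
# saved report and summarise it. NIKTO_PL, REPORT_DIR, NIKTO_TUNING and
# NIKTO_MAXTIME are names invented here. The sample report is constructed.
set -eu

NIKTO_PL="${NIKTO_PL:-$HOME/nikto/program/nikto.pl}"   # assumption
REPORT_DIR="${REPORT_DIR:-$HOME/nikto-reports}"         # assumption

# Only accept full URLs, so a bare hostname or a typo is rejected rather than
# scanned with guessed defaults.
valid_target() {
  case "$1" in
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run one scan and print the path of the text report it wrote.
#   -output/-Format  keep a file you can diff against next month's run
#   -Tuning x6       every test class except 6 (denial of service)
#   -maxtime         hard stop, so a slow site can't tie up the phone for hours
#   -ask no          don't offer to submit server banners to the project
#   -nointeractive   no keyboard prompts while running unattended
run_scan() {
  target="$1"
  valid_target "$target" || { echo "target must start with http:// or https://" >&2; return 2; }
  mkdir -p "$REPORT_DIR"
  slug=$(printf '%s' "$target" | tr -c 'A-Za-z0-9' '_')
  report="$REPORT_DIR/${slug}-$(date +%Y%m%d-%H%M%S).txt"
  perl "$NIKTO_PL" -h "$target" \
    -output "$report" -Format txt \
    -Tuning "${NIKTO_TUNING:-x6}" \
    -maxtime "${NIKTO_MAXTIME:-30m}" \
    -ask no -nointeractive
  printf '%s\n' "$report"
}

# Nikto's text output marks every line with "+ ", including the target and
# timing banner. Strip those so only real findings remain.
findings() {
  awk '/^\+ / && $0 !~ /^\+ (Target (IP|Hostname|Port)|Start Time|End Time|[0-9]+ requests:|[0-9]+ host\(s\) tested)/' "$1"
}

count_findings() { findings "$1" | grep -c . || true; }

# Constructed sample report (not real scan output); real line wording varies.
SAMPLE_REPORT=$(mktemp)
cat >"$SAMPLE_REPORT" <<'EOF'
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          203.0.113.10
+ Target Hostname:    yourwebsite.com
+ Target Port:        80
+ Start Time:         2024-05-01 10:00:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ /phpmyadmin/: phpMyAdmin directory found
+ 7000 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2024-05-01 10:06:00 (GMT0) (360 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
EOF

if [ $# -gt 0 ]; then
  report=$(run_scan "$1")
  printf '%s findings in %s\n' "$(count_findings "$report")" "$report"
  findings "$report"
else
  printf '%s findings in the constructed sample report:\n' "$(count_findings "$SAMPLE_REPORT")"
  findings "$SAMPLE_REPORT"
fi
```

Run it as bash nikto-scan.sh https://yourwebsite.com; with no argument it only summarises the built-in sample. Keeping the reports lets you diff two runs and see exactly which findings a fix removed, which is more useful than re-reading a full scan each time.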

· · ─ ·𖥸· ─ · ·

What to Do with Nikto Results

Once your scan is complete and you have the results, it’s important to understand how to handle them. Here are some actions you can take based on common Nikto findings:

  • Outdated Software: If Nikto reports an outdated server version (Apache, nginx, PHP, a CMS), update it. Until you can, stop advertising the version (ServerTokens Prod on Apache), but treat that as cosmetic: the vulnerability is still there.
  • Known-vulnerable scripts and files: Findings tagged as SQL injection, XSS or command execution in Nikto’s database point at specific files it found on your server. Remove or update that file or package. They say nothing about injection in your own code; for that, test your forms with an application scanner such as OWASP ZAP, and use prepared statements and output encoding as a matter of course.
  • Missing security headers: Add X-Frame-Options, X-Content-Type-Options and (on HTTPS sites) Strict-Transport-Security at the server, then re-check with curl -I before closing the finding.
  • Dangerous HTTP methods: Disable TRACE (TraceEnable Off on Apache) and confirm that a TRACE request now gets an error status such as 405 instead of an echo of your request.
  • SSL/TLS: Nikto only reports certificate details and the cipher it negotiated. Run a dedicated TLS scanner, and disable SSLv3 and TLS 1.0/1.1 in your server configuration.
  • Accessible Directories: Restrict /phpmyadmin/, /cgi-bin/ and similar paths with authentication or an allow-list of source addresses, or remove them if you don’t need them. Directory listings (Options Indexes on Apache) should be off.
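The checks and fixes above, and the verification step the Limitations section below asks for, as one added example that is not from the guide or the Nikto project. The header names and Apache directives are real; the sample response, the sample httpd.conf fragment, the 203.0.113.0/24 allow-list and the URL you pass in are placeholders (constructed). It confirms three common findings by hand with curl, audits an Apache config for the directives behind them, and prints the corrected directives beside the weak ones.

```shell
#!/usr/bin/env bash
# Added example, not from the guide or the Nikto project: confirm common Nikto
# findings by hand and audit the Apache directives behind them. Sample data
# below is constructed; the allow-list network is a placeholder.
set -eu

# Headers Nikto routinely reports as absent.
WANTED_HEADERS="X-Frame-Options X-Content-Type-Options Strict-Transport-Security Content-Security-Policy"

# Read raw response headers on stdin; print each wanted header that is absent.
# Header names are case-insensitive, so everything is lower-cased first.
missing_headers() {
  got=$(tr -d '\r' | tr 'A-Z' 'a-z')
  for h in $WANTED_HEADERS; do
    name=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
    printf '%s\n' "$got" | grep -q "^$name:" || printf '%s\n' "$h"
  done
  return 0
}

# Audit an Apache config for the directives behind typical Nikto findings.
# Prints "directive<TAB>current<TAB>recommended" per weak setting. Absent
# TraceEnable and ServerTokens are flagged too, because Apache defaults them
# to On and Full respectively.
audit_apache_conf() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
      d = tolower($1); v = tolower($2)
      if (d == "traceenable")  { seen_trace = 1;  if (v != "off")  print "TraceEnable\t" $2 "\tOff" }
      if (d == "servertokens") { seen_tokens = 1; if (v != "prod") print "ServerTokens\t" $2 "\tProd" }
      if (d == "serversignature" && v != "off") print "ServerSignature\t" $2 "\tOff"
      if (d == "options" && $0 ~ /(^|[[:space:]])\+?Indexes/) print "Options\tIndexes\t-Indexes"
    }
    END {
      if (!seen_trace)  print "TraceEnable\t(absent, defaults to On)\tOff"
      if (!seen_tokens) print "ServerTokens\t(absent, defaults to Full)\tProd"
    }
  ' "$1"
}

# The corrected directives (Apache 2.4; Header needs mod_headers).
hardened_apache_conf() {
  cat <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
<Location "/phpmyadmin">
    Require ip 203.0.113.0/24
</Location>
EOF
}

# Live checks against a site you are authorised to test.
live_check() {
  url="${1%/}"
  echo "== security headers missing on $url"
  curl -sS -D - -o /dev/null "$url/" | missing_headers
  echo "== TRACE status (200 means TRACE is enabled; expect 405 after TraceEnable Off)"
  curl -sS -o /dev/null -w '%{http_code}\n' -X TRACE "$url/"
  echo "== /phpmyadmin/ status (401, 403 or 404 are the good answers)"
  curl -sS -o /dev/null -w '%{http_code}\n' "$url/phpmyadmin/"
}

# Constructed weak config to audit when no URL is given.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# trimmed httpd.conf (constructed)
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF

if [ $# -gt 0 ]; then
  live_check "$1"
else
  echo "== weak directives in sample config"
  audit_apache_conf "$SAMPLE_CONF"
  echo "== hardened equivalent"
  hardened_apache_conf
fi
```

Run bash nikto-verify.sh https://yourwebsite.com to re-test a site after a fix, or bash nikto-verify.sh /dev/null-free with no argument to see the audit on the sample config. Auditing your real httpd.conf is just audit_apache_conf /etc/apache2/apache2.conf (or wherever your distribution keeps it); a finding Nikto reported that this script cannot reproduce is your cue to read the Nikto line more carefully rather than to dismiss it.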

· · ─ ·𖥸· ─ · ·

Best Practices for Website Security

While Nikto is a powerful tool for identifying vulnerabilities, it’s just one part of the broader website security picture. To truly protect your website, follow these best practices:

  • Use HTTPS: Always secure your website with SSL/TLS encryption, ensuring data transmitted between your site and users is private.
  • Keep Software Up-to-Date: Regularly update your website’s software, plugins, and dependencies to patch known vulnerabilities.
  • Use Strong Passwords: Make sure all accounts associated with your website use strong, unique passwords.
  • Implement Two-Factor Authentication (2FA): This adds an extra layer of protection for both administrators and users.
  • Regular Backups: Keep regular backups of your website so you can restore it if anything goes wrong.

By following these best practices in addition to running regular Nikto scans, you can significantly improve your website security.

Limitations of Nikto

While Nikto is a powerful web server scanner, it’s important to understand its limitations:

  • Not a Complete Solution: Nikto can’t find every vulnerability. It’s effective at identifying known issues, but it might miss zero-day vulnerabilities or more advanced attacks.
  • False Positives: Some results may not necessarily be critical vulnerabilities. It’s important to verify the findings and understand the context.
  • Limited to Web Servers: Nikto focuses primarily on the web server and HTTP-related vulnerabilities. It doesn’t provide a full security assessment of your website, including application-layer issues like insecure code or misconfigurations in your CMS.

For more thorough assessments, consider using additional tools like OWASP ZAP or Burp Suite to supplement Nikto’s scans.

· · ─ ·𖥸· ─ · ·

Best Practices for Using Nikto

  1. Obtain Permission: Always ensure you have permission to scan a website to avoid legal repercussions.
  2. Regular Scanning: Make Nikto scans a regular part of your security assessment routine to continuously monitor your website security.
  3. Combine with Other Tools: While Nikto is powerful, it’s most effective when used alongside other security tools and practices to create a comprehensive security strategy.

· · ─ ·𖥸· ─ · ·

From Curious Clicks to Confident Control

Running that first Nikto scan felt like opening a hidden door to my own website’s weak points—and it lit a fire I didn’t expect. I went from blind trust to informed action, all thanks to one free tool and a smartphone terminal.

The truth is, most site owners never look under the hood. They rely on hope, plugins, or luck. But hope isn’t a strategy—website security demands intentionality. And tools like Nikto, especially when paired with Termux, give you that power without the need for a security team or enterprise budget.

You’ve just learned how to run your first web vulnerability scan in under 10 minutes. That’s not just a technical win—it’s a shift in mindset. You’re no longer guessing. You’re scanning, verifying, and locking doors before anyone can walk through them.

So don’t stop here. Run those scans regularly. Learn what the results mean. Stay curious, stay cautious—and stay in control.

Because in the world of website security, knowing is the first step toward never being caught off guard.
