WPScan is a black box WordPress vulnerability scanner. It's a command-line tool designed for assessing the security posture of WordPress websites.

Installation and Setup

Install on Kali Linux (Pre-installed)

sudo apt update && sudo apt install wpscan

Install via RubyGems

gem install wpscan

Docker

docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --url https://example.com/ --enumerate u

Homebrew (macOS)

brew install wpscanteam/tap/wpscan             #Install the Latest Stable Version
brew install wpscanteam/tap/wpscan --HEAD      #Install the Latest Code from the master Branch

Compile from Source

git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
bundle install && rake install

Updating WPScan

gem update wpscan

WordPress Vulnerability Database & API

The WPScan Vulnerability Database API supplies reports of WordPress vulnerabilities that the CLI scanner uses alongside its own findings. Create an account on the WPScan website to receive an API token. For WPScan to retrieve the vulnerability data, an API token must be supplied via the --api-token option, or via a configuration file.

Basic Usage

wpscan --url http://example.com                                 #Basic WordPress Scan
wpscan --url http://example.com --enumerate u                   #Enumerate Users
wpscan --url http://example.com --api-token <YOUR_API_KEY>      #Supply API Token to Retrieve Vulnerability Data

Target Enumeration

wpscan --url http://example.com --enumerate        #Enumerate with the Default Set (vp,vt,tt,cb,dbe,u,m)
wpscan --url http://example.com --enumerate u      #Enumerate Users
wpscan --url http://example.com --enumerate p      #Enumerate Popular Plugins
wpscan --url http://example.com --enumerate vp     #Enumerate Vulnerable Plugins
wpscan --url http://example.com --enumerate ap     #Enumerate All Plugins
wpscan --url http://example.com --enumerate vt     #Enumerate Vulnerable Themes
wpscan --url http://example.com --enumerate at     #Enumerate All Themes
wpscan --url http://example.com --enumerate cb     #Enumerate Config Backups

Brute-Forcing WordPress Logins

wpscan --url http://example.com -U admin -P rockyou.txt                                         #Brute-Force Admin Password
wpscan --url http://example.com --usernames users.txt --passwords passwords.txt                 #Multi-User Brute-Force
wpscan --url http://example.com --usernames admin --passwords passwords.txt --max-threads 10    #Speed Up Brute-Force
wpscan --url http://example.com --usernames admin --passwords rockyou.txt --throttle 1000       #Add 1-Second Delay Between Requests (Value in Milliseconds)
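
Defender-side view of the password attacks above, as an added example (not part of the original cheat sheet or of WPScan): it counts login POSTs per client IP in a web access log instead of matching on User-Agent. The log lines are constructed, and the function name, threshold and combined log format are assumptions.

```python
import re
from collections import Counter

# Constructed combined-format access log: one client posting to wp-login.php
# under rotating User-Agents, plus one ordinary user logging in once.
AGENTS = ["Mozilla/5.0 (X11; Linux x86_64)", "Mozilla/5.0 (Windows NT 10.0)", "curl/8.5.0"]
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2025:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
     f'200 4521 "-" "{AGENTS[i % 3]}"' for i in range(8)]
    + ['203.0.113.7 - - [10/Mar/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.5.0"',
       '198.51.100.4 - - [10/Mar/2025:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/Mar/2025:10:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'])

# client IP, method, path and status from a combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")

def suspicious_logins(log_text, threshold=5):
    """Map client IP -> attempt stats for IPs at or above the threshold.

    Keys on source IP and path, not User-Agent, so rotating agents do not hide
    the pattern. WordPress answers a failed wp-login.php POST with 200 and a
    successful one with a 302 redirect; xmlrpc.php normally answers 200.
    Counting over the whole file also catches slow, throttled attempts.
    """
    attempts, success = Counter(), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] not in AUTH_PATHS:
            continue
        if status == "302":
            success.add(ip)      # possible valid credential: review this account
        else:
            attempts[ip] += 1
    return {ip: {"attempts": n, "login_succeeded": ip in success}
            for ip, n in attempts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, stats in suspicious_logins(SAMPLE_LOG).items():
        print(ip, stats)
```
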

Detecting Vulnerabilities

wpscan --url http://example.com --enumerate vp                   #Enumerate Vulnerable Plugins
wpscan --url http://example.com --enumerate vt                   #Enumerate Vulnerable Themes
wpscan --url http://example.com --api-token <YOUR_API_KEY>       #Use API for Latest Vulnerability Data
wpscan --url http://example.com --detection-mode aggressive      #Aggressive Detection Mode

User Enumeration and Exploitation

wpscan --url http://example.com --enumerate u                                 #Enumerate Users
wpscan --url http://example.com --enumerate u --wp-content-dir wp-content     #Custom WordPress Directory
wpscan --url http://example.com -U admin -P passwords.txt --force             #Brute-Force Without Checking That the Target Runs WordPress or Returns a 403
wpscan --url http://example.com --wp-content-dir custom-dir                   #Scan Custom WordPress Installation

Plugin and Theme Analysis

wpscan --url http://example.com --enumerate p     #Enumerate Popular Plugins
wpscan --url http://example.com --enumerate ap    #Enumerate All Plugins
wpscan --url http://example.com --enumerate vp    #Enumerate Vulnerable Plugins
wpscan --url http://example.com --enumerate vt    #Enumerate Vulnerable Themes

Configuration and Backup Files Enumeration

wpscan --url http://example.com --enumerate cb      #Enumerate Config Backups
wpscan --url http://example.com --enumerate dbe     #Enumerate Database Exports
wpscan --url http://example.com --enumerate m       #Enumerate Media IDs

Performance Tuning

wpscan --url http://example.com --max-threads 20          #Increase Scan Speed
wpscan --url http://example.com --throttle 1              #Add Delay Between Requests (Value in Milliseconds)
wpscan --url http://example.com --random-user-agent       #Use Random User-Agents
wpscan --url http://example.com --request-timeout 10      #Set Request Timeout

Bypassing Security Measures

wpscan --url http://example.com --proxy http://127.0.0.1:8080               #Use Proxy
wpscan --url http://example.com --proxy socks5://127.0.0.1:9050             #Use SOCKS5 Proxy
wpscan --url http://example.com --random-user-agent                         #Spoof User-Agent
wpscan --url http://example.com --headers "X-Forwarded-For: 127.0.0.1"      #Bypass WAF

Stealth Mode and Obfuscation

wpscan --url http://example.com --quiet                            #Silent Mode (No Output)
wpscan --url http://example.com --random-user-agent                #Use Random User-Agent
wpscan --url http://example.com --proxy http://127.0.0.1:8080      #Route Through Proxy
wpscan --url http://example.com --throttle 5                       #Add Delay to Reduce Detection (Value in Milliseconds)

Saving and Exporting Results

wpscan --url http://example.com -o results.txt                   #Save Results to File
wpscan --url http://example.com -o results.json --format json    #Save Results as JSON
wpscan --url http://example.com --log wpscan.log                 #Save Scan Log
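
Turning the JSON report into a remediation list, as an added example (not part of the original cheat sheet or of WPScan). The sample report is constructed, and the field names it relies on (plugins, themes, version.number, vulnerabilities, fixed_in, users) are assumptions about the JSON layout; check them against a real results.json before relying on the output.

```python
import json

# Constructed sample shaped like `wpscan -o results.json --format json` output.
# Field names are assumed; plugin names and findings are invented.
SAMPLE = """
{
  "plugins": {
    "example-forms": {
      "version": {"number": "1.2.0"},
      "vulnerabilities": [
        {"title": "Example Forms < 1.2.5 - Stored XSS (constructed)", "fixed_in": "1.2.5"},
        {"title": "Example Forms - CSRF (constructed)", "fixed_in": null}
      ]
    },
    "example-seo": {"version": null, "vulnerabilities": []}
  },
  "users": {"admin": {"id": 1}, "editor1": {"id": 2}}
}
"""

def triage(report):
    """Return (findings, exposed_users) from a parsed WPScan JSON report."""
    findings = []
    for kind in ("plugins", "themes"):
        for slug, item in (report.get(kind) or {}).items():
            # version is null when the scanner could not fingerprint it
            version = (item.get("version") or {}).get("number", "unknown")
            for vuln in item.get("vulnerabilities") or []:
                findings.append({
                    "component": f"{kind[:-1]}:{slug}",
                    "installed": version,
                    "title": vuln.get("title", ""),
                    # no fixed_in means no patched release is recorded
                    "action": f"upgrade to {vuln['fixed_in']}" if vuln.get("fixed_in")
                              else "no fix listed: disable or replace",
                })
    # Items without a fix sort first, then by component name.
    findings.sort(key=lambda f: (f["action"].startswith("upgrade"), f["component"]))
    return findings, sorted((report.get("users") or {}).keys())

if __name__ == "__main__":
    findings, users = triage(json.loads(SAMPLE))
    for f in findings:
        print(f"{f['component']} ({f['installed']}): {f['title']} -> {f['action']}")
    print("enumerable usernames:", ", ".join(users))
```
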

Combining Multiple Options

wpscan --url http://example.com --enumerate u,p --max-threads 15 --random-user-agent                          #Multi-Enumeration with Speed & Stealth (p, vp and ap Cannot Be Combined)
wpscan --url http://example.com -U admin -P rockyou.txt --proxy socks5://127.0.0.1:9050 --random-user-agent   #Brute-Force via Proxy with Spoofed User-Agent

Troubleshooting and Debugging

wpscan --url http://example.com --debug-output debug.log     #Enable Debug Logging
wpscan --url http://example.com --disable-tls-checks         #Ignore SSL/TLS Errors

Best Practices

wpscan --url http://example.com --enumerate u,vp,vt --api-token YOUR_API_KEY --max-threads 20       #Full Scan with API Data
wpscan --url http://example.com -U admin -P rockyou.txt --max-threads 10 --throttle 1               #Slow Brute-Force to Avoid Lockouts
wpscan --url http://example.com --random-user-agent --proxy socks5://127.0.0.1:9050                 #Stealth Scan via Proxy