WPScan: The Ultimate In-Depth Guide to WordPress Security Scanning
1. Introduction
WordPress powers over 40% of all websites on the internet. With such widespread usage, it naturally becomes one of the most attractive targets for attackers. Hackers exploit vulnerabilities in plugins, themes, or weak administrator credentials to compromise WordPress websites. Once compromised, a site can be used for malware distribution, phishing campaigns, defacement, or even as part of a botnet.
To combat these threats, security professionals rely on specialized tools to perform penetration testing and vulnerability assessments on WordPress sites. WPScan is one of the most powerful and widely used tools for this purpose.
WPScan is a free and open-source black box WordPress vulnerability scanner written in Ruby. It is designed specifically for WordPress security testing and has the ability to:
- Enumerate WordPress users, plugins, and themes.
- Detect version information and vulnerabilities.
- Perform brute-force password attacks.
- Integrate with a vulnerability database for live results.
- Provide detailed reports for auditing.
This article is a complete professional guide to WPScan. It covers everything from installation to advanced usage, with detailed commands, explanations, and simulated outputs so that both beginners and professionals can use it effectively.
2. Installing WPScan
WPScan is included by default in Kali Linux, but it can also be installed on Ubuntu, Debian, and macOS.
2.1 Installing on Kali Linux
Since WPScan comes pre-installed, you just need to ensure it’s up to date:
sudo apt update && sudo apt install wpscan -y
2.2 Installing on Ubuntu/Debian
If you’re using another Linux distribution:
sudo apt update
sudo apt install ruby ruby-dev libcurl4-openssl-dev make gcc
sudo gem install wpscan
2.3 Verifying Installation
wpscan --version
Output (simulated):
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|   v3.8.26

         WordPress Security Scanner by the WPScan Team
_______________________________________________________________
Version: 3.8.26
3. WPScan Options Explained
WPScan has a wide variety of options. To use WPScan effectively, it’s important to understand what each option does.
Running the help command:
wpscan --help
Partial Output (simulated):
Usage: wpscan [options]
        --url URL                    The URL of the WordPress site to scan
    -e, --enumerate [option(s)]      Enumeration options (see below)
        --api-token TOKEN            WPVulnDB API Token for vulnerability data
        --random-user-agent          Use a random user-agent for each scan
        --proxy PROXY                Use a proxy (e.g., http://127.0.0.1:8080)
        --plugins-detection MODE     Plugins detection mode (mixed|passive|aggressive)
        --update                     Update WPScan database
    -o, --output FILE                Output scan results to a file
    -f, --format FORMAT              Output format (cli|json|cli-no-colour)
    -U, --usernames LIST             List of usernames to use
    -P, --passwords LIST             List of passwords to use
        --throttle THROTTLE          Milliseconds to wait between requests
We will now go through each of these options with examples.
4. Scanning a WordPress Website
The most basic usage of WPScan is to scan a WordPress site for general information.
Command:
wpscan --url http://example.com
Explanation:
- --url specifies the target site.
- No enumeration or brute-force options are added yet, so WPScan only attempts to gather version and basic information.
Output
[+] URL: http://example.com/
[+] Started: Sat Sep 06 12:14:52 2025
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Powered-By: PHP/7.4.3
[+] WordPress version 5.8.3 identified (Insecure, released on 2021-11-30).
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Meta Generator (Passive Detection)
[+] WordPress theme in use: twentytwentyone
| Location: http://example.com/wp-content/themes/twentytwentyone/
[+] Enumerating All Plugins (via Passive Detection)
[i] No plugins found during passive detection.
Scan completed in 12.34 seconds.
This basic scan reveals the WordPress version, theme, and server headers.
5. Enumerating Users
One of the most common steps in attacking a WordPress site is user enumeration. Once usernames are identified, attackers can attempt brute-force password guessing.
Command:
wpscan --url http://example.com -e u
Explanation:
- -e u → tells WPScan to enumerate users.
- WPScan tries several techniques, such as author archives (/?author=1).
Output
[+] Enumerating WordPress Users
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] editor
| Found By: Rss Generator (Passive Detection)
[i] End of User Enumeration
Now we have identified two valid usernames: admin and editor.
6. Enumerating Plugins
Plugins are the most common entry points for WordPress exploitation. WPScan can enumerate installed plugins and check if they are vulnerable.
Command:
wpscan --url http://example.com -e p --api-token YOUR_TOKEN
Explanation:
- -e p → enumerate plugins.
- --api-token → connects to the WPVulnDB API to check for vulnerabilities.
Output
[+] Enumerating Plugins
[+] Plugin found: contact-form-7
| Location: http://example.com/wp-content/plugins/contact-form-7/
| Version: 5.3.1
| Vulnerabilities:
| - CVE-2020-35489: Unrestricted File Upload
| - CVE-2020-35490: CSRF leading to settings change
[+] Plugin found: yoast-seo
| Location: http://example.com/wp-content/plugins/wordpress-seo/
| Version: 15.9
| No known vulnerabilities detected.
This reveals installed plugins and associated CVEs.
7. Enumerating Themes
Just like plugins, themes can also contain vulnerabilities. Outdated or poorly coded themes may allow remote code execution, privilege escalation, or even SQL injection. WPScan can detect the active theme and any vulnerabilities associated with it.
Command:
wpscan --url http://example.com -e t --api-token YOUR_TOKEN
Explanation:
- -e t → enumerates the active theme.
- --api-token → fetches vulnerability data from WPVulnDB.
Output
[+] Enumerating Themes
[+] Theme found: twentytwentyone
| Location: http://example.com/wp-content/themes/twentytwentyone/
| Version: 1.2
| No known vulnerabilities detected.
[+] Theme found: oldtheme
| Location: http://example.com/wp-content/themes/oldtheme/
| Version: 2.3
| Vulnerabilities:
| - CVE-2019-16758: Arbitrary File Download
| - CVE-2020-10510: Cross-Site Scripting (XSS)
Interpretation:
- The active theme twentytwentyone is safe.
- The legacy theme oldtheme is outdated and vulnerable.
This shows why theme enumeration is important — sometimes old, unused themes are left on the server and become attack vectors.
8. Enumerating WordPress Version
Knowing the WordPress version is critical, since outdated core versions may contain serious security flaws.
Command:
wpscan --url http://example.com --enumerate v
Explanation:
- --enumerate v → specifically checks the WordPress core version.
- Both passive methods (generator meta tags, RSS feeds) and aggressive methods are used.
Output
[+] WordPress version 5.8.3 identified
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Meta Generator (Aggressive Detection)
[i] The version is out of date, the latest release is 6.3.1
| Known vulnerabilities:
| - CVE-2022-21661: SQL Injection in WP_Query
| - CVE-2022-21662: XSS in Block Editor
Interpretation: This tells us the WordPress version is outdated and vulnerable to specific CVEs.
9. Brute Force Attacks with WPScan
Once usernames are identified, attackers often try brute-force password guessing. WPScan supports this directly.
9.1 Brute Force with a Password List
Command:
wpscan --url http://example.com -U admin -P /usr/share/wordlists/rockyou.txt
Explanation:
- -U admin → target the username admin.
- -P rockyou.txt → use the rockyou wordlist for passwords.
Output
[+] Starting brute force attack against user 'admin'
[i] Using 14,344,392 passwords from /usr/share/wordlists/rockyou.txt
[+] Valid credentials found:
| Username: admin
| Password: summer2021
Interpretation: WPScan found valid credentials for the admin user.
9.2 Brute Force with Multiple Users
Command:
wpscan --url http://example.com -U users.txt -P passwords.txt
Where users.txt contains:
admin
editor
And passwords.txt contains:
123456
password
editor123
admin2023
Output
[+] Starting brute force attack
[+] Valid credentials found:
| Username: editor
| Password: editor123
Interpretation: Even if the admin account is secure, the editor account was cracked. Many breaches occur through secondary accounts.
9.3 Throttling Brute Force Attacks
To avoid detection or server crashes, WPScan allows throttling requests.
Command:
wpscan --url http://example.com -U admin -P rockyou.txt --throttle 2000
Explanation:
- --throttle 2000 → waits 2000 ms (2 seconds) between each request.
Output
[i] Brute forcing with 2000ms delay between attempts
[i] Estimated time: ~15 hours
[+] Valid credentials found:
| Username: admin
| Password: secret@123
Interpretation: While slower, this method avoids triggering WordPress login protection plugins.
10. Using Random User Agents
Some firewalls detect and block tools like WPScan by monitoring the User-Agent header. Using --random-user-agent, WPScan can disguise itself as different browsers.
Command:
wpscan --url http://example.com --random-user-agent
Output
[i] Using Random User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/92.0.4515.131 Safari/537.36
[+] WordPress version 5.8.3 identified
[+] Plugins enumeration completed
This bypasses simple detection mechanisms.
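A User-Agent check is easy to defeat, so defensive detection should key on the behaviour WPScan's scans leave in the web server log rather than on the header. The following added example (not part of this article or of WPScan) scores Apache combined-format access-log lines per client IP on the signals described in this guide: the default WPScan User-Agent, ?author= probing, plugin readme.txt requests, wp-login.php POST bursts, and User-Agent rotation. The log lines, IP addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines (not real traffic). The first line uses
# WPScan's default User-Agent shape; the rest imitate --random-user-agent.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Sep/2025:12:14:52 +0000] "GET / HTTP/1.1" 200 5120 "-" "WPScan v3.8.26 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.5 - - [06/Sep/2025:12:14:53 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/92.0.4515.131 Safari/537.36"
203.0.113.5 - - [06/Sep/2025:12:14:53 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0"
203.0.113.5 - - [06/Sep/2025:12:14:54 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
203.0.113.5 - - [06/Sep/2025:12:14:54 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
203.0.113.5 - - [06/Sep/2025:12:14:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/92.0"
203.0.113.5 - - [06/Sep/2025:12:14:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/92.0"
203.0.113.5 - - [06/Sep/2025:12:14:56 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/92.0"
198.51.100.7 - - [06/Sep/2025:12:20:01 +0000] "GET /2025/09/hello-world/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0) Safari/604.1"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
AUTHOR_RE = re.compile(r"^/\?author=(?P<id>\d+)$")  # user enumeration via author archives
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/readme\.txt$")  # plugin version probing

def analyze(log_text, login_threshold=3, probe_threshold=2, ua_threshold=3):
    """Return {ip: [reasons]} for clients whose behaviour matches WPScan's enumeration or brute-force phases."""
    per_ip = defaultdict(lambda: {"wpscan_ua": 0, "authors": set(), "plugins": set(), "logins": 0, "uas": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        s = per_ip[m["ip"]]
        s["uas"].add(m["ua"])
        if m["ua"].startswith("WPScan"):
            s["wpscan_ua"] += 1
        if a := AUTHOR_RE.match(m["path"]):
            s["authors"].add(a["id"])
        if p := PLUGIN_RE.match(m["path"]):
            s["plugins"].add(p["slug"])
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            s["logins"] += 1
    findings = {}
    for ip, s in per_ip.items():
        checks = [  # (condition, reason) pairs; each one is a distinct WPScan fingerprint
            (s["wpscan_ua"] > 0, "default WPScan User-Agent"),
            (len(s["authors"]) >= probe_threshold, f"author enumeration via ?author= ({len(s['authors'])} ids)"),
            (len(s["plugins"]) >= probe_threshold, f"plugin readme.txt probing ({len(s['plugins'])} slugs)"),
            (s["logins"] >= login_threshold, f"wp-login.php POST burst ({s['logins']} attempts)"),
            (len(s["uas"]) >= ua_threshold, f"rotating User-Agent ({len(s['uas'])} distinct strings)"),
        ]
        reasons = [text for hit, text in checks if hit]
        if reasons: findings[ip] = reasons
    return findings
```

Run against a real log, the thresholds need tuning per site (a busy multi-author blog legitimately serves many /?author= requests), and the same counters feed naturally into a WAF or fail2ban rule.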
11. Using Proxies with WPScan
Sometimes penetration testers want to hide their real IP or pass traffic through a security tool like Burp Suite.
Command:
wpscan --url http://example.com --proxy http://127.0.0.1:8080
Explanation:
- Routes all traffic through 127.0.0.1:8080, which is usually Burp Suite.
Output
[i] Proxy set to http://127.0.0.1:8080
[i] Sending requests through proxy
[+] WordPress version: 5.8.3
This allows deeper inspection of requests and responses.
12. Scanning with TOR
To anonymize scans, WPScan can be routed through TOR.
Command:
wpscan --url http://example.com --proxy socks5://127.0.0.1:9050
Output
[i] Proxy set to socks5://127.0.0.1:9050 (TOR)
[i] Checking connection... OK
[+] WordPress site reachable through TOR
[+] Enumeration results: version 5.8.3, 2 plugins found
This masks the tester’s IP address.
13. Exporting Results
WPScan supports exporting results to logs or JSON.
13.1 Saving to File
Command:
wpscan --url http://example.com --output results.txt
Simulated Output (file contents):
Scan Results for http://example.com
-
WordPress version: 5.8.3
Theme: twentytwentyone (safe)
Plugins: contact-form-7 (vulnerable)
Users: admin, editor
13.2 JSON Export
Command:
wpscan --url http://example.com --format json --output results.json
Simulated JSON Output:
{
"target_url": "http://example.com",
"wordpress_version": "5.8.3",
"users": ["admin", "editor"],
"plugins": [
{
"name": "contact-form-7",
"version": "5.3.1",
"vulnerabilities": ["CVE-2020-35489", "CVE-2020-35490"]
}
]
}
This is useful for automation or integration with other tools.
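As an added example (not part of this article or of WPScan itself), here is a small Python triage step for that automation use case: it consumes a report in the simplified JSON shape shown above, turns it into a list of findings with a non-zero exit status, and can diff against the previous run so a scheduled scan only alerts on changes. The function names and the sample report are constructed; a real wpscan -f json report uses a different layout (plugins keyed by slug, vulnerabilities as objects), so the key lookups would need adapting.

```python
import json
import sys

# Constructed report in the simplified shape of this article's simulated JSON
# export; adapt the key lookups for the richer layout real `wpscan -f json` emits.
SAMPLE_REPORT = json.loads("""{
  "target_url": "http://example.com",
  "wordpress_version": "5.8.3",
  "users": ["admin", "editor"],
  "plugins": [
    {"name": "contact-form-7", "version": "5.3.1",
     "vulnerabilities": ["CVE-2020-35489", "CVE-2020-35490"]},
    {"name": "yoast-seo", "version": "15.9", "vulnerabilities": []}
  ]
}""")

def triage(report, max_users=0):
    """Reduce a report to actionable findings plus a process exit code
    (1 = something to fix), so a cron job or CI step can alert on it."""
    findings = []
    for plugin in report.get("plugins", []):
        vulns = plugin.get("vulnerabilities") or []
        if vulns:
            findings.append(f"plugin {plugin['name']} {plugin.get('version', '?')}: "
                            + ", ".join(vulns))
    users = report.get("users", [])
    if len(users) > max_users:  # any enumerable username is a finding by default
        findings.append(f"{len(users)} username(s) enumerable: " + ", ".join(users))
    if "admin" in users:
        findings.append("default username 'admin' is present")
    return findings, (1 if findings else 0)

def new_findings(previous, current):
    """Findings in the current run that were not already reported last time,
    so a scheduled scan only alerts on changes."""
    seen = set(previous)
    return [f for f in current if f not in seen]

if __name__ == "__main__":
    # Scheduled use, e.g. from cron:
    #   wpscan --url http://example.com --format json --output report.json; python triage.py report.json
    source = sys.argv[1] if len(sys.argv) > 1 else None
    report = json.load(open(source)) if source else SAMPLE_REPORT
    found, code = triage(report)
    print("\n".join(found) or "no findings")
    sys.exit(code)
```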
14. Updating WPScan
WPScan relies on a vulnerability database. Keeping it updated ensures accurate detection.
Command:
wpscan --update
Output
[i] Updating the Database...
[i] Database updated from v2025.09.01 to v2025.09.06
15. Real-World Case Studies
Case Study 1: Weak Admin Password
A client’s site had the username admin. WPScan brute-forced the password welcome123. Once inside, attackers could upload malicious plugins.
Case Study 2: Vulnerable Plugin
During a scan, WPScan found contact-form-7 with a file upload vulnerability. This allowed arbitrary PHP file uploads, leading to full compromise.
Case Study 3: Forgotten Old Theme
The active theme was safe, but an old unused theme was still present. It contained an XSS vulnerability. Attackers injected malicious JavaScript through it.
16. Best Practices for Using WPScan
- Always use your own site or have explicit permission.
- Regularly scan and patch outdated plugins, themes, and WordPress versions.
- Use strong, unique admin credentials.
- Enable two-factor authentication.
- Hide WordPress version and sensitive information from headers.
- Automate WPScan with cron jobs for continuous monitoring.
17. Conclusion
WPScan is one of the most effective tools for auditing WordPress security. With features like user enumeration, plugin and theme vulnerability detection, brute-force password testing, and integration with a vulnerability database, it provides a complete toolkit for WordPress penetration testing.
By mastering its options and interpreting outputs correctly, security professionals can identify and mitigate risks before attackers exploit them.
Using WPScan responsibly strengthens WordPress websites, protects user data, and ensures safe digital environments.