WPScan is the go-to tool for WordPress security scanning. It’s an open-source black-box scanner that enumerates users, themes, and plugins, and, crucially, checks everything it finds against a curated vulnerability database to surface real, known CVEs. It ships with Kali Linux and is actively maintained by the WPScan team. This guide covers installation, the API key setup you now need for vulnerability data, and practical usage examples.
What WPScan Does
WPScan takes a black-box approach: it doesn’t need access to the WordPress admin panel or the server itself. Given just a URL, it can identify:
- The WordPress version (and whether it’s vulnerable)
- Installed plugins and their versions
- Installed themes and their versions
- Usernames (via author enumeration and the REST API)
- Exposed configuration files, debug logs, and backup files
- Directory listing and other misconfigurations
- Known vulnerabilities in WordPress core, plugins, and themes (with API key)
As always, only scan WordPress installations you own or have explicit written permission to test.
Installation
WPScan is pre-installed on Kali Linux. To update it to the latest version:
sudo gem update wpscan
On other Debian-based systems, install it via RubyGems (WPScan is now a Ruby gem rather than a raw Ruby script):
sudo apt install ruby ruby-dev build-essential libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev zlib1g-dev
sudo gem install wpscan
Once installed, update the local database of WordPress vulnerabilities:
wpscan --update
The WPScan API Key (Essential for Vulnerability Data)
This is the most important change since the early days of WPScan: vulnerability data now requires an API key. Without one, WPScan will still enumerate plugins, themes, and users, but it won’t tell you whether any of them are actually vulnerable. For security assessments, the API key is effectively essential.
Getting a key is straightforward and the free tier is generous enough for most use cases:
- Register for a free account at wpscan.com/register
- Confirm your email address
- Log in and navigate to your profile; your API token is displayed there
The free tier allows 25 API requests per day, which covers most individual assessments. Paid plans are available if you’re scanning at scale or running automated pipelines.
Once you have your key, pass it to WPScan with the --api-token flag:
wpscan --url https://example.com --api-token YOUR_API_TOKEN_HERE
Alternatively, add it to WPScan’s config file so you don’t have to type it every time. Create or edit ~/.wpscan/scan.yml:
cli_options:
  api_token: YOUR_API_TOKEN_HERE
With the API token configured, WPScan will pull live vulnerability data for every plugin, theme, and core version it detects, including CVE references and links to advisories.
Basic Usage
A standard scan with vulnerability checking enabled:
wpscan --url https://example.com --api-token YOUR_TOKEN
This will detect the WordPress version, enumerate a default set of plugins and themes, check for known vulnerabilities, and report any interesting findings like exposed files or directory listing.
For more verbose output to see what’s happening in real time:
wpscan --url https://example.com --api-token YOUR_TOKEN -v
Enumeration Options
By default WPScan runs a passive scan. You can control what it enumerates with the --enumerate (or -e) flag:
- p: Popular plugins (top ~1,800)
- ap: All plugins (aggressive, slower)
- t: Popular themes
- at: All themes
- u: User enumeration
- vp: Vulnerable plugins only
- vt: Vulnerable themes only
You can combine these. For example, to enumerate all plugins and users:
wpscan --url https://example.com --api-token YOUR_TOKEN --enumerate ap,u
To enumerate only vulnerable plugins and themes (faster, lower API usage):
wpscan --url https://example.com --api-token YOUR_TOKEN --enumerate vp,vt
Username Enumeration and Password Brute Forcing
WPScan can enumerate WordPress usernames via the author archive pages and the REST API. Combine this with a wordlist to brute force login credentials:
wpscan --url https://example.com --enumerate u
Once you have usernames, brute force with a wordlist:
wpscan --url https://example.com --usernames admin --passwords /usr/share/wordlists/rockyou.txt --threads 10
Keep thread counts reasonable: hammering a login page with 50+ threads will trigger lockouts and is easy to detect.
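The enumeration and login traffic described above shows up plainly in web server access logs, so here is a small detector, added here and not part of the original tutorial or of WPScan itself. It parses combined-format log lines (a constructed sample is built inline; the scanner user-agent string, IP addresses and thresholds are assumptions) and flags clients that probe several ?author= IDs, list users through the REST API, announce a WPScan user-agent, or POST to wp-login.php in a burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCANNER_UA = "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"  # constructed UA string

def log_line(ip, ts, method, path, status, ua="Mozilla/5.0"):
    """Build one combined-format access log line; used here only to construct sample data."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

def build_sample():
    """Constructed traffic: one scanning client (203.0.113.7) and one ordinary user (198.51.100.4)."""
    t0 = datetime(2024, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = [log_line("203.0.113.7", t0, "GET", f"/?author={n}", 301, SCANNER_UA) for n in (1, 2, 3)]
    lines.append(log_line("203.0.113.7", t0 + timedelta(seconds=2), "GET", "/wp-json/wp/v2/users/", 200, SCANNER_UA))
    lines += [log_line("203.0.113.7", t0 + timedelta(seconds=5 + i), "POST", "/wp-login.php", 200) for i in range(25)]
    lines.append(log_line("198.51.100.4", t0 + timedelta(seconds=9), "POST", "/wp-login.php", 302))
    return lines

def analyse(lines, login_threshold=20, window_seconds=60):
    """Return {ip: [reasons]} for clients whose requests match the user enumeration and
    login brute-force behaviour described above. The thresholds are illustrative assumptions."""
    flagged, logins, authors = defaultdict(set), defaultdict(list), defaultdict(set)
    for e in (m.groupdict() for m in map(LOG_RE.match, lines) if m):  # unparseable lines are skipped
        ip = e["ip"]
        if "wpscan" in e["ua"].lower():
            flagged[ip].add("wpscan user-agent")
        if e["path"].startswith("/wp-json/wp/v2/users"):
            flagged[ip].add("rest api user listing")
        a = re.search(r"[?&]author=(\d+)", e["path"])
        if a:
            authors[ip].add(a.group(1))
            if len(authors[ip]) >= 3:  # several distinct author IDs probed from one client
                flagged[ip].add("author archive enumeration")
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            logins[ip].append(datetime.strptime(e["ts"], TS_FMT))
    for ip, stamps in logins.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window: login POSTs within window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= login_threshold:
                flagged[ip].add("login brute force")
                break
    return {ip: sorted(r) for ip, r in flagged.items()}
```

Feed `analyse()` real access log lines to get the same per-client reasons; a client that only changes its user-agent still trips the path-based and rate-based checks.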
Saving Output
WPScan can export results in JSON format, which is useful for parsing or feeding into a report:
wpscan --url https://example.com --api-token YOUR_TOKEN --output results.json --format json
Supported formats are json, cli, and cli-no-colour.
Scanning Through a Proxy
Like Nikto, WPScan supports routing traffic through a proxy, which is handy if you want to capture requests in Burp Suite or route through a VPN:
wpscan --url https://example.com --proxy http://127.0.0.1:8080 --api-token YOUR_TOKEN
Interpreting the Results
WPScan colour-codes its output: red items are high-priority findings, yellow are informational. With an API key, vulnerable plugins and themes will be listed with the specific CVE, a severity rating, and a link to the advisory. Pay particular attention to plugins with unauthenticated vulnerabilities: these are the ones that can be exploited without needing valid WordPress credentials.
Common high-value findings to look out for include outdated plugins with known remote code execution or SQL injection vulnerabilities, XML-RPC being enabled (which can be abused for credential brute forcing and DDoS amplification), user enumeration being possible (which makes brute force attacks easier), and exposed readme.html or license.txt files that reveal the exact WordPress version.
Practising Safely
If you want to practise WPScan without scanning a live site, spin up a vulnerable WordPress instance locally using DVWP (Damn Vulnerable WordPress) via Docker, or use one of the WordPress-focused machines on Hack The Box or TryHackMe. The Kioptrix series is also worth working through if you’re building out your enumeration skills more broadly.
You might also find the Nikto tutorial useful alongside this: Nikto gives you a broader web server perspective, while WPScan goes deep on the WordPress layer specifically.