WPSCAN

Security Scanner

WPScan is a WordPress security scanner used to test WordPress installations and WordPress-powered websites. It is a command-line tool used in Kali Linux. It can find vulnerable plugins, themes, or backups running on a site. It is usually used by individual WordPress site owners to test their own websites for vulnerabilities, and by large organizations to maintain a secure website. The tool can also enumerate users and perform brute-force attacks on known WordPress users. In this article, we take you through the different WPScan commands, the most commonly used attacks on WordPress sites, and tips to defend against them. The functionality below can be used from the point of view of a hacker or of someone who simply wants to test whether their WordPress site is secure enough.


SYSTEM REQUIREMENTS

RAM : Minimum 500 MB (more required for large scans).

Storage : Minimum 50 MB for Installation (more required for scans).

OS : Linux, macOS, and Windows (via Docker or Ruby).

Architecture : Compatible with x86 and x64 systems.

Available On : PC


ADDITIONAL INFORMATION

Published By

WPScan Team.

Release Date

Around 2011.

Approximate Size

19 MB

Publisher Info

WPScan Team is a group of security researchers and developers.

Supported Languages

English

Last Update

24 February 2025, version 3.8.28

Programming Language

Primarily written in Ruby.

Operating System

Cross-platform

License

Open-source (GNU General Public License).

  • WordPress vulnerability scanner: WPScan checks for security vulnerabilities in your WordPress installation, including outdated WordPress versions, outdated plugins, and themes with known security issues.
  • User enumeration: WPScan can be used to check if a WordPress site is susceptible to user enumeration, which is a technique used by attackers to identify valid usernames.
  • Plugin and theme enumeration: WPScan can enumerate plugins and themes installed on a WordPress site, which can help identify potential security issues.

  • Basic Scan: To perform a basic scan of a WordPress site.
  • Enumerate Plugins: To enumerate installed plugins on a target WordPress site.
  • User Enumeration: WPScan’s enumeration tool can be used to check if your WordPress site is susceptible to user enumeration.
  • Customization: WPScan offers many configuration options, like timeout settings, connecting timeout, TLS checks, and proxy settings. Use these options to fine-tune the tool’s behavior according to your use case.

  • WordPress vulnerability scanner: WPScan can be used to identify potential security issues within your WordPress setup, including outdated core, themes, and plugins with known vulnerabilities.
  • User enumeration: WPScan’s enumeration tool helps check if your WordPress site is susceptible to user enumeration, which is a technique used by attackers to identify valid usernames.
  • Detecting weak passwords: WPScan can perform a brute force attack to test the strength of WordPress user passwords, which helps identify weak passwords that could be easily cracked.
  • Stealthy scanning: With the --stealthy or --random-user-agent flag, WPScan can scan your WordPress site more discreetly, making the scanning activity harder to detect.
  • WPScan in Kali Linux: WPScan is pre-installed in Kali Linux, making it easily accessible for penetration testing and security assessments on WordPress websites. Additionally, you can use Docker to run WPScan on other Linux distributions.
  • Offline scanning: WPScan can be used offline, which is useful when you need to scan a WordPress website without an internet connection, for example, if the site is on a private network or Intranet.

WPScan is a powerful tool for scanning WordPress websites for vulnerabilities. Here are some examples of its usage:

  1. Basic Scan : To perform a basic scan of a WordPress site, use : wpscan --url http://example.com
     This command checks for vulnerabilities in the WordPress core, plugins, and themes.

  2. Enumerating Plugins : To identify vulnerable plugins, use : wpscan --url http://example.com --enumerate vp
     This scans for plugins with known vulnerabilities.

  3. Password Brute-Force Attack : To test login credentials, use : wpscan --url http://example.com --passwords passwords.txt --usernames admin
     This attempts to log in using a list of passwords.

  4. Custom Content Directory : If the WordPress site uses a non-standard content directory, specify it : wpscan --url http://example.com --wp-content-dir custom-content

  5. Stealth Mode : To minimize detection, use : wpscan --url http://example.com --stealthy
     This randomizes user agents and uses passive detection techniques.

These examples highlight WPScan's versatility in identifying security issues in WordPress sites.
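An added example (not from the original page or the WPScan project): a defender-side check that flags the user-enumeration and password-guessing request patterns described above in a web access log, keyed on request behaviour rather than on the User-Agent, since stealth mode randomizes it. The log lines, thresholds, and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

def _line(ip, method, target, ua):
    # Build one constructed access-log line in combined log format.
    return (f'{ip} - - [01/Mar/2025:10:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample traffic (documentation IP ranges), not real logs.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", f"/?author={n}", f"Mozilla/5.0 (build {n})")
     for n in range(1, 5)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", "Mozilla/5.0 (build 9)")] * 6
    + [_line("198.51.100.20", "POST", "/wp-login.php", "Mozilla/5.0 (Windows)"),
       _line("198.51.100.20", "GET", "/?author=2", "Mozilla/5.0 (Windows)")])

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def classify(method, target):
    """Return the scan behaviour a request resembles, or None."""
    url = urlsplit(target)
    path = url.path.rstrip("/") or "/"
    if method == "GET" and ("author" in parse_qs(url.query)
                            or path == "/wp-json/wp/v2/users"):
        return "user_enum"
    if method == "POST" and path in ("/wp-login.php", "/xmlrpc.php"):
        return "login_attempt"
    return None

def detect(log_text, enum_threshold=3, login_threshold=5):
    """Flag client IPs whose request counts reach the (assumed) thresholds."""
    counts = defaultdict(lambda: defaultdict(int))
    agents = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = classify(m.group(2), m.group(3)) if m else None
        if kind:
            counts[m.group(1)][kind] += 1
            agents[m.group(1)].add(m.group(4))
    findings = {}
    for ip, c in counts.items():
        flags = [name for name, key, limit in (
            ("user_enum", "user_enum", enum_threshold),
            ("login_bruteforce", "login_attempt", login_threshold))
            if c[key] >= limit]
        if flags:
            # More than one User-Agent per IP suggests agent randomization.
            findings[ip] = {"flags": flags, "rotating_ua": len(agents[ip]) > 1}
    return findings
```

Running detect(SAMPLE_LOG) flags only the first address; the second, with a single login and a single author lookup, stays below both thresholds.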

  • Ruby
  • gem

Terminal Installation Commands ...

$ sudo apt-get update

$ git clone https://github.com/wpscanteam/wpscan.git


GUI Installation Steps ...
Linux
  1. Update the package list : sudo apt update
  2. Install WPScan : sudo apt install wpscan
  3. WPScan will be installed and ready to use.

Windows

Installation using Docker

  1. Install Docker Desktop from Docker's official site.
  2. Pull the WPScan Docker image : docker pull wpscanteam/wpscan
  3. Run WPScan : docker run -it wpscanteam/wpscan --help

Installation using WSL

  1. Enable WSL : wsl --install
  2. Install Ubuntu from the Microsoft Store.
  3. Follow the Linux installation steps (e.g., sudo apt install wpscan for Ubuntu).
MacOS

Using Homebrew (Recommended)

  1. Install Homebrew (if not already installed) :
     $ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

  2. Install WPScan : brew install wpscanteam/tap/wpscan

Using RubyGems

  1. Install dependencies : brew install ruby
  2. Install WPScan : gem install wpscan

Terminal Uninstallation Commands ...

$ sudo apt-get remove wpscan

$ sudo apt autoclean && sudo apt autoremove


GUI Uninstallation Steps ...
Linux
  1. Remove WPScan : sudo apt remove wpscan
  2. Remove dependencies that are no longer needed : sudo apt autoremove
  3. Purge WPScan configuration files (optional) : sudo apt purge wpscan
Windows
  1. Docker : Remove the WPScan image : docker rmi wpscanteam/wpscan
  2. WSL : Uninstall WPScan inside WSL using : sudo apt remove wpscan
MacOS

Homebrew

  1. To remove WPScan : brew uninstall wpscanteam/tap/wpscan

RubyGems

  1. To uninstall WPScan : gem uninstall wpscan

Copyright © 2025 HACKERSPOT

All original content, including tools, software, and other information, is protected by copyright and remains the property of its respective owners.
