Ethical Hacking #wpscan#wordpress#web-security

WPScan: WordPress Penetration Testing Guide

Audit WordPress sites with WPScan. Enumerate users, plugins, and themes, detect vulnerabilities, use the API key, and understand remediation steps.

7 min read

WordPress powers roughly 40% of the public web, which makes it the single largest attack surface in web application security. WPScan is the de facto standard tool for auditing WordPress installations — it enumerates users, plugins, and themes, then cross-references findings against a continuously updated vulnerability database. If you’re conducting a web application penetration test that includes WordPress, WPScan is non-negotiable.

Installation

WPScan is a Ruby gem and ships with Kali Linux. On other systems:

# Install Ruby gem
gem install wpscan

# Via Docker (no Ruby required)
docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --url https://target.com

# Update the vulnerability database
wpscan --update

WPScan API Key

WPScan’s vulnerability data is powered by the WPScan Vulnerability Database at wpscan.com. Without an API key, you get basic enumeration but no vulnerability lookups. A free tier provides 25 API calls per day — sufficient for most individual assessments.

Register at https://wpscan.com/register, then use the key:

wpscan --url https://target.com --api-token YOUR_API_TOKEN

Or store it in ~/.wpscan/scan.yml:

cli_options:
  api_token: YOUR_API_TOKEN

Basic Scan

wpscan --url https://target.com

This performs a non-aggressive detection of:

  • WordPress version
  • Active theme and version
  • Installed plugins (passively detected)
  • Server headers and configuration hints

User Enumeration

WordPress historically leaks usernames through author archive pages and the REST API. WPScan automates this:

wpscan --url https://target.com --enumerate u

WPScan tries multiple methods:

  • /?author=1 redirects revealing the username in the URL
  • /wp-json/wp/v2/users REST API endpoint
  • Login error messages differentiating valid vs. invalid usernames

Discovered usernames become targets for password attacks or credential stuffing.

Plugin Enumeration

Plugins are the most common source of WordPress vulnerabilities. Enumerate them aggressively:

wpscan --url https://target.com --enumerate p --plugins-detection aggressive

Detection modes:

ModeSpeedAccuracy
passiveFastLow — only what’s in page source
mixedMediumMedium
aggressiveSlowHigh — probes known plugin paths

Aggressive mode sends requests to common plugin file paths (e.g., /wp-content/plugins/contact-form-7/readme.txt) to confirm installation and version. Combined with the API key, WPScan reports whether that version has known CVEs.

Theme Enumeration

wpscan --url https://target.com --enumerate t --plugins-detection aggressive

Themes frequently expose version information in style.css. Outdated or abandoned themes with known vulnerabilities are a common entry point.

Full Enumeration

Run everything in one command:

wpscan --url https://target.com \
  --enumerate u,p,t,tt,cb,dbe \
  --plugins-detection aggressive \
  --api-token YOUR_API_TOKEN \
  -o report.json \
  --format json

Enumeration targets:

  • u — users
  • p — plugins
  • t — themes
  • tt — timthumbs (old vulnerable script)
  • cb — config backups
  • dbe — DB exports (accessible .sql files)

Interpreting Vulnerability Output

With an API token, WPScan maps findings to the vulnerability database:

[!] Plugin: contact-form-7 4.9.1
 | [!] Title: Contact Form 7 < 5.3.2 - Unrestricted File Upload
 | Fixed in: 5.3.2
 | References:
 |  - https://wpscan.com/vulnerability/...
 |  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489

Each finding links to full details including CVSS score, proof-of-concept availability, and affected versions. Prioritize findings with available exploits and high CVSS scores.

Password Attacks

Once you have a username, WPScan can attack the login form:

wpscan --url https://target.com \
  --username admin \
  --passwords /usr/share/wordlists/rockyou.txt \
  --password-attack wp-login

WPScan also supports XML-RPC as an attack vector, which allows multiple password attempts per request and can bypass basic rate limiting:

wpscan --url https://target.com \
  --usernames admin \
  --passwords /usr/share/wordlists/rockyou.txt \
  --password-attack xmlrpc-multicall

Note: Password attacks generate significant noise. Only use these against systems you’re explicitly authorized to test.

Common Findings and Remediation

FindingImpactRemediation
Outdated plugin with CVEHigh — often RCE or SQLiUpdate immediately
User enumeration enabledMedium — aids credential attacksDisable REST API user endpoint, use security plugin
readme.html presentLow — reveals WordPress versionDelete file, keep WordPress updated
XML-RPC enabledMedium — enables brute forceDisable if not needed
Directory listing enabledMedium — exposes file structureAdd Options -Indexes to .htaccess
Accessible wp-config.php backupCritical — exposes DB credentialsRemove all backup files from web root

Automating with Scripts

For recurring assessments, pipe WPScan output into a processing script:

wpscan --url https://target.com \
  --api-token $WPSCAN_TOKEN \
  --format json \
  -o /tmp/scan.json

# Extract high-severity findings with jq
jq '.plugins[] | select(.vulnerabilities | length > 0) | {name: .slug, vulns: .vulnerabilities}' /tmp/scan.json

WPScan’s aggressive enumeration generates hundreds of HTTP requests. Always confirm you have written authorization before running it against any WordPress installation. Running WPScan against a production site without permission is unauthorized computer access regardless of the tool’s legitimate purpose.

Used within scope, WPScan is an invaluable part of any web application assessment — it turns hours of manual plugin research into a five-minute automated audit.

#cms #vulnerability-scanning #web-security #wordpress #wpscan