WordPress powers roughly 40% of the public web, which makes it the single largest attack surface in web application security. WPScan is the de facto standard tool for auditing WordPress installations — it enumerates users, plugins, and themes, then cross-references findings against a continuously updated vulnerability database. If you’re conducting a web application penetration test that includes WordPress, WPScan is non-negotiable.
Installation
WPScan is a Ruby gem and ships with Kali Linux. On other systems:
# Install Ruby gem
gem install wpscan
# Via Docker (no Ruby required)
docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan --url https://target.com
# Update the vulnerability database
wpscan --update
WPScan API Key
WPScan’s vulnerability data is powered by the WPScan Vulnerability Database at wpscan.com. Without an API key, you get basic enumeration but no vulnerability lookups. A free tier provides 25 API calls per day — sufficient for most individual assessments.
Register at https://wpscan.com/register, then use the key:
wpscan --url https://target.com --api-token YOUR_API_TOKEN
Or store it in ~/.wpscan/scan.yml:
cli_options:
api_token: YOUR_API_TOKEN
Basic Scan
wpscan --url https://target.com
This performs a non-aggressive detection of:
- WordPress version
- Active theme and version
- Installed plugins (passively detected)
- Server headers and configuration hints
User Enumeration
WordPress historically leaks usernames through author archive pages and the REST API. WPScan automates this:
wpscan --url https://target.com --enumerate u
WPScan tries multiple methods:
/?author=1 redirects revealing the username in the URL
/wp-json/wp/v2/users REST API endpoint
- Login error messages differentiating valid vs. invalid usernames
Discovered usernames become targets for password attacks or credential stuffing.
Plugin Enumeration
Plugins are the most common source of WordPress vulnerabilities. Enumerate them aggressively:
wpscan --url https://target.com --enumerate p --plugins-detection aggressive
Detection modes:
| Mode | Speed | Accuracy |
|---|
passive | Fast | Low — only what’s in page source |
mixed | Medium | Medium |
aggressive | Slow | High — probes known plugin paths |
Aggressive mode sends requests to common plugin file paths (e.g., /wp-content/plugins/contact-form-7/readme.txt) to confirm installation and version. Combined with the API key, WPScan reports whether that version has known CVEs.
Theme Enumeration
wpscan --url https://target.com --enumerate t --plugins-detection aggressive
Themes frequently expose version information in style.css. Outdated or abandoned themes with known vulnerabilities are a common entry point.
Full Enumeration
Run everything in one command:
wpscan --url https://target.com \
--enumerate u,p,t,tt,cb,dbe \
--plugins-detection aggressive \
--api-token YOUR_API_TOKEN \
-o report.json \
--format json
Enumeration targets:
u — users
p — plugins
t — themes
tt — timthumbs (old vulnerable script)
cb — config backups
dbe — DB exports (accessible .sql files)
Interpreting Vulnerability Output
With an API token, WPScan maps findings to the vulnerability database:
[!] Plugin: contact-form-7 4.9.1
| [!] Title: Contact Form 7 < 5.3.2 - Unrestricted File Upload
| Fixed in: 5.3.2
| References:
| - https://wpscan.com/vulnerability/...
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35489
Each finding links to full details including CVSS score, proof-of-concept availability, and affected versions. Prioritize findings with available exploits and high CVSS scores.
Password Attacks
Once you have a username, WPScan can attack the login form:
wpscan --url https://target.com \
--username admin \
--passwords /usr/share/wordlists/rockyou.txt \
--password-attack wp-login
WPScan also supports XML-RPC as an attack vector, which allows multiple password attempts per request and can bypass basic rate limiting:
wpscan --url https://target.com \
--usernames admin \
--passwords /usr/share/wordlists/rockyou.txt \
--password-attack xmlrpc-multicall
Note: Password attacks generate significant noise. Only use these against systems you’re explicitly authorized to test.
| Finding | Impact | Remediation |
|---|
| Outdated plugin with CVE | High — often RCE or SQLi | Update immediately |
| User enumeration enabled | Medium — aids credential attacks | Disable REST API user endpoint, use security plugin |
readme.html present | Low — reveals WordPress version | Delete file, keep WordPress updated |
| XML-RPC enabled | Medium — enables brute force | Disable if not needed |
| Directory listing enabled | Medium — exposes file structure | Add Options -Indexes to .htaccess |
Accessible wp-config.php backup | Critical — exposes DB credentials | Remove all backup files from web root |
Automating with Scripts
For recurring assessments, pipe WPScan output into a processing script:
wpscan --url https://target.com \
--api-token $WPSCAN_TOKEN \
--format json \
-o /tmp/scan.json
# Extract high-severity findings with jq
jq '.plugins[] | select(.vulnerabilities | length > 0) | {name: .slug, vulns: .vulnerabilities}' /tmp/scan.json
Legal and Ethical Scope
WPScan’s aggressive enumeration generates hundreds of HTTP requests. Always confirm you have written authorization before running it against any WordPress installation. Running WPScan against a production site without permission is unauthorized computer access regardless of the tool’s legitimate purpose.
Used within scope, WPScan is an invaluable part of any web application assessment — it turns hours of manual plugin research into a five-minute automated audit.