What is WPScan?
WPScan is a security tool specializing in vulnerability scanning of WordPress sites. It is written in Ruby and is designed to detect common weaknesses in WordPress installations, such as vulnerable plugins, vulnerable themes, and weak configurations. WPScan is widely used by security professionals, pentesters, and system administrators to assess the security of WordPress sites.
Concept Behind WPScan
WordPress is the most popular content management system (CMS) on the internet, making it a frequent target of attacks. WPScan automates the process of identifying security issues in:
- WordPress Version: Checks if the installed version is vulnerable to known attacks.
- Plugins: Checks installed plugins and their versions for known vulnerabilities.
- Themes: Checks installed themes and their versions for known vulnerabilities.
- Users: Enumerates WordPress users, the usernames a brute force attack would need.
- Weak Configurations: Identifies exploitable configurations.
WPScan uses a database of known vulnerabilities (which is regularly updated) to compare against components detected on the target site.
Preferred Usage
wpscan --url http://target.com -e ap,t,tt,u --disable-tls-checks --api-token $WPSCANKEY
| Command Part | Meaning | What It Does |
|---|---|---|
| wpscan | Tool | Launches the WordPress security scanner. |
| --url http://target.com | Target | Sets the address of the WordPress site to be scanned. |
| -e | Enumeration Mode | Enables enumeration, the process of discovering site-specific information; the comma-separated values that follow select what to enumerate. |
| ap | All Plugins | Tries to detect every plugin in WPScan's plugin list, not just the popular or known-vulnerable ones (more requests than p or vp). |
| t | Popular Themes | Detects only installed popular themes. |
| tt | Timthumbs | Searches for known-vulnerable versions of the timthumb.php image-resizing script. |
| u | Users | Lists site users, attempting to discover valid login names. |
| --disable-tls-checks | TLS/SSL Option | Disables SSL/TLS certificate validation. This is useful when scanning sites that use self-signed, expired, or mismatched SSL certificates, which is common in development or testing environments. |
| --api-token $WPSCANKEY | API Token | Without a token WPScan only lists the components it detects; with a token it also shows the known vulnerabilities for each one. Register at wpscan.com for a free token (25 requests per day) and pass it here, for example from an environment variable as shown. |
Basic Usage
wpscan --url http://example.com #Basic WordPress Scan
wpscan --url http://example.com --enumerate u #Enumerate Users
wpscan --url http://example.com --api-token <YOUR_API_KEY> #Use API Token for Vulnerability Data
wpscan --update # Update the database
Target Enumeration
wpscan --url http://example.com --enumerate #Default Enumeration Set (vp,vt,tt,cb,dbe,u,m)
wpscan --url http://example.com --enumerate u #Enumerate Users
wpscan --url http://example.com --enumerate p #Enumerate Plugins
wpscan --url http://example.com --enumerate vp #Enumerate Vulnerable Plugins
wpscan --url http://example.com --enumerate ap #Enumerate All Plugins (Not Just Active)
wpscan --url http://example.com --enumerate vt #Enumerate Vulnerable Themes
wpscan --url http://example.com --enumerate at #Enumerate All Themes
wpscan --url http://example.com --enumerate cb #Enumerate Config Backups
Brute-Forcing WordPress Logins
wpscan --url http://example.com -U admin -P rockyou.txt #Brute-Force Admin Password
wpscan --url http://example.com --usernames users.txt --passwords passwords.txt #Multi-User Brute-Force
wpscan --url http://example.com --usernames admin --passwords passwords.txt --max-threads 10 #Speed Up Brute-Force
wpscan --url http://example.com --usernames admin --passwords rockyou.txt --throttle 1000 #Add 1-Second Delay Between Requests (--throttle is in milliseconds)
Detecting Vulnerabilities
wpscan --url http://example.com --enumerate vp #Enumerate Vulnerable Plugins
wpscan --url http://example.com --enumerate vt #Enumerate Vulnerable Themes
wpscan --url http://example.com --api-token <YOUR_API_KEY> #Use API for Latest Vulnerability Data
wpscan --url http://example.com --detection-mode aggressive #Aggressive Detection Mode
User Enumeration and Exploitation
wpscan --url http://example.com --enumerate u #Enumerate Users
wpscan --url http://example.com --enumerate u --wp-content-dir wp-content #Custom WordPress Directory
wpscan --url http://example.com -U admin -P passwords.txt --force #Skip the WordPress/403 Pre-Check Before the Password Attack
wpscan --url http://example.com --wp-content-dir custom-dir #Scan Custom WordPress Installation
Plugin and Theme Analysis
wpscan --url http://example.com --enumerate p #Enumerate Installed Plugins
wpscan --url http://example.com --enumerate ap #Enumerate All Plugins (Active & Inactive)
wpscan --url http://example.com --enumerate vp #Enumerate Vulnerable Plugins
wpscan --url http://example.com --enumerate vt #Enumerate Vulnerable Themes
Configuration and Backup Files Enumeration
wpscan --url http://example.com --enumerate cb #Enumerate Config Backups
wpscan --url http://example.com --enumerate dbe #Enumerate Database Exports
wpscan --url http://example.com --enumerate m #Enumerate Media IDs
Performance Tuning
wpscan --url http://example.com --max-threads 20 #Increase Scan Speed
wpscan --url http://example.com --throttle 1000 #Add 1-Second Delay Between Requests (milliseconds)
wpscan --url http://example.com --random-user-agent #Use Random User-Agents
wpscan --url http://example.com --request-timeout 10 #Set Request Timeout
Bypassing Security Measures
wpscan --url http://example.com --proxy http://127.0.0.1:8080 #Use Proxy
wpscan --url http://example.com --proxy socks5://127.0.0.1:9050 #Use SOCKS5 Proxy
wpscan --url http://example.com --random-user-agent #Spoof User-Agent
wpscan --url http://example.com --headers "X-Forwarded-For: 127.0.0.1" #Bypass WAF
Stealth Mode and Obfuscation
wpscan --url http://example.com --quiet #Silent Mode (No Output)
wpscan --url http://example.com --random-user-agent #Use Random User-Agent
wpscan --url http://example.com --proxy http://127.0.0.1:8080 #Route Through Proxy
wpscan --url http://example.com --throttle 5000 #Add 5-Second Delay to Reduce Detection (milliseconds)
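The random user agent and throttling above defeat simple user-agent or rate matching, so a defender keys on the request pattern instead. Added example, not from the page or the WPScan project: it scores constructed Apache log lines per source IP against the footprint of the enumeration and password-attack options listed on this page; the paths, thresholds and the assumption that the default user agent names the tool are mine.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines, not a real capture: 203.0.113.7 produces the request
# pattern of the enumeration and password-attack options above, 198.51.100.3 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /wp-json/wp/v2/users/?per_page=100 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/May/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.3 - - [10/May/2024:10:01:00 +0000] "GET /2024/05/hello-world/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.3 - - [10/May/2024:10:01:05 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
README_RE = re.compile(r"^/wp-content/(plugins|themes)/[^/]+/readme\.txt$")
# Rules: (reason, counter, minimum hits per source IP). Thresholds are example values; tune per site.
RULES = [("author id sweep", "author_ids", 2), ("REST users listing", "rest_users", 1),
         ("plugin/theme readme probing", "readme_probes", 2),
         ("wp-login.php password guessing", "login_posts", 2), ("WPScan user-agent", "wpscan_ua", 1)]


def detect_wp_enumeration(log_text):
    """Return {ip: [reasons]} for sources whose request pattern matches WordPress enumeration."""
    stats = defaultdict(lambda: {"author_ids": set(), "rest_users": 0, "readme_probes": 0,
                                 "login_posts": 0, "wpscan_ua": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, ua = m.groups()
        s = stats[ip]
        author = re.search(r"[?&]author=(\d+)", path)
        if author:  # /?author=N redirects reveal usernames; count distinct ids, not requests
            s["author_ids"].add(author.group(1))
        s["rest_users"] += int(path.startswith("/wp-json/wp/v2/users"))
        s["readme_probes"] += int(bool(README_RE.match(path)))  # plugin/theme version fingerprinting
        s["login_posts"] += int(method == "POST" and path.startswith("/wp-login.php"))
        s["wpscan_ua"] += int("wpscan" in ua.lower())  # default UA names the tool (assumption)
    flagged = {}
    for ip, s in stats.items():
        reasons = [reason for reason, key, minimum in RULES
                   if (len(s[key]) if isinstance(s[key], set) else s[key]) >= minimum]
        if reasons:
            flagged[ip] = reasons
    return flagged
```

A single readme.txt fetch from a normal visitor stays below the threshold; the scanner is flagged on several independent signals even though its user agent looks like a browser.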
Saving and Exporting Results
wpscan --url http://example.com -o results.txt #Save Results to File
wpscan --url http://example.com -o results.json --format json #Save Results as JSON
wpscan --url http://example.com --log wpscan.log #Save Scan Log
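Once results are saved as JSON they can be triaged in code rather than read by eye. Added example, not from the page or the WPScan project: it parses a constructed report whose field names follow the JSON layout as I know it (an assumption), separating known-vulnerable components from merely outdated ones and listing the enumerated users.

```python
import json

# Constructed sample in the shape of a WPScan JSON report (wpscan -o results.json -f json).
# The field names (version.number, plugins.<slug>.outdated, .latest_version, .vulnerabilities,
# users.<name>) follow the report layout as I know it and are an assumption, not real scan output.
SAMPLE_REPORT = json.dumps({
    "target_url": "http://example.com/",
    "version": {"number": "5.8", "status": "insecure", "vulnerabilities": [
        {"title": "WordPress < 5.8.3 - constructed core issue", "fixed_in": "5.8.3"}]},
    "plugins": {
        "contact-form-7": {"slug": "contact-form-7", "outdated": True, "latest_version": "5.9",
                           "version": {"number": "5.3.1"}, "vulnerabilities": [
                               {"title": "Contact Form 7 < 5.3.2 - constructed issue", "fixed_in": "5.3.2"}]},
        "akismet": {"slug": "akismet", "outdated": False, "latest_version": "5.3",
                    "version": {"number": "5.3"}, "vulnerabilities": []},
    },
    "themes": {
        "twentytwenty": {"slug": "twentytwenty", "outdated": True, "latest_version": "2.5",
                         "version": {"number": "1.0"}, "vulnerabilities": []},
    },
    "users": {"admin": {"id": 1, "slug": "admin"}, "editor": {"id": 2, "slug": "editor"}},
})


def triage(report_json):
    """Group a WPScan JSON report into what needs patching, what is merely stale, and who is exposed.

    Returns {"vulnerable": [(component, version, title, fixed_in)],
             "outdated":   [(component, version, latest_version)],
             "users":      [username, ...]}.
    """
    report = json.loads(report_json)
    out = {"vulnerable": [], "outdated": [], "users": []}
    core = report.get("version") or {}  # absent when WPScan could not fingerprint the core version
    for vuln in core.get("vulnerabilities", []):
        out["vulnerable"].append(("core", core.get("number"), vuln["title"], vuln.get("fixed_in")))
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            name = f"{kind[:-1]}:{slug}"
            version = (comp.get("version") or {}).get("number")  # None if the version was not detected
            for vuln in comp.get("vulnerabilities", []):
                out["vulnerable"].append((name, version, vuln["title"], vuln.get("fixed_in")))
            if comp.get("outdated"):
                out["outdated"].append((name, version, comp.get("latest_version")))
    # Enumerated usernames are a finding in themselves: they are the first input to a password attack.
    out["users"] = sorted((report.get("users") or {}).keys())
    return out
```

Without --api-token the vulnerabilities arrays in the report are empty, so an empty "vulnerable" list means no data, not a clean site.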
Combining Multiple Options
wpscan --url http://example.com --enumerate u,vp,vt --max-threads 15 --random-user-agent #Multi-Enumeration with Speed & Stealth (p and vp are mutually exclusive, so pick one plugin mode)
wpscan --url http://example.com -U admin -P rockyou.txt --proxy socks5://127.0.0.1:9050 --random-user-agent #Brute-Force via Proxy with Spoofed User-Agent
Troubleshooting and Debugging
wpscan --url http://example.com --debug-output debug.log #Enable Debug Logging
wpscan --url http://example.com --disable-tls-checks #Ignore SSL/TLS Errors
Best Practices
wpscan --url http://example.com --enumerate u,vp,vt --api-token YOUR_API_KEY --max-threads 20 #Full Scan with API Data (only one of p/ap/vp may be used)
wpscan --url http://example.com -U admin -P rockyou.txt --max-threads 10 --throttle 1000 #Slow Brute-Force to Avoid Lockouts (1-second delay, in milliseconds)
wpscan --url http://example.com --random-user-agent --proxy socks5://127.0.0.1:9050 #Stealth Scan via Proxy