wpscan
Scan WordPress sites for vulnerabilities
TLDR
Update the vulnerability database
Scan a WordPress website
Scan a WordPress website, using random user agents and passive detection
Scan a WordPress website, checking for vulnerable plugins and specifying the path to the wp-content directory
Scan a WordPress website through a proxy
Perform user ID enumeration on a WordPress website
Execute a password guessing attack on a WordPress website
Scan a WordPress website, collecting vulnerability data from the WPVulnDB (
SYNOPSIS
wpscan --url <target_url> [options]
wpscan --update
wpscan --help
PARAMETERS
--url
Specifies the target WordPress website URL to scan.
Example: https://www.example.com
--update
Updates the WPScan vulnerability database to the latest version.
--enumerate
Enumerates various items.
Common items include: u (users), vp (vulnerable plugins), ap (all plugins), vt (vulnerable themes), at (all themes), dbe (database exports). Can be combined, e.g., u,vp,vt.
--plugins-detection
Sets the plugin detection mode.
Modes: passive (default, faster), aggressive (more thorough, slower).
--api-token
Provides your WPScan API token for full vulnerability database access and higher rate limits.
--wp-content-dir
Specifies a custom path for the wp-content directory if it's not in its default location.
--proxy
Routes all requests through a specified proxy server.
Example: http://127.0.0.1:8080 or socks5://127.0.0.1:9050
--random-agent
Uses a random User-Agent for each request to potentially evade detection.
--force
Forces the scan to run even if WPScan cannot confidently identify the target as a WordPress site.
--verbose
Displays verbose output, showing more details about the scanning process.
--format
Specifies the output format for the scan results.
Formats: json, cli-no-color.
--output
Saves the scan results to the specified file.
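An added example, not part of this page or of the WPScan project: a Python snippet that reads a report saved with --format json --output and reduces it to what the site owner has to act on (plugin vulnerabilities that still apply to the installed version, core vulnerability count, and the accounts exposed by --enumerate u). The JSON field names and the sample report are assumptions modelled on WPScan's JSON output, not data from a real scan.

```python
import json

# Constructed sample shaped like a `wpscan --format json` report. The field names
# (plugins -> version.number, vulnerabilities[].fixed_in, users) are assumed from
# wpscan's JSON output and are not taken from a real scan.
SAMPLE_REPORT = json.dumps({
    "target_url": "https://blog.example.test/",
    "version": {"number": "6.4.2", "status": "latest", "vulnerabilities": []},
    "plugins": {
        "contact-form-7": {
            "slug": "contact-form-7",
            "version": {"number": "5.7.0"},
            "latest_version": "5.9.2",
            "vulnerabilities": [
                {"title": "Example plugin < 5.8.4 - Unauthenticated File Upload",
                 "fixed_in": "5.8.4"},
            ],
        },
        # Already patched: the listed issue was fixed before the installed version.
        "akismet": {"slug": "akismet", "version": {"number": "5.3"},
                    "latest_version": "5.3",
                    "vulnerabilities": [{"title": "Example - old issue", "fixed_in": "5.2"}]},
    },
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
})


def version_tuple(v):
    """Turn a dotted version such as '5.8.4' into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def summarize_report(report_json):
    """Reduce a wpscan JSON report to the items a defender has to act on."""
    report = json.loads(report_json)
    findings = []
    for slug, plugin in report.get("plugins", {}).items():
        installed = (plugin.get("version") or {}).get("number")
        for vuln in plugin.get("vulnerabilities", []):
            fixed_in = vuln.get("fixed_in")
            # The issue still applies when the installed version is below the fix
            # version; treat an unknown version on either side as still applying.
            applies = (installed is None or fixed_in is None
                       or version_tuple(installed) < version_tuple(fixed_in))
            findings.append({"slug": slug, "installed": installed, "fixed_in": fixed_in,
                             "title": vuln.get("title"), "applies": applies})
    core = report.get("version") or {}
    return {
        "core_version": core.get("number"),
        "core_vulnerabilities": len(core.get("vulnerabilities", [])),
        "vulnerable_plugins": [f for f in findings if f["applies"]],
        "enumerated_users": sorted(report.get("users", {})),
    }
```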
DESCRIPTION
wpscan is a powerful, free for non-commercial use, black-box WordPress security scanner designed for penetration testers and security professionals.
It helps identify security weaknesses in WordPress installations, including the core, plugins, and themes. wpscan operates by enumerating various components like users, installed plugins, and themes, and then cross-referencing their versions against a comprehensive database of known vulnerabilities. It can detect common misconfigurations, weak passwords, exposed debug files, and sensitive information disclosure, providing valuable insights into a WordPress site's security posture. It requires regular updates to its vulnerability database to remain effective.
CAVEATS
WPScan's free version is for non-commercial use only. Commercial use or full API access requires an API token, which may be subject to subscription or rate limits.
It is a black-box scanner, meaning it interacts with the web application externally without access to server logs or internal configurations, which limits its depth of analysis.
Scans can be detected by Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) if not performed carefully (e.g., without proxies or stealth options).
The effectiveness of WPScan heavily relies on its vulnerability database being up-to-date, requiring regular use of the --update option.
WPSCAN API TOKEN
To leverage WPScan's full potential, especially for up-to-date vulnerability detection, an API token is highly recommended. It grants access to the most comprehensive vulnerability database and increases the rate limits for scans. A free token is available for personal, non-commercial use, typically allowing a certain number of API requests per day. Users can register on the WPScan website to obtain their token.
INSTALLATION
WPScan is primarily distributed as a Ruby gem, making its installation straightforward on systems with Ruby installed. It can often be installed via package managers on various Linux distributions (e.g., apt install wpscan on Debian/Ubuntu or gem install wpscan). Ensuring the correct Ruby version and dependencies are met is crucial for a smooth setup.
HISTORY
WPScan was originally created around 2011 by a team of ethical hackers as an open-source project dedicated to enhancing WordPress security. Over the years, it gained significant popularity within the cybersecurity community for its effectiveness and regular updates. The project transitioned to be maintained by the WPScan team and eventually became part of Rapid7, a leading cybersecurity company. The introduction of the WPScan API token was a key development, allowing the project to fund the maintenance of its extensive vulnerability database and provide advanced features and higher rate limits to users, ensuring its continued development and reliability.