
WPScan

WordPress security scanner

Description

WPScan is a free, non-commercial WordPress security scanner. It detects known vulnerabilities in WordPress core, plugins and themes, and can enumerate users.

Installation

BASH
gem install wpscan

# Using Docker
docker pull wpscanteam/wpscan

Basic Usage

BASH
# Basic scan
wpscan --url https://target.com

# Enumerate plugins
wpscan --url https://target.com -e ap

Advanced Usage

BASH
# Enumerate users
wpscan --url https://target.com -e u

# Aggressive plugin detection
wpscan --url https://target.com -e ap --plugins-detection aggressive

# With API token
wpscan --url https://target.com --api-token YOUR_TOKEN

# Password brute force
wpscan --url https://target.com -U admin -P passwords.txt

# Enumerate all plugins, all themes and users (ap/at already include the
# vulnerable-only subsets vp/vt; WPScan rejects combining them as incompatible)
wpscan --url https://target.com -e ap,at,u

# Output formats
wpscan --url https://target.com -o report.json -f json
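As an added example that is not part of WPScan or this page, the following Python script triages a report in the shape of the `-f json` output above: it keeps only plugin findings whose detected version is still older than `fixed_in` (or where either version is unknown) and lists the enumerated usernames. The report layout (`plugins` keyed by slug, `version.number`, `vulnerabilities[].fixed_in`, `users`) and all values are assumed and constructed inline.

```python
import json

# Constructed sample shaped like a WPScan `-f json` report (assumed layout:
# plugin slug -> detected version and vulnerabilities; most fields trimmed).
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example.com/",
    "version": {"number": "6.4.2", "status": "latest"},
    "plugins": {
        "example-forms": {            # still affected: 2.1.0 < fixed_in 2.2.0
            "version": {"number": "2.1.0"},
            "vulnerabilities": [{"title": "Example Forms < 2.2.0 - placeholder",
                                 "fixed_in": "2.2.0"}]},
        "example-gallery": {          # already patched: 3.0.1 >= 3.0.0
            "version": {"number": "3.0.1"},
            "vulnerabilities": [{"title": "Example Gallery < 3.0.0 - placeholder",
                                 "fixed_in": "3.0.0"}]},
        "example-slider": {           # version not detected: keep as a finding
            "version": None,
            "vulnerabilities": [{"title": "Example Slider - placeholder",
                                 "fixed_in": "1.4.0"}]},
    },
    "users": {"admin": {"id": 1}},
})

def version_tuple(v):
    """'2.1.0' -> (2, 1, 0); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def triage(report_json):
    """Return (findings, usernames): findings are plugin vulnerabilities that
    still apply because the detected version is older than fixed_in, or
    because the version or the fix version is unknown."""
    report = json.loads(report_json)
    findings = []
    for slug, plugin in report.get("plugins", {}).items():
        installed = (plugin.get("version") or {}).get("number")
        for vuln in plugin.get("vulnerabilities", []):
            fixed = vuln.get("fixed_in")
            if (installed is None or fixed is None
                    or version_tuple(installed) < version_tuple(fixed)):
                findings.append({"plugin": slug, "installed": installed,
                                 "fixed_in": fixed, "title": vuln.get("title")})
    return findings, sorted(report.get("users", {}))

if __name__ == "__main__":
    found, users = triage(SAMPLE_REPORT)
    for f in found:
        print(f"[!] {f['plugin']} {f['installed']} -> fix in {f['fixed_in']}: {f['title']}")
    print("[i] enumerable usernames:", ", ".join(users))
```

Run it against a real `report.json` by passing the file contents to `triage()` instead of the constructed sample; the enumerated usernames are worth reviewing because they feed the password brute-force mode shown above.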