WPScan

Overview

WPScan is a free, open-source WordPress security scanner that identifies vulnerable plugins, themes, weak passwords, and WordPress core vulnerabilities. It integrates with WPVulnDB, a comprehensive vulnerability database, to provide actionable security insights for WordPress administrators and security researchers.

Installation

Via RubyGems

gem install wpscan

Verify installation:

wpscan --version

Via Docker

docker pull wpscanteam/wpscan:latest

# Run WPScan in Docker
docker run -it --rm wpscanteam/wpscan:latest --url http://target.com

Via Package Manager (Linux)

# Ubuntu/Debian
sudo apt-get install wpscan

# Kali Linux (pre-installed)
wpscan --version

Manual Installation from Source

git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
bundle install
./wpscan.rb --version

API Token Setup

Obtaining a Free API Token

  1. Register at wpscan.com
  2. Verify your email
  3. Copy your API token from the dashboard

The free tier is limited to 25 API requests per day.

Configuring API Token

Store the token in ~/.wpscan/scan.json (WPScan also reads ~/.wpscan/scan.yml):

mkdir -p ~/.wpscan
cat > ~/.wpscan/scan.json << 'EOF'
{
  "cli_options": {
    "api_token": "YOUR_API_TOKEN_HERE"
  }
}
EOF
# The file holds a credential; keep it readable by your user only
chmod 600 ~/.wpscan/scan.json

Or pass token via command line:

wpscan --url http://target.com --api-token YOUR_API_TOKEN

Basic Scanning

Simple Target Scan

# Basic scan (no API token)
wpscan --url http://target.com

# Scan with API token
wpscan --url http://target.com --api-token YOUR_TOKEN

Specify WordPress Path

# WordPress is installed under /wordpress/ rather than the web root
wpscan --url http://target.com/wordpress --api-token YOUR_TOKEN

Follow Redirects

wpscan --url http://target.com --follow-redirects --api-token YOUR_TOKEN

Enumeration Options

Enumerate WordPress Version

# The core version is fingerprinted on every scan; no --enumerate flag is needed
wpscan --url http://target.com

Enumerate Plugins

# All plugins (ap); plain "p" enumerates only the popular plugins
wpscan --url http://target.com --enumerate ap

# Vulnerable plugins only
wpscan --url http://target.com --enumerate vp

# Popular plugins, using aggressive detection for the plugin enumeration step only
wpscan --url http://target.com --enumerate p --plugins-detection aggressive

Enumerate Themes

# All themes
wpscan --url http://target.com --enumerate t

# Vulnerable themes only
wpscan --url http://target.com --enumerate vt

Enumerate Users

# Enumerate usernames (default user ID range 1-10)
wpscan --url http://target.com --enumerate u

# Enumerate a specific user ID range
wpscan --url http://target.com --enumerate u1-20

Enumerate All Components

# Shorthand: vp/ap/p = vulnerable/all/popular plugins, vt/at/t = vulnerable/all/popular themes, tt = timthumbs, cb = config backups, dbe = db exports, u = user IDs, m = media IDs
wpscan --url http://target.com --enumerate vp,vt,u

Detection Modes

Mode        Speed    Accuracy  Use Case
passive     Fast     Low       Quick reconnaissance
aggressive  Slow     High      In-depth testing (authorized only)
mixed       Medium   Medium    Balanced approach

# Passive enumeration (stealthy)
wpscan --url http://target.com --enumerate p --detection-mode passive

# Aggressive enumeration (thorough, detectable)
wpscan --url http://target.com --enumerate p --detection-mode aggressive

Version Detection

Core WordPress Version

# Reported on every scan; --enumerate vp selects vulnerable plugins, not the core version
wpscan --url http://target.com

Plugin Versions

wpscan --url http://target.com --enumerate p

Theme Versions

wpscan --url http://target.com --enumerate t

Check Against CVE Database

# Requires API token for vulnerability matching
wpscan --url http://target.com --enumerate vp --api-token YOUR_TOKEN

Password Attacks

Brute Force Attack

# Using rockyou.txt wordlist
wpscan --url http://target.com --usernames admin --passwords /usr/share/wordlists/rockyou.txt

# Brute force a specific user with a custom wordlist (the option is --passwords; there is no --wordlist)
wpscan --url http://target.com --usernames admin --passwords /path/to/wordlist.txt

Multiple Users

# Try multiple usernames from a file (--usernames accepts a file path or a comma-separated list)
wpscan --url http://target.com --usernames users.txt --passwords passwords.txt

Custom Wordlists

# Comma-separated usernames against a custom password list (WPScan does not generate wordlists)
wpscan --url http://target.com --usernames admin,editor,test --passwords passwords.txt

# Single password, multiple users: --passwords expects a file, so write the one password to a file first
printf 'password123\n' > single.txt
wpscan --url http://target.com --usernames admin,editor,test --passwords single.txt

Throttling and Rate Limiting

# Throttle requests (milliseconds between requests)
wpscan --url http://target.com --usernames admin --passwords passwords.txt --throttle 100

# Max threads (default: 5)
wpscan --url http://target.com --usernames admin --passwords passwords.txt --max-threads 10

Vulnerability Detection

Vulnerable Plugins

# Enumerate and check for vulnerabilities
wpscan --url http://target.com --enumerate vp --api-token YOUR_TOKEN

Vulnerable Themes

wpscan --url http://target.com --enumerate vt --api-token YOUR_TOKEN

Vulnerable Core

# WordPress core vulnerabilities are reported automatically whenever an API token is supplied
wpscan --url http://target.com --api-token YOUR_TOKEN

Common Vulnerabilities Found

Type                          Severity  Example
SQL Injection                 High      Easily exploitable injection flaws in plugins
Arbitrary File Upload         High      Unprotected upload endpoints
Privilege Escalation          High      Unauthenticated admin account creation
Cross-Site Scripting (XSS)    Medium    Stored/reflected XSS in plugin output
Local File Inclusion (LFI)    Medium    Directory traversal via plugin paths
Authentication Bypass         High      Weak authentication mechanisms
Insecure Deserialization      High      PHP object injection

Output Formats

JSON Output

wpscan --url http://target.com --api-token YOUR_TOKEN --format json -o report.json

CLI Output (Default)

wpscan --url http://target.com --api-token YOUR_TOKEN

HTML Report

# WPScan has no HTML formatter (--format accepts cli, cli-no-colour and json); produce JSON and render it with an external tool
wpscan --url http://target.com --api-token YOUR_TOKEN --format json -o report.json

Export and Parse Results

# Core vulnerabilities (the report has no top-level "vulnerabilities" key; they sit under version, main_theme and each plugin)
jq '.version.vulnerabilities' report.json

# Count vulnerabilities across core, main theme and plugins
jq '[.version.vulnerabilities[]?, .main_theme.vulnerabilities[]?, .plugins[]?.vulnerabilities[]?] | length' report.json

# Detected plugin slugs with their vulnerabilities
jq '.plugins | map_values(.vulnerabilities)' report.json

Stealthy Scanning

Random User Agent

wpscan --url http://target.com --random-user-agent

Passive Detection Only

wpscan --url http://target.com --enumerate u --detection-mode passive

Slow Throttling

# 500ms delay between requests
wpscan --url http://target.com --enumerate p --throttle 500

Avoid Detection

# Combine techniques for stealth
wpscan --url http://target.com \
  --enumerate p,u \
  --detection-mode passive \
  --random-user-agent \
  --throttle 300 \
  --api-token YOUR_TOKEN
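What the server side sees during these scans, as an added detection example (written for this page, not WPScan code): the access log lines are constructed in Apache combined format, and the WPScan User-Agent string is a constructed default-style value. The detector scores two signals per client IP: the default WPScan User-Agent, which only --random-user-agent hides, and a burst of enumeration probes (plugin/theme readme.txt fetches, ?author=N redirects, the wp/v2/users REST route) inside a sliding window, which shows up whatever the User-Agent says. The window and threshold parameters are assumptions to tune against your own traffic.

```python
"""Flag WPScan-style enumeration in Apache/nginx combined-format access logs.

Added example for this page; not part of WPScan. SAMPLE_LOG and WPSCAN_UA are
constructed. Signals per client IP: the default WPScan User-Agent, and a burst
of enumeration probes inside a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Paths that plugin, theme and user enumeration request; readme.txt is where versions are read from
ENUM_PATH_RE = re.compile(
    r"^/wp-content/(?:plugins|themes)/[^/]+/readme\.txt$|^/\?author=\d+$|^/wp-json/wp/v2/users"
)
WPSCAN_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"  # constructed, default-style UA
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"

# Constructed sample: 10.0.0.5 scans with the default UA, 198.51.100.7 scans with a
# browser UA but probes readme.txt files in a burst, 203.0.113.9 is ordinary browsing.
SAMPLE_LOG = f"""\
10.0.0.5 - - [10/Mar/2024:14:02:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "{WPSCAN_UA}"
10.0.0.5 - - [10/Mar/2024:14:02:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 120 "-" "{WPSCAN_UA}"
10.0.0.5 - - [10/Mar/2024:14:02:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "{WPSCAN_UA}"
198.51.100.7 - - [10/Mar/2024:14:10:00 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 2048 "-" "{FIREFOX}"
198.51.100.7 - - [10/Mar/2024:14:10:01 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 196 "-" "{FIREFOX}"
198.51.100.7 - - [10/Mar/2024:14:10:02 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 196 "-" "{FIREFOX}"
198.51.100.7 - - [10/Mar/2024:14:10:04 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 196 "-" "{FIREFOX}"
198.51.100.7 - - [10/Mar/2024:14:10:05 +0000] "GET /wp-content/themes/astra/readme.txt HTTP/1.1" 404 196 "-" "{FIREFOX}"
198.51.100.7 - - [10/Mar/2024:14:10:07 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 404 196 "-" "{FIREFOX}"
203.0.113.9 - - [10/Mar/2024:14:11:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "{CHROME}"
203.0.113.9 - - [10/Mar/2024:14:11:31 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 2048 "-" "{CHROME}"
203.0.113.9 - - [10/Mar/2024:14:11:45 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 9210 "-" "{CHROME}"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def detect(log_lines, window_seconds=60, threshold=5):
    """Return {ip: [reasons]} for clients whose traffic looks like WordPress enumeration."""
    by_ip = defaultdict(list)
    for line in log_lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        reasons = []
        if any("wpscan" in e["ua"].lower() for e in events):
            reasons.append("default WPScan User-Agent")

        probes = sorted((e for e in events if ENUM_PATH_RE.search(e["path"])), key=lambda e: e["ts"])
        # Two-pointer sliding window: the most probes seen inside any window_seconds span
        peak, start = 0, 0
        for end, ev in enumerate(probes):
            while (ev["ts"] - probes[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            misses = sum(1 for e in probes if e["status"] == 404)
            reasons.append(f"{peak} enumeration probes within {window_seconds}s ({misses} returned 404)")

        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

The readme.txt burst is the more durable signal: a randomised User-Agent and a 300 ms throttle change neither the paths requested nor the 404 ratio, only how many seconds the burst spans, so the window size is what a defender tunes when passive mode is in play.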

Common Findings and Exploitation

Admin User Enumeration

Finding: Usernames admin, administrator, root discovered

Exploitation: Brute force password, check for weak credentials

wpscan --url http://target.com --usernames admin --passwords common.txt

Outdated WordPress Core

Finding: WordPress 5.x.x detected with known vulnerabilities (a patched release is available)

Remediation: Apply the security patch or update via the WordPress admin panel

Vulnerable Plugin (Example: Elementor < 3.0)

Finding: Elementor 2.9.14 detected (SQL injection in CVE-2021-12345)

Remediation: Update the plugin, or disable it until a patch is available

# Confirm via WPVulnDB API
wpscan --url http://target.com --enumerate vp --api-token YOUR_TOKEN

XML-RPC Enabled

Finding: /xmlrpc.php accessible

Remediation: Disable XML-RPC if not needed

# Detect XML-RPC: an enabled endpoint answers a GET with "XML-RPC server accepts POST requests only."
curl -s http://target.com/xmlrpc.php

Directory Listing Enabled

Finding: /wp-content/ directory browsable

Remediation: Disable directory indexes via .htaccess

# Append to the .htaccess in the WordPress root (">>" keeps the existing rewrite rules; a "^\." FilesMatch rule
# would only hide dotfiles, Options -Indexes is what turns listings off; the vhost needs AllowOverride Options or All)
cat >> /var/www/html/.htaccess << 'EOF'
Options -Indexes
EOF

WPScan API

API Endpoints

Get vulnerability information for specific plugins. WPScan's own database is served by the wpscan.com API (v3, requires the API token); the command below queries the third-party Vulners search instead:

curl "https://vulners.com/search?type=wordpress-plugin&q=plugin-name"

Query WPVulnDB via WPScan

# Check specific plugin version for vulnerabilities
wpscan --url http://target.com --enumerate vp --api-token YOUR_TOKEN

CI/CD Integration

GitHub Actions

name: WPScan
on: [push]
jobs:
  wpscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run WPScan
        uses: wpscanteam/action-wpscan@master
        with:
          url: 'http://target.com'
          token: ${{ secrets.WPSCAN_TOKEN }}

Jenkins Pipeline

pipeline {
  agent any
  environment {
    // Bind the API token from the Jenkins credentials store; 'wpscan-api-token' is a placeholder credential ID
    WPSCAN_TOKEN = credentials('wpscan-api-token')
  }
  stages {
    stage('WPScan') {
      steps {
        sh '''
          wpscan --url http://target.com \
            --api-token "${WPSCAN_TOKEN}" \
            --format json -o wpscan-report.json
        '''
        archiveArtifacts artifacts: 'wpscan-report.json'
      }
    }
  }
}
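The pipelines above only write report.json; the Export and Parse Results section shows ad-hoc jq queries over it. The following added example (Python, written for this page, not WPScan's or Jenkins' own code) turns that report into a build verdict: it flattens core, main-theme and plugin vulnerabilities into one list, compares each detected version against fixed_in so already-patched entries do not fail the build, and marks findings whose version WPScan could not fingerprint as unverified. The key layout follows what WPScan's JSON formatter emits; SAMPLE_REPORT, its slugs, versions, titles and CVE-0000-000x identifiers are constructed placeholders.

```python
"""Triage a WPScan JSON report and derive a CI pass/fail verdict.

Added example; not part of WPScan. SAMPLE_REPORT is constructed: plugin
slugs, versions, titles and the CVE-0000-000x identifiers are placeholders.
"""
import json
import re

SAMPLE_REPORT = json.dumps({
    "version": {"number": "5.8.1", "status": "insecure", "vulnerabilities": [
        {"title": "Constructed core issue", "fixed_in": "5.8.3", "references": {"cve": ["CVE-0000-0001"]}},
    ]},
    "main_theme": {"slug": "twentytwentyone", "version": {"number": "1.4"}, "vulnerabilities": []},
    "plugins": {
        "example-forms": {"version": {"number": "2.9.14"}, "vulnerabilities": [
            {"title": "Constructed SQLi in example-forms", "fixed_in": "3.0.0", "references": {"cve": ["CVE-0000-0002"]}},
            {"title": "Constructed XSS, already patched", "fixed_in": "2.9.0", "references": {}},
        ]},
        # version None: WPScan could not fingerprint this plugin, so the finding is unverified
        "example-gallery": {"version": None, "vulnerabilities": [
            {"title": "Constructed issue, no fix released", "fixed_in": None, "references": {}},
        ]},
    },
})


def parse_version(text):
    """'2.9.14' -> (2, 9, 14); a non-numeric tail such as '1.2rc1' stops the parse at (1, 2)."""
    parts = []
    for piece in str(text).split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(a, b):
    """True when version a is older than b; shorter tuples are zero-padded so '5.8' equals '5.8.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def load_report(text):
    """Parse the JSON text written by: wpscan --format json -o report.json"""
    return json.loads(text)


def flatten_findings(report):
    """Yield one record per vulnerability across core, main theme and plugins.

    affected: True if the detected version is older than fixed_in (or no fix exists),
    False if the site already runs a fixed version, None if the version is unknown.
    """
    components = []
    core = report.get("version")
    if core:
        components.append(("core", "wordpress", core.get("number"), core))
    theme = report.get("main_theme")
    if theme:
        components.append(("theme", theme.get("slug"), (theme.get("version") or {}).get("number"), theme))
    for slug, plugin in (report.get("plugins") or {}).items():
        components.append(("plugin", slug, (plugin.get("version") or {}).get("number"), plugin))

    for kind, slug, detected, comp in components:
        for vuln in comp.get("vulnerabilities") or []:
            fixed_in = vuln.get("fixed_in")
            if detected is None:
                affected = None
            elif fixed_in is None:
                affected = True
            else:
                affected = version_lt(detected, fixed_in)
            yield {"kind": kind, "slug": slug, "detected": detected, "title": vuln.get("title"),
                   "fixed_in": fixed_in, "cves": (vuln.get("references") or {}).get("cve", []),
                   "affected": affected}


def ci_verdict(report, fail_on_unknown=False):
    """Return (exit_code, lines): exit 1 if any finding is still affected; unverified
    findings fail the build only when fail_on_unknown is set."""
    labels = {True: "AFFECTED", False: "fixed", None: "UNVERIFIED"}
    lines, failing = [], 0
    for f in flatten_findings(report):
        cves = ", ".join(f["cves"]) or "no CVE"
        lines.append(f"[{labels[f['affected']]}] {f['kind']} {f['slug']} {f['detected'] or '?'}: "
                     f"{f['title']} (fixed in {f['fixed_in'] or 'n/a'}; {cves})")
        if f["affected"] is True or (f["affected"] is None and fail_on_unknown):
            failing += 1
    return (1 if failing else 0), lines


if __name__ == "__main__":
    import sys
    # Usage: python wpscan_gate.py [report.json]; without an argument the constructed sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = ci_verdict(load_report(text))
    print("\n".join(lines))
    sys.exit(code)
```

In the Jenkins stage this runs as a second sh step after the scan (`python3 wpscan_gate.py wpscan-report.json`), and the non-zero exit fails the build; fail_on_unknown is the policy knob for sites where WPScan cannot read plugin versions and a human must confirm the finding.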

Docker Compose for Testing

version: '3'
services:
  db:
    # The wordpress service points WORDPRESS_DB_HOST at "db", so a database service must exist
    image: mariadb:10.6
    environment:
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wp
      MYSQL_PASSWORD: password
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
  wordpress:
    image: wordpress:latest
    depends_on:
      - db
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wp
      WORDPRESS_DB_PASSWORD: password
    ports:
      - "8080:80"
  wpscan:
    image: wpscanteam/wpscan:latest
    # depends_on only orders container start-up, not readiness; WordPress may need a few seconds before the first scan
    depends_on:
      - wordpress
    command: --url http://wordpress

Advanced Options

Proxy Configuration

# Use HTTP proxy
wpscan --url http://target.com --proxy http://127.0.0.1:8080

# Use SOCKS5 proxy
wpscan --url http://target.com --proxy socks5://127.0.0.1:1080

Custom Headers

# Add a custom HTTP header to every request
wpscan --url http://target.com --headers "X-Custom-Header: value"

SSL/TLS Configuration

# Disable TLS certificate verification (not recommended; the option is --disable-tls-checks)
wpscan --url https://target.com --disable-tls-checks

# WPScan has no flag for supplying a CA or client certificate; for a private CA, add it to the
# system trust store that Ruby and cURL use instead of disabling verification

Aggressive Scanning with All Options

# Note: "wp" is not a valid --enumerate value; the core version is always checked
wpscan --url http://target.com \
  --enumerate vp,vt,u,cb,dbe,m \
  --detection-mode aggressive \
  --api-token YOUR_TOKEN \
  --random-user-agent \
  --max-threads 10 \
  --format json -o full-report.json

Best Practices

Practice                       Benefit
Use API token                  Unlock vulnerability database matching
Scan authorized targets only   Legal and ethical compliance
Test in staging environment    Avoid production impact
Regular scanning               Catch new vulnerabilities early
Update plugin/theme list       Ensure current vulnerability data
Combine with manual review     Find logic flaws WPScan misses
Monitor WordPress updates      Patch promptly when available

Common Issues and Troubleshooting

Target Not Reachable

# Test connectivity first
curl -I http://target.com

# Specify timeout
wpscan --url http://target.com --request-timeout 15

API Token Limit Reached

# Without token (limited data)
wpscan --url http://target.com --enumerate p

# Purchase premium token for higher limits
# Visit: https://wpscan.com

False Positives in Results

# Manually verify a plugin finding: WPScan reads the version from the plugin's readme.txt, so fetch it and check the Stable tag
curl -s http://target.com/wp-content/plugins/plugin-name/readme.txt | grep -i 'stable tag'

# Check the WPScan vulnerability database (wpscan.com) for confirmation

Slow Scanning

# Increase threads for faster enumeration
wpscan --url http://target.com --max-threads 25 --enumerate p

Resources