WPScan – WordPress Scanner
WPScan is a command-line scanner for WordPress sites. It fingerprints the WordPress core version, the installed plugins and themes, and the user accounts of a target, then matches what it finds against the WPScan vulnerability database. Security researchers and penetration testers use it to find known weaknesses in an installation before an attacker does. WPScan ships with Kali Linux. One caveat: version, plugin and user enumeration work without any account, but the vulnerability details for what WPScan finds are only reported when you supply an API token from wpscan.com with `--api-token` (a free tier exists for occasional scans); without it the scan lists components and versions but no advisories.
- Detects vulnerable WordPress core versions
- Scans for vulnerable plugins and themes
- Enumerates user accounts and runs dictionary attacks against them
- Checks for exposed files such as backups of wp-config.php, database exports and debug logs
- Reports misconfigurations such as enabled XML-RPC, directory listing, open registration and an exposed readme.html
Install WPScan
WPScan comes pre-installed in Kali Linux. To install or update the package:
$ sudo apt update && sudo apt install wpscan
The vulnerability database is separate from the package and should be refreshed before each engagement:
$ wpscan --update
Basic Usage
To scan a WordPress website, use the following command:
$ wpscan --url https://example.com
This runs the default checks: core version, interesting files and headers, and the default enumeration set (vulnerable plugins and themes, config backups, database exports, users and media). To also receive the advisories for what it finds, and to keep a machine-readable copy of the results, pass your API token and write JSON output:
$ wpscan --url https://example.com --api-token YOUR_TOKEN --format json -o report.json
Enumerating WordPress Users
To enumerate user accounts on a WordPress site, run:
$ wpscan --url https://example.com --enumerate u
By default this tries author IDs 1 to 10 through the `?author=N` permalinks and the REST API (`/wp-json/wp/v2/users`). Widen the range with `--enumerate u1-50` if the site has many authors. Even without a password attack, a confirmed username list halves the work for an attacker, so a site that leaks usernames this way is worth reporting on its own.
Scanning for Vulnerable Plugins
To find outdated or vulnerable plugins installed on a WordPress site:
$ wpscan --url https://example.com --enumerate vp
`vp` checks only plugins with a known vulnerability, `p` checks the most popular plugins, and `ap` tries every plugin WPScan knows about (slow and noisy). Detection defaults to `--plugins-detection mixed`; `aggressive` requests each plugin's readme directly, which finds more but generates far more requests and will show up in the target's logs.
Performing a Password Attack
You can run a dictionary attack to test for weak passwords (use ethically and with permission):
$ wpscan --url https://example.com -U admin -P /path/to/password_list.txt
If `-U` is omitted, WPScan attacks the accounts it enumerated, so `--enumerate u -P wordlist.txt` covers every discovered user in one run. The attack goes through `wp-login.php` by default; `--password-attack xmlrpc` uses the XML-RPC endpoint when it is enabled, and `xmlrpc-multicall` packs many guesses into one request, which is faster but very noisy. Expect login-protection plugins or a WAF to lock accounts or block your IP after a few failures; `--throttle` (milliseconds between requests) and a small `--max-threads` value slow the attack down to stay under such thresholds, and a locked-out administrator is itself a denial of service you need to have agreed with the client.
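The commands above each produce a long terminal listing; on a real engagement you want the JSON report (`--format json -o report.json`) turned into a prioritised finding list. The script below is an added example for this tutorial, not code from the WPScan project. The field names it reads (`plugins`, `version`, `outdated`, `vulnerabilities`, `users`, and a `password` key on a cracked user) follow WPScan's JSON output as I know it and should be checked against the version you run; the embedded report is constructed for the example, not captured from any site.

```python
"""Triage a WPScan JSON report into a prioritised summary.

Added example, not part of WPScan. Reads the file written by
`wpscan --url ... --format json -o report.json` (or the constructed sample
below when run without an argument). Assumed field names: plugins ->
version -> vulnerabilities, plugins -> outdated, users -> password.
"""
import json
import sys

# Constructed sample report, not captured from a real host: a core finding,
# one outdated and vulnerable plugin, one current plugin, one plugin whose
# version could not be detected, and two enumerated users (one cracked).
SAMPLE_REPORT = r"""
{
  "target_url": "https://example.com/",
  "version": {
    "number": "6.1.1",
    "status": "insecure",
    "vulnerabilities": [
      {"title": "Constructed sample core finding", "fixed_in": "6.1.2", "references": {}}
    ]
  },
  "plugins": {
    "example-plugin": {
      "slug": "example-plugin", "latest_version": "2.0.0", "outdated": true,
      "vulnerabilities": [],
      "version": {
        "number": "1.4.0", "confidence": 80,
        "vulnerabilities": [
          {"title": "Constructed sample plugin finding", "fixed_in": "1.5.0", "references": {}}
        ]
      }
    },
    "another-plugin": {
      "slug": "another-plugin", "latest_version": "3.2.1", "outdated": false,
      "vulnerabilities": [],
      "version": {"number": "3.2.1", "confidence": 100, "vulnerabilities": []}
    },
    "no-version-plugin": {
      "slug": "no-version-plugin", "latest_version": "1.0", "outdated": false,
      "vulnerabilities": [], "version": null
    }
  },
  "users": {
    "admin":  {"id": 1, "slug": "admin",  "confidence": 100, "password": "password123"},
    "editor": {"id": 2, "slug": "editor", "confidence": 100}
  }
}
"""


def load_report(text):
    """Parse the JSON text that wpscan wrote with --format json."""
    return json.loads(text)


def _vulns_for(entry):
    """Vulnerabilities listed under a component and under its detected version
    (WPScan records them at either level); de-duplicated by title. Tolerates
    a missing or null `version` when WPScan could not fingerprint it."""
    seen = {}
    for vuln in entry.get("vulnerabilities") or []:
        seen.setdefault(vuln["title"], vuln)
    for vuln in (entry.get("version") or {}).get("vulnerabilities") or []:
        seen.setdefault(vuln["title"], vuln)
    return list(seen.values())


def vulnerable_components(report):
    """[(name, installed_version, [titles])] for core and plugins with at
    least one known vulnerability, core first, plugins in report order."""
    found = []
    core = report.get("version") or {}
    if core.get("vulnerabilities"):
        found.append(("wordpress-core", core.get("number"),
                      [v["title"] for v in core["vulnerabilities"]]))
    for slug, plugin in (report.get("plugins") or {}).items():
        vulns = _vulns_for(plugin)
        if vulns:
            found.append((slug, (plugin.get("version") or {}).get("number"),
                          [v["title"] for v in vulns]))
    return found


def outdated_plugins(report):
    """Slugs WPScan flagged as behind the current wordpress.org release."""
    return sorted(s for s, p in (report.get("plugins") or {}).items() if p.get("outdated"))


def enumerated_users(report):
    return sorted((report.get("users") or {}).keys())


def cracked_accounts(report):
    """username -> password for accounts the dictionary attack recovered.
    Assumption: a cracked account carries a `password` key under `users`."""
    return {n: u["password"] for n, u in (report.get("users") or {}).items() if u.get("password")}


def triage(report):
    """Highest severity the report justifies: cracked credentials > known
    vulnerability > outdated plugin > usernames enumerated > nothing."""
    summary = {
        "target": report.get("target_url"),
        "cracked_accounts": cracked_accounts(report),
        "vulnerable_components": vulnerable_components(report),
        "outdated_plugins": outdated_plugins(report),
        "enumerated_users": enumerated_users(report),
    }
    if summary["cracked_accounts"]:
        summary["severity"] = "critical"
    elif summary["vulnerable_components"]:
        summary["severity"] = "high"
    elif summary["outdated_plugins"]:
        summary["severity"] = "medium"
    elif summary["enumerated_users"]:
        summary["severity"] = "low"
    else:
        summary["severity"] = "info"
    return summary


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    s = triage(load_report(text))
    print(f"{s['target']}: {s['severity'].upper()}")
    for name, version, titles in s["vulnerable_components"]:
        print(f"  vulnerable {name} {version}: {'; '.join(titles)}")
    for slug in s["outdated_plugins"]:
        print(f"  outdated   {slug}")
    for name in s["enumerated_users"]:
        flag = " (password recovered)" if name in s["cracked_accounts"] else ""
        print(f"  user       {name}{flag}")
```

Run it as `python3 triage.py report.json` after a scan. The ordering in `triage` encodes the practical priority: a recovered password is an immediate compromise, a known vulnerability in a fingerprinted version is exploitable today, an outdated plugin is a pending one, and a bare username list is reconnaissance value for an attacker.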
Legal disclaimer
Usage of the tool for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws.
WPScan is a standard tool for security professionals working with WordPress sites. Keep in mind what it tests: known weaknesses in the core, plugins and themes it can fingerprint, plus exposed files, weak credentials and common misconfigurations. It does not audit custom theme or plugin code, so a clean WPScan run is a baseline, not a clean bill of health. Always use WPScan responsibly and ensure you have permission before scanning any site.