WPScan is a black box WordPress security scanner that can be used to scan remote WordPress installations to find security issues. This document provides instructions for installing, configuring, and running WPScan with specific scan profiles.
Install WPScan with RubyGems:

```bash
gem install wpscan
```

or pull the Docker image:

```bash
docker pull wpscanteam/wpscan
```

or build it from source:

```bash
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
bundle install
```

Verify the installation:

```bash
wpscan --version
```
A basic scan needs only the target URL:

```bash
wpscan --url https://example.com
```

Add the `--api-token` parameter for enhanced vulnerability detection. Using an API token significantly improves the quality of scan results by allowing access to the WPScan vulnerability database:

```bash
wpscan --url https://example.com --api-token YOUR_API_TOKEN
```
WPScan supports different enumeration options (passed with `-e`):

- `vp`: Vulnerable plugins
- `vt`: Vulnerable themes
- `u`: User enumeration
- `ap`: All plugins
- `at`: All themes

Below is a sample script for running multiple WPScan profiles against a target domain:
```bash
#!/bin/bash
# No `set -e` here: wpscan may exit non-zero when it finds vulnerabilities,
# which must not abort the remaining scans.
set -u

domain="${1:?usage: $0 <domain>}"
# Read the API token from the environment instead of hard-coding it in the script
api_token="${WPSCAN_API_TOKEN:?set WPSCAN_API_TOKEN to your WPScan API token}"

mkdir -p "./$domain"
cd "./$domain" || exit 1

# Scan for vulnerable plugins
wpscan --url "https://$domain" --api-token "$api_token" -e vp \
  --plugins-detection aggressive \
  --detection-mode aggressive \
  --interesting-findings-detection passive \
  --wp-version-detection passive \
  --main-theme-detection passive \
  --exclude-content-based 'xmlrpc.php,readme.html,wp-content/uploads,wp-cron.php' \
  -f json -o "wpscan_${domain}_vp.json"

# Scan for vulnerable themes
wpscan --url "https://$domain" --api-token "$api_token" -e vt \
  --plugins-detection aggressive \
  --interesting-findings-detection passive \
  --wp-version-detection passive \
  --main-theme-detection passive \
  --exclude-content-based 'xmlrpc.php,readme.html,wp-content/uploads,wp-cron.php' \
  -f json -o "wpscan_${domain}_vt.json"

# Scan for users
wpscan --url "https://$domain" --api-token "$api_token" -e u \
  --interesting-findings-detection passive \
  --wp-version-detection passive \
  --main-theme-detection passive \
  --exclude-content-based 'xmlrpc.php,readme.html,wp-content/uploads,wp-cron.php' \
  -f json -o "wpscan_${domain}_u.json"
```

Usage:

```bash
chmod +x scan_script.sh
export WPSCAN_API_TOKEN=YOUR_API_TOKEN
./scan_script.sh example.com
```
| Option | Description |
|---|---|
| `--url` | Target WordPress URL |
| `--api-token` | WPScan API token for vulnerability data |
| `-e` | Enumeration option (vp, vt, u, etc.) |
| `--plugins-detection` | Detection mode for plugins (passive, aggressive, mixed) |
| `--detection-mode` | Overall detection mode |
| `--interesting-findings-detection` | Mode for detecting interesting findings |
| `--wp-version-detection` | WordPress version detection mode |
| `--main-theme-detection` | Main theme detection mode |
| `--exclude-content-based` | Exclude specific URLs from content-based checks |
| `-f` | Output format (json, cli, etc.) |
| `-o` | Output file |
The script creates three JSON output files:

- `wpscan_<domain>_vp.json`: Vulnerable plugins scan results
- `wpscan_<domain>_vt.json`: Vulnerable themes scan results
- `wpscan_<domain>_u.json`: User enumeration scan results

Common reasons for a failed or empty scan:

- API Rate Limiting
- Target Unreachable
- WAF/Firewall Blocking (try `--random-user-agent`)

Useful options in these cases:

- `--disable-tls-checks` for self-signed certificates
- `--throttle` to slow down requests and avoid triggering security measures
- `--random-user-agent` to bypass simple user-agent filtering
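To triage the JSON files the script writes, here is an added helper that is not part of the original page or of WPScan itself. It assumes the report layout given in its comment (`plugins`/`themes` objects keyed by slug, each with `version.number` and a `vulnerabilities` list carrying `title` and `fixed_in`) and runs on a constructed sample; the `still_exposed` check is deliberately conservative, treating an unknown installed version or a finding with no fix as still exposed.

```python
import json
from pathlib import Path

def _vtuple(v):
    """'1.4.0' -> (1, 4, 0) for ordering; non-numeric parts count as 0."""
    out = []
    for part in str(v).split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)

def still_exposed(installed, fixed_in):
    """Conservative: exposed unless the installed version is known to be >= fixed_in."""
    if installed is None or fixed_in is None:
        return True
    return _vtuple(installed) < _vtuple(fixed_in)

def triage(report, kinds=("plugins", "themes")):
    """Flatten one parsed report into one row per (component, vulnerability)."""
    rows = []
    for kind in kinds:
        for slug, item in (report.get(kind) or {}).items():
            installed = (item.get("version") or {}).get("number")
            for vuln in item.get("vulnerabilities") or []:
                fixed_in = vuln.get("fixed_in")
                rows.append({"kind": kind, "slug": slug, "installed": installed,
                             "title": vuln.get("title"), "fixed_in": fixed_in,
                             "exposed": still_exposed(installed, fixed_in)})
    return rows

def triage_files(paths):
    """Merge rows from several report files, e.g. the _vp and _vt outputs."""
    rows = []
    for path in paths:
        rows.extend(triage(json.loads(Path(path).read_text())))
    return rows

# Constructed sample in the assumed layout of wpscan_<domain>_vp.json (not real data).
SAMPLE_VP = {"plugins": {
    "example-plugin": {"version": {"number": "1.4.0"}, "vulnerabilities": [
        {"title": "Example Plugin < 1.5.0 - Constructed Finding", "fixed_in": "1.5.0"},
        {"title": "Example Plugin < 1.2.0 - Constructed Finding", "fixed_in": "1.2.0"}]},
    "patched-plugin": {"version": {"number": "3.0.0"}, "vulnerabilities": [
        {"title": "Patched Plugin < 2.9.0 - Constructed Finding", "fixed_in": "2.9.0"}]},
    "unknown-plugin": {"version": None, "vulnerabilities": [
        {"title": "Unknown Plugin - Constructed Finding, no fix", "fixed_in": None}]}}}

if __name__ == "__main__":
    for r in triage(SAMPLE_VP):
        print("EXPOSED" if r["exposed"] else "fixed", r["kind"], r["slug"], r["installed"], "->", r["title"])
```

Point `triage_files()` at the real `wpscan_<domain>_vp.json` and `wpscan_<domain>_vt.json` files to get the same rows for an actual scan.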