Step 1: WPScan CLI Scanner
This was the first product developed by WPScan. It is a free WordPress black-box vulnerability scanner. You can find documentation for it on GitHub. The CLI scanner can be used on its own but is often used together with the companion WPScan API, as without the API the scanner does not report vulnerabilities in WordPress plugins and themes.
What does WPScan check for?
- The version of WordPress installed and any associated vulnerabilities
- What plugins are installed and any associated vulnerabilities
- What themes are installed and any associated vulnerabilities
- Username enumeration
- Users with weak passwords via password brute forcing
- Backed up and publicly accessible wp-config.php files
- Database dumps that may be publicly accessible
- If error logs are exposed by plugins
- Media file enumeration
- Vulnerable Timthumb files
- If the WordPress readme file is present
- If WP-Cron is enabled
- If user registration is enabled
- Full Path Disclosure
- Upload directory listing
- And much more…
Ruby Gem
WPScan is shipped as a Ruby gem, and can be installed with the following command:
gem install wpscan
Docker
We also support Docker. Pull the image with:
docker pull wpscanteam/wpscan
Example Docker command to enumerate usernames:
docker run -it --rm wpscanteam/wpscan --url https://example.com/ --enumerate u
Homebrew (macOS)
To install the latest stable version:
brew install wpscanteam/tap/wpscan
To install the latest code from the master branch:
brew install wpscanteam/tap/wpscan --HEAD
Updating WPScan
To update the WPScan software:
gem update wpscan
You can install the WPScan CLI Scanner and find it valuable without installing other WPScan components. However, the WPScan API is most often installed as well.
Recommended Step 2: WordPress Vulnerability Database & API
The API collects reports of WordPress vulnerabilities that can be used hand in hand with the CLI scanner. Create an account and receive an API token here. For WPScan to retrieve the vulnerability data, an API token must be supplied via the --api-token option, or via a configuration file.
You must send this API token with every request in the Authorization HTTP Header, as seen below.
Authorization: Token token=API_TOKEN
cURL example:
curl -H "Authorization: Token token=API_TOKEN" https://wpscan.com/api/v3/wordpresses/494
Up to 25 API requests per day are given free of charge, which should be enough to scan most WordPress websites at least once per day. Without a paid plan, once the daily 25 API requests are exhausted WPScan continues to work as normal but without any vulnerability data.
For full technical details, including endpoints and response data, refer to our official API documentation.
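The header format and the /wordpresses/494 endpoint above are all the page documents; the following is an added example (not WPScan's own client code) that builds that request in Python, reads the token from a WPSCAN_API_TOKEN environment variable so it does not end up in shell history, and summarises the result. The response layout it parses (version key, then a "vulnerabilities" list with "title" and "fixed_in") and the sample payload are assumptions constructed for the example.

```python
"""Query the WPScan API for a WordPress core version (added example, not WPScan code)."""
import json
import os
import urllib.request

API_BASE = "https://wpscan.com/api/v3"


def auth_headers(token: str) -> dict:
    """Header format documented by WPScan: 'Authorization: Token token=<API_TOKEN>'."""
    return {"Authorization": f"Token token={token}", "Accept": "application/json"}


def core_version_url(version: str) -> str:
    """WPScan addresses core versions with the dots removed: 4.9.4 -> /wordpresses/494."""
    slug = version.replace(".", "")
    if not slug.isdigit():
        raise ValueError(f"unexpected WordPress version string: {version!r}")
    return f"{API_BASE}/wordpresses/{slug}"


def fetch_core_vulns(version: str, token: str) -> dict:
    """Live request: needs network and a valid token, and counts against the daily quota."""
    req = urllib.request.Request(core_version_url(version), headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(payload: dict, version: str) -> list:
    """Reduce a response to (title, fixed_in) pairs for the requested version.
    Response layout is an assumption; an unknown version yields an empty list."""
    entry = payload.get(version, {})
    return [{"title": v.get("title"), "fixed_in": v.get("fixed_in")}
            for v in entry.get("vulnerabilities", [])]


# Constructed sample response mirroring the assumed layout; not real WPScan data.
SAMPLE = {"4.9.4": {"release_date": "2018-02-06", "status": "insecure",
                    "vulnerabilities": [
                        {"title": "Placeholder core issue A", "fixed_in": "4.9.5"},
                        {"title": "Placeholder core issue B", "fixed_in": None}]}}

if __name__ == "__main__":
    token = os.environ.get("WPSCAN_API_TOKEN")  # falls back to SAMPLE when unset
    payload = fetch_core_vulns("4.9.4", token) if token else SAMPLE
    for item in summarize(payload, "4.9.4"):
        print(item["title"], "-> fixed in", item["fixed_in"] or "not yet fixed")
```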
Optional Step 3: WPScan WordPress plugin
For site managers who prefer the simplicity of plugins, the WPScan WordPress plugin is also available for enterprise customers and uses your API token directly.
Optional Step 4: Pentesting Integrations
There are many popular distributions and kits that integrate the WPScan options listed above, including Kali Linux, Dradis, BackBox Linux, Pentoo, Samurai WTF, BlackArch, and more.
All set up?