How to Use WPScan to Find WordPress Vulnerabilities

WPScan is an open-source WordPress security scanner. It is used to scan WordPress websites for known vulnerabilities within the WordPress core and WordPress plugins and themes. It also checks for weak passwords, exposed files, and much more.

Since it is a WordPress black box scanner, it mimics an actual attacker. This means it does not rely on access to your WordPress dashboard or source code to conduct the tests. In other words, if WPScan can find a vulnerability in your WordPress website, so can an attacker.

Accessing WPScan

The easiest way to access WPScan is directly from the developer’s website. However, to get the full benefits this application offers, you should install WPScan. With several different options available, you can be sure to find a setup that meets your requirements.

Basic command structure

WPScan uses a command-line interface (CLI) to receive and execute commands. While this might seem less friendly if you’re new to CLI, you’ll be able to get the hang of it quickly with some guidance and a bit of practice. This article will provide some guidance; all you need to do is practice!

We will first look at the basic scan command required to initiate a scan. This is as follows:

wpscan --url mywebsite.com

As you can see, the command to run a simple scan on your WordPress site is very simple.

  • wpscan: This tells the machine that we want to run wpscan
  • --url: This tells WPScan that we will be providing the URL of the website we want to scan
  • URL: This tells WPScan the URL of our website, also known as the target website

It is imperative to refrain from running scans on websites you do not own. WPScan is a security tool, and like any other tool, it can be used for benefit or harm.

Adding an API key

WPScan uses a vulnerability database called wpvulndb to check the target for known vulnerabilities. The team that develops WPScan maintains this database. The general public can also submit any WordPress vulnerabilities they come across to be included in the database. It has an ever-growing list of WordPress core, plugin, and theme vulnerabilities.

To access this database, we need an API key. API keys, which are provided by WPScan, give us the ‘right’ to access the information in the database.

You can get an API key for free directly from wpscan.com. Free API keys have limitations that are subject to change from time to time. However, the free API token should be enough for most use cases.

Once you have an API key, pass it to the wpscan command as a parameter in the following format:

--api-token enter_your_token_here

  • --api-token: This tells wpscan that we will be providing an API token
  • enter_your_token_here: This is your token, as provided by wpscan.com

So that the entire command now looks like this:

wpscan --url mywebsite.com --api-token enter_your_token_here

Do keep in mind that free API keys might have some limitations.

The random user agent

Let’s dissect this one to make sure we understand what a user agent is.

Let’s say you want to visit melapress.com. To load the homepage of melapress.com, your browser needs to send an HTTP request to the Melapress web server. In this case, it will read something like ‘send me the homepage of melapress.com.’

For the Melapress web server to acknowledge and respond to the HTTP request, it needs to know who it’s coming from. In this case, the request is coming from your web browser, which makes your web browser the user agent.

The user agent (which in this case is your browser) sends information about the web browser itself, the Operating System, and a few other details in the HTTP user-agent header. This header may look something like this:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36

WPScan allows the user agent to be randomized. Thus, it will look like the request came from a different user agent, hiding its true identity. There are several reasons why you might want to do this, including:

  • Mimicking real traffic: This makes it harder for the server to distinguish between legitimate requests and scanner requests
  • Avoiding detection: By hiding its true identity, the scanner can bypass certain firewall restrictions
  • Finding user agent vulnerabilities: Some vulnerabilities can be specific to particular user agents, which this option can help suss out

To instruct WPScan to use a random user agent, we simply add the following option:


Speaking of firewalls, you can also choose to throttle (slow down) the rate at which WPScan makes requests, avoiding rate-limiting checks. This is done by adding the following option:

--throttle numberofmilliseconds

Where numberofmilliseconds is the duration you want to throttle requests for, in milliseconds.


WPScan is able to gather a lot of information about WordPress sites. This is called enumeration, where WPScan lists different attributes and components of the target website. It can enumerate:

  • WordPress version
  • Usernames
  • Media files
  • Plugins
  • Themes
  • Directories
  • Backup files

and much more!

WPScan allows us to specify the detection method. There are three modes we can choose from: Passive, Aggressive, and Mixed. We will discuss these next.

Detection modes (enumeration methods)

WPScan can take different approaches as to how it scans a WordPress site. There are pros and cons to each. However, it is the use case that will largely determine which approach you want to take.


Passive detection

In passive detection, WPScan limits its interaction with the target website. Instead, it largely relies on public information, such as metadata and headers, to learn everything it can about the site it’s scanning.

Passive detection uses less bandwidth and is discreet. It is also useful when you want to avoid sending potentially harmful requests. The trade-off is that it limits the information WPScan is able to gather.

To force passive detection mode, use the following option:

--detection-mode passive


Aggressive detection

As the name suggests, aggressive detection is the opposite of passive enumeration. It uses active scanning and interacts with the website directly. This increases the load on the server, which can alert the target.

Aggressive detection can yield more information about the target WordPress site than passive mode and is more likely to uncover any vulnerabilities.

To force aggressive detection mode, use the following option:

--detection-mode aggressive


Mixed detection

Mixed detection is the default enumeration method. It tries to achieve a balance between stealth and being thorough. By using both passive and aggressive techniques, it can provide the most results.

Do keep in mind that mixed detection can still put a strain on the server.

To force mixed detection mode, use the following option:

--detection-mode mixed

Pro tip: You can combine passive detection mode with random user agent by using the following option:



In this section, we will be looking at what WPScan can tell us about the WordPress core. The scan will first try to determine which WordPress version is installed. It does this by examining the headers, endpoints, and file structure.

Once it determines the version, it will cross-check against the database to see if there are any vulnerabilities associated with that specific version. This is why it’s important to have a WordPress update strategy and adhere to it at all times.

User enumeration

In user enumeration, WPScan attempts to list the users on the target WordPress site. It does this through several techniques, including checking the author archives, brute force attacks, REST API endpoint interactions, and user ID enumeration.

All users: To enumerate all users, use the option:

--enumerate u

User IDs: To enumerate user IDs, use the option:

--enumerate u1-10

where the first number is the lowest user ID and the second number is the highest user ID.

User passwords: To try to guess common username and password combinations, use the option:

--enumerate p

WPScan makes enumerating passwords easy, which is why good WordPress password protection is critical. Get Melapress Login Security and ensure WPScan comes back empty-handed.
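To see what the user enumeration techniques described above look like from the server side, the following added example (not part of the original article or of WPScan) scans a web access log for author-archive ID walks and anonymous requests to the REST users endpoint. It keys on request paths rather than the User-Agent header, since that header is chosen by the client. The log format (Combined Log Format), the threshold, the function name and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Combined Log Format (documentation IP ranges, made-up UA).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /?rest_route=%2Fwp%2Fv2%2Fusers HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
198.51.100.20 - - [10/Mar/2025:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
198.51.100.20 - - [10/Mar/2025:10:05:03 +0000] "GET /contact/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)\b")
REST_USERS_RE = re.compile(r"/wp-json/wp/v2/users|[?&]rest_route=/wp/v2/users")

def find_user_enumeration(log_text, min_author_ids=3):
    """Return {client_ip: summary} for clients whose requests look like user listing."""
    seen = defaultdict(lambda: {"author_ids": set(), "rest_users_hits": 0, "user_agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        path = unquote(m["path"])  # rest_route may arrive URL-encoded
        client = seen[m["ip"]]
        client["user_agents"].add(m["ua"])
        author = AUTHOR_RE.search(path)
        if author:
            client["author_ids"].add(int(author.group(1)))
        if REST_USERS_RE.search(path):
            client["rest_users_hits"] += 1
    findings = {}
    for ip, c in seen.items():
        # One author link is normal browsing; walking several IDs is worth reviewing.
        if len(c["author_ids"]) >= min_author_ids or c["rest_users_hits"]:
            findings[ip] = {"author_ids": sorted(c["author_ids"]),
                            "rest_users_hits": c["rest_users_hits"],
                            "user_agents": sorted(c["user_agents"])}
    return findings

if __name__ == "__main__":
    for ip, summary in find_user_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

Both clients in the sample send the same browser-like User-Agent, so only the request pattern separates the visitor from the enumeration run.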

Themes enumeration

WPScan provides quite a few different options for enumerating themes. The process starts with theme discovery, in which WPScan looks at data such as HTML and CSS to identify themes on the target website. It then extracts metadata to learn more about each theme, detecting the installed version. This allows the software to check for vulnerabilities and issues specific to each theme.

All themes: To look for theme vulnerabilities across all themes, use the option:

--enumerate at

Popular themes: To limit the scan to popular WordPress themes, use the option:

--enumerate t

Vulnerable themes enumeration: To limit the scan to vulnerable WordPress themes, use the option:

--enumerate vt

Plugins enumeration

In plugin enumeration, WPScan attempts to learn everything it can about installed plugins. Much like theme enumeration, plugin enumeration starts by attempting to discover which plugins are installed, including any must-use (mu) WordPress plugins. This is achieved by analyzing paths and files. Next, it attempts to extract metadata and detect the version, which allows WPScan to check if there are any known vulnerabilities or plugin-specific issues.

All plugins: To look for plugin vulnerabilities across all WordPress plugins, use the option:

--enumerate ap

Popular plugins: To limit the scan to popular WordPress plugins, use the option:

--enumerate p

Vulnerable plugins: To limit the scan to vulnerable WordPress plugins, use the option:

--enumerate vp

Media, DB exports, backups, and timthumbs

WPScan can also enumerate:

  • Timthumbs: To enumerate timthumbs, add the tt flag to the enumerate option
  • Config backups: To enumerate WordPress config backups, add the cb flag to the enumerate option
  • Database exports: To enumerate exported database files, add the dbe flag to the enumerate option
  • Media: To enumerate media, add the m flag to the enumerate option
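Because WPScan looks for these files from the outside, it is worth checking your own document root for them first. The following added example (not part of the original article or of WPScan) walks a local WordPress directory and lists leftover config backups, database exports and timthumb scripts. The filename patterns and function names are assumptions chosen for the illustration; they are not WPScan's own lists.

```python
import fnmatch
import os
from pathlib import Path

# Assumed filename patterns for illustration; they are not WPScan's own wordlists.
RISKY_PATTERNS = {
    "config backup": ["wp-config.php.*", "wp-config.php~", "wp-config.bak",
                      "wp-config.old", "wp-config.txt", ".wp-config.php.swp"],
    "database export": ["*.sql", "*.sql.gz", "*.sql.zip", "*.sql.bak"],
    "timthumb script": ["timthumb.php"],
}

def classify(filename):
    """Return the risk category for a file name, or None if it matches no pattern."""
    name = filename.lower()  # compare case-insensitively (site.SQL, WP-CONFIG.PHP.BAK)
    for kind, patterns in RISKY_PATTERNS.items():
        if any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns):
            return kind
    return None

def audit_docroot(docroot):
    """Walk a local document root and return sorted (relative_path, kind) findings."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            kind = classify(filename)
            if kind:
                rel = (Path(dirpath) / filename).relative_to(root).as_posix()
                findings.append((rel, kind))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # Usage: python audit_docroot.py /path/to/your/wordpress
    for rel, kind in audit_docroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}: {rel}")
```

Anything the script reports should be moved outside the web root or deleted before an external scan has the chance to find it.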

Frequently Asked Questions

What is the use of WPScan?

WPScan is a scanner that looks for security vulnerabilities in WordPress. It is written in the Ruby programming language.

Is WPScan free?

WPScan is completely free. However, to get the most out of it, you will also need an API key. At the time of writing, API keys offer 25 free tokens per day. You need one token for WordPress and a separate token for every theme and plugin installed on your website.

How many API requests do I get with the free version?

The free version of the WPScan API currently offers 25 requests per day. Remember you need one API request for WordPress and one for each plugin and theme on your website.

What is WPScan in Kali Linux?

Kali Linux is a Linux distribution that is used for pen testing and auditing. It’s based on Debian and comes with security software pre-installed. This software is not exclusive to Kali Linux but comes bundled with it for convenience. WPScan, which is the same WPScan you can download from wpscan.com, is also included in the list of pre-installed software, which is why you’ll find WPScan in Kali Linux.

Joel Farrugia
Joel Barbara

Joel is our technical writer responsible for writing the different kinds of content we need. With a background in tech and content, he has a passion for making technology accessible and understandable for everyone. You can reach Joel at joel@melapress.com.
