Saturday, December 2, 2023

WPScan – Penetration Testing Tool to Find The Security Vulnerabilities in Your WordPress Websites

WPScan is a WordPress security scan for detecting and reporting WordPress vulnerabilities.

WordPress is a free online Open source content Managed system focused on PHP and MySQL. It is one of the most powerful and most used blogging tools.

As there are too many up’s and downs in WordPress usage, it requires security improvement, so WordPress Penetration testing is essential to find the vulnerabilities and secure your WordPress-powered Website.

WordPress Penetration testing with WPScan

It is a WordPress vulnerability scanner created by Ryan Dewhurst and it was sponsored by Sucuri.

It comes pre-installed with BackBox Linux, Kali Linux, Pentoo, SamuraiWTF, and BlackArch and it will not support Windows.

With this tool, we can enumerate themes, plugins, users, and HTTP proxy and will not check the source code of the page.


git clone

cd wpscan/

bundle install && rake install

To Enumerate WordPress versions, themes and plugin

wpscan –url –enumerate p wpscan –url –enumerate t

Penetration testing

To Enumerate WordPress Users

wpscan –url –enumerate u

Penetration testing

To launch a brute-force attack

wpscan –url –wordlist /root/Desktop/password.txt –username kcwto

Penetration testing

To Enumerate timthumbs

If you are still using TimThumb, even after a very serious vulnerability, you have one more reason to be concerned.

wpscan –url –enumerate tt

Penetration testing

To store Output in a separate File

wpscan –url –debug-output 2>debug.log

Penetration testing is an art and the active analysis depends upon the security researcher, here we evaluated some of the basic and important checks that need to be done on the WordPress-powered website.


This article with WPScan was created only for legal security testing, you should use the tool only for Testing purposes and you are not intended to use them against any unknown websites. Misuse of the information on this website can result in criminal charges brought against the persons in question. The Authors and  will not be held responsible in the event any criminal charges be brought against any individuals misusing the information on this website to break the law.

Also Read:


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles