WordPress-specific vulnerability scanner — versions, plugins, themes, user enumeration, and CVE matching.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Ruby gem
gem install wpscan
Linux (apt)
sudo apt install wpscan
Docker
docker run -it --rm wpscanteam/wpscan --url https://target.com
Get free API token
Register at wpscan.com (free tier: 25 requests/day)
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Default scan
wpscan --url https://target.com
Enumerate plugins + themes + users
wpscan --url https://target.com -e ap,at,u --api-token YOUR_TOKEN
Brute force users via xmlrpc
wpscan --url https://target.com -P passwords.txt -U admin --max-threads 10
Aggressive enumeration
wpscan --url https://target.com -e ap,at,u --plugins-detection aggressive --api-token TOKEN
Output JSON
wpscan --url https://target.com -o report.json -f json
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- API token (free) is mandatory for vulnerability data — without it you get fingerprint only, no CVEs.
- --plugins-detection passive (default) — checks JS/CSS hints. aggressive brute-forces all plugin paths (slow but thorough).
- --max-threads 5 (default) — bump only if the target tolerates it. WordPress sites often choke at 20+.
- --throttle 250 adds a 250ms delay between requests — useful for fragile targets.
- --random-user-agent rotates the UA — sometimes bypasses naive WAF rules.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- XMLRPC brute-force is loud — Wordfence and modern WAFs detect this in seconds.
- -e ap hits every /wp-content/plugins/X/readme.txt in the dictionary — that’s thousands of requests, easy to log.
- Free API tier (25/day) runs out fast on big assessments. Pro is $59/mo for 750/day.
- Some plugins lie about version in readme.txt — fingerprint via JS file hashes for accuracy.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Nuclei + WordPress templates — same coverage, cleaner integration.
- CMSeek — multi-CMS (Joomla, Drupal, WP).
India context and engagement notes
Most Indian SMB websites are WordPress. WPScan + Nuclei wp-* templates is the 80/20 of finding their actual exposure. The CVE database is the value here, not the scanner itself.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.