Black Box WordPress Vulnerability Scanner – WPScan

Last Release: 04/04/2022     Last Commit: 08/22/2022

Black Box WordPress Vulnerability Scanner – WPScan


WPScan is a free and automated black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites. You can use it to remotely scan WordPress installations, to find vulnerabilities within the core version, plugins, and themes. It’s maintained by the WPScan Team.

WPScan Logo

WPScan v3.3.2 Released!

Disclaimer: Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.

WPScan: Black Box WordPress Vulnerability Scanner

WPScan is one of the best vulnerability scanner that allows attackers, pentesters/security professionals to perform enumeration attacks against the WP websites, in order to identify possible vulnerabilities. The enumeration attacks include enumerating installed themes, plugins, user accounts (brute force login credentials) and WordPress misconfigurations.

If you’re a WordPress developer or maintainer and you want to prevent hackers to exploit your website, this tool is a must-have. It works from the terminal (Linux & Mac OSX).


  • Detects known vulnerabilities in the WordPress core, plugins and themes,
  • Detects weak user’s credentials (usernames & passwords),
  • Checks overall WordPress security (mis)configuration,
  • Runs brute force penetration testings,
  • WordPress Version enumeration (from generator meta tag),
  • It can perform full server headers scanning,
  • Also performs miscellaneous WordPress checks (directory used, theme names, custom dirs, etc.).
  • It has vulnerability database, which is regularly updated.


This very popular scanner is not available for the Windows users, so if you want to perform WP vulnerability scanning you’ll need Linux OS or some UNIX flavor, such as: Ubuntu, CentOS, Debian, Fedora, Mac OSX.

It comes preinstalled on the following Linux distributions:

  • BackBox Linux, Kali Linux, Pentoo, ArchAssault, BlackArch.
  • mac OS X (WPScan is packaged by Homebrew as wpscan)


  • Ruby 2.3+
  • Curl 7.21+  (FYI the 7.29 has a segfault)
  • RubyGems 
  • git
* It’s recommended to use latest versions of listed prerequisites.

Install on Linux

Step 1 –  install dependencies.


$ sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev


$ sudo apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev


$ sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build


$ yum -y install gcc ruby-devel rubygem-bundler libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch git

Step 2 – Install it from the RubyGems or from the source:

From RubyGems:

$ gem install wpscan

From source – clone it from the github repo:

$ git clone
$ cd wpscan/
$ bundle install && rake install --without test


$ docker pull wpscanteam/wpscan


To see all available options, type --help:

ruby wpscan.rb --help
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.3.2
          Sponsored by Sucuri -
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_

Usage: wpscan [options]
       --url URL			The URL of blog to scan
					Allowed Protocols: http, https
					Default Protocol if none provided: http
					This option is mandatory unless update or help or version is/are suplied
    -h, --help				Display the help and exit
	--version			Displaythe version and exit
	--ignore-main-redirect		Ignore the main redirect (if any) and scan the target url
    -v, --verbose			Verbose mode
	--[no-]banner			Wheater or not to display the banner
					Default: true
    -o, --output FILE			Output to FILE
    -f, --format FORMAT			Output results in the format supplied
					Available choices: cli-no-colour, cli-no-color, json, cli
	--detetion-mode MODE		Default: mixed
					Available choices: mixed, passive, aggressive
	--scope DOMAINS			Comma separated (sub-)domains to consider in scope.
					Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld
					Separator to use between the values: ','	 

Before you start with scan, update the vulnerability database:

$ ruby wpscan.rb --update

To start the scanner, run:

$ ruby wpscan.rb --url exampleblog.tld

To check plugin vulnerabilities, run:

$ ruby wpscan.rb --url exampleblog.tld --enumerate p
Documentation Box
Download Box