Scan WordPress site Vulnerabilities using WPScan

July 14th, 2019 by

WPScan is a tool we can use to scan the WordPress websites for security flaws. It is free for non-commercial use. It is important to scan your WordPress website for vulnerabilities because we do not want to lose countless hours of work writing blog posts.

In this tutorial, we only need Kali Linux. WPScan is pre-installed in Kali.


Step 1: Update the local database.

Step 2: Scan a WordPress website

Replace the blog.tld with the desired domain name. Please ensure you have permission with the site owner before scanning their website.

If you encounter that error, you can try adding the –random-user-agent option.

We can see some information on the server, what version WordPress is currently running, plugins and more. This is important when doing reconnaissance since we need information like server info/plugins, and use that information to exploit vulnerable plugins or configurations.


Enumerating Users

You can use this command to enumerate all the username in the blog.

We can also limit the number of user WPScan will find.



For more option, you can execute to see more options you can use.


Step 3: Anonymity with TOR

We can preserve our anonymity by installing tor and making it work with WPScan. First, we need to install and start TOR Service

We need to use the –proxy option to allow us to use TOR with WPScann


Securing WordPress Website

There are tons of WordPress plugins which help improve our website security. We can use “Bulletproof Security Plugin” to scan our website for malware, restrict access for certain routes and monitor malicious user logins.

Spread the love


Leave a Reply

Your email address will not be published. Required fields are marked *