WPScan: A Comprehensive Guide to WordPress Vulnerability Scanning 2023

wpscan check versioin

Millions of Websites are running on WordPress CMS today, Is your website one of them? If Yes, Do you know about vulnerabilities exist on your website?

Think Again!! Is your WordPress website is hackable?

Check Again! Your WordPress website for vulnerabilities.

Today’s topic is wpscan Kali Linux Tutorial to Scan WordPress Website for Known Vulnerability. Yes, we are going to find out vulnerable WordPress core files, Plugins, and themes.

Wpscan a small tool written in ruby and preinstalled in Kali Linux, if you are using another Linux distribution, then install wpscan first.
I was checking my client’s website without any potential purpose, suddenly one question arises in my mind lets check the security. I had installed Kali Linux on a VirtualBox So I had started wpscan to scan the website for getting details about plugin and themes.

Trust me I found lots off aggressive detection, for example, open files, files access directly in browser, usernames and more.

Wpscan Kali Linux Tutorial

Wpscan is used to scan the wordpress website for known vulnerabilities within WordPress core files, plugin, and themes. you can enumerate users for a weak password, users and security misconfiguration.

I am going to tell you all the steps on how to use wpscan in Kali Linux.

In Kali Linux just open terminal and write following syntax to run wpscan


One of the following options is required: URL, update, help, hh, version, or use –help option.

So I used following command to check for available options in wpscan,

#wpscan –help

For Check the version

#wpscan –version

Next step to update wpscan, The database used by wpscan is wpvulndb.com maintains by the team and ever-growing list of vulnerabilities.

#wpscan –update

Scan complete website by giving url followed by –url option

#wpscan –url https://www.yourwebsite.com

If you want to scan website for checking vulnerable Plugin add the –enumerate vp argument

#wpscan –url https://www.yourwebsite.com –enumerate vp

Check the result carefully and you will find lots of information about plugins, if any vulnerable plugin exists, you will see red exclamation icon and relate information.

Do you find any vulnerable plugin?

If Yes.
Update the plugin as soon as possible, if you cannot update, plugins should be replaced or removed permanently.

Scan vulnerable Themes

Similar as plugin scan you need to add –enumerate vt argument to check your website for vulnerable themes.

#wpscan –url https://www.yourwebsite.com –enumerate vt

If you get results with red exclamation icons, it means your theme is vulnerable. You will find url and more information.

Do you have a vulnerable theme?
Update / Replace /Remove whatever you can.

WordPress User Enumeration by Wpscan

A small question for you:
“What if hackers know your WordPress website’s username?”
Will he hack your website?
What impact on your website?

Reply in the comment box.

By the way, it is easy to getting username list and their permissions by using a simple argument –enumerate u

#wpscan –url https://www.yourwebsite.com –enumerate u

If you are using Website firewall you will get error and wpscan will stop.

Brute Force Attack on WordPress website by using Wpscan

Password guessing in old technique to get the right password, and very hard if you are doing manually.

It is easy!

If you are using tool and a word-list.

At the end of tutorial, I am going to say a single phrase.
Don’t use your knowledge unethically.

If you have any questions tell me in the comment box.


If Appreciate My Work, You should consider:

3 thoughts on “WPScan: A Comprehensive Guide to WordPress Vulnerability Scanning 2023

  1. wpscan needs an api to fully work, I was looking for a beginner tutorial for how to include the api key I downloaded.
    I found that in kali it was necessary to add two dashes to the commands you have shown. So wpscan –version works. The tutorial looks like one dash, wpscan -version, which gives the error, Scan Aborted: –enumerate Unknown choice: rsion

    1. You’re correct. I was searching google for a tutorial on how to ad my API key to Wpscan and came across this. And while a decent tutorial it IS a bit dated. The older versions of wpscan used the syntax shown here… now days its 2 dashes ( — ) before “url”, and instead of using “–password, –username, etc, they have simplified it to be “-P, -U, and alot of other things..so its worth typing “wpscan –help”, or even “man wpscan” (opens the wpscan manual, with alot more info than “–help” has) and reading the current syntax.

  2. Hey, thanks for the tutorial. U said ‘wpscan’ won’t work if firewall is on, so it is necessary to close it or is there any other way to make ‘wpscan’ work.

Leave a Reply

Your email address will not be published. Required fields are marked *