Sinch Blog
Published in

Sinch Blog

The most powerful scanner for WordPress.

Among the various challenges we have at Wavy, sometimes we need to perform some tests on platforms with WordPress and for this our security team usually uses WPscan.

WordPress is today the largest blogging platform and website used on the internet and being the largest or being among the largest, is always the target of crackers. To help Penetration Testers and developers keep their applications secure, a team of researchers developed the WPScan.

The WPscan (Wordpress Security Scanner) as his name implies, is a tool to perform pentests BlackBox type in Wordpress platform.

It was developed and is maintained by the own WPscan Team and receives sponsorship from Sucuri Company.

As the vast majority of pentest tools, the WPscan comes installed in major distributions aimed at the realization of Pentest, like Kali Linux and BackBox.


If you prefer to perform a manual installation of the tool, you can follow the steps below:

First, install the dependencies:

** For the article, will be used as an example the Ubuntu and Fedora, other distros and info can be found in the article reference links


sudo apt-get install libcurl4-OpenSSL-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev


sudo dnf install gcc ruby-devel libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch rpm-build

Now we can do the direct clone from GitHub:

git clone

cd wpscan

sudo gem install bundler && bundle install — without test

If you prefer, we still have the option of using the Docker. Download the WPscan image straight from the repository Docker following the steps below:

docker pull wpscanteam/wpscan

To run, follows sample line

docker run -it — rm wpscanteam/wpscan -u


As we can see the WPscan has many options, but we will demonstrate the use of three options in that article, which are: BruteForce, Enumerate users and plugins.

Our target is the site running in

The first time you run WPscan, you will be asked if you want to check if there is any update.

Passing only the URL, without using the options, the WPscan brings us some interesting information, such as version of WordPress vulnerable version of web server and other important information about the server and about the theme installed.

We did a passive attack and from now on we do tests and more intrusive attacks and for this I recommend use of SOCKS5, when using the tool outside of your lab tests, which allow us to perform the WPscan through the TOR network.

** We could use proxychains to such activity.

Let’s enumerate users and system plugins.

$ wpscan -u -e u,p — log wordpress.pwned

Now we have some more interesting information about our target.

For example, we now have active plugin information

When we have a plugin active and with a vulnerability published, it is reported by the WPscan, but it’s not our case.

And we have a list of users, that we use to make our brute force attack.

To execute the attack having a single user targets, use the following command:

$ wpscan -u — wordlist /root/wordlist.lst — username admin

If we want to use all the users that were listed, simply omit the — user option.

$ wpscan -u — wordlist /root/wordlist.lst

* Important pass the full path of the wordlist file, otherwise the WPscan will get the default path that is/usr/share/wpscan/, or you can copy your wordlist to it.


As we can see the wpscan is a very useful and effective tool for attacks on top of platforms WordPress.

A very complete tool that allows us to go from a single fingerprint to brute force attacks.

Has several options that can help you in day to day problems of Penetration Testers, allowing various types of obfuscation of the attacks.




Chatbots, Conversational Channels, Artificial Intelligence, Products and Engineering are our passions. See stories by Sinchers about it and our Culture. Dream Big, Win Together, Kep It Simple and Make It Happen: this is how we create experiences.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store