Skip to content

WPScan Cheat Sheet

wpscan is a WordPress security scanner used to enumerate users, plugins, themes, and identify known vulnerabilities in WordPress installations.

Basic Scan

wpscan --url https://example.com

Enumerate Users

wpscan --url https://example.com --enumerate u

Enumerate Plugins

wpscan --url https://example.com --enumerate p

Enumerate vulnerable plugins only: 

wpscan --url https://example.com --enumerate vp

Enumerate Themes

wpscan --url https://example.com --enumerate t

Aggressive Enumeration

wpscan --url https://example.com --enumerate ap,at,cb,dbe,u

Warning

Aggressive mode is noisy and easily detected.

API Token Usage

WPScan requires an API token for vulnerability data.

wpscan --url https://example.com --api-token YOUR_API_TOKEN

Password Attack (Brute Force)

wpscan --url https://example.com -U users.txt -P passwords.txt

Password spray: 

wpscan --url https://example.com -U users.txt -p Password123

Proxy Support

wpscan --url https://example.com --proxy http://127.0.0.1:8080

Random User-Agent

wpscan --url https://example.com --random-user-agent

Output Formats

wpscan --url https://example.com -o result.txt
wpscan --url https://example.com -o result.json --format json

Detection Modes

--plugins-detection mixed
--themes-detection mixed

Typical Workflow

wpscan --url target
Enumerate users
Enumerate plugins/themes
Check vulnerabilities
Manual validation

Common Issues

API rate limit exceeded

Use a valid API token.

Blocked by WAF

Use proxy or random user-agent.

  • nikto
  • burpsuite
  • whatweb
  • nuclei

Use Cases

  • WordPress security audits
  • Plugin vulnerability detection
  • Credential testing
  • Bug bounty reconnaissance

Danger

Use WPScan only on WordPress sites you own or have explicit permission to test.