WPScan
WPScan is the most used tool to enumerate and attack WordPress. You can also use their API to automatically detect vulnerabilities.
- GitHub (8.2k ⭐)
- User Documentation
Before every scan, update the local metadata database:
$ wpscan --update # may be automatically performed
$ wpscan --url URL
By default, it uses -e/--enumerate with vp,vt,tt,cb,dbe,u,m.
$ wpscan --url URL -e t,vt # themes | vulnerable themes
$ wpscan --url URL -e ap # all plugins
$ wpscan --url URL -e p,vp # popular plugins | vulnerable plugins
$ wpscan --url URL -e u # users
You can select aggressive/passive when scanning. Try both if you can.
$ wpscan --url URL -e t --plugins-detection aggressive
$ wpscan --url URL -e t --plugins-detection passive
You can try to brute force accounts:
$ wpscan --url URL -P wordlist -U username # or a comma-separated list: username,username2,...
You can increase the number of threads:
$ wpscan [...] -t 5 # default
You may have to add --random-user-agent to bypass a simple WAF:
$ wpscan [...] --random-user-agent
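Seen from the defender's side, the --random-user-agent option above is why a User-Agent rule alone misses these scans, while the request pattern of plugin and user enumeration still shows up in access logs. The following is an added example, not part of the original page or of WPScan. It assumes combined-format access logs, a default User-Agent beginning with "WPScan v", and an arbitrary threshold; the log lines, IP addresses and plugin slugs are constructed.

```python
import re
from collections import defaultdict

# Combined log format: we only need client IP, request path, status and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/?]+)/")
USER_ENUM_RE = re.compile(r"^/\?author=\d+|^/wp-json/wp/v2/users")
PLUGIN_404_THRESHOLD = 3  # assumed value, kept low for the sample; tune on real traffic


def detect_wp_enumeration(lines, plugin_threshold=PLUGIN_404_THRESHOLD):
    """Return {ip: sorted reasons} for clients whose requests look like WordPress enumeration."""
    missing_plugins = defaultdict(set)  # ip -> distinct plugin slugs that answered 404
    findings = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        ip, path, status, ua = m["ip"], m["path"], m["status"], m["ua"]
        if ua.startswith("WPScan v"):  # assumed default UA; gone with --random-user-agent
            findings[ip].add("wpscan-user-agent")
        if USER_ENUM_RE.search(path):
            findings[ip].add("user-enumeration")
        pm = PLUGIN_RE.match(path)
        if pm and status == "404":
            missing_plugins[ip].add(pm.group(1))
    for ip, slugs in missing_plugins.items():
        if len(slugs) >= plugin_threshold:  # many distinct non-existent plugins probed
            findings[ip].add("plugin-probing")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


# Constructed sample log lines (documentation IP ranges, invented plugin slugs).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "WPScan v0.0.0 (constructed)"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/plugins/example-a/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:01 +0000] "GET /wp-content/plugins/example-b/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-content/plugins/example-c/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:03 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-content/plugins/real-plugin/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:02:05 +0000] "GET /wp-content/plugins/old-plugin/app.js HTTP/1.1" 404 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, reasons in detect_wp_enumeration(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The second client in the sample sends a browser-like User-Agent and is still flagged on behaviour alone; the third, with a single stale plugin URL, is not.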