Scan Your WordPress For Security Vulnerabilities With WPScan

Mattias Geniar, Sunday, May 10, 2015 - last modified: Sunday, August 2, 2015

If you're comfortable at the CLI, WPScan is super easy to get going.

The project is open source on Github and uses the WPScan Vulnerability Database, an open dataset of known WordPress vulnerabilities.

Installation on a Mac is a piece of cake. Other methods and operating systems are documented on Github.

$ git clone
$ cd wpscan
$ bundle install --without test

The first time you run wpscan.rb, you'll be prompted to update the vulnerability database.

$ ./wpscan.rb

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]Y

[i] Updating the Database ...
[i] Update completed.

To scan your own site, simply pass the --url parameter.

$ ./wpscan.rb --url
[+] robots.txt available under: ''
[!] The WordPress '' file exists exposing a version number
[+] Interesting header: SERVER: nginx
[+] XML-RPC Interface available under:
[+] WordPress version 4.x.x identified from meta generator
[+] Enumerating plugins from passive detection ...
 | 9 plugins found:

[+] Finished: Sun May 10 16:19:35 2015
[+] Requests Done: 126
[+] Memory used: 20.738 MB
[+] Elapsed time: 00:00:12

It enumerates all known themes and plugins, detects the WordPress version and gives you a nice summary. In my case, I still had to remove a readme.html file that exposes the version number.

If it happens to find a known vulnerability, you'll be notified in the output. Like the example below:

[!] Title: Jetpack <= 3.5.2 - DOM Cross-Site Scripting (XSS)

This was from an old WordPress I had lying around that hadn't been updated in a while.

Very useful tool, I would recommend it to everyone to at least scan your own site once!

Hi! My name is Mattias Geniar. 👋 I'm an independent software developer ⌨️ & Linux sysadmin 👨‍💻, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear! Follow me on Twitter as @mattiasgeniar 🐦.

🔥 If you're stuck with a technical problem, I'm available for hire to help you fix it!

Share this post

Did you like this post? Help me share it on social media! Thanks. 🤗

Have feedback?

New comments have been disabled on this blog, existing comments will remain as-is. Want to give feedback? Is there a mistake in the post?

Send me a tweet on @mattiasgeniar!


BOK Sunday, July 5, 2015 at 12:51 -

FYI there is also a container image available: Saves all the hassle with Gems or rvm.

Inbound links