CyberCheatsheets

WPScan Cheat Sheet

WordPress security scanner for users, plugins, themes, and known vulnerabilities.

Category: Web Application Security | Tags: cms, enumeration, wordpress | Updated 2026-06-02

Overview

WPScan enumerates WordPress version, users, plugins, and themes and checks against vulnerability databases. Use on authorized WordPress targets during recon and vulnerability validation.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y wpscan

or

gem install wpscan
docker pull wpscanteam/wpscan

Essential commands

Basic enumeration (API token recommended for vuln data)

wpscan --url https://target.example

Aggressive enumeration with API token

wpscan --url https://target.example --api-token YOUR_TOKEN -e ap,at,u

Common workflows

Full enumeration:

wpscan --url https://target.example --api-token $WPSCAN_API_TOKEN \
  -e vp,vt,u,cb,dbe --plugins-detection aggressive

Password attack (only if in scope):

wpscan --url https://target.example -U admin,user1 -P /usr/share/wordlists/rockyou.txt \
  -t 5

Enumerate users and target weak logins:

wpscan --url https://target.example -e u1-50
wpscan --url https://target.example --random-user-agent

Docker run:

docker run --rm wpscanteam/wpscan --url https://target.example \
  --api-token $WPSCAN_API_TOKEN -e vp,vt

Flags reference

--url                  Target WordPress URL
--api-token            WPScan vulnerability API token
-e                     Enumerate (vp, vt, u, ap, at, cb, dbe)
--plugins-detection    passive, aggressive, mixed
-U                     Usernames or range
-P                     Password wordlist
-t                     Threads
--random-user-agent    Rotate User-Agent
-o                     Output file
--format               cli, json
--proxy                HTTP proxy URL
--force                Scan even if not WordPress

Tips

  • Register a free API token at [wpscan.com](https://wpscan.com) for CVE/plugin data.
  • -e ap,at with aggressive detection is noisy; confirm scope allows active checks.
  • Combine discovered plugin versions with manual exploit validation, not blind exploitation.
  • Use --proxy http://127.0.0.1:8080 to review requests in Burp.
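
The noise mentioned above is what the site owner sees in the access log. The following is an added example, not part of the original cheat sheet: it flags enumeration sweeps by request pattern rather than by User-Agent, since --random-user-agent rotates that header. It assumes combined log format and that user and plugin/theme enumeration appear as ?author=N requests and 404s under /wp-content/plugins/ or /wp-content/themes/; the log lines, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [02/Jun/2026:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [02/Jun/2026:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [02/Jun/2026:10:00:03 +0000] "GET /wp-content/plugins/plugin-a/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11)"
203.0.113.7 - - [02/Jun/2026:10:00:03 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 0 "-" "Opera/9.80"
203.0.113.7 - - [02/Jun/2026:10:00:04 +0000] "GET /wp-content/themes/theme-c/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (iPad)"
198.51.100.20 - - [02/Jun/2026:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.20 - - [02/Jun/2026:10:01:02 +0000] "GET /wp-content/plugins/plugin-d/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.44 - - [02/Jun/2026:10:02:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.5.0"
192.0.2.44 - - [02/Jun/2026:10:02:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.5.0"
192.0.2.44 - - [02/Jun/2026:10:02:01 +0000] "GET /blog/?author=5 HTTP/1.1" 404 0 "-" "curl/8.5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')
SLUG_RE = re.compile(r'^/wp-content/(?:plugins|themes)/([^/?]+)/')

def detect_enumeration(log_text, min_author_ids=3, min_missing_slugs=3):
    """Return {ip: [reasons]} for clients whose request pattern looks like a sweep."""
    author_ids, missing_slugs = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.groups()
        a = AUTHOR_RE.search(path)
        if a:
            author_ids[ip].add(int(a.group(1)))
        s = SLUG_RE.match(path)
        if s and status == "404":  # only slugs that are not installed count
            missing_slugs[ip].add(s.group(1))
    findings = {}
    for ip in sorted(set(author_ids) | set(missing_slugs)):
        reasons = []
        if len(author_ids[ip]) >= min_author_ids:
            reasons.append("author-id sweep")
        if len(missing_slugs[ip]) >= min_missing_slugs:
            reasons.append("plugin/theme slug probing")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

Counting distinct author IDs and distinct missing slugs per client keeps a single visitor who clicks one author link (198.51.100.20 in the sample) out of the results; tune both thresholds against real traffic.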
