WPScan – WordPress Security Scanner

WPScan is a vulnerability scanner which checks the security of WordPress installations using a black box approach – scanning without any prior knowledge of what has been installed.

Features

  • Username enumeration (from author querystring and location header)
  • Weak password cracking (multithreaded)
  • Version enumeration (from generator meta tag)
  • Vulnerability enumeration (based on version)
  • Plugin enumeration (2220 most popular by default)
  • Plugin vulnerability enumeration (based on version) (todo)
  • Plugin enumeration list generation
  • Other misc WordPress checks (theme name, dir listing, …)
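
Seen from the defender's side, the author-querystring enumeration listed above appears in web server access logs as one client requesting many ?author=N values. The following Ruby is an added example, not WPScan code; the log lines are constructed, and the function names and the threshold of 3 distinct ids are assumptions.

```ruby
require 'set'
require 'uri'

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2011:13:55:37 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Ruby"
  203.0.113.7 - - [10/Oct/2011:13:55:37 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "Ruby"
  198.51.100.20 - - [10/Oct/2011:14:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
  198.51.100.20 - - [10/Oct/2011:14:01:05 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.9 - - [10/Oct/2011:14:02:00 +0000] "GET /?p=12&author_note=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
LOG

# Captures client IP, request target and status code from one log line.
LINE_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) /

# Returns the numeric id of an exact "author" query parameter, or nil.
# Parsing the query avoids false hits on names such as "author_note".
def author_id(target)
  query = target.split('?', 2)[1]
  return nil unless query
  URI.decode_www_form(query).each do |key, value|
    return value.to_i if key == 'author' && value =~ /\A\d+\z/
  end
  nil
rescue ArgumentError # malformed percent-encoding in the query string
  nil
end

# Flags clients that requested at least `threshold` distinct author ids
# (threshold is an assumed starting value; tune it to your own traffic).
def author_enumeration(log, threshold: 3)
  probes = Hash.new { |h, ip| h[ip] = { ids: Set.new, redirects: 0 } }
  log.each_line do |line|
    m = LINE_RE.match(line)
    next unless m
    id = author_id(m[2])
    next unless id
    probes[m[1]][:ids] << id
    # A 3xx answer means the Location header may have exposed the author slug.
    probes[m[1]][:redirects] += 1 if m[3].start_with?('3')
  end
  probes.select { |_, e| e[:ids].size >= threshold }
        .map { |ip, e| { ip: ip, distinct_ids: e[:ids].size, redirects: e[:redirects] } }
end

puts author_enumeration(SAMPLE_LOG).inspect if __FILE__ == $PROGRAM_NAME
```

The redirects count shows how many probes were answered with a redirect, which is the number of usernames that may have been disclosed to that client.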

Requirements

WPScan requires two non-native Ruby gems, typhoeus and xml-simple. It should work on both Ruby 1.8.x and 1.9.x.

sudo apt-get install libcurl4-gnutls-dev
sudo gem install --user-install typhoeus
sudo gem install --user-install xml-simple