Request a Demo Contact Us
Bugcrowd Acquires Informer to Enhance Offerings Across Attack Surface Management and Penetration Testing
Learn More

WPScan Security Scanner

WPScan is a security scanner designed for testing the security of websites built using WordPress.

WPScan is a security scanner designed for testing the security of websites built using WordPress. WPScan was developed using the Ruby programming language and then released in the first version in 2019. The WPScan security scanner is primarily intended to be used by WordPress administrators and security teams to assess the security status of their WordPress installations. It is used to scan WordPress websites for known vulnerabilities both in WordPress and commonly used WordPress plugins and themes. The code base for WPScan is licensed under GPLv3.

WPScan is a WordPress black box scanner. The goal for using WPScan is to execute the activities of a real threat actor. WPScan does not require access to the source code or the WordPress dashboard.  WPScan uses the vulnerability database which is a comprehensive list of WordPress core, plugin, and theme vulnerabilities. Frequently running WPScan is important to make sure that plug-ins and themes have no exposed vulnerabilities. Once set up, WPScan will run automatically on a daily basis. 

WPScan is a Ruby application and can be run on Linux (and macOS also) by installing the Ruby gem. You can also run it by cloning the corresponding WPScan Github repository. A quick start can be done by installing the WPScan plugin on the WordPress website. Alternatively, you can use a Docker image. WPScan is also included in Linux distributions including Kali Linux and Pentoo. 

WPScan has a strong feature set which includes, but is not limited to:

Username enumeration. Enumeration attacks involve an attacker trying to determine if a target exists on the target system. The threat actor tries to detect which users exist on a website. The threat actor can then use this information as part of a larger attack chain. WPScan will utilize enumeration techniques just like a real threat actor.  In a user enumeration attack, a threat actor will identify the variations in how WordPress responds to specific requests. Depending on the response received, the attacker can determine  if the user exists. The threat actor may be able to use this information as part of a larger attack. Standard WordPress installations are often vulnerable to user enumeration, so you will need to protect against this attack vector. WPScan can quickly identify if this vulnerability exists. WPScan will try to enumerate all users on a given WordPress installation. 

Version detection. WPScan can detect the versions of WordPress core, plugins and themes,

Publicly accessible sensitive data. WPScan can check for publicly accessible wp-config.php backups and other database exports.

Password cracking. WPScan also has a password cracker. This can help you check your website for weak authentication credentials. You would need to provide WPScan with a password dictionary of your choosing. In an online method, repeatedly try to log in using a login form displayed by the targeted website. Success is just a matter of time for threat actors to break weak passwords. In contrast, in an offline attack, threat actors attack hashes which they downloaded from a hacked target on their servers. The use of offline password cracking is much faster. But without a copy of your WordPress database, they have no choice but to try for an online attack. Brute force attacks are also an option, but generally take too much time and effort. Dictionary attacks generally provide the best return on time invested for a threat actor. A dictionary attack relies on the use of a list of commonly harvested passwords. Attackers have a lot of passwords available at their disposal as a result of all the data breaches major websites have faced over the years.

Version enumeration. WPScan can check theme and plugin versions against the WordPress vulnerability database. WPScan will also flag if the version of WordPress you are running contains security vulnerabilities. This results in a prompt to upgrade to the current version of WordPress.


WPScan is actually not Open Source software. WPScan is licensed with a custom license that requires a fee to be paid if used commercially. Please check the WPScan website here for the best data: 

Other important security considerations for WordPress sites

  • Maintenance of a WordPress audit trail of all WordPress website activity and changes.
  • A WordPress firewall helps filter incoming traffic to WordPress websites. Good traffic is allowed to access the website, while malicious and suspect traffic and bots are blocked. WordPress firewalls can also be configured to stop attacks on specific targeted entry points and other vulnerabilities within a WordPress website.
  • The establishment of strong WordPress authentication and password policies
  • The use of two-factor authentication.


Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.

Get started with Bugcrowd

Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.