Getting to Know WPScan Automated Blackbox Security Scanner for WordPress

Last updated on August 27th, 2019 by Robert Abela. Filed under WordPress Security

WPScan is a black box WordPress Security Scanner written in Ruby. Ideal for penetration testers, security professionals and WordPress administrators, WPScan can find security weaknesses within a WordPress blog or website.

WPScan WordPress Security Scanner runs on Linux distributions only. Unfortunately it does not yet support, and cannot run on, the Windows operating system. WPScan is also pre-installed on the BackBox, BackTrack, Pentoo, SamuraiWTF and Kali Linux distributions.

WPScan WordPress security scanner features

Non intrusive WordPress security scan

You can use the WPScan WordPress Security Scanner to launch a non intrusive security scan against a WordPress blog or website. During the security scan WPScan tries to identify plugins and themes that have known vulnerabilities, as well as other security weaknesses. For example, it runs a number of checks such as:

  • sensitive information disclosure (via directory listing and similar issues),
  • vulnerabilities in the activated theme,
  • the installed WordPress version,
  • the installed TimThumb version.

WordPress username enumeration & weak password cracking (bruteforce attack)

WPScan can enumerate all of the WordPress users of the target blog or website. This is useful if you then want to launch a brute-force attack against the target website, i.e. to check that WordPress users are using strong passwords.

WordPress plugins security – enumeration and vulnerability detection

WPScan WordPress Security Scanner can also check whether the installed WordPress plugins are vulnerable. By enabling the enumeration option during a scan, WPScan will enumerate the plugins installed on the target WordPress installation and advise you if a vulnerable WordPress plugin is detected. WPScan can also enumerate the WordPress themes on a target WordPress installation.
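The enumeration and password-checking activity described above also leaves a recognisable trail in a site's web server access log. The following script is an added example, not code from this article or from the WPScan project: it reads combined-format log lines and flags clients that show WPScan-like behaviour. The request signatures (author-ID and REST user probes, plugin readme.txt requests, repeated POSTs to wp-login.php, a User-Agent containing "WPScan"), the thresholds and the log field layout are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format; field layout assumed for the constructed sample below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Request shapes a WPScan run leaves in the log (assumed signatures, based on WPScan
# probing author IDs / the REST users endpoint and each plugin's readme.txt file).
USER_ENUM = re.compile(r'^/(\?author=\d+|wp-json/wp/v2/users)')
PLUGIN_ENUM = re.compile(r'^/wp-content/plugins/[^/]+/readme\.txt$')
LOGIN_PATH = '/wp-login.php'


def analyze_log(lines, enum_threshold=3, login_threshold=5):
    """Return {client_ip: [reasons]} for clients whose requests look like a WPScan run."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        c = counts[m['ip']]
        c['ua'] += 'WPScan' in m['ua']  # WPScan's default User-Agent names the tool
        c['users'] += bool(USER_ENUM.match(m['path']))
        c['plugins'] += bool(PLUGIN_ENUM.match(m['path']))
        c['logins'] += m['method'] == 'POST' and m['path'] == LOGIN_PATH
    findings = {}
    for ip, c in counts.items():
        reasons = []
        if c['ua']:
            reasons.append('WPScan user agent')
        if c['users'] >= enum_threshold:
            reasons.append(f"user enumeration ({c['users']} author/REST probes)")
        if c['plugins'] >= enum_threshold:
            reasons.append(f"plugin enumeration ({c['plugins']} readme.txt requests)")
        if c['logins'] >= login_threshold:
            reasons.append(f"password guessing ({c['logins']} POSTs to wp-login.php)")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample traffic (not real logs): one scanner-like client, one ordinary visitor.
SCANNER, VISITOR = '203.0.113.5', '198.51.100.7'
def _line(ip, method, path, ua):
    return f'{ip} - - [27/Aug/2019:10:00:00 +0000] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'
SAMPLE_LOG = (
    [_line(SCANNER, 'GET', f'/?author={i}', 'WPScan v3.x (constructed)') for i in range(1, 5)]
    + [_line(SCANNER, 'GET', f'/wp-content/plugins/plugin{i}/readme.txt', 'WPScan v3.x (constructed)') for i in range(3)]
    + [_line(SCANNER, 'POST', LOGIN_PATH, 'WPScan v3.x (constructed)')] * 6
    + [_line(VISITOR, 'GET', '/about/', 'Mozilla/5.0 (constructed)')]
)
```

Running `analyze_log(SAMPLE_LOG)` reports only the scanner-like client, with one reason per behaviour observed; the thresholds keep a single visit to an author page or a couple of failed logins from being flagged.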

Run frequent WordPress security scans

Installing a WordPress security plugin and applying all security tweaks is one thing; keeping your WordPress blog or website hacker- and malware-free is another. As a WordPress administrator you should run frequent security scans with WPScan and also:

The WPScan project's official website is
