loading
loading
Scanners
WordPress security scanner for testing the security of WordPress sites.
overview
wpscan is a WordPress security scanner that fingerprints the CMS version, then enumerates plugins, themes, users, and interesting files against a maintained vulnerability database. Point it at a blog URL and it reports outdated components and known CVEs when an API token is present.
Enumeration is selective: --enumerate chooses vulnerable or popular plugins and themes, user ID ranges, config backups, and more. --stealthy switches to a quieter passive profile, while --detection-mode and per-component detection flags trade coverage for noise.
On Trickest the Scanners node takes a URL plus enumerate options and writes a file and a folder of findings. Use it when the target is confirmed WordPress; for many sites at once, prefer wpscan-loop.
source github.com/wpscanteam/wpscan
use cases
Run against a single --url with an --api-token so plugin and theme versions map to vulnerability data.
Use --enumerate u to recover author IDs and usernames that feed a later password attack or phishing check.
Enable --stealthy or --plugins-detection passive when you need coverage without aggressive probing.
Set --format json so downstream nodes can parse plugins, themes, and users without scraping CLI text.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | The URL of the blog to scan (http or https). Mandatory. |
| enumerate | STRING | --enumerate | Enumeration process: vp, ap, p, vt, at, t, tt, cb, dbe, u, m (comma separated). |
| api-token | STRING | --api-token | WPScan API token used to display vulnerability data. |
| format | STRING | --format | Output format: cli, json, cli-no-colour, or cli-no-color. |
| stealthy | BOOLEAN | --stealthy | Quiet profile: random UA, passive detection, passive plugin version checks. |
| detection-mode | STRING | --detection-mode | Global detection mode: mixed, passive, or aggressive (default mixed). |
| plugins-detection | STRING | --plugins-detection | Plugin enumeration mode: mixed, passive, or aggressive (default passive). |
| max-threads | STRING | --max-threads | Maximum concurrent threads (default 5). |
Showing key inputs. wpscan exposes 68 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | The URL of the blog to scan. Allowed Protocols: http, https. Default Protocol if none provided: http. This option is mandatory. |
| force | BOOLEAN | --force | Do not check if the target is running WordPress or returns a 403 |
| proxy | STRING | --proxy | Format: protocol://IP:port |
| scope | STRING | --scope | 'Comma separated (sub-)domains to consider in scope. Wildcard(s) allowed in the trd of valid domains, e.g: *.target.tld. Separator to use between the values: ',' |
| vhost | STRING | --vhost | The virtual host (Host header) to use in requests |
| format | STRING | --format | Output results in the format supplied. Available choices: cli, json, cli-no-colour, cli-no-color |
| server | STRING | --server | Force the supplied server module to be loaded. Available choices: apache, iis, nginx |
| headers | STRING | --headers | Additional headers to append in requests |
| verbose | BOOLEAN | --verbose | Verbose mode |
| stealthy | BOOLEAN | --stealthy | Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive |
| throttle | STRING | --throttle | Milliseconds to wait before doing another web request. If used, the max threads will be set to 1. |
| api-token | STRING | --api-token | The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile |
| cache-dir | STRING | --cache-dir | Default: /tmp/wpscan/cache |
| enumerate | STRING | --enumerate | Enumeration Process. Available Choices: vp (Vulnerable plugins), ap (All plugins), p (Popular plugins), vt (Vulnerable themes), at (All themes), t (Popular themes), tt (Timthumbs), cb (Config backups), dbe (Db exports), u (User IDs range. e.g: u1-5. Range separator to use: '-'. Value if no argument supplied: 1-10), m (Media IDs range. e.g m1-15. Note: Permalink setting must be set to 'Plain' for those to be detected. Range separator to use: '-'. Value if no argument supplied: 1-100). Separator to use between the values: ','. Default: All Plugins, Config Backups. Value if no argument supplied: vp,vt,tt,cb,dbe,u,m. |
| http-auth | STRING | --http-auth | Format: login:password |
| login-uri | STRING | --login-uri | The URI of the login page if different from /wp-login.php |
| no-banner | BOOLEAN | --no-banner | Don't display the banner |
| no-update | BOOLEAN | --no-update | Do not update the Database. |
| passwords | FILE | --passwords | List of passwords to use during the password attack. If no --username/s option supplied, user enumeration will be run. |
| proxy-auth | STRING | --proxy-auth | Format: login:password |
| user-agent | STRING | --user-agent | User agent |
| clear-cache | BOOLEAN | --clear-cache | Clear the cache before the scan |
| max-threads | STRING | --max-threads | The max threads to use. Default: 5 |
| cookie-string | STRING | --cookie-string | Cookie string to use in requests, format: cookie1=value1[; cookie2=value2 |
| detection-mode | STRING | --detection-mode | Default: mixed. Available choices: mixed, passive, aggressive |
| timthumbs-list | FILE | --timthumbs-list | List of timthumbs' location to use |
| usernames-file | FILE | --usernames | List of usernames to use during the password attack. |
| wp-content-dir | STRING | --wp-content-dir | The wp-content directory if custom or not detected, such as "wp-content" |
| wp-plugins-dir | STRING | --wp-plugins-dir | The plugins directory if custom or not detected, such as "wp-content/plugins" |
| wp-version-all | BOOLEAN | --wp-version-all | Check all the version locations |
| db-exports-list | FILE | --db-exports-list | List of DB exports' paths to use |
| password-attack | STRING | --password-attack | Force the supplied attack to be used rather than automatically determining one. Multicall will only work against WP < 4.4. Available choices: wp-login, xmlrpc, xmlrpc-multicall |
| request-timeout | STRING | --request-timeout | The request timeout in seconds. Default: 60 |
| users-detection | STRING | --users-detection | Use the supplied mode to enumerate Users, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| users-list-file | FILE | --users-list | List of users to check during the users enumeration from the Login Error Messages |
| medias-detection | STRING | --medias-detection | Use the supplied mode to enumerate Medias, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| themes-detection | STRING | --themes-detection | Use the supplied mode to enumerate Themes, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| themes-list-file | FILE | --themes-list | List of themes to enumerate. |
| themes-threshold | STRING | --themes-threshold | Raise an error when the number of detected themes via known locations reaches the threshold. Set to 0 to ignore the threshold. Default: 20 |
| user-agents-list | FILE | --user-agents-list | List of agents to use with --random-user-agent |
| usernames-string | STRING | --usernames | List of usernames to use during the password attack. Examples: 'a1', 'a1,a2,a3' |
| exclude-usernames | STRING | --exclude-usernames | Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required. |
| max-scan-duration | STRING | --max-scan-duration | Abort the scan if it exceeds the time provided in seconds |
| plugins-detection | STRING | --plugins-detection | Use the supplied mode to enumerate Plugins. Default: passive. Available choices: mixed, passive, aggressive |
| plugins-list-file | FILE | --plugins-list | List of plugins to enumerate. |
| plugins-threshold | STRING | --plugins-threshold | Raise an error when the number of detected plugins via known locations reaches the threshold. Set to 0 to ignore the threshold. Default: 100 |
| random-user-agent | BOOLEAN | --random-user-agent | Additional headers to append in requests. Separator to use between the headers: '; '. Examples: 'X-Forwarded-For: 127.0.0.1', 'X-Forwarded-For: 127.0.0.1; Another: aaa' |
| users-list-string | STRING | --users-list | List of users to check during the users enumeration from the Login Error Messages. Examples: 'a1', 'a1,a2,a3' |
| cache-time-to-live | STRING | --cache-ttl | The cache time to live in seconds. Default: 600 |
| connection-timeout | STRING | --connect-timeout | The connection timeout in seconds. Default: 30 |
| disable-tls-checsk | BOOLEAN | --disable-tls-checks | Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter) |
| themes-list-string | STRING | --themes-list | List of themes to enumerate. Examples: 'a1', 'a1,a2,a3' |
| themes-version-all | BOOLEAN | --themes-version-all | Check all the themes version locations according to the choosen mode (--detection-mode, --themes-detection and --themes-version-detection) |
| config-backups-list | FILE | --config-backups-list | List of config backups' filenames to use' |
| plugins-list-string | STRING | --plugins-list | List of plugins to enumerate. Examples: 'a1', 'a1,a2,a3' |
| plugins-version-all | STRING | --plugins-version-all | Check all the plugins version locations according to the choosen mode (--detection-mode, --plugins-detection and --plugins-version-detection) |
| timthumbs-detection | STRING | --timthumbs-detection | Use the supplied mode to enumerate Timthumbs, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| db-exports-detection | STRING | --db-exports-detection | Use the supplied mode to enumerate DB Exports, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| ignore-main-redirect | BOOLEAN | --ignore-main-redirect | Ignore the main redirect (if any) and scan the target url |
| main-theme-detection | STRING | --main-theme-detection | Use the supplied mode for the Main theme detection, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| wp-version-detection | STRING | --wp-version-detection | Use the supplied mode for the WordPress version detection, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| exclude-content-based | STRING | --exclude-content-based | Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration. Both the headers and body are checked. Regexp delimiters are not required. |
| multicall-max-passwords | STRING | --multicall-max-passwords | Maximum number of passwords to send by request with XMLRPC multicall. Default: 500 |
| config-backups-detection | STRING | --config-backups-detection | Use the supplied mode to enumerate Config Backups, instead of the global (--detection-mode) mode. Available choices: mixed, passive, aggressive |
| themes-version-detection | STRING | --themes-version-detection | Use the supplied mode to check themes versions instead of the --detection-mode or --themes-detection modes. Available choices: mixed, passive, aggressive |
| file-to-read-write-cokies | FILE | --cookie-jar | File to read and write cookies |
| plugins-version-detection | STRING | --plugins-version-detection | Use the supplied mode to check plugins versions. Default: mixed. Available choices: mixed, passive, aggressive |
| interesting-findings-detection | STRING | --interesting-findings-detection | Use the supplied mode for the interesting findings detection. Available choices: mixed, passive, aggressive |
example
# enumerate vulnerable plugins/themes and users on a WordPress sitewpscan --url https://example.com --enumerate vp,vt,u --format json --no-update[+] URL: https://example.com/[+] Started: Wed Jul 15 12:00:00 2026[+] Interesting Finding(s): | WordPress version 6.4.2 identified[+] Enumerating Vulnerable Plugins | Name: akismet - v5.3[+] Enumerating Users | id: 1 | login: admin[+] Finished: https://example.com/guidance
Use wpscan when the target is a WordPress site and you want plugin, theme, user, and vulnerability coverage in one pass. To scan many WordPress URLs at once, use wpscan-loop. For non-WordPress apps, use a template scanner such as nuclei.
Same scanner over a file of URLs. Use it to scan many WordPress sites in one node instead of one --url.
Template-based scanner across any stack. Broader coverage, but not WordPress-specialized like wpscan.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A blog URL feeds wpscan, which enumerates plugins, themes, and users, checks them against the vulnerability database, and writes the findings as a queryable output.
Facts on this page come from the live Trickest tool library.