WPScan Cheatsheet: WordPress Vulnerability Scanner Guide

WPScan is a powerful vulnerability scanner designed for WordPress websites. Trusted by ethical hackers and security professionals, WPScan helps identify vulnerable plugins, themes, and core files. This cheatsheet includes essential commands, usage options, API integration, and real-world tips to secure WordPress efficiently.

The Ultimate WordPress Security Scanner Reference Guide

Basic WPScan Commands

Basic Scan
wpscan --url https://example.com
Performs a basic scan of the WordPress site.
Update Database
wpscan --update
Updates the WPScan vulnerability database.
Help Menu
wpscan --help
Displays all available options.
Version Check
wpscan --version
Displays the current WPScan version.
Disable SSL Verification
wpscan --url https://example.com --disable-tls-checks
Disables SSL/TLS certificate verification.
Scan with Random User Agent
wpscan --url https://example.com --random-user-agent
Uses a random user agent for each request.

Enumeration Options

Enumerate Users
wpscan --url https://example.com --enumerate u
Enumerates WordPress users.
Enumerate Plugins
wpscan --url https://example.com --enumerate p
Enumerates installed plugins.
Enumerate Themes
wpscan --url https://example.com --enumerate t
Enumerates installed themes.
Enumerate Timthumbs
wpscan --url https://example.com --enumerate tt
Enumerates timthumb files.
Enumerate Config Backups
wpscan --url https://example.com --enumerate cb
Looks for configuration backup files.
Enumerate DB Exports
wpscan --url https://example.com --enumerate dbe
Looks for database exports.
Enumerate Media
wpscan --url https://example.com --enumerate m
Enumerates media files.
Aggressive Enumeration
wpscan --url https://example.com --enumerate
Runs all enumeration methods except brute force.
Vulnerable Plugins Only
wpscan --url https://example.com --enumerate vp
Only checks for plugins with known vulnerabilities.
Limit Enumeration
wpscan --url https://example.com --enumerate u1-10
Limits user enumeration to user IDs 1 through 10.

Brute Force Attacks

Password Attack
wpscan --url https://example.com --passwords passwords.txt
Performs password attack against all users.
Username/Password Attack
wpscan --url https://example.com --usernames users.txt --passwords passwords.txt
Performs attack with username/password combinations.
Specific User Attack
wpscan --url https://example.com --usernames admin --passwords passwords.txt
Targets a specific username (--usernames accepts a single name, a comma-separated list, or a file).
Multi-threaded Attack
wpscan --url https://example.com --usernames admin --passwords passwords.txt --max-threads 10
Increases threads for faster brute force.
Password Attack with Cookies
wpscan --url https://example.com --passwords passwords.txt --cookie-string "wordpress_logged_in=..."
Uses cookies for authenticated brute force.
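WP XML-RPC Brute Force
wpscan --url https://example.com --passwords passwords.txt --password-attack xmlrpc-multicall --multicall-max-passwords 50
Uses XML-RPC for more efficient brute force, sending up to 50 passwords per request (multicall only works against WordPress versions before 4.4).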
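From the site owner's side, the user enumeration and password attacks above leave recognizable traces in the web server access log. The following is an added example, not part of the original cheatsheet or of WPScan: a heuristic that flags client IPs probing sequential `?author=N` URLs or sending repeated POSTs to `/wp-login.php` or `/xmlrpc.php`. The log lines, thresholds and finding names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4120
198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [10/Mar/2024:10:03:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")
LOGIN_PATHS = {"/wp-login.php": "wp-login-bruteforce", "/xmlrpc.php": "xmlrpc-bruteforce"}


def analyze(log_text, author_ids=3, auth_posts=3):
    """Return {ip: sorted list of findings} for IPs crossing either threshold."""
    authors = defaultdict(set)                     # ip -> distinct author IDs requested
    posts = defaultdict(lambda: defaultdict(int))  # ip -> finding name -> POST count
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, _status = m.groups()
        path = target.split("?", 1)[0]
        hit = AUTHOR_RE.search(target)
        if method == "GET" and hit:
            authors[ip].add(int(hit.group(1)))
        elif method == "POST" and path in LOGIN_PATHS:
            posts[ip][LOGIN_PATHS[path]] += 1
    findings = defaultdict(set)
    for ip, ids in authors.items():
        if len(ids) >= author_ids:
            findings[ip].add("user-enumeration")
    for ip, counts in posts.items():
        for name, n in counts.items():
            # One system.multicall POST can carry many guesses, so this
            # count is a lower bound for XML-RPC attacks.
            if n >= auth_posts:
                findings[ip].add(name)
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(found))
```

Matching on paths rather than the User-Agent header keeps the check useful when a scan is run with --random-user-agent or --user-agent.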

Vulnerability Scanning

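Check for Vulnerabilities
wpscan --url https://example.com --enumerate vp --plugins-detection mixed
Checks only for vulnerable plugins, using mixed (passive and aggressive) plugin detection.
Vulnerable Plugins Only
wpscan --url https://example.com --enumerate vp --plugins-detection passive
Only checks passively detected plugins against the vulnerability DB.
Check Specific Plugin
wpscan --url https://example.com --enumerate p --plugins-list hello-dolly --plugins-detection aggressive
Checks a specific plugin for vulnerabilities (--plugins-list accepts a comma-separated list or a file).
Check Specific Theme
wpscan --url https://example.com --enumerate t --themes-list twentytwenty --themes-detection aggressive
Checks a specific theme for vulnerabilities.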
Vulnerability API Token
wpscan --url https://example.com --api-token YOUR_API_TOKEN
Uses WPScan API for vulnerability data.
Ignore SSL Errors
wpscan --url https://example.com --disable-tls-checks
Ignores SSL certificate errors.

Advanced Options

Custom Request Rate
wpscan --url https://example.com --throttle 100
Waits 100 ms between requests; when throttling is set, WPScan also drops to a single thread.
Custom User Agent
wpscan --url https://example.com --user-agent "Mozilla/5.0"
Uses a custom user agent.
Proxy Configuration
wpscan --url https://example.com --proxy http://127.0.0.1:8080
Routes traffic through a proxy.
Basic Authentication
wpscan --url https://example.com --http-auth user:password
Uses basic HTTP authentication.
Custom WordPress Path
wpscan --url https://example.com/blog --wp-content-dir custom-wp
Scans a WordPress install under /blog whose wp-content directory has been renamed to custom-wp.
Stealthy Scan
wpscan --url https://example.com --stealthy
Uses stealthy techniques to avoid detection; shortcut for --random-user-agent --detection-mode passive --plugins-version-detection passive.
Force Detection
wpscan --url https://example.com --force
Forces detection even if site doesn’t look like WordPress.
Custom Cookies
wpscan --url https://example.com --cookie-string "wordpress_logged_in=..."
Uses custom cookies for authenticated scanning.

Output Options

Save Output to File
wpscan --url https://example.com --output scan.txt
Saves output to a text file.
Format Output
wpscan --url https://example.com --format json
Outputs results in JSON format.
Verbose Output
wpscan --url https://example.com --verbose
Provides detailed output.
Debug Mode
wpscan --url https://example.com --debug
Shows debug information.
No-Color Output
wpscan --url https://example.com --format cli-no-colour
Disables color output (useful for logging).
Quiet Mode
wpscan --url https://example.com --no-banner
Suppresses the banner.

Common Scan Combinations

Full Vulnerability Scan
wpscan --url https://example.com --enumerate u,p,t --plugins-detection mixed
Comprehensive scan for users, plugins, themes and vulnerabilities.
Stealthy Vulnerability Scan
wpscan --url https://example.com --stealthy --random-user-agent --throttle 500
Slower scan to avoid detection.
Quick Security Check
wpscan --url https://example.com --plugins-detection passive --format json --output results.json
Quick check for vulnerable plugins with JSON output.
Authenticated Scan
wpscan --url https://example.com --cookie-string "wordpress_logged_in=..." --enumerate vp,vt
Scan with authenticated session for more detailed results.
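The Quick Security Check above writes results.json; the following added example (not part of the original cheatsheet or of WPScan) turns such a report into a patch list and a CI exit code. The field names in the sample are an assumption about the JSON layout and the sample report itself is constructed, so compare it with a report from your own scanner version before relying on it.

```python
import json
import sys

# Constructed sample shaped like `--format json` output. The field names are
# an assumption; check them against a report from your scanner version.
SAMPLE = json.loads("""{
  "version": {"number": "5.8", "status": "insecure",
    "vulnerabilities": [{"title": "Sample core issue", "fixed_in": "5.8.1"}]},
  "main_theme": {"slug": "twentytwenty", "version": {"number": "1.8"},
    "outdated": true, "vulnerabilities": []},
  "plugins": {
    "hello-dolly": {"version": null, "outdated": false, "vulnerabilities": []},
    "sample-forms": {"version": {"number": "2.1"}, "outdated": true,
      "vulnerabilities": [{"title": "Sample SQLi", "fixed_in": "2.3"},
                          {"title": "Sample XSS", "fixed_in": null}]}}
}""")


def components(report):
    """Yield (label, installed_version, data) for core, main theme, plugins."""
    core = report.get("version")
    if core:
        yield "core", core.get("number"), core
    theme = report.get("main_theme")
    if theme:
        yield "theme:" + theme.get("slug", "?"), (theme.get("version") or {}).get("number"), theme
    for slug, data in (report.get("plugins") or {}).items():
        # "version" is null when the scanner could not fingerprint the plugin.
        yield "plugin:" + slug, (data.get("version") or {}).get("number"), data


def triage(report):
    """Return (vulnerable rows, labels that are only outdated)."""
    vulnerable, outdated = [], []
    for label, installed, data in components(report):
        vulns = data.get("vulnerabilities") or []
        for v in vulns:
            vulnerable.append((label, installed, v.get("title"), v.get("fixed_in")))
        if data.get("outdated") and not vulns:
            outdated.append(label)
    return vulnerable, outdated


if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    vulnerable, outdated = triage(report)
    for row in vulnerable:
        print("VULN", *row)
    print("OUTDATED", *outdated)
    sys.exit(1 if vulnerable else 0)  # non-zero fails a CI job
```

A `fixed_in` of null means no fixed release is recorded, so the remediation for that row is removal or a compensating control rather than an update.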
