WPScan WordPress Security Scanner

The WPScan CLI tool is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites. The WPScan CLI tool uses our database of 24,495 WordPress vulnerabilities.

Install now by running: gem install wpscan

What does WPScan check for?

  • The version of WordPress installed and any associated vulnerabilities
  • What plugins are installed and any associated vulnerabilities
  • What themes are installed and any associated vulnerabilities
  • Username enumeration
  • Users with weak passwords via password brute forcing
  • Backed up and publicly accessible wp-config.php files
  • Database dumps that may be publicly accessible
  • If error logs are exposed by plugins
  • Media file enumeration
  • Vulnerable Timthumb files
  • If the WordPress readme file is present
  • If WP-Cron is enabled
  • If user registration is enabled
  • Full Path Disclose
  • Upload directory listing
  • And much more...

WPScan Screenshots