Skip to content
WPScan is a black box WordPress vulnerability scanner.
Pull request Compare This branch is 2002 commits behind wpscanteam:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

alt text


WPScan - WordPress Security Scanner Copyright (C), 2011-2012 Ryan Dewhurst AKA ethicalhack3r

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see

ryandewhurst at gmail


WPScan comes pre-installed on the following Linux distributions:

WPScan only supports Ruby => 1.9.

Installing on Debian/Ubuntu:

sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby

sudo gem install typhoeus nokogiri json

Installing on other nix: (not tested)

sudo gem install typhoeus nokogiri json

Installing on Mac OSX:

sudo gem install typhoeus nokogiri json


  • Typhoeus segmentation fault Update curl to at least v7.21 (you may have to install it from sources) See

  • If you have one the following errors : "-bash: !t: event not found", "-bash: !u: event not found" It happens with enumeration : just put the 't' or 'u' before the 'p!' : '-e tp!' instead of '-e p!t'


--update  Update to the latest revision

--url   | -u <target url>  The WordPress URL/domain to scan.

--force | -f Forces WPScan to not check if the remote site is running WordPress.

--enumerate | -e [option(s)]  Enumeration.
  option :
    u        usernames from id 1 to 10
    u[10-20] usernames from id 10 to 20 (you must write [] chars)
    p        plugins
    p!       only vulnerable plugins
    t        timthumbs
Multiple values are allowed : '-e tp' will enumerate timthumbs and plugins
If no option is supplied, the default is 'tup!'

--follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not

--wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed

--wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed

--proxy  Supply a proxy in the format host:port (will override the one from conf/browser.conf.json)

--wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.

--threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)

--username | -U <username>  Only brute force the supplied username.

--help     | -h This help screen.

--verbose  | -v Verbose output.


Do 'non-intrusive' checks...

ruby wpscan.rb --url

Do wordlist password brute force on enumerated users using 50 threads...

ruby wpscan.rb --url --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the 'admin' username only...

ruby wpscan.rb --url --wordlist darkc0de.lst --username admin

Enumerate installed plugins...

ruby wpscan.rb --url --enumerate p

Run all enumeration tools...

ruby wpscan.rb --url --enumerate

Use custom content directory...

ruby wpscan.rb -u --wp-content-dir custom-content


ruby wpscan.rb --update


--help    | -h   This help screen.
--Verbose | -v   Verbose output.
--update  | -u   Update to the latest revision.
--generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
--gpl  Alias for --generate_plugin_list


Generate a new 'most popular' plugin list, up to 150 pages...

ruby wpstools.rb --generate_plugin_list 150





WPScan is sponsored by the RandomStorm Open Source Initiative.

Something went wrong with that request. Please try again.