How to do WordPress Pen testing using WPScan

WordPress is a open source tool used for blogging & other beautiful websites design. WordPress is a CMS (Content management System) that works through Php & Sql. Here we are going to conduct Wordpress testing using wpscan.

WordPress testing using wpscan

WordPress is so much used by everyone that many questions have arrived in the security of this technology.


WordPress testing using wpscan. WPScan is pen testing tool that is used for checking the vulnerability of a WordPress website. It was developed by Ryan Dewhurst and sponsored by Sucuri. It is pre-installed with many distributions of linux such as BackBox Linux, Kali Linux, Pentoo, SamuraiWTF, BlackArch. WPScan do not support windows.

Wordpress testing using wpscan
WordPress testing using wpscan

WPScan can enumerate theme, plugins, users, HTTP proxy but it does not check the source code of the page.
Also Read : RHEL 6.9 the last version of RHEL family is released

Commands Used in Pen testing WordPress site

One by one all the commands are written below. There are many things which you need to do for the testing of WordPress site.
Enumerate WordPress version, theme and plugin
• wpscan –url –enumerate p
• wpscan –url –enumerate t
Enumerate WordPress users
• wpscan –url –enumerate u

How to pentest your WordPress website

Launch a brute-force attack
wpscan –url –wordlist /root/Desktop/password.txt –username kcwto
Enumerate timthumbs
If you are still using TimThumb, even after a very serious vulnerability, you have one more reason to be concerned.
wpscan –url –enumerate tt
Store the output in a separate File
wpscan –url –debug-output 2>debug.log
Also Read : Learn basics of Linux hacking for hacking aspirants Part 14
Pen testing is an art that depends on the analysis & knowledge of the hacker. The commands given here are the basics of testing. You must be aware about every aspect of the site for which the test is conducted.
Write us in the comment box for any help. Thank You.

Leave a Comment