    WP-SCAN-01
    12 min mhfh research 2024-05-13

    WPScan 101: The Definitive Guide to WordPress Vulnerability Scanning

    The foundational manual for deploying WPScan, integrating API telemetry, and executing baseline reconnaissance against WordPress infrastructure.

    $cat snippet_wpscan-vulnerability-scanner-guide.sh
    wpscan --url target.com --enumerate p --api-token $WPSCAN_API_TOKEN

    0x01. Introduction to the Apex Predator of CMS Auditing

    When analyzing the attack surface of a web application, generalized network scanners like Nmap or generic web vulnerability scanners like Nikto and Nessus often fall short against specialized Content Management Systems. They rely on broad signature matching and lack the contextual awareness required to parse the intricate, dynamic architecture of WordPress.

    To conduct a professional, surgical assessment of a WordPress environment, operators require a specialized toolchain. WPScan is the undisputed industry standard for this task.

    Maintained by the security team at Automattic (the corporate entity behind WordPress.com), WPScan is a highly aggressive, black-box vulnerability scanner written entirely in Ruby. It is engineered specifically to interact with WordPress infrastructure, mapping core versions, enumerating plugins and themes, extracting user data, and cross-referencing findings against the world's most comprehensive database of WordPress vulnerabilities.

    This first installment of our WordPress Hacking series serves as the foundational manual. We will cover the underlying architecture of the scanner, deployment protocols for operational security (OPSEC), API integration, and the execution of baseline reconnaissance to map the target's exterior defenses.


    0x02. Under the Hood: The CMS Scanner Framework

    Before deploying any offensive security tool, a professional operator must understand how it functions at the code level. WPScan is not a simple script; it is a complex piece of software built atop the CMS Scanner Framework.

    The Architecture of Detection

    WPScan operates completely externally (black-box). It does not require source code access, FTP credentials, or database hooks. Instead, it utilizes an advanced HTTP request engine (powered by the Typhoeus Ruby gem, which acts as a wrapper for libcurl) to send specifically crafted GET, POST, and HEAD requests to the target.

    It then analyzes the HTTP responses—evaluating status codes, parsing DOM structures, dissecting server headers, and calculating MD5 hashes of static assets (like CSS and JavaScript files)—to fingerprint the environment.

    Passive vs. Aggressive Capabilities

    WPScan divides its operational logic into two distinct methodologies:

    1. Passive Detection: The scanner behaves like a standard web browser. It fetches the homepage, parses the HTML source, and looks for explicit WordPress footprints. For example, it identifies links pointing to wp-content/plugins/ or wp-content/themes/ and records the active assets they reveal, without generating the anomalous request volume that triggers intrusion detection system (IDS) alerts.
    2. Aggressive Detection: The scanner abandons stealth and tests for the existence of known vulnerable plugins or themes by requesting thousands of direct file paths (e.g., target.com/wp-content/plugins/revslider/readme.txt). If the server answers 200 OK or 403 Forbidden, WPScan infers that the plugin is installed, even if nothing on the frontend references it.
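    To make the two detection modes concrete, here is an added example in Ruby (WPScan's own language); it is not code from WPScan or from this article. The first function shows what passive detection can read from a single page load, and the second shows what aggressive detection leaves behind in a web server's access log, which is the signal a defender would alert on. The HTML, the log lines, the host names and the IP addresses are all constructed sample data.

```ruby
# Added example (not WPScan's code): what passive detection can read from one
# page fetch, and how a defender can spot aggressive path probing in access
# logs. All inputs below are constructed sample data.
require 'set'

# Constructed HTML resembling a WordPress front page.
SAMPLE_HTML = <<~HTML
  <html><head>
  <meta name="generator" content="WordPress 6.3.1" />
  <link rel="stylesheet" href="https://example.test/wp-content/themes/twentytwentythree/style.css?ver=6.3.1" />
  <script src="https://example.test/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8"></script>
  <link rel="stylesheet" href="/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=8.1.0" />
  <script src="/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=5.8"></script>
  </head><body>Hello</body></html>
HTML

# Passive detection: everything here comes from one ordinary page load.
def passive_fingerprint(html)
  plugins   = html.scan(%r{/wp-content/plugins/([a-z0-9_-]+)/}i).flatten.uniq
  themes    = html.scan(%r{/wp-content/themes/([a-z0-9_-]+)/}i).flatten.uniq
  generator = html[/<meta name="generator" content="WordPress ([0-9.]+)"/i, 1]
  { plugins: plugins, themes: themes, version: generator }
end

# Constructed access-log lines (combined log format). 203.0.113.7 walks
# plugin readme.txt paths the way aggressive detection does; 198.51.100.9
# is an ordinary visitor loading a referenced asset.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [13/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  203.0.113.7 - - [13/May/2024:10:00:02 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"
  203.0.113.7 - - [13/May/2024:10:00:02 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 403 162 "-" "Mozilla/5.0"
  203.0.113.7 - - [13/May/2024:10:00:03 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
  203.0.113.7 - - [13/May/2024:10:00:03 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"
  203.0.113.7 - - [13/May/2024:10:00:04 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"
  198.51.100.9 - - [13/May/2024:10:00:05 +0000] "GET /wp-content/plugins/contact-form-7/includes/js/index.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Aggressive detection leaves a trail: one client requesting readme.txt under
# many distinct plugin/theme directories, most of which do not exist (404).
def probing_clients(log, threshold: 3)
  per_ip = Hash.new { |h, k| h[k] = { slugs: Set.new, misses: 0 } }
  log.each_line do |line|
    m = LOG_RE.match(line) or next
    slug = m[:path][%r{\A/wp-content/(?:plugins|themes)/([^/]+)/readme\.txt}, 1] or next
    per_ip[m[:ip]][:slugs] << slug
    per_ip[m[:ip]][:misses] += 1 if m[:status] == '404'
  end
  per_ip.select { |_, v| v[:slugs].size >= threshold }
        .map { |ip, v| { ip: ip, distinct_slugs: v[:slugs].size, not_found: v[:misses] } }
end

if $PROGRAM_NAME == __FILE__
  p passive_fingerprint(SAMPLE_HTML)
  p probing_clients(SAMPLE_LOG)
end
```

    The threshold of three distinct slugs is a starting point; on a busy site, tune it against real logs and a short time window so that legitimate crawlers fetching a handful of referenced assets do not trip it.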

    0x03. Tactical Deployment and Environment Staging

    For professional engagements, environment isolation is critical. We strongly recommend utilizing Docker for deployment.

    Method A: The Docker Deployment (Recommended)

    $cat output.bash
    # 1. Install Docker Engine
    sudo apt update && sudo apt install docker.io -y
    
    # 2. Pull the Official Image
    sudo docker pull wpscanteam/wpscan
    
    # 3. Executing an Ephemeral Scan
    sudo docker run -it --rm wpscanteam/wpscan --url https://target-site.com

    Method B: Native Kali Linux Installation

    $cat output.bash
    sudo apt update && sudo apt install wpscan

    Database Synchronization

    WPScan relies on a local SQLite database. Update it before every engagement.

    $cat output.bash
    wpscan --update

    0x04. Weaponizing the Intelligence: API Token Integration

    To unlock vulnerability mapping (CVE correlation), you must integrate with the WPVDB API.

    Integrating the Token Securely

    Method: Environment Variable (Recommended)

    $cat output.bash
    export WPSCAN_API_TOKEN="YOUR_SECRET_TOKEN_HERE"

    Note for Docker Users: Pass the variable into the container:

    $cat output.bash
    # -e passes the exported variable into the container; --api-token is given explicitly as in the other commands in this guide
    docker run -it --rm -e WPSCAN_API_TOKEN="$WPSCAN_API_TOKEN" wpscanteam/wpscan --url https://target-site.com --api-token "$WPSCAN_API_TOKEN"
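    The deployment and token steps above, gathered into one launcher as an added example (Ruby; not code from this article or from the WPScan project). It reads the token from a file that must be mode 0600, so the secret never sits in shell history, and builds the docker invocation as an argv array so no shell quoting is involved. The token file location under ~/.config/wpscan/, the /out mount point and the use of --format json with --output are choices made here; the -e variable and the --api-token flag are the ones used elsewhere in this guide.

```ruby
# Added example, not the article's or WPScan's code: a launcher for the Docker
# deployment that keeps the API token in a permission-checked file.
require 'fileutils'

# Assumed location of the token file (one line, the token itself).
TOKEN_FILE = File.expand_path('~/.config/wpscan/api_token')

# True only when no group/other permission bit is set (i.e. 0600 or tighter).
def token_file_private?(path)
  return false unless File.file?(path)
  (File.stat(path).mode & 0o077).zero?
end

# Build the docker argv as an array: each element is one argument, so URLs or
# paths containing spaces or quotes cannot be re-interpreted by a shell.
# The token enters the container environment via -e, and --api-token is
# passed as in the guide's own commands. JSON output lands in the mounted dir.
def docker_argv(url, outdir, token)
  ['docker', 'run', '--rm',
   '-e', "WPSCAN_API_TOKEN=#{token}",
   '-v', "#{File.expand_path(outdir)}:/out",
   'wpscanteam/wpscan',
   '--url', url,
   '--api-token', token,
   '--format', 'json',
   '--output', '/out/wpscan.json']
end

def run_scan(url, outdir, token_file = TOKEN_FILE)
  raise "refusing #{token_file}: file must be mode 0600" unless token_file_private?(token_file)
  token = File.read(token_file).strip
  FileUtils.mkdir_p(outdir)
  # system with an argv array execs docker directly, bypassing the shell.
  system(*docker_argv(url, outdir, token)) or raise 'wpscan exited non-zero'
end

if $PROGRAM_NAME == __FILE__ && ARGV.size == 2
  run_scan(ARGV[0], ARGV[1])
end
```

    Usage: `ruby wpscan_launch.rb https://target-site.com ./reports` after `chmod 600 ~/.config/wpscan/api_token`. The permission check fails closed: a token file that is group- or world-readable is rejected rather than used.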

    0x05. Phase 1 Execution: Baseline Reconnaissance

    The Command

    $cat output.bash
    wpscan --url https://target-site.com --api-token $WPSCAN_API_TOKEN

    Analyzing Telemetry Output

    1. Server Header Fingerprinting

    $cat output.text
    [+] URL: https://target-site.com/ [192.168.1.100]
    [+] Headers
     | Interesting Entry: Server: nginx/1.18.0 (Ubuntu)
     | Found By: Headers (Passive Detection)

    2. XML-RPC Exposure

    $cat output.text
    [+] xmlrpc.php found
     | URL: https://target-site.com/xmlrpc.php
     | Found By: Direct Access (Aggressive Detection)

    3. WordPress Core Fingerprinting

    $cat output.text
    [+] WordPress version 6.3.1 identified (Insecure).
     | [!] 12 vulnerabilities identified:
     | [!] Title: WordPress Core < 6.4.2 - Unauthenticated RCE via POP Chain
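    An added example (Ruby; not part of this article or of WPScan) that parses the output fragments above into a structured report and derives defender actions from it, so a baseline scan feeds a ticket queue rather than a screenshot. The sample text is constructed from the three fragments shown; a real scan prints more sections, and for automation WPScan's --format json is the more robust source. The parser handles only the line shapes shown here.

```ruby
# Added example, not the article's or WPScan's code: parse the CLI output
# fragments from the baseline scan and turn them into remediation actions.

# Constructed from the article's own output fragments.
SAMPLE_OUTPUT = <<~TXT
  [+] URL: https://target-site.com/ [192.168.1.100]
  [+] Headers
   | Interesting Entry: Server: nginx/1.18.0 (Ubuntu)
   | Found By: Headers (Passive Detection)

  [+] xmlrpc.php found
   | URL: https://target-site.com/xmlrpc.php
   | Found By: Direct Access (Aggressive Detection)

  [+] WordPress version 6.3.1 identified (Insecure).
   | [!] 12 vulnerabilities identified:
   | [!] Title: WordPress Core < 6.4.2 - Unauthenticated RCE via POP Chain
TXT

def parse_wpscan_output(text)
  report = { url: nil, ip: nil, server: nil, xmlrpc: false,
             version: nil, version_status: nil, vuln_count: 0, vuln_titles: [] }
  text.each_line do |raw|
    line = raw.strip.sub(/\A\|\s*/, '')          # drop the "|" continuation marker
    case line
    when /\A\[\+\] URL: (\S+) \[([\d.]+)\]/
      report[:url], report[:ip] = $1, $2
    when /\AInteresting Entry: Server: (.+)/
      report[:server] = $1
    when /\A\[\+\] xmlrpc\.php found/
      report[:xmlrpc] = true
    when /\A\[\+\] WordPress version ([\d.]+) identified \((\w+)/
      report[:version], report[:version_status] = $1, $2.downcase
    when /\A\[!\] (\d+) vulnerabilit(?:y|ies) identified/
      report[:vuln_count] = $1.to_i
    when /\A\[!\] Title: (.+)/
      report[:vuln_titles] << $1
    end
  end
  report
end

# Turn the parsed report into defender actions, most urgent first.
def triage(report)
  actions = []
  if report[:version_status] == 'insecure'
    actions << "update WordPress core from #{report[:version]} (#{report[:vuln_count]} known issues)"
  end
  if report[:xmlrpc]
    actions << 'restrict or disable xmlrpc.php (a common target for login brute-force and pingback abuse)'
  end
  if report[:server]
    actions << "suppress the Server header (#{report[:server]}) to reduce passive fingerprinting"
  end
  actions
end

if $PROGRAM_NAME == __FILE__
  report = parse_wpscan_output(SAMPLE_OUTPUT)
  p report
  triage(report).each { |a| puts "- #{a}" }
end
```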

    0x06. Bypassing Caching and WAF Obfuscation

    Bypassing Minification/Caching

    $cat output.bash
    wpscan --url https://target-site.com --wp-version-all

    Bypassing WAF/User-Agent Filtering

    $cat output.bash
    wpscan --url https://target-site.com --random-user-agent

    0x07. Strategic Transition

    In the next installment, we move from passive reconnaissance to active exploitation.

    WordPress Hacking Article 02: Advanced WPScan Enumeration, WAF Evasion, and Brute-Force Techniques


    /// INITIATE SECURE COMMS ///

    Are your WordPress assets hardened? Mobile Hacker For Hire provides elite, objective-based penetration testing and zero-day research.

    Contact Mobile Hacker For Hire for a Professional Infrastructure Assessment

    #WordPress #WPScan #Recon #Foundations #Docker