Scan your WordPress site for security loopholes before hackers do it

Have you ever tested your WordPress site in terms of security? If not, do it right now with this tutorial before some school kid hacks you!

To begin, I would like to present some general statistics. WordPress is currently the most popular blogging platform in the world:

About 80 million pages powered by WordPress
1 420 000 new posts are published each day
30 000 plugins – and still growing!
46 million downloads of WordPress

I think those statistics show the true level of WordPress popularity. On the other hand, great popularity also means a great threat of hacking attacks. There are a lot of plugins and extensions which promise you security, but to be honest, they can only reduce the risk of an attack; none of them secures you 100%. Of course, you can order a professional penetration test for your website, but today I would like to present an alternative, free and fast way to perform a basic test which allows you to gather some information about your WordPress. I am talking about WPScan, a free application for non-commercial use. In this tutorial I will show you how to use it on Kali Linux, but if you prefer Debian or Mac OS, please follow this instruction to install WPScan on your favorite operating system.

Kali Linux is an operating system based on Debian, mostly used for penetration testing and packed with applications for hacking.

To run WPScan and see some examples of its usage, open the terminal on your Kali Linux machine and just type wpscan.

(Screenshot: WPScan help output with usage examples)

As you can see, WPScan is able to perform some tricks, like enumerating plugins, themes and users, and even logging in with the brute-force method (you can check this for didactic purposes on your own WordPress; everything you need to do is to prepare a password list in a .txt file, or download one from the Internet). That is one of the main reasons why your password has to be really strong. Okay, let's proceed with some real cases.

To perform a basic test of your site, you have to run the following command:

wpscan --url www.addressofmysite.com

and wait a while. When the scan is finished, you will see results similar to those below.

(Screenshot: WPScan basic scan results)

First of all, WPScan will try to verify whether some popular files, like robots.txt or readme.html, are available on the chosen site. Then the application identifies the server; in our case you can find information about the web server and the PHP version. What does this tell a potential attacker? He is able to match a specific exploit (https://www.exploit-db.com/) to your configuration. Next, WPScan will try to identify the WordPress version and additionally will show you the known vulnerabilities for this version, including references to articles which describe how to compromise your website using those bugs, or even to the exact exploit. In this case, everything the attacker has to do is download the exploit, type in the victim's address and click the „attack” button.

WPScan will do the same information gathering for installed themes:

(Screenshot: WPScan theme enumeration results)

At the beginning I told you that WPScan is also able to enumerate users. In order to do that, you have to modify the command by adding --enumerate u at the end, so the full command looks like the following:

wpscan --url www.addressofmysite.com --enumerate u

(Screenshot: WPScan user enumeration results)

Now, at the end of the report you can see a table with real user logins and display names. Remember that knowing the user login is 50% of a successful brute-force attack! What's more, the display names may contain a first name and surname; this information helps attackers a lot when gathering information to prepare a suitable password list.
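Everything WPScan does against your site leaves traces in the web server's access log: requests for readme.html and robots.txt, a sweep of /?author=N redirects or the REST users endpoint for user enumeration, and a burst of POSTs to wp-login.php for the brute-force step. The following script is an added example (not part of the original article and not WPScan's own code) that shows how an administrator can spot these patterns in an Apache/nginx combined-format log. The log lines, IP addresses and the User-Agent string are constructed for the example; the thresholds are assumptions you would tune for your own traffic. Detection is deliberately based on behaviour rather than the User-Agent, because a scanner can change its User-Agent freely.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Files WPScan probes during the information-gathering phase (see article text)
FINGERPRINT_PATHS = {"/readme.html", "/robots.txt", "/xmlrpc.php", "/wp-links-opml.php"}
# User-enumeration vectors: author-ID sweep and the REST users endpoint
AUTHOR_RE = re.compile(r"^/\?author=\d+$")
REST_USERS_PATH = "/wp-json/wp/v2/users"
LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, login_threshold=5, author_threshold=3):
    """Group requests per client IP and return {ip: [finding, ...]} for suspicious clients.

    Thresholds are assumptions: login_threshold POSTs to wp-login.php is treated as a
    brute-force attempt, author_threshold distinct ?author= values as an enumeration sweep.
    """
    per_ip = defaultdict(lambda: {"fingerprint": set(), "authors": set(),
                                  "rest_users": 0, "login_posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing on them
        state = per_ip[rec["ip"]]
        path = rec["path"]
        base = path.split("?", 1)[0]  # path without query string
        if base in FINGERPRINT_PATHS:
            state["fingerprint"].add(base)
        if AUTHOR_RE.match(path):
            state["authors"].add(path)
        if base == REST_USERS_PATH:
            state["rest_users"] += 1
        if base == LOGIN_PATH and rec["method"] == "POST":
            state["login_posts"] += 1

    report = {}
    for ip, state in per_ip.items():
        findings = []
        if len(state["fingerprint"]) >= 2:
            findings.append("fingerprinting")
        if len(state["authors"]) >= author_threshold or state["rest_users"]:
            findings.append("user-enumeration")
        if state["login_posts"] >= login_threshold:
            findings.append("login-brute-force")
        if findings:
            report[ip] = findings
    return report


# Constructed sample log: one scanning client (203.0.113.5) and one normal visitor (198.51.100.7).
_UA = '"-" "ExampleScanner/1.0 (constructed user-agent)"'
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /readme.html HTTP/1.1" 200 7123 {_UA}',
    f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 67 {_UA}',
    f'203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=1 HTTP/1.1" 301 0 {_UA}',
    f'203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 {_UA}',
    f'203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=3 HTTP/1.1" 404 0 {_UA}',
    f'203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 {_UA}',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 14022 "-" "Mozilla/5.0 (constructed)"',
    '198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)"',
]
# Six password guesses from the scanning client within a few seconds
SAMPLE_LOG += [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{40 + i} +0000] "POST /wp-login.php HTTP/1.1" 200 3400 {_UA}'
    for i in range(6)
]

if __name__ == "__main__":
    for ip, findings in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(findings)}")
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log"))`; a client flagged with all three findings in the span of a few minutes matches the scan described above almost exactly, and is a good candidate for rate limiting or blocking at the firewall.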

As you can see, the whole test takes about 3 minutes, is free and gives us very valuable information about our site, but remember: it also means that everyone else can do the same. So the fundamental question is how to mitigate the risk of an attack? First of all, make sure that your WordPress is always updated to the latest version! Older versions usually have publicly confirmed security bugs. The same applies to themes and plugins. Before using them, make sure that the chosen plugins and themes don't have any reported security bugs. To do that, you can use the WPScan Vulnerability Database.
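Checking plugins against a vulnerability database comes down to one question per advisory: is the installed version older than the version the fix shipped in, or is there no fix at all yet? The script below is an added example (not from the article and not the WPScan Vulnerability Database's own tooling) that performs that comparison offline. The plugin slugs, versions and advisory entries are constructed for illustration and do not describe real plugins or real vulnerabilities; in practice you would fill ADVISORIES from the database export for the plugins you actually run.

```python
import re


def parse_version(text):
    """Turn '2.4.1' or '3.0' into a tuple of ints; non-numeric suffixes are ignored (simplification)."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def version_lt(a, b):
    """Numeric comparison that treats '3.0' and '3.0.0' as equal by padding with zeros."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def check_plugins(installed, advisories):
    """Return a list of (slug, installed_version, fixed_in) for plugins affected by an advisory.

    installed:  {slug: version} as reported by the site (constructed here)
    advisories: [{"slug": ..., "title": ..., "fixed_in": version-or-None}, ...]
    A fixed_in of None means no patched release exists yet, so every installed version is affected.
    """
    findings = []
    for adv in advisories:
        version = installed.get(adv["slug"])
        if version is None:
            continue  # plugin not installed, advisory does not apply
        fixed = adv["fixed_in"]
        if fixed is None or version_lt(version, fixed):
            findings.append((adv["slug"], version, fixed))
    return findings


# Constructed inventory and advisories (hypothetical plugin names, not real vulnerabilities)
INSTALLED = {
    "example-gallery": "2.3.0",
    "example-forms": "1.0.0",
    "example-cache": "3.0",
    "example-seo": "5.1.0",
}
ADVISORIES = [
    {"slug": "example-gallery", "title": "Stored XSS in gallery captions (constructed)", "fixed_in": "2.4.1"},
    {"slug": "example-forms", "title": "Unauthenticated file upload (constructed)", "fixed_in": None},
    {"slug": "example-cache", "title": "Path traversal in cache purge (constructed)", "fixed_in": "3.0.0"},
    {"slug": "example-backup", "title": "SQL injection in export (constructed)", "fixed_in": "1.2.0"},
]

if __name__ == "__main__":
    for slug, version, fixed in check_plugins(INSTALLED, ADVISORIES):
        action = f"update to {fixed}" if fixed else "no fix available, disable or remove"
        print(f"{slug} {version}: {action}")
```

The "no fix available" branch is the important one: an advisory without a fixed_in version is not a false positive, it is the case where updating cannot help and the plugin should be disabled until a patched release appears.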

This article was written for didactic purposes, and its goal is to inform users and WordPress administrators about the potential threats of running an unprotected WordPress CMS. Please remember that you should obtain the necessary permission before running a WPScan test.