1. General Scanning

Basic non-intrusive scans to fingerprint the WordPress installation.

Simple Scan

Check WordPress version, theme, and basic vulnerabilities.

Aggressive Detection

Use active probing (mixed) instead of just passive methods.

2. Enumeration (-e)

The -e flag is the core of WPScan. Combine multiple options with commas.

Enumerate Users

Find usernames via Author Archives (ID 1-10).

Enumerate Components

Find vulnerable plugins (vp) and vulnerable themes (vt).

Full Enumeration

Find Users, Vulnerable Plugins, Vulnerable Themes, and Timthumbs (tt).

3. Password Attacks

Perform a dictionary attack against found users or a specific user.

Brute Force All Found Users

Brute Force Specific User

Multithreading

Increase speed with -t (Default is 5). Be careful not to crash the site.

4. Plugins & Themes (Deep Dive)

Aggressive Plugin Detection

By default, WPScan checks ~1,500 popular plugins. To check ALL 80,000+ plugins (slow), use aggressive mode.

Check Specific Plugin

Only scan for plugins in your custom list.

5. WPVulnDB API Token

Critical: Without an API token, WPScan only shows version numbers, NOT the actual vulnerabilities (CVEs).

Register & Get Token

Sign up at wpscan.com/api (Free tier allows 25 requests/day).

Using the Token

6. Bypass & Performance

Bypass WAF / User-Agent

Randomize the User-Agent to avoid detection by security plugins (Wordfence, iThemes).

Stealth / Throttle

Wait 500ms between requests.

HTTP Auth

Scan a site behind basic authentication (.htaccess).

Cookie Session

Scan as a logged-in user.