Ultimate WPScan Cheat Sheet
The definitive black-box WordPress security scanner.
1. General Scanning
Basic non-intrusive scans to fingerprint the WordPress installation.
Simple Scan
Check WordPress version, theme, and basic vulnerabilities.
Aggressive Detection
Use active probing (mixed) instead of just passive methods.
2. Enumeration (-e)
The -e flag is the core of WPScan. Combine multiple options with commas.
Enumerate Users
Find usernames via Author Archives (ID 1-10).
Enumerate Components
Find vulnerable plugins (vp) and vulnerable themes (vt).
Full Enumeration
Find users, vulnerable plugins, vulnerable themes, and Timthumbs (tt).
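From the defender's side, the author-archive user enumeration described above shows up in web server access logs as one client requesting a run of `?author=N` URLs. The following is an added example, not part of the original cheat sheet or of WPScan: a log check that assumes Combined Log Format, uses a hypothetical threshold `min_ids`, and runs on constructed sample lines. It covers only the author-archive method.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def author_probes(lines):
    """Map client IP -> set of numeric author IDs requested via ?author=N."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines and methods other than GET/HEAD
        ip, target, _status = m.groups()
        for value in parse_qs(urlsplit(target).query).get("author", []):
            if value.isdecimal():
                seen[ip].add(int(value))
    return seen

def flag_enumeration(lines, min_ids=5):
    """Return {ip: sorted IDs} for clients that requested at least
    min_ids distinct author IDs (min_ids is a hypothetical threshold)."""
    return {ip: sorted(ids)
            for ip, ids in author_probes(lines).items()
            if len(ids) >= min_ids}

# Constructed sample log lines using documentation IP ranges, not real traffic.
SAMPLE = [
    f'203.0.113.7 - - [10/Jan/2025:10:00:{i:02d} +0000] '
    f'"GET /?author={i} HTTP/1.1" 301 0 "-" "-"'
    for i in range(1, 11)
] + [
    '198.51.100.4 - - [10/Jan/2025:10:01:00 +0000] '
    '"GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2025:10:01:05 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE).items():
        print(f"{ip} requested author IDs {ids}")
```

The check keys on distinct IDs per client rather than on the User-Agent, so it still fires when the User-Agent is randomized.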
3. Password Attacks
Perform a dictionary attack against found users or a specific user.
Brute Force All Found Users
Brute Force Specific User
Multithreading
Increase speed with -t (default is 5). Be careful not to crash the site.
4. Plugins & Themes (Deep Dive)
Aggressive Plugin Detection
By default, WPScan checks ~1,500 popular plugins. To check ALL 80,000+ plugins (slow), use aggressive mode.
Check Specific Plugin
Only scan for plugins in your custom list.
5. WPVulnDB API Token
Critical: Without an API token, WPScan only shows version numbers, NOT the actual vulnerabilities (CVEs).
Register & Get Token
Sign up at wpscan.com/api (the free tier allows 25 requests/day).
Using the Token
Save your token in a config file ~/.wpscan/scan.yml so you don’t have to type it every time.
6. Bypass & Performance
Bypass WAF / User-Agent
Randomize the User-Agent to avoid detection by security plugins (Wordfence, iThemes).
Stealth / Throttle
Wait 500ms between requests.
HTTP Auth
Scan a site behind basic authentication (.htaccess).
Cookie Session
Scan as a logged-in user.