Manual enumeration

  • Enumerate users by reviewing the archives and taking note of authors of blog posts

  • If you identify a login page, attempt to login with common credentials (admin, password, etc.).

    • Pay attention to errors produced through failed logins


wpscan is an open source scanner included with Kali.

If you use another distro you can download it here: https://github.com/wpscanteam/wpscan

Documentation here: https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation

Enumerating users

wpscan --url https://target.tld/ --enumerate u
wpscan --url example.com -e u
wpscan --url https://target.tld/ --enumerate u1-100

Brute force

wpscan --url example.com -e u --passwords /path/to/password_file.txt
wpscan --url example.com --passwords /usr/share/wordlists/rockyou.txt --usernames admin --max-threads 50

Scanning plugins

wpscan --url example.com -e vp --plugins-detection mixed --api-token YOUR_TOKEN

Enumeration modes

To enumerate version, plugins or themes, select from three modes: passive, aggressive, mixed. The default is mixed for most items, and passive for plugin detection. To override the default use the--plugins-detection option.

Mixed - provides the most results
Passive - useful when server overload is a concern
Aggressive - most aggressive

Other enumeration options

The following enumeration options are available and should be preceded by the -e flag. If no additional options are provided the default is: vp,vt,tt,cb,dbe,u,m

  • vp (Vulnerable plugins)

  • ap (All plugins)

  • p (Popular plugins)

  • vt (Vulnerable themes)

  • at (All themes)

  • t (Popular themes)

  • tt (Timthumbs)

  • cb (Config backups)

  • dbe (Db exports)

  • u (User IDs range. e.g: u1-5)

  • m (Media IDs range. e.g m1-15

Last updated