Wpscan is a WordPress security scanner used to test WordPress installations and WordPress-powered websites. This is a command line tool used in Kali Linux. This tool can be used to find any vulnerable plugins, themes, or backups running on the site.

It basically first detects all the vulnerabilities of a WordPress website. Then try to guess the username. After getting the username it tries to brute force the password with the help of a common wordlist file.

Remember: we are doing this test, in our local-machine. If you doing this in anyone website, then it might be illegal. Always first get the authority then try to do the penetration testing.

Use case:

Command 1: wpscan   –url   https://yoursite.com  or,   wpscan  –url  ip-address

This command will bring all the vulnerabilities and other possible information regarding that website.

Command 2: wpscan   –url  https://yoursite.com  -e  u   or,  wpscan –url   ip-address  -e  u

This command helps to detect the username which is used in that WordPress website.

Note: We found a username by ‘meshimanta’ on our localhost wordpress system.

 See another command to brute force password.

Command 3: wpscan  –url  https://yoursite.com  -U  username  -P  wordlist.txt

Or,    wpscan  –url  ip-address  -U  username  -P  wordlist.txt

Note: you see after brute forcing it found a valid combination, where username – meshimanta & password – charlos.

For information you watch our youtube video:   https://www.youtube.com/watch?v=XA9_BWD6Y9o&t=19s