Wpscan is a WordPress security scanner used to test WordPress installations and WordPress-powered websites. This is a command line tool used in Kali Linux. This tool can be used to find any vulnerable plugins, themes, or backups running on the site.
It basically first detects all the vulnerabilities of a WordPress website. Then try to guess the username. After getting the username it tries to brute force the password with the help of a common wordlist file.
| Remember: we are doing this test, in our local-machine. If you doing this in anyone website, then it might be illegal. Always first get the authority then try to do the penetration testing. |
Use case:
Command 1: wpscan –url https://yoursite.com or, wpscan –url ip-address
This command will bring all the vulnerabilities and other possible information regarding that website.
Command 2: wpscan –url https://yoursite.com -e u or, wpscan –url ip-address -e u
This command helps to detect the username which is used in that WordPress website.
Note: We found a username by ‘meshimanta’ on our localhost wordpress system.
See another command to brute force password.
Command 3: wpscan –url https://yoursite.com -U username -P wordlist.txt
Or, wpscan –url ip-address -U username -P wordlist.txt
Note: you see after brute forcing it found a valid combination, where username – meshimanta & password – charlos.
For information you watch our youtube video: https://www.youtube.com/watch?v=XA9_BWD6Y9o&t=19s