How to Audit WordPress Security from the Command Line with WpScan

Using WpScan to Audit WordPress Security From the Command Line

WPScan is a Ruby-based WordPress security scanner that is run from the command line and used to detect vulnerabilities on a WordPress installation.

While there are plenty of plugins out there that do the same job, it makes a lot of sense for server administrators to scan their installations from the backend and not the frontend, so WPScan could be really handy for them and people who just love the terminal.


WPScan is shipped by default on a couple of Linux distributions such as Kali Linux and BlackBox Linux. You can also install on the popular distros such as Ubuntu and Arch Linux.

Windows is not supported, so if you’re hoping to make use of WPScan, your server has to be running either Linux or Mac OS X.

While WPScan installation is fairly simple, there are a couple of prerequisites and dependencies to set up before attempting installation.


  • Ruby – v1.92 and later (Recommended 2.2.3)
  • Curl – 7.21 and later (Recommended latest)
  • RubyGems – Recommended latest
  • Git

Installation on Ubuntu

Since WPScan is hosted on Git, we must install Git first by running the following command:

sudo apt-get install git

Then we need to install the needed dependencies for WPScan,

sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential

and then clone WPScan from Git.

git clone

Enter the newly-created WPScan directory and use bundler to install the necessary Ruby gems

cd wpscan
sudo gem install bundler && bundle install --without test development

Installation on Arch Linux

You can run the following commands in turn to get WPScan on Arch Linux. Make sure Ruby and Git are installed first though.

pacman -Syu ruby
pacman -Syu libyaml
git clone
cd wpscan
sudo gem install bundler && bundle install --without test
gem install typhoeus
gem install nokogiri

Using WPScan

WPScan is very simple to use. All you need to do is type in the appropriate commands for enumerating plugins and themes or for performing non-intrusive checks on your WordPress website.

Make sure you are in the WPScan directory before attempting to use the tool:

cd wpscan

To enumerate all your installed plugins, run the following command:

ruby wpscan.rb --url --enumerate p

Replace “” with your website URL. The –enumerate p flag stands for enumerate plugins.

To display only vulnerable plugins, use:

ruby wpscan.rb --url --enumerate vp

Sample output:

[!] Title: W3 Total Cache - Remote Code Execution
[i] Fixed in:
[!] Title: WordPress SEO by Yoast <= - Blind SQL Injection
[i] Fixed in: 1.7.4

From the sample output above, we can see that WordPress SEO by Yoast is vulnerable to Blind SQL injection and the W3 Total Cache is vulnerable to Remote Code Execution. Both vulnerabilities have been patched in this case, so it is recommended to update the plugins.

In addition, WPScan can be used to check all installed themes

ruby wpscan.rb --url --enumerate t

or just vulnerable themes.

ruby wpscan.rb --url --enumerate vt

In the same manner, you can perform non-intrusive checks on your installation with the following command:

ruby wpscan.rb --url

Finally, to update WPScan’s database, run:

ruby wpscan.rb --update


The security of your WordPress website is very important, and tools like WPScan are extremely helpful for running checks to help find and fix vulnerabilities and prevent hackers from exploiting them.

Have you used WPScan? Share your experiences in the comments section below.

Ayo Isaiah
Ayo Isaiah

Ayo Isaiah is a freelance writer from Lagos who loves everything technology with a particular interest in open-source software. Follow him on Twitter.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox