How to Audit WordPress Security from the Command Line with WpScan

Using WpScan to Audit WordPress Security From the Command Line

WPScan is a Ruby-based WordPress security scanner that is run from the command line and used to detect vulnerabilities on a WordPress installation.

While there are plenty of plugins out there that do the same job, it makes a lot of sense for server administrators to scan their installations from the backend and not the frontend, so WPScan could be really handy for them and people who just love the terminal.


WPScan is shipped by default on a couple of Linux distributions such as Kali Linux and BlackBox Linux. You can also install on the popular distros such as Ubuntu and Arch Linux.

Windows is not supported, so if you’re hoping to make use of WPScan, your server has to be running either Linux or Mac OS X.

While WPScan installation is fairly simple, there are a couple of prerequisites and dependencies to set up before attempting installation.


  • Ruby – v1.92 and later (Recommended 2.2.3)
  • Curl – 7.21 and later (Recommended latest)
  • RubyGems – Recommended latest
  • Git

Installation on Ubuntu

Since WPScan is hosted on Git, we must install Git first by running the following command:

Then we need to install the needed dependencies for WPScan,

and then clone WPScan from Git.

Enter the newly-created WPScan directory and use bundler to install the necessary Ruby gems

Installation on Arch Linux

You can run the following commands in turn to get WPScan on Arch Linux. Make sure Ruby and Git are installed first though.

Using WPScan

WPScan is very simple to use. All you need to do is type in the appropriate commands for enumerating plugins and themes or for performing non-intrusive checks on your WordPress website.

Make sure you are in the WPScan directory before attempting to use the tool:

To enumerate all your installed plugins, run the following command:

Replace “” with your website URL. The –enumerate p flag stands for enumerate plugins.

To display only vulnerable plugins, use:

Sample output:

From the sample output above, we can see that WordPress SEO by Yoast is vulnerable to Blind SQL injection and the W3 Total Cache is vulnerable to Remote Code Execution. Both vulnerabilities have been patched in this case, so it is recommended to update the plugins.

In addition, WPScan can be used to check all installed themes

or just vulnerable themes.

In the same manner, you can perform non-intrusive checks on your installation with the following command:

Finally, to update WPScan’s database, run:


The security of your WordPress website is very important, and tools like WPScan are extremely helpful for running checks to help find and fix vulnerabilities and prevent hackers from exploiting them.

Have you used WPScan? Share your experiences in the comments section below.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox