WPScan is a security scanner designed specifically for WordPress sites. It checks for known vulnerabilities in WordPress core, plugins, and themes using the WPScan Vulnerability Database. Security teams and site administrators use it during penetration tests and routine audits to find weak spots before attackers do.
This guide covers installing WPScan on Ubuntu 24.04, Rocky Linux 10, and Kali Linux, and then scanning your own WordPress sites for vulnerabilities.
Prerequisites
- A Linux system (Ubuntu 24.04, Rocky Linux 10, Kali, or any distro with Ruby)
- Ruby 2.7 or later with development headers
- A WordPress site you have authorization to scan (scanning sites you do not own is illegal)
- A free WPScan API token from wpscan.com (optional but needed for vulnerability data)
Install WPScan on Ubuntu 24.04
Install Ruby and the required development libraries:
sudo apt update
sudo apt install -y ruby ruby-dev libcurl4-openssl-dev make gcc
Install WPScan via RubyGems:
sudo gem install wpscan
Verify the installation:
wpscan --version
Install WPScan on Rocky Linux 10 / AlmaLinux 10
Install Ruby and development tools:
sudo dnf install -y ruby ruby-devel gcc make libcurl-devel
Install WPScan:
sudo gem install wpscan
Install WPScan on Kali Linux
WPScan comes pre-installed on Kali Linux. Update it to the latest version:
sudo gem update wpscan
Install via Docker
WPScan also has an official Docker image, which avoids Ruby dependency issues:
docker pull wpscanteam/wpscan
Run a scan via Docker:
docker run -it --rm wpscanteam/wpscan --url https://example.com
Configure API Token
WPScan needs an API token to look up vulnerability data for plugins and themes. Register for a free token at wpscan.com/register. The free plan includes 25 API requests per day.
Pass the token with every scan:
wpscan --url https://example.com --api-token YOUR_TOKEN
Or set it permanently in the config file:
mkdir -p ~/.wpscan
echo "cli_options:" > ~/.wpscan/scan.yml
echo "  api_token: YOUR_TOKEN" >> ~/.wpscan/scan.yml
Scanning Your WordPress Site
Basic scan
Run a default scan that checks WordPress version, server headers, installed themes, and plugins:
wpscan --url https://example.com
Enumerate plugins
Aggressively detect all installed plugins:
wpscan --url https://example.com -e ap --plugins-detection aggressive
Enumerate users
Discover WordPress usernames (useful for testing password policies):
wpscan --url https://example.com -e u
Check for vulnerable plugins and themes
Enumerate all plugins, themes, and config backups, with vulnerability data for each component (requires API token):
wpscan --url https://example.com -e ap,at,cb --api-token YOUR_TOKEN
Flags: ap = all plugins, at = all themes, cb = config backups.
Save results to a file
wpscan --url https://example.com -o report.txt --format cli
For JSON output (easier to parse programmatically):
wpscan --url https://example.com -o report.json --format json --api-token YOUR_TOKEN
Conclusion
WPScan is a focused, effective tool for WordPress security auditing. Run it regularly against your own sites to catch outdated plugins and known vulnerabilities before they get exploited. For automated scanning, schedule WPScan in a cron job and pipe the JSON output to your monitoring system. Refer to the WPScan GitHub repository for the full list of options and advanced usage.
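As an added example for the JSON output and cron-job advice above (this is not code from the original guide or from the WPScan project), the following Python script reads a `--format json` report and turns every vulnerable or outdated plugin or theme into an alert row, with an exit code a cron or CI job can act on. The field names it relies on (`plugins`, `themes`, `outdated`, `version`, `vulnerabilities`, `fixed_in`) are assumed from WPScan's JSON report format, and the embedded sample report is constructed.

```python
import json
import sys

# Constructed, abridged sample of `wpscan --format json` output (not a real scan).
# Assumed layout: plugins/themes keyed by slug, each with "outdated", "version"
# (may be null when undetected) and a "vulnerabilities" list of title/fixed_in items.
SAMPLE_REPORT = json.dumps({
    "plugins": {
        "contact-form-7": {"slug": "contact-form-7", "outdated": True,
                           "version": {"number": "5.7.0"},
                           "vulnerabilities": [{"title": "Constructed example flaw",
                                                "fixed_in": "5.8.4"}]},
        "akismet": {"slug": "akismet", "outdated": True,
                    "version": {"number": "5.2"}, "vulnerabilities": []},
    },
    "themes": {"twentytwentyfour": {"slug": "twentytwentyfour", "outdated": False,
                                    "version": None, "vulnerabilities": []}},
})

def findings(report_json):
    """Return one row per plugin or theme that is vulnerable or merely outdated."""
    rows = []
    report = json.loads(report_json)
    for kind in ("plugins", "themes"):
        for slug, comp in report.get(kind, {}).items():
            vulns = comp.get("vulnerabilities") or []
            if not vulns and not comp.get("outdated"):
                continue  # current version, no known issues: nothing to alert on
            rows.append({
                "component": f"{kind[:-1]}/{slug}",
                "installed": (comp.get("version") or {}).get("number", "unknown"),
                "outdated": bool(comp.get("outdated")),
                "vuln_count": len(vulns),
                "fix_versions": sorted({v["fixed_in"] for v in vulns if v.get("fixed_in")}),
            })
    return rows

def exit_code(rows):
    """2 = known vulnerability, 1 = outdated only, 0 = clean, so a scheduled job can fail."""
    if any(r["vuln_count"] for r in rows):
        return 2
    return 1 if rows else 0

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rows = findings(data)
    print(json.dumps(rows, indent=2))
    sys.exit(exit_code(rows))
```

Run it as `python3 wpscan_alerts.py report.json` on the file written by `-o report.json --format json`; with no argument it processes the embedded sample.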