Overview
The WordPress Scanner identifies vulnerabilities in WordPress installations, including the core platform, plugins, and themes. It uses WPScan technology to detect security issues specific to the WordPress ecosystem.
The WordPress Scanner is a vulnerability scanner: it actively tests WordPress sites for security weaknesses. It does not add data to your Attack Surface. Identified vulnerabilities are reported as findings.
Supported targets
| Target type | Examples |
|---|---|
| URL | https://example.com, https://example.com/blog/ |
Provide the complete path to the WordPress installation. If WordPress is installed in a subdirectory (e.g., /blog/), include it in the URL.
Scan types
| Mode | Description | Use case |
|---|---|---|
| Light | Passive detection, minimal requests | Quick assessment |
| Deep | Aggressive detection with full enumeration | Full audit |
| Custom | User-configured detection and enumeration | Targeted testing |
Parameters comparison
| Parameter | Light | Deep | Custom |
|---|---|---|---|
| Authentication | ✗ | ✗ | ✓ |
| Detection mode | Passive | Aggressive | Configurable |
| Enumerate users | ✗ | ✓ | ✓ (optional) |
| Enumerate vulnerable plugins | ✗ | ✓ | ✓ (optional) |
| Enumerate vulnerable themes | ✗ | ✓ | ✓ (optional) |
| Enumerate config backups | ✗ | ✓ | ✓ (optional) |
| Enumerate database exports | ✗ | ✓ | ✓ (optional) |
| Enumerate TimThumbs | ✗ | ✓ | ✓ (optional) |
Tests comparison
Core tests
| Test | Light | Deep |
|---|---|---|
| WordPress Core Vulnerabilities | ✓ | ✓ |
| Main Theme Vulnerabilities | ✓ | ✓ |
Interesting findings
| Test | Light | Deep |
|---|---|---|
| Interesting Headers | ✓ | ✓ |
| Robots.txt | ✓ | ✓ |
| WP-Cron Enabled | ✓ | ✓ |
| Readme.html | ✗ | ✓ |
| Directory Listing | ✗ | ✓ |
| XML-RPC Enabled | ✗ | ✓ |
| Must Use Plugins | ✗ | ✓ |
Enumeration tests
| Test | Light | Deep |
|---|---|---|
| User Enumeration | ✗ | ✓ |
| Vulnerable Plugins | ✗ | ✓ |
| Vulnerable Themes | ✗ | ✓ |
| Config Backups | ✗ | ✓ |
| Database Exports | ✗ | ✓ |
| TimThumbs | ✗ | ✓ |
The Deep scan performs aggressive detection and sends numerous requests to the server. It is more likely to be detected by IDS/IPS solutions. Only run it against systems you have authorization to test.
Custom scan
Full control over scan parameters:
| Option | Description |
|---|---|
| Detection mode | Choose Passive (fewer requests) or Aggressive (better detection) |
| Enumerate users | Discover WordPress usernames |
| Enumerate vulnerable plugins | Find plugins with known vulnerabilities |
| Enumerate vulnerable themes | Find themes with known vulnerabilities |
| Enumerate config backups | Search for wp-config.php backup files |
| Enumerate database exports | Search for exposed database dumps |
| Enumerate TimThumbs | Search for vulnerable TimThumb scripts |
Core tests
Core tests identify the WordPress version and main theme, then check for known vulnerabilities. These tests run in both Light and Deep scans.
| Test | Description |
|---|---|
| WordPress Core Vulnerabilities | Detects the WordPress version and checks for known CVEs affecting that version |
| Main Theme Vulnerabilities | Identifies the active theme and version, checks for known vulnerabilities |
Interesting findings
Interesting findings detect common WordPress misconfigurations and exposed files. See the tests comparison table for Light vs Deep availability.
| Test | Description |
|---|---|
| Interesting Headers | Analyzes HTTP headers for security-relevant information (server software, PHP version, etc.) |
| Robots.txt | Checks robots.txt for exposed sensitive paths and directories |
| WP-Cron Enabled | Detects if wp-cron.php is accessible, which can be abused for DoS attacks |
| Readme.html | Checks for exposed readme.html that reveals WordPress version |
| Directory Listing | Detects directory indexes exposing file listings (uploads, plugins, themes) |
| XML-RPC Enabled | Checks if xmlrpc.php is enabled, which can be used for brute-force and DDoS attacks |
| Must Use Plugins | Detects must-use plugins that load automatically and may contain vulnerabilities |
Enumeration tests
Enumeration tests actively search for WordPress components and security issues. These tests are only available in Deep and Custom scans.
| Test | Description |
|---|---|
| User Enumeration | Discovers WordPress usernames via author archives, REST API, and login error messages |
| Vulnerable Plugins | Enumerates installed plugins and checks versions against the WPScan vulnerability database |
| Vulnerable Themes | Enumerates installed themes and checks versions against the WPScan vulnerability database |
| Config Backups | Searches for wp-config.php backup files (wp-config.php.bak, wp-config.php~, etc.) |
| Database Exports | Searches for exposed database dump files that may contain sensitive data |
| TimThumbs | Searches for vulnerable TimThumb scripts that allow remote code execution |
Plugin and theme vulnerabilities are the most common attack vector for WordPress sites. The Deep scan’s enumeration capabilities are essential for a thorough security assessment.
Authentication
The WordPress Scanner supports HTTP Basic Authentication in Custom scan mode for testing sites protected by server-level authentication.
How to configure:
- Select scan type: Choose the Custom scan type.
- Enable authentication: Enable Authentication in the scan settings.
- Enter credentials: Enter your username and password.
Basic Authentication is different from WordPress login credentials. It’s typically configured at the server level (Apache/Nginx) to restrict access to the entire site or wp-admin area.
For detailed authentication configuration, see Authenticated scanning.
How it works
The WordPress Scanner uses WPScan technology and works in these steps:
- Version detection: Identifies WordPress core version from meta tags, scripts, and readme files
- Theme detection: Identifies the active theme and its version
- Interesting findings: Checks for misconfigurations and exposed files
- Enumeration: Discovers plugins, themes, users, and sensitive files (Deep/Custom only)
- Vulnerability matching: Cross-references detected versions against the WPScan vulnerability database
- Reporting: Generates findings with CVE details, CVSS scores, and remediation guidance
Vulnerability detection is version-based: the scanner identifies component versions and matches them against known vulnerabilities, without confirming that a matched vulnerability is exploitable on the target. Because findings are produced by version-based testing only, their risk level will not exceed ‘high’ severity.
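To make the version-based matching concrete, here is an added Python example (not the scanner's or WPScan's own code) that fingerprints a WordPress version from the sources the steps above name (generator meta tag, readme.html, asset query strings), matches it against a small vulnerability list, and caps severity at "high" as the scanner does. The HTML and readme samples, the EXAMPLE-* identifiers and the `fixed_in` record layout are all constructed assumptions for this illustration; the real WPScan database format is not reproduced.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample: a page that still ships the generator meta tag.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 6.2.1" />
<link rel="stylesheet" href="/wp-content/themes/twentytwentythree/style.css?ver=6.2.1">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body></body></html>
"""

# Constructed sample: the same site with the generator tag removed. Note that
# jQuery carries its own version in ?ver=, which is not the WordPress version.
SAMPLE_HTML_NO_META = """
<html><head>
<link rel="stylesheet" href="/wp-content/themes/twentytwentythree/style.css?ver=6.2.1">
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.2.1">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body></body></html>
"""

# Constructed sample: the fragment of an exposed readme.html that states the version.
SAMPLE_README = '<h1 id="logo">WordPress<br />Version 6.2.1</h1>'

# Constructed vulnerability records with placeholder ids (not real CVEs).
# Assumed layout: a component is affected when its version is older than fixed_in.
VULN_DB = [
    {"id": "EXAMPLE-0001", "title": "Example core issue", "fixed_in": "6.2.2", "cvss": 7.5},
    {"id": "EXAMPLE-0002", "title": "Example older issue", "fixed_in": "6.1.0", "cvss": 9.8},
]

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
SEVERITY_CAP = "high"  # version-based detection never reports above this


def parse_version(text: str) -> tuple:
    """'6.2.1' -> (6, 2, 1); padded so '6.2' compares equal to '6.2.0'."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def detect_version(html: str, readme: Optional[str] = None) -> tuple:
    """Return (version, source), trying sources from most to least reliable."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html, re.I)
    if m:
        return m.group(1), "generator-meta"
    if readme:
        m = re.search(r"Version\s+([\d.]+)", readme)
        if m:
            return m.group(1), "readme.html"
    # Weakest signal: ?ver= on core assets. Bundled libraries carry their own
    # version, so take the value that appears most often rather than the first.
    versions = re.findall(r'/wp-(?:includes|content)/[^"\s>]*\?ver=([\d.]+)', html)
    if versions:
        return Counter(versions).most_common(1)[0][0], "asset-query-string"
    return None, "unknown"


def severity_from_cvss(score: float) -> str:
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "info"


def cap_severity(severity: str) -> str:
    """Version-only evidence cannot justify 'critical', so clamp to the cap."""
    if SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(SEVERITY_CAP):
        return SEVERITY_CAP
    return severity


def match_vulns(version: str, db=VULN_DB) -> list:
    """Findings for every record whose fix is newer than the detected version."""
    detected = parse_version(version)
    findings = []
    for rec in db:
        if detected < parse_version(rec["fixed_in"]):
            findings.append({
                "id": rec["id"],
                "title": rec["title"],
                "fixed_in": rec["fixed_in"],
                "severity": cap_severity(severity_from_cvss(rec["cvss"])),
            })
    return findings


def scan(html: str, readme: Optional[str] = None) -> dict:
    """Steps 1 and 5 of the workflow: detect the version, then match it."""
    version, source = detect_version(html, readme)
    findings = match_vulns(version) if version else []
    return {"version": version, "source": source, "findings": findings}


if __name__ == "__main__":
    for label, page in (("with meta tag", SAMPLE_HTML), ("without meta tag", SAMPLE_HTML_NO_META)):
        print(label, scan(page, SAMPLE_README))
```

The `?ver=` query string is deliberately the last resort: the jQuery asset in the samples advertises 3.6.4, and taking the first match would misidentify the site, so the fallback picks the most frequent value across core assets. The cap on severity reproduces the behaviour described above: EXAMPLE-0002 carries a CVSS score that would map to "critical", but because the evidence is a version string only, the reported severity stays at "high". This is also why "Hide version information" in the follow-up actions covers both readme.html and the meta tag rather than just one of them.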
Follow-up actions
After identifying vulnerabilities:
- Update WordPress core: Keep WordPress updated to the latest version
- Update plugins and themes: Apply security patches for all components
- Remove unused plugins: Delete plugins that are not actively used
- Disable XML-RPC: If not needed, disable xmlrpc.php to prevent brute-force attacks
- Hide version information: Remove readme.html and version meta tags
- Scan the web application: Run Website Scanner for full web application testing
- Schedule regular scans: Set up Scheduled scans for continuous monitoring