How to use WPScan | Scanning for WordPress vulnerabilities


It is important to protect your WordPress website from cyber threats. Hackers often target WordPress sites, looking for vulnerabilities to exploit. This is where WPScan comes in useful. It is a tool that helps you in finding and fixing vulnerabilities before hackers exploit them. In this article, we will walk you through How to use WPScan to improve the security of your WordPress website.

What is WPScan?

WPScan for WordPress vulnerabilities

WPScan is a free security scanner designed to perform security audits and vulnerability assessments on WordPress websites. It is a powerful tool that helps website administrators, security professionals, and developers identify and resolve WordPress safety issues. 

WPScan is a free, open-source security tool designed for WordPress sites. It allows users to scan for WordPress vulnerabilities, identifying flaws in plugins, themes, and even core installs that could be exploited by hackers.

How to Use WPScan?

Using WPScan requires some setup and understanding of how it works. In this part, we’ll take you through the process of using WPScan.

1. Create an account

Get API Token of WPScan

The first step is to obtain an API token, you must first register an account with WPScan. This token is required to access the scanning services, track usage, and prevent misuse. Visit the WPScan website and register. After registering, get your API token in your profile settings.

2. WPScan Installation for WordPress Websites

There are two methods for installation.

Method 1: Using the WPScan Plugin

How to use WPScan Plugin
  • Go to your WordPress dashboard> Plugins > search for the WPScan plugin, and then install and activate it.
  • Obtain your WPScan API key and enter it into the plugin settings in the WordPress admin area.
WPScan Plugin Settings
  • Uncheck the elements (themes, plugins) you do not want to include in your scans. Remember that the free WPScan version has API call limits, so prioritize your choices based on your update frequency.

Method 2: Installing WPScan Using WP-CLI

Depending on your operating system, execute the installation command shown below.

  • Windows: gem install wpscan
  • MacOS: brew install wpscanteam/tap/wpscan
WPScan CLI Instllation

3. Using WPScan to Scan Your Website

If You are Using the Plugin:

  • Daily scans are automatically scheduled by WPScan. 
  • To manually start a scan, go to the WPScan section of your dashboard and select Run All.
WPScan Dashbaord
  • Check scan results for each plugin and theme. The plugin gives vulnerability information and recommended actions, which often include updating the affected element.
Check scan results for each plugin and theme of WPScan

If You are Using the WP-CLI:

  • Use this command to run a basic scan: wpscan –url <your-site-URL>
  • This command verifies that themes and plugins are up to date. WPScan also supports several commands for additional in-depth scans and security checks, including brute force testing. API tokens may be required for certain commands.

4. Additional Hardening Measures

WPScan reports can assist in identifying extra security measures in addition to basic scanning:

  • Debug.log Files: Ensure that no sensitive information is accessible through debug logs.
  • wp-config.php Backups: Safeguard your wp-config.php file since it holds important site data.
  • XML-RPC Status: Disable XML-RPC if not in use to reduce login attack vectors.
  • Database Export Files: Prevent unauthorized access to your backup files.
  • Password Strength: Ensure every user account has a strong, complicated password.
  • HTTPS Configuration: To encrypt data transmission, ensure SSL is enabled on your website.
WPScan Security Checks

By following these steps, you can use WPScan on your website.

Tips on how to make your WordPress Website secure


WPScan can be a crucial tool for anyone responsible for maintaining a WordPress website. It gives you the information you need to protect your website from possible attacks and maintain its integrity. WPScan is an important step toward a more secure online presence.


Does WPScan require technical expertise to use?

Basic knowledge of WordPress architecture and terminal commands may be necessary to take advantage of advanced features using the command line. However, basic scans can be completed with little technical expertise, especially when using the WPScan plugin.

Can WPScan fix vulnerabilities it finds?

No, vulnerabilities are not fixed by WPScan. It is a diagnostic tool meant to find possible security flaws. Manually update or configure the relevant components or use additional security techniques to fix the vulnerabilities.

Does WPScan work with all hosting platforms?

WPScan can be used on any WordPress website, regardless of the hosting platform. However, the ability to install the WPScan plugin or conduct command-line actions may be limited by the hosting provider’s restrictions and your level of server access.

Where can I go to get assistance or support for using WPScan?

The WPScan website has documentation and assistance; there are numerous online forums and communities where people exchange advice and suggestions. Consider contacting security professionals or consulting the WPScan instructions for more detailed assistance.

About the author

Editorial Team

Add Comment