Introducing WPScan – WordPress Security Scanner

After creating the WordPress Brute Force Tool last weekend, I decided to create a bigger project out of it, called WPScan.

WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use is for security professionals or WordPress administrators to assess the security posture of their WordPress installations. The code base is Open Source and licensed under the GPLv3.

Features include:

Username enumeration
Weak password cracking (multithreaded)
Version enumeration
Vulnerability enumeration (based on version)
Plugin enumeration (todo)
Plugin vulnerability enumeration (based on version) (todo)
Other miscellaneous checks
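The two features most visible in a web server log are the username enumeration (a run of /?author=N requests) and the password guessing (a burst of POSTs to wp-login.php). The following Ruby is an added example, not part of WPScan, showing how an administrator could flag that activity in Apache combined-format logs; the log lines, IP addresses and thresholds are constructed assumptions.

```ruby
require 'time'

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Parse one line into a hash; nil for lines that are not in this format.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Per-client findings: :login_burst when `login_threshold` POSTs to wp-login.php
# fall inside `window` seconds, :author_enumeration when several distinct
# ?author=N values are probed. Thresholds are assumptions, tune to your traffic.
def wp_scan_findings(lines, login_threshold: 10, window: 60)
  by_ip = Hash.new { |h, k| h[k] = { logins: [], authors: [] } }
  lines.each do |line|
    e = parse_line(line) or next
    if e[:method] == 'POST' && e[:path].start_with?('/wp-login.php')
      by_ip[e[:ip]][:logins] << e[:time]
    elsif (a = e[:path][/[?&]author=(\d+)/, 1])
      by_ip[e[:ip]][:authors] << a.to_i
    end
  end
  findings = {}
  by_ip.each do |ip, d|
    f = []
    times = d[:logins].sort
    # sliding window: the i-th and the (i+threshold-1)-th POST within `window` seconds
    times.each_with_index do |t, i|
      last = times[i + login_threshold - 1]
      (f << :login_burst; break) if last && last - t <= window
    end
    f << :author_enumeration if d[:authors].uniq.size >= 3
    findings[ip] = f unless f.empty?
  end
  findings
end

# Constructed sample log: one scanning client (203.0.113.5) and one normal login.
def sample_log
  base = Time.utc(2011, 6, 10, 14, 0, 0)
  fmt = ->(ip, t, req, st) { "#{ip} - - [#{t.strftime('%d/%b/%Y:%H:%M:%S +0000')}] \"#{req}\" #{st} 512 \"-\" \"-\"" }
  lines = (1..3).map { |n| fmt.('203.0.113.5', base + n, "GET /?author=#{n} HTTP/1.1", 301) }
  lines += (0...12).map { |n| fmt.('203.0.113.5', base + 10 + n * 2, 'POST /wp-login.php HTTP/1.1', 200) }
  lines << fmt.('198.51.100.7', base + 30, 'POST /wp-login.php HTTP/1.1', 302)
  lines << fmt.('198.51.100.7', base + 40, 'GET /wp-admin/ HTTP/1.1', 200)
end
```

Running `wp_scan_findings(sample_log)` reports both findings for 203.0.113.5 and nothing for the single ordinary login from 198.51.100.7.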

Please use the up-to-date instructions found here: http://wpscan.org/

WPScan requires two non-native Ruby gems, typhoeus and xml-simple. It should work on both Ruby 1.8.x and 1.9.x.

sudo apt-get install libcurl4-gnutls-dev
sudo gem install --user-install typhoeus
sudo gem install --user-install xml-simple

(I developed WPScan on Backtrack5 Gnome 32bit; if installing on another OS, you may not need the --user-install option when installing the non-native gems.)


WPScan is hosted on GitHub at https://github.com/wpscanteam/wpscan (it was originally hosted on Google Code).

You can download and start running WPScan ALPHA by cloning the git repository (the original SVN checkout, svn checkout http://wpscan.googlecode.com/svn/trunk/ wpscan-read-only, is no longer current):

git clone https://github.com/wpscanteam/wpscan.git

Example usage:

ruby wpscan.rb --url http://www.example.com
ruby wpscan.rb --url http://www.example.com --wordlist darkc0de.lst --threads 50
ruby wpscan.rb --url http://www.example.com --wordlist darkc0de.lst --username admin

Contributions, feedback, comments are welcome.

Happy Hacking!
