WPSCAN(1) User Commands WPSCAN(1)
NAME
wpscan - WordPress Security Scanner
SYNOPSIS
wpscan [options]
DESCRIPTION
WordPress Security Scanner by the WPScan Team
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
OPTIONS
--url URL
The URL of the blog to scan Allowed Protocols: http, https Default Pro‐
tocol if none provided: http This option is mandatory unless update or
help or hh or version is/are supplied
-h, --help
Display the simple help and exit
--hh Display the full help and exit
--version
Display the version and exit
-v, --verbose
Verbose mode
--[no-]banner
Whether or not to display the banner Default: true
-o, --output FILE
Output to FILE
-f, --format FORMAT
Output results in the format supplied Available choices: cli-no-colour,
cli-no-color, json, cli
--detection-mode MODE
Default: mixed Available choices: mixed, passive, aggressive
--user-agent, --ua VALUE
--random-user-agent, --rua
Use a random user-agent for each scan
--http-auth login:password
-t, --max-threads VALUE
The max threads to use Default: 5
--throttle MilliSeconds
Milliseconds to wait before doing another web request. If used, the max
threads will be set to 1.
--request-timeout SECONDS
The request timeout in seconds Default: 60
--connect-timeout SECONDS
The connection timeout in seconds Default: 30
--disable-tls-checks
Disables SSL/TLS certificate verification
--proxy protocol://IP:port
Supported protocols depend on the cURL installed
--proxy-auth login:password
--cookie-string COOKIE
Cookie string to use in requests, format: cookie1=value1[;
cookie2=value2]
--cookie-jar FILE-PATH
File to read and write cookies Default: /tmp/wpscan/cookie_jar.txt
--force
Do not check if the target is running WordPress
--[no-]update
Whether or not to update the Database
--wp-content-dir DIR
--wp-plugins-dir DIR
-e, --enumerate [OPTS]
Enumeration Process Available Choices:
vp Vulnerable plugins
ap All plugins
p Plugins
vt Vulnerable themes
at All themes
t Themes
tt Timthumbs
cb Config backups
dbe Db exports
u User IDs range. e.g: u1-5 Range separator to use: '-' Value if no ar‐
gument supplied: 1-10
m Media IDs range. e.g m1-15 Note: Permalink setting must be set to
"Plain" for those to be detected Range separator to use: '-' Value if
no argument supplied: 1-100
Separator to use between the values: ',' Default: All Plugins, Config
Backups Value if no argument supplied: vp,vt,tt,cb,dbe,u,m Incompatible
choices (only one of each group/s can be used):
- vp, ap, p - vt, at, t
--exclude-content-based REGEXP_OR_STRING
Exclude all responses matching the Regexp (case insensitive) during
parts of the enumeration. Both the headers and body are checked. Reg‐
exp delimiters are not required.
--plugins-detection MODE
Use the supplied mode to enumerate Plugins, instead of the global
(--detection-mode) mode. Default: passive Available choices: mixed,
passive, aggressive
--plugins-version-detection MODE
Use the supplied mode to check plugins versions instead of the --detec‐
tion-mode or --plugins-detection modes. Default: mixed Available
choices: mixed, passive, aggressive
-P, --passwords FILE-PATH
List of passwords to use during the password attack. If no --user‐
name/s option supplied, user enumeration will be run.
-U, --usernames LIST
List of usernames to use during the password attack. Examples: 'a1',
'a1,a2,a3', '/tmp/a.txt'
--multicall-max-passwords MAX_PWD
Maximum number of passwords to send by request with XMLRPC multicall
Default: 500
--password-attack ATTACK
Force the supplied attack to be used rather than automatically deter‐
mining one. Available choices: wp-login, xmlrpc, xmlrpc-multicall
--stealthy
Alias for --random-user-agent --detection-mode passive --plugins-ver‐
sion-detection passive
To see full list of options use --hh.
wpscan March 2019 WPSCAN(1)