WPScan is a tool for scanning a WordPress website for known vulnerabilities.
It can scan the whole WordPress site, including hidden pages that only the admin can see, enumerate users by gathering usernames and e-mail addresses, and brute force a user's login when provided with a text file filled with candidate passwords.
Type the following command into Kali Linux's command line, where the value after --url is the target URL (the site has to be powered by WordPress) and --enumerate u enumerates the users and all pages of the targeted WordPress website.
wpscan --url team3.pentest.id --enumerate u
Wait until the process completes; interesting information, along with the users found, is displayed in the command line.



You can also brute force a WordPress login with wpscan by typing the following command, but a text document filled with possible passwords is required for brute forcing.
wpscan --url team3.pentest.id --passwords passwordlist.txt --usernames @user3

If the login succeeds, WPScan will output the username together with the correct password.
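As an added defender-side example (not part of the original page), the following Python script reads web server access-log lines and flags the traces that the two commands above leave on the target: sequential ?author=N requests and /wp-json/wp/v2/users hits from user enumeration, and a burst of POSTs to wp-login.php or xmlrpc.php from password brute forcing. The log lines, IP addresses, thresholds and the WPScan user-agent string are constructed for the example, not taken from the page.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
                    r' (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')  # WordPress author-id redirect used for user enumeration

def parse(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, author_threshold=3, login_threshold=10):
    """Per-IP findings: scanner user-agent, author-id enumeration, REST user listing, login brute force."""
    authors, login_posts, rest_users, scanner_ua = defaultdict(set), defaultdict(int), defaultdict(int), set()
    for line in lines:
        r = parse(line)
        if not r:
            continue
        ip = r['ip']
        if 'wpscan' in r['ua'].lower():          # default WPScan UA advertises itself (assumed string below)
            scanner_ua.add(ip)
        m = AUTHOR_RE.search(r['path'])
        if m:                                    # distinct author ids requested by this IP
            authors[ip].add(int(m.group(1)))
        if r['path'].startswith('/wp-json/wp/v2/users'):
            rest_users[ip] += 1
        if r['method'] == 'POST' and r['path'].startswith(('/wp-login.php', '/xmlrpc.php')):
            login_posts[ip] += 1                 # each POST is one password attempt
    findings = defaultdict(list)
    for ip in scanner_ua:
        findings[ip].append('wpscan user-agent')
    for ip, ids in authors.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f'author id enumeration ({len(ids)} ids)')
    for ip in rest_users:
        findings[ip].append('rest users listing')
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f'login brute force ({n} posts)')
    return dict(findings)

# Constructed sample traffic (not real logs): one scanning host and one ordinary login.
def _line(ip, method, path, status, ua, ts='10/Oct/2023:13:55:01 +0000'):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'

WPSCAN_UA = 'WPScan v3 (https://wpscan.com/wordpress-security-scanner)'  # assumed default UA
SAMPLE = [_line('203.0.113.5', 'GET', f'/?author={i}', 301, WPSCAN_UA) for i in range(1, 6)]
SAMPLE.append(_line('203.0.113.5', 'GET', '/wp-json/wp/v2/users', 200, WPSCAN_UA))
SAMPLE += [_line('203.0.113.5', 'POST', '/wp-login.php', 200, 'Mozilla/5.0') for _ in range(25)]
SAMPLE.append(_line('198.51.100.7', 'POST', '/wp-login.php', 302, 'Mozilla/5.0'))  # one normal login

if __name__ == '__main__':
    for ip, hits in analyse(SAMPLE).items():
        print(ip, '->', ', '.join(hits))
```

Run it against a real access log by replacing SAMPLE with the file's lines; a host that trips the enumeration and brute-force rules together is the signature of the two commands above.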