Sharing notes from my ongoing learning journey — what I build, break and understand along the way.
WordPress Security Scanning with WPScan: Step-by-Step Pentest Guide
Scanning WordPress with WPScan – A Realistic Pentest Walkthrough
In this post, I’ll walk through how I used WPScan to assess a WordPress installation in a controlled pentest lab environment.
The goal? Understand what WPScan reveals, identify common WordPress misconfigurations, and learn how to secure them — all within a safe, offline testing setup.
What is WPScan?

WPScan is a black-box WordPress vulnerability scanner used by security professionals to audit WordPress websites. It can:
- Detect WordPress version
- Enumerate users, themes, and plugins
- Identify common misconfigurations
- Highlight known CVEs (Common Vulnerabilities & Exposures)
- Perform brute-force login testing (when authorized)
Note: Always get permission before scanning any live system. This post describes tests done in an isolated lab for educational purposes.
How I Used WPScan
With a WordPress site running locally on my testing machine, I executed:
wpscan --url http://localhost
To enumerate usernames:
wpscan --url http://localhost --enumerate u
WPScan quickly began collecting data about the site configuration and components.
Common Issues Detected by WPScan
Even in a basic WordPress setup, WPScan may identify issues like:
- xmlrpc.php endpoint exposed
- readme.html file revealing the WordPress version
- Directory listing enabled on /wp-content/uploads/
- Public usernames discoverable via /?author=1
- WordPress version shown in meta tags or RSS feeds
- Theme and plugin versions easily fingerprinted
These are not necessarily vulnerabilities, but information exposures that can assist an attacker during reconnaissance.
How to Fix Them
Below are the actions I took to close those exposures.
Disable XML-RPC
In the .htaccess file in the WordPress root (these are Apache 2.2-style access directives; on Apache 2.4 without mod_access_compat the equivalent is Require all denied):
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
Remove readme.html
sudo rm [wordpress_directory]/readme.html
Disable Directory Listing
Create or edit a .htaccess file in the /wp-content/uploads/ folder:
Options -Indexes
Hide Author Usernames
In your theme's functions.php, add:
// Priority 1 runs this before redirect_canonical (priority 10); with pretty
// permalinks enabled that redirect would otherwise 301 /?author=1 to
// /author/<username>/ and leak the username in the Location header.
add_action('template_redirect', 'block_author_enum', 1);
function block_author_enum() {
    // Any author archive request (by ID or by slug) is sent to the home page.
    if (is_author()) {
        wp_redirect(home_url());
        exit;
    }
}
Remove WordPress Version Info
Also in functions.php:
remove_action('wp_head', 'wp_generator');
Disable WP-Cron (Optional)
In wp-config.php, add:
define('DISABLE_WP_CRON', true);
Protecting Against Brute-Force Attacks
To prevent unauthorized login attempts, I recommend using a lightweight security plugin that:
- Limits login retries
- Temporarily blocks IPs after multiple failures
- Optionally hides or renames the login page
Alternatively, restrict login access at the web server level:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
This is especially useful in local environments or when access is only needed from specific IPs.
Final Verification
After applying these fixes, I re-ran WPScan:
wpscan --url http://localhost
The scan no longer reported:
- Exposed usernames
- Public access to xmlrpc.php
- Directory listing
- Version leaks
Success!
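To double-check the re-scan result without relying on WPScan alone, here is a small verification script I am adding to this post (it is not part of WPScan or WordPress). It requests each path the fixes above cover and checks the response the way a scanner would: the xmlrpc.php block, the deleted readme.html, the uploads listing, the author redirect (including that the redirect target does not contain /author/<username>/), and the generator string in both the HTML head and the /feed/ output, since remove_action('wp_head', 'wp_generator') does not touch the feed. BASE is assumed to be the lab host from the post.

```python
import re
import urllib.error
import urllib.request
BASE = "http://localhost"  # lab host from the post; point it at your own authorized site

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx so the Location header can be inspected."""
    def redirect_request(self, *args, **kwargs):
        return None

def fetch(path):
    """Return (status, headers, body) for BASE + path without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(BASE + path, timeout=10) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all arrive here
        return err.code, err.headers, err.read().decode("utf-8", "replace")

def check_xmlrpc(status, headers, body):
    """<Files xmlrpc.php> Deny from all: the endpoint must no longer answer 200."""
    return status in (401, 403, 404)

def check_readme(status, headers, body):
    """readme.html was deleted, so it must 404."""
    return status == 404

def check_uploads_listing(status, headers, body):
    """Options -Indexes: no 'Index of' page for /wp-content/uploads/."""
    return status != 200 or "Index of" not in body

def check_author_redirect(status, headers, body):
    """/?author=1 must redirect, and not to /author/<username>/ (that would leak the name)."""
    return status in (301, 302) and "/author/" not in headers.get("Location", "")

def check_no_version(status, headers, body):
    """No generator string in the HTML head, and none in a feed (wp_generator only covers wp_head)."""
    return (not re.search(r"generator.{0,40}WordPress\s*\d", body, re.I | re.S)
            and not re.search(r"wordpress\.org/\?v=\d", body, re.I))

CHECKS = [("/xmlrpc.php", check_xmlrpc), ("/readme.html", check_readme),
          ("/wp-content/uploads/", check_uploads_listing), ("/?author=1", check_author_redirect),
          ("/", check_no_version), ("/feed/", check_no_version)]

def run_checks(fetcher=fetch):
    """Map each path to True (fixed) or False (still exposed); pass a fake fetcher to test offline."""
    return {path: check(*fetcher(path)) for path, check in CHECKS}

if __name__ == "__main__":
    print(run_checks())
```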
WPScan is a powerful tool for understanding the surface area of a WordPress site. While it doesn’t exploit vulnerabilities directly, it provides deep visibility into misconfigurations and risky exposures.