WordPress Security Scanning with WPScan: Step-by-Step Pentest Guide

Scanning WordPress with WPScan – A Realistic Pentest Walkthrough

In this post, I’ll walk through how I used WPScan to assess a WordPress installation in a controlled pentest lab environment.

The goal? Understand what WPScan reveals, identify common WordPress misconfigurations, and learn how to secure them — all within a safe, offline testing setup.

What is WPScan?

WPScan is a black-box WordPress vulnerability scanner used by security professionals to audit WordPress websites. It can:

  • Detect WordPress version
  • Enumerate users, themes, and plugins
  • Identify common misconfigurations
  • Highlight known CVEs (Common Vulnerabilities & Exposures)
  • Perform brute-force login testing (when authorized)
    • Note: Always get permission before scanning any live system. This post describes tests done in an isolated lab for educational purposes.

How I Used WPScan

With a WordPress site running locally on my testing machine, I executed:

wpscan --url http://localhost

To enumerate usernames:

wpscan --url http://localhost --enumerate u

WPScan quickly began collecting data about the site configuration and components.
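Reading the console output is fine for one site, but wpscan can also write its report as JSON (--format json -o scan.json), which makes it easy to reduce a scan to the facts that drive hardening decisions. The script below is an added example, not code from this post or from the WPScan project: the key names it reads (version, users, plugins, interesting_findings and the finding "type" values) follow the shape of wpscan's JSON report as understood here and should be checked against your own output, and SAMPLE_REPORT is a constructed stand-in rather than a real scan.

```python
"""Summarise a WPScan JSON report and map findings to hardening steps.

Added example, not part of the post or of WPScan. Produce the input with:
    wpscan --url http://localhost --enumerate u --format json -o scan.json
Assumption: the key names below follow the shape of wpscan's JSON report
(version / users / plugins / interesting_findings); check them against your
own report. SAMPLE_REPORT is a constructed stand-in, not real scan output.
"""
import json

SAMPLE_REPORT = json.dumps({
    "target_url": "http://localhost/",
    "version": {
        "number": "6.4.2",            # constructed version number
        "status": "insecure",         # wpscan reports e.g. "latest" / "outdated" / "insecure"
        "found_by": "Rss Generator (Passive Detection)",
        "vulnerabilities": [{"title": "sample core issue", "fixed_in": "6.4.3",
                             "references": {"cve": ["PLACEHOLDER-0001"]}}],  # placeholder, not a real CVE
    },
    "users": {"admin": {"id": 1, "found_by": "Author Id Brute Forcing - Author Pattern (Aggressive Detection)"}},
    "plugins": {
        "sample-plugin": {"slug": "sample-plugin", "version": {"number": "1.0.0"},
                          "vulnerabilities": [{"title": "sample plugin issue", "fixed_in": "1.0.1",
                                               "references": {"cve": ["PLACEHOLDER-0002"]}}]},
        "clean-plugin": {"slug": "clean-plugin", "version": {"number": "2.3.0"}, "vulnerabilities": []},
    },
    "interesting_findings": [
        {"url": "http://localhost/xmlrpc.php", "type": "xmlrpc", "to_s": "XML-RPC seems to be enabled"},
        {"url": "http://localhost/readme.html", "type": "readme", "to_s": "WordPress readme found"},
        {"url": "http://localhost/wp-content/uploads/", "type": "upload_directory_listing",
         "to_s": "Upload directory has listing enabled"},
    ],
})

# Maps wpscan's interesting_findings "type" values (assumed names) to the fixes in this post.
FIXES_BY_TYPE = {
    "xmlrpc": "block xmlrpc.php in .htaccess",
    "readme": "remove readme.html",
    "upload_directory_listing": "add 'Options -Indexes' to wp-content/uploads/.htaccess",
}

def summarize(report_json):
    """Reduce a report to the facts that drive hardening decisions."""
    r = json.loads(report_json)
    core = r.get("version") or {}          # null when wpscan could not detect the version
    plugins = r.get("plugins") or {}
    return {
        "core_version": core.get("number"),
        "core_status": core.get("status"),
        "core_vulns": len(core.get("vulnerabilities") or []),
        "users": sorted(r.get("users") or {}),
        "vulnerable_plugins": sorted(slug for slug, p in plugins.items() if p.get("vulnerabilities")),
        "exposures": sorted(f.get("type", "unknown") for f in r.get("interesting_findings") or []),
    }

def fix_actions(summary):
    """Turn a summary into an ordered to-do list of the hardening steps below."""
    actions = [FIXES_BY_TYPE[t] for t in summary["exposures"] if t in FIXES_BY_TYPE]
    if summary["users"]:
        actions.append("block author enumeration (template_redirect hook in functions.php)")
    if summary["core_status"] != "latest" or summary["core_vulns"]:
        actions.append("update WordPress core and remove the generator tag")
    for slug in summary["vulnerable_plugins"]:
        actions.append("update or remove plugin: " + slug)
    return actions

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    s = summarize(data)
    print(json.dumps(s, indent=2))
    for a in fix_actions(s):
        print("-", a)
```

Run it as python summarize_scan.py scan.json; with no argument it processes the embedded sample.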

Common Issues Detected by WPScan

Even in a basic WordPress setup, WPScan may identify issues like:

  • xmlrpc.php endpoint exposed
  • readme.html file revealing WordPress version
  • Directory listing enabled on /wp-content/uploads/
  • Public usernames discoverable via /?author=1
  • WordPress version shown in meta tags or RSS feeds
  • Theme and plugin versions easily fingerprinted

These are not necessarily vulnerabilities, but information exposures that can assist an attacker during reconnaissance.

How to Fix Them

Below are the actions I took to close those exposures.

Disable XML-RPC

In the .htaccess file (WordPress root):

# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" inside the block instead
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

Remove readme.html

sudo rm [wordpress_directory]/readme.html

Disable Directory Listing

Create or edit a .htaccess file in the /wp-content/uploads/ folder:

Options -Indexes

Hide Author Usernames

In your theme’s functions.php, add:

// Send requests for author archives (including /?author=N) back to the home page,
// so usernames cannot be read off the /author/<login>/ redirect.
add_action('template_redirect', 'block_author_enum');
function block_author_enum() {
    if (is_author()) {
        wp_redirect(home_url());
        exit;
    }
}

Remove WordPress Version Info

Also in functions.php:

remove_action('wp_head', 'wp_generator');

Disable WP-Cron (Optional)

In wp-config.php, add the following, which stops WordPress from triggering wp-cron.php on page loads (schedule it from the system cron instead):

define('DISABLE_WP_CRON', true);

Protecting Against Brute-Force Attacks

To prevent unauthorized login attempts, I recommend using a lightweight security plugin that:

  • Limits login retries
  • Temporarily blocks IPs after multiple failures
  • Optionally hides or renames the login page

Alternatively, restrict login access at the web server level:

# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require ip 127.0.0.1" inside the block instead
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>

This is especially useful in local environments or when access is only needed from specific IPs.
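Blocking is only half of it; you also want to see brute-force attempts when they happen. The script below is an added example, not code from this post or any plugin: it reads Apache combined-format access log lines and flags source IPs with many failed logins to wp-login.php in a short window. It relies on WordPress's normal behaviour, where a failed login re-renders the form with HTTP 200 and a successful login answers 302 to wp-admin; the threshold and window are illustrative, and SAMPLE_LOG is constructed from TEST-NET addresses rather than taken from a real server.

```python
"""Spot brute-force login attempts against wp-login.php in an Apache access log.

Added example, not part of the post. Assumes the Apache "combined" log format
and WordPress's normal behaviour: a failed login re-renders the form with HTTP
200, a successful one answers 302 to wp-admin. Threshold and window are
illustrative; SAMPLE_LOG is constructed (TEST-NET addresses), not a real log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one IP hammering the form, one normal user, one single failure.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop query string, e.g. ?redirect_to=
        "status": int(m.group("status")),
    }

def failed_logins(lines):
    """POSTs to wp-login.php that came back 200, i.e. the form was re-shown."""
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].endswith("/wp-login.php") and e["status"] == 200:
            yield e

def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=5)):
    """Map ip -> peak number of failed logins inside any `window`, for ips at or over threshold."""
    by_ip = defaultdict(list)
    for e in failed_logins(lines):
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()                      # log lines are not guaranteed to be in time order
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, n in sorted(find_bruteforcers(lines).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed logins within 5 minutes")
```

Run it as python wp_login_watch.py /var/log/apache2/access.log; the flagged addresses are the ones a rate-limiting plugin or a web-server rule should already be blocking.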

Final Verification

After applying these fixes, I re-ran WPScan:

wpscan --url http://localhost

The scan no longer reported:

  • Exposed usernames
  • Public access to xmlrpc.php
  • Directory listing
  • Version leaks

Success!
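The six exposures listed under "Common Issues Detected by WPScan" can also be verified directly, before and after hardening, without a full scan. The script below is an added example, not code from this post or from WPScan: each classifier takes a (status, headers, body) tuple, so the logic can be exercised offline against the constructed UNHARDENED and HARDENED responses embedded in it, while fetch() uses urllib (without following redirects, since the ?author=1 check needs the Location header) for a real run against your own lab instance. The response texts it looks for (the XML-RPC banner, Apache's "Index of /" title, the generator meta tag and RSS generator element) are WordPress's and Apache's standard output; the sample bodies are constructed, not captured.

```python
"""Check a WordPress site for the information exposures this post covers.

Added example, not part of the post or of WPScan. Classifiers are pure
functions over (status, headers, body) so they can run offline; fetch() does
the real HTTP work. UNHARDENED / HARDENED below are constructed responses.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them (we need the Location header)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

_OPENER = urllib.request.build_opener(_NoRedirect)

def fetch(base_url, path):
    """Return (status, lower-cased headers, body) for base_url + path; never follows redirects."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"User-Agent": "wp-exposure-check"})
    try:
        with _OPENER.open(req, timeout=10) as r:
            return r.getcode(), {k.lower(): v for k, v in r.headers.items()}, r.read().decode("utf-8", "replace")
    except HTTPError as e:        # 3xx/4xx/5xx still carry useful headers and body
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read().decode("utf-8", "replace")
    except URLError as e:
        return 0, {}, str(e.reason)

# ---- classifiers: each returns a finding string, or None when the exposure is absent ----

def xmlrpc_exposed(resp):
    status, _, body = resp
    # WordPress answers a GET to xmlrpc.php with this banner when the endpoint is live.
    if status in (200, 405) and "XML-RPC server accepts POST requests only" in body:
        return "xmlrpc.php endpoint reachable"
    return None

def readme_exposed(resp):
    status, _, body = resp
    if status == 200 and "wordpress" in body.lower():
        return "readme.html reachable (reveals version)"
    return None

def listing_enabled(resp):
    status, _, body = resp
    if status == 200 and re.search(r"<title>Index of /", body):   # Apache autoindex page
        return "directory listing enabled on wp-content/uploads/"
    return None

def author_enumerable(resp):
    status, headers, _ = resp
    # Unhardened WordPress redirects /?author=1 to /author/<login>/, leaking the username.
    m = re.search(r"/author/([^/?#]+)", headers.get("location", "")) if status in (301, 302) else None
    return "username leaked via ?author=1: %s" % m.group(1) if m else None

def version_leaked(resp):
    _, _, body = resp
    m = (re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', body)
         or re.search(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", body))
    return "WordPress version %s leaked" % m.group(1) if m else None

CHECKS = [
    ("/xmlrpc.php", xmlrpc_exposed),
    ("/readme.html", readme_exposed),
    ("/wp-content/uploads/", listing_enabled),
    ("/?author=1", author_enumerable),
    ("/", version_leaked),         # generator meta tag in the page head
    ("/feed/", version_leaked),    # generator element in the RSS feed
]

def run_checks(fetcher):
    """fetcher(path) -> (status, headers, body). Returns [(path, finding), ...]."""
    findings = []
    for path, check in CHECKS:
        finding = check(fetcher(path))
        if finding:
            findings.append((path, finding))
    return findings

# Constructed responses for a stock install and for one hardened as in this post (not real captures).
UNHARDENED = {
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/readme.html": (200, {}, "<h1>WordPress</h1><p>Version 6.4.2</p>"),
    "/wp-content/uploads/": (200, {}, "<html><head><title>Index of /wp-content/uploads</title>"),
    "/?author=1": (301, {"location": "http://localhost/author/admin/"}, ""),
    "/": (200, {}, '<meta name="generator" content="WordPress 6.4.2" />'),
    "/feed/": (200, {}, "<generator>https://wordpress.org/?v=6.4.2</generator>"),
}
HARDENED = {
    "/xmlrpc.php": (403, {}, "Forbidden"),
    "/readme.html": (404, {}, "Not Found"),
    "/wp-content/uploads/": (403, {}, "Forbidden"),
    "/?author=1": (302, {"location": "http://localhost/"}, ""),
    "/": (200, {}, "<html><head><title>Blog</title></head></html>"),
    "/feed/": (200, {}, "<rss><channel><title>Blog</title></channel></rss>"),
}

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    for path, finding in run_checks(lambda p: fetch(base, p)):
        print(f"[!] {path}: {finding}")
```

Run it as python wp_exposure_check.py http://localhost against the lab site; an empty result after the fixes above corresponds to the clean re-scan described in this section.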

WPScan is a powerful tool for understanding the surface area of a WordPress site. While it doesn’t exploit vulnerabilities directly, it provides deep visibility into misconfigurations and risky exposures.
