How to analyze a WPScan CLI report and take action to secure your WordPress Website


WordPress powers a huge portion of websites across the internet, which makes it a common target for attackers. Recently, I had the opportunity to explore WPScan as part of the Security Blue Team’s “Introduction to Vulnerability Management” course. I was immediately reminded of a website I had helped build with friends, and I realized it would be a perfect candidate for a security check. Running a scan on a WordPress site can feel overwhelming at first, but understanding how to read a WPScan report and act on its findings is an essential skill for anyone managing a website.
In this post, I’ll walk you through how to safely analyze a WPScan report, identify potential security issues, and take practical steps to harden your WordPress site.
What is WPScan?
WPScan is a black-box vulnerability scanner for WordPress. It’s designed to detect:
Outdated WordPress versions and known vulnerabilities;
Vulnerable plugins and themes;
User accounts with weak passwords;
Publicly accessible configuration files, backups, or logs;
Media files or directories exposed to public access.
The tool can be run via CLI, Docker, or Homebrew (macOS). It can also be paired with the WPScan API to get up-to-date vulnerability data.
Before you scan any site, keep in mind:
Only scan websites you own or have permission to test. Scanning other sites without authorization is illegal.
Use a staging or test environment to avoid disrupting live users.
Consider anonymizing the scan output if you plan to share your findings publicly.
The WPScan CLI scanner described in this post is free to use only for non‑commercial purposes.
Step 1: Running the Basic Scan
A simple WPScan command looks like this:
wpscan --url YOUR_URL
And in case you installed WPScan using Docker, it will look like this:
docker run -it --rm wpscanteam/wpscan --url YOUR_URL
This checks the WordPress version, lists installed plugins and themes, and identifies simple vulnerabilities.
Step 2: Reading the Report of the Basic Scan
A WPScan report can be overwhelming at first glance. Here’s how to break it down:
WordPress Core Vulnerabilities
Check if your WordPress version is outdated. Running the latest version ensures that known security flaws are patched. The latest version at the time of writing this post is 6.8.2. To check yours, look for the following line:
WordPress version XXX identified (Released on XXX).
Action to take
Update to the latest version of WordPress. You can do so in the WordPress Dashboard > Updates.
Plugin Vulnerabilities
Plugins can introduce vulnerabilities even if WordPress itself is up-to-date, so look for outdated versions. Find the following line and investigate the output below it, looking for [!] indicators:
[i] Plugin(s) Identified:
Action to take
Remove unused plugins or replace them with actively maintained alternatives, update the plugins that are currently in use.
Theme Vulnerabilities
Themes, like plugins, can be exploited if they are outdated or poorly coded. Always keep themes updated and remove themes that are not in use. Look for the following line, checking for [!] indicators:
WordPress theme in use: XXX
Action to take
Update the theme currently in use, check your theme list in the WordPress Dashboard and remove any that are sitting there unused.
Exposed Files and Directories
WPScan identifies publicly accessible backups, configuration files (wp-config.php), and error logs. These files can reveal sensitive information if not properly protected. Look for the following line and investigate the output below it:
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Action to take
Remove unnecessary backup files from the web server.
Step 3: Running a More In-Depth Security Report
If you have followed the recommended actions from your base-level WPScan report, you can now choose to explore in more depth. This will require a bit more attention, but it will give you important insights into your website's security. If the report shows no issues, congratulations - you have secured most of your weak spots!
What you will need to do first is register on https://wpscan.com. After logging in with your user account, WPScan will provide you with an API token that lets the scanner query WPScan's vulnerability database. Using this token, run this command in your CLI:
wpscan --url YOUR_URL --enumerate vt,vp,cb,dbe,u --api-token YOUR_TOKEN
Don’t forget to put docker run -it --rm wpscanteam/wpscan at the start of the command, as in Step 1, in case you have installed WPScan using Docker.
Step 4: Reading the Report of the In-Depth Scan
Look for any [!] and take action accordingly. The report usually gives details about the vulnerability, and it's up to you to take the necessary steps. For example, if you see the [!] indicator with a vulnerability that was fixed in a later version, you'll know if you need to update or change the plugins or themes you're using. I will discuss user account enumeration in more detail.
User Accounts
Exposed usernames are an easy entry point for attackers. A malicious actor can use a couple of tricks to discover default or predictable usernames from the outside and then brute force their passwords. You can run WPScan with the added argument --enumerate u for it to try some of the actions an attacker would try. Look for the following line and investigate the output below it:
[i] User(s) Identified:
Action to take
Use publicly visible nicknames that are different from your user IDs and rename the default admin account.
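Reading the basic report (Step 2) and the in-depth report (Step 4) comes down to the same routine: find the identifying lines, then attach every [!] marker to the core version, theme, plugin, exposed file or user it was printed under, and turn each one into the matching action. The script below, an added example that is not part of this post or of the WPScan project, automates that routine over the CLI text output. The report it parses is a constructed sample in the shape of WPScan's text output; the host, slugs, versions and vulnerability titles are invented, and the exact wording of the headings and markers is assumed from the lines quoted in this post, so check them against your own report before relying on the regular expressions.

```python
import re

# Constructed sample in the shape of a WPScan CLI text report. Host, slugs,
# versions and vulnerability titles are invented for this example.
SAMPLE_REPORT = """\
[+] WordPress version 6.4.2 identified (Insecure, released on 2023-12-06).
 | [!] Title: WordPress < 6.8.2 - Example Core Issue (constructed)
 |     Fixed in: 6.8.2

[+] WordPress theme in use: example-theme
 | [!] The version is out of date, the latest version is 2.1
 | Version: 2.0 (80% confidence)

[i] Plugin(s) Identified:

[+] example-forms
 | [!] The version is out of date, the latest version is 5.9
 | Version: 5.8 (100% confidence)
 | [!] Title: Example Forms < 5.9 - Example Issue (constructed)
 |     Fixed in: 5.9

[+] example-gallery
 | Version: 3.1 (100% confidence)

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
[!] Config Backup(s) Identified:
[!] https://example.test/wp-config.php.bak

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
[+] diana
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
"""

# Line shapes assumed from the report lines quoted in the post.
CORE_RE = re.compile(r"WordPress version (\S+) identified \(([^,)]+)[,)]")
THEME_RE = re.compile(r"WordPress theme in use: (\S+)")
ITEM_RE = re.compile(r"^\[\+\] (\S+)$")        # one plugin or user entry
VERSION_RE = re.compile(r"\| Version: (\S+)")
BANG_RE = re.compile(r"\[!\] (.+)$")           # the marker the post says to look for


def parse_report(text):
    """Return what the report identified; each [!] finding is attached to the
    core, theme, plugin or user entry it was printed under."""
    result = {"core": {"version": None, "status": None, "findings": []},
              "theme": {"slug": None, "version": None, "findings": []},
              "plugins": {}, "users": {}, "config_backups": []}
    section, current = "core", result["core"]   # where [!] lines attach
    for raw in text.splitlines():
        line = raw.strip()
        if m := CORE_RE.search(line):
            result["core"].update(version=m[1], status=m[2])
            section, current = "core", result["core"]
        elif m := THEME_RE.search(line):
            result["theme"]["slug"] = m[1]
            section, current = "theme", result["theme"]
        elif "Plugin(s) Identified" in line:
            section = "plugins"
        elif "User(s) Identified" in line:
            section = "users"
        elif "Config Backup" in line and "Identified" in line:
            section = "config_backups"
        elif section in ("plugins", "users") and (m := ITEM_RE.match(line)):
            current = result[section].setdefault(m[1], {"version": None, "findings": []})
        elif m := VERSION_RE.search(line):
            current["version"] = m[1]
        elif m := BANG_RE.search(line):
            if section == "config_backups":
                result["config_backups"].append(m[1])   # the exposed URL itself
            else:
                current["findings"].append(m[1])
        elif line.startswith("|") and "Fixed in:" in line and current["findings"]:
            # the fix version is printed under the finding's title line
            current["findings"][-1] += " (" + line.lstrip("| ") + ")"
    return result


def action_items(report):
    """Map the findings onto the actions recommended in this post."""
    actions = []
    core, theme = report["core"], report["theme"]
    if (core["status"] or "").lower() in ("insecure", "outdated") or core["findings"]:
        actions.append(f"Update WordPress core: {core['version']} is {core['status']}")
    if theme["findings"]:
        actions.append(f"Update theme {theme['slug']} and remove unused themes")
    for slug, info in report["plugins"].items():
        if info["findings"]:
            actions.append(f"Update or replace plugin {slug}: {len(info['findings'])} finding(s)")
    for url in report["config_backups"]:
        actions.append(f"Remove exposed file from the web server: {url}")
    for user in report["users"]:
        hint = ("rename the default admin account" if user == "admin"
                else "make sure the public nickname differs from this login")
        actions.append(f"Login name {user} is enumerable: {hint}")
    return actions
```

To use it on a real scan, save the CLI output to a file (WPScan's -o/--output option writes it there) and call action_items(parse_report(open("report.txt").read())). Plugins with no [!] line, like example-gallery in the sample, produce no action, which is the point: the list you get back is only the items this post tells you to act on.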
You are done - what next?
If you took all the necessary actions, you can congratulate yourself on doing a great job and using a very useful CLI tool. Remember to regularly scan your site - make vulnerability scanning a part of your routine maintenance. WPScan also offers a plugin for WordPress that helps you visualize and automate the security scanning process to stay up-to-date.
Running a vulnerability scan might seem intimidating at first, but with regular maintenance and attention, you can turn insights from WPScan into real, actionable steps to protect your website and users.
Choose a tool you like and keep your websites safe.
Written by Diana T.