Kali Linux


WPScan is a WordPress vulnerability scanner. It is found in the Kali desktop menu under 03:Web Application Analysis > Web Vulnerability Scanners.


The following command runs a password attack against a WordPress server. The `--passwords` option requires a password file that contains a list of passwords to use during the password attack.

One of the easiest ways to prepare the password file is to use the Openwall wordlists collection. The following command uses the file named “password” as its list of passwords, which was downloaded from the /pub/wordlists/passwords directory.

The log shows that wpscan found the admin/admin account-password pair in 3 minutes.

Note: wpscan requires internet access to update its database. If the database server is unreachable over the network, wpscan aborts.