WPScan Command Cheatsheet
Basic Scanning:
wpscan --url <target>
Enumeration:
WordPress Username Enumeration:
wpscan --url <target> --enumerate u
Enumerate usernames with user IDs 1 to 5:
wpscan --url <target> --enumerate u1-5
Run a password attack against the users with IDs 1 to 5, using a wordlist:
wpscan --url <target> --enumerate u1-5 --passwords <wordlist>
Plugin and Theme Version Enumeration:
wpscan --url <target> --enumerate vp,vt
Random User-Agent:
wpscan --url <target> --random-user-agent
Timthumb Scanner:
wpscan --url <target> --enumerate tt
XML-RPC Password Attack:
wpscan --url <target> --password-attack xmlrpc --passwords <wordlist>
Advanced Scanning Options:
Set the maximum number of threads for parallel scanning:
wpscan --url <target> --max-threads <num>
Use a proxy for scanning:
wpscan --url <target> --proxy <proxy-url>
Perform scans with HTTP Basic Authentication:
wpscan --url <target> --http-auth "<username>:<password>"
Send custom headers with requests:
wpscan --url <target> --headers "<header1>:<value1>,<header2>:<value2>"
Set a custom User-Agent string for requests:
wpscan --url <target> --user-agent "Custom-User-Agent"
Save scan results to a file:
wpscan --url <target> --output <output-file>
Utility and Information:
Display WPScan version information:
wpscan --version
Update the WPScan vulnerability database:
wpscan --update
Display the help menu with available options:
wpscan --help
Proxy and Tor:
Use a specified proxy during scanning:
wpscan --url <target> --proxy <proxy-url>
Disable checking for Tor exit nodes:
wpscan --url <target> --disable-tor-check
Security and Bypassing Techniques:
Disable SSL/TLS certificate checks for the target site:
wpscan --url <target> --disable-tls-checks
Disable malware checks:
wpscan --url <target> --disable-malware-check
Spoofing and Headers:
Disable HTTP compression:
wpscan --url <target> --disable-accept-encoding
Disable the Referer header in requests:
wpscan --url <target> --disable-referer
Advanced Configuration:
Follow HTTP redirects during scanning:
wpscan --url <target> --follow-redirection
Set a delay between HTTP requests (in milliseconds):
wpscan --url <target> --throttle <milliseconds>
Exclude specific plugins or themes based on content patterns:
wpscan --url <target> --exclude-content-based <pattern>
Specify a custom path for the wp-content directory:
wpscan --url <target> --wp-content-dir <path>
Enumerate vulnerable plugins:
wpscan --url <target> --enumerate vp
Specify a custom wordlist for password brute-forcing:
wpscan --url <target> --passwords <wordlist>
Export scan results in CSV format:
wpscan --url <target> --export-csv <output.csv>
Run WPScan in quiet mode with minimal output:
wpscan --url <target> --quiet
Include custom cookies in requests:
wpscan --url <target> --cookie-string "<cookie-name>=<cookie-value>"
Disable verbose output:
wpscan --url <target> --disable-verbose-mode
Disable checking common file and directory locations:
wpscan --url <target> --disable-common-locations
Set the detection mode (mixed, passive or aggressive):
wpscan --url <target> --detection-mode <mode>
Disable following 404 redirects:
wpscan --url <target> --disable-404-redirect
Ignore the main redirection to a login page:
wpscan --url <target> --ignore-main-redirect
Skip the vulnerability database update before scanning:
wpscan --url <target> --no-update
Force the scan even if the target does not appear to be running WordPress:
wpscan --url <target> --force
Password Attacks:
Password Brute-Force Attack on a Specific User:
wpscan --url <target> --usernames <username> --passwords <wordlist>
Password Brute-Force Attack via XML-RPC:
wpscan --url <target> --password-attack xmlrpc --usernames <username> --passwords <wordlist>
Plugin and Theme Enumeration:
Enumerate all plugins:
wpscan --url <target> --enumerate ap
Enumerate all themes:
wpscan --url <target> --enumerate at
Enumerate vulnerable themes:
wpscan --url <target> --enumerate vt
Enumerate all TimThumb files:
wpscan --url <target> --enumerate tt
Database Enumeration:
Enumerate database exports:
wpscan --url <target> --enumerate dbe
Enumerate database version:
wpscan --url <target> --enumerate dbv
Enumerate vulnerable plugins and themes:
wpscan --url <target> --enumerate vp,vt
Enumerate config backups:
wpscan --url <target> --enumerate cb
Enumerate database tables:
wpscan --url <target> --enumerate dbt
Custom Scan Configuration:
Specify a custom plugin directory:
wpscan --url <target> --wp-plugins-dir <path>
Specify a custom theme directory:
wpscan --url <target> --wp-themes-dir <path>
Set a delay between scanning requests (5 seconds, given in milliseconds):
wpscan --url <target> --throttle 5000
Output Options:
Export scan results in JSON format:
wpscan --url <target> --output <output-file>.json --format json
Export scan results in XML format:
wpscan --url <target> --output <output-file>.xml
Export scan results in HTML format:
wpscan --url <target> --output <output-file>.html
Advanced Configuration:
Set maximum redirections to follow:
wpscan --url <target> --max-redirects 10
Exclude plugins or themes by name:
wpscan --url <target> --exclude-content-based "akismet,hello-dolly"
Custom Headers:
Include a custom Referer header in requests:
wpscan --url <target> --headers "Referer: https://custom-referer.com"
Include custom cookies in requests:
wpscan --url <target> --cookie-string "cookie-name=cookie-value"
Include a custom Accept-Language header:
wpscan --url <target> --headers "Accept-Language: en-US,en;q=0.8"
Enumeration and Analysis:
Enumerate configuration issues:
wpscan --url <target> --enumerate c
Bypassing Techniques:
Bypassing a Web Application Firewall (WAF):
Bypassing WAF often requires crafting HTTP requests to evade detection. This should be done with caution and only for legitimate testing purposes with proper authorization.
Logging:
Enable logging to a file:
wpscan --url <target> --log <log-file>
Specify log level (e.g., Debug):
wpscan --url <target> --log <log-file> --log-level debug
Other Advanced Techniques:
Use custom HTTP methods (e.g., PUT, DELETE):
wpscan --url <target> --method PUT
Enumerate installed SSL/TLS ciphers:
wpscan --url <target> --enumerate ciphers
Using Tor:
Use Tor proxy for scanning:
wpscan --url <target> --proxy socks5://127.0.0.1:9050
URL Fuzzing:
Fuzz for interesting URLs:
wpscan --url <target> --fuzz
Fuzz for interesting URL parameters:
wpscan --url <target> --fuzz-parameter
Fuzz for interesting HTTP methods:
wpscan --url <target> --fuzz-method
Payload Testing:
Test for Remote Code Execution (RCE) vulnerabilities:
wpscan --url <target> --payloads php/rce
Test for SQL Injection vulnerabilities:
wpscan --url <target> --payloads sql/sqli
Test for Cross-Site Scripting (XSS) vulnerabilities:
wpscan --url <target> --payloads xss/xss
Authentication:
Scan a target protected by HTTP authentication:
wpscan --url <target> --http-auth "<username>:<password>"
Advanced Reconnaissance:
Enumerate database exports:
wpscan --url <target> --enumerate dbe
Enumerate installed web servers:
wpscan --enumerate ws
Enumerate installed PHP versions:
wpscan --enumerate pv
Enumerate installed MySQL versions:
wpscan --enumerate pv
Enumerate installed CMS versions (Non-WP):
wpscan --enumerate cv
Enumerate installed PHP modules:
wpscan --enumerate pm