Usage: wpscan [options] --url URL

[!] wpscan --update #If the vulnerability database is outdated

Options	Description
-h, --help	Display the simple help and exit.
--url	The URL of the WordPress blog to scan, including http/https. Example: --url https://example.com
-e, --enumerate	Enumeration options: vp (vulnerable plugins), ap (all plugins), vt (vulnerable themes), at (all themes), u (usernames), m (media), cb (config backups), dbe (db exports), ...
--api-token	API token to access WPScan Vulnerability Database. Used for checking vulnerabilities.
-P, --passwords Disabled	List of passwords to use during the password attack.
-U, --usernames Disabled	List of usernames to use during the password attack.
--wordlist Disabled	Alias for --passwords.
--random-user-agent	Use a random user-agent string.
--proxy	Proxy to use for requests (e.g. http://127.0.0.1:8080).
--proxy-auth	Proxy authentication credentials.
--request-timeout	Request timeout in seconds. Default: 60.
--connect-timeout	Connection timeout in seconds. Default: 30.
-t, --max-threads Disabled	The maximum number of threads to use. Default: 5.
--output, -o Disabled	Output to file.
--format	Output format. Choices: cli, json, cli-no-color.
--disable-tls-checks	Disables SSL/TLS certificate checks (useful for self-signed certs).
--headers	Custom headers to include in all HTTP requests. Example: 'X-My-Header: value'
--user-agent	Custom user-agent string.
--cookie	Custom cookie string to include in all HTTP requests.
--force	Forces WPScan to continue on warnings (like invalid TLS cert).
--throttle	Milliseconds to wait before each HTTP request.
--scope Disabled	Limit testing to the given scope, e.g. 'wp-content/plugins/'.
--update, --no-update	Whether or not to update the Database

WPScan online

Tool for scanning WordPress websites for security vulnerabilities. It can detect known plugin and theme issues, enumerate users, and check for outdated core versions, making it useful for security assessments and hardening WordPress installations.

Homepage

Star

v3.8.28