Is WPScan Open Source?

WPScan is a black box WordPress vulnerability scanner that is open source. It can be used to scan for vulnerabilities in WordPress websites and plugins. WPScan is developed by White Hat Security, Inc. as part of their penetration testing services.

It is also used by many security researchers to audit the security of WordPress websites. But is it open source?

Yes. WPScan is released under the GNU General Public License Version 3 (GPLv3). You are free to use, copy, modify, and distribute WPScan as long as you abide by the terms of the GPLv3.

It can also be used to scan local installations for vulnerabilities that have been discovered in the past.

What is WPScan and How Does it Work?

WPScan is a black box WordPress vulnerability scanner that scans for known vulnerabilities within WordPress installations. It can be used to enumerate installed plugins, themes, and other information.

It does not attack WordPress sites itself; instead, it uses publicly available information to find the weaknesses an attacker could target. While WPScan is not an official project of the WordPress Foundation, it is endorsed by WordPress co-founder Matt Mullenweg.

WPScan works by first checking whether a given website is running WordPress. It then enumerates installed plugins and themes, looking for common vulnerabilities.

It can also brute force passwords and usernames, although this feature is disabled by default to prevent abuse. WPScan can run arbitrary PHP code within the context of a WordPress site, allowing for further exploration of vulnerabilities. 

While WPScan can be a valuable tool for security researchers, it can also be misused by attackers. As such, it is important to use WPScan responsibly and only scan systems that you have permission to test.

Is WPScan Open Source?

Yes, WPScan is open source. Anyone can download the software and use it for free. The project is hosted on GitHub, where anyone can contribute code or report issues.

However, WPScan does have a paid version that offers additional features and support. The paid version is available for purchase on the WPScan website. 


Overall, WPScan is a great tool for security researchers and WordPress users alike. Its open-source nature makes it highly adaptable and customizable, while the paid version provides extra peace of mind for those who need it.

What Are The Most Common Uses Of WPScan?

Today, WPScan is widely considered one of the most comprehensive WordPress security scanners. Its main purpose is to detect vulnerabilities within WordPress websites and plugins.

However, it can also be used for other tasks such as enumerating users, brute-forcing passwords, fuzzing, and much more.

Now let’s take a closer look at some of the most common uses for WPScan.

One of the most popular uses for WPScan is vulnerability scanning. The scanner comes with a large database of known WordPress vulnerabilities, making it easy to identify potential security issues.

Simply point the scanner at a website and it will check for any known vulnerabilities. If any are found, you can then investigate further and take steps to fix the issue.
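The two passages above (how WPScan first confirms a site is WordPress and then enumerates plugins and themes, and how vulnerability scanning compares what it finds against a database of known issues) can be illustrated with a small script. The following is an added example written for this article; it is not WPScan's code and does not use its database. It works on a page body you already have (here a constructed HTML sample), fingerprints WordPress from the generator meta tag or wp-content/wp-includes asset paths, extracts plugin slugs and versions from the `?ver=` query strings on enqueued assets, and compares them against a constructed advisory list. The plugin names, versions and advisory titles are all invented for illustration.

```python
"""
Added example (not WPScan's code): a minimal black-box check in the spirit of
the steps described in the article. It (1) decides whether an HTML page looks
like WordPress, (2) extracts plugin slugs and versions from asset URLs, and
(3) compares them against a small, constructed advisory list.
All sample HTML and advisories below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# --- (1) WordPress fingerprints -----------------------------------------
# The generator meta tag and wp-content / wp-includes asset paths are the
# usual signals a black-box scanner keys on.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)["\']', re.I)
WP_PATH_RE = re.compile(r'/wp-(?:content|includes)/', re.I)

# --- (2) plugin slug + version from enqueued assets ----------------------
# e.g. /wp-content/plugins/some-plugin/js/index.js?ver=5.4.1
PLUGIN_ASSET_RE = re.compile(
    r'/wp-content/plugins/([a-z0-9_-]+)/[^"\'\s]*?\?ver=([\d.]+)', re.I)

@dataclass(frozen=True)
class Advisory:
    plugin: str
    fixed_in: tuple       # first version that is not affected
    title: str

# Constructed advisory list; plugin names and versions are illustrative only.
ADVISORIES = [
    Advisory("example-gallery", (2, 4, 0), "Stored XSS in gallery caption (constructed)"),
    Advisory("example-forms", (1, 9, 3), "Unauthenticated settings change (constructed)"),
]

def parse_version(v: str) -> tuple:
    """'5.4.1' -> (5, 4, 1); tuples compare component by component."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def is_wordpress(html: str):
    """Return (bool, core_version_or_None)."""
    m = GENERATOR_RE.search(html)
    if m:
        return True, (m.group(1) or None)
    return bool(WP_PATH_RE.search(html)), None

def enumerate_plugins(html: str) -> dict:
    """Map plugin slug -> highest ?ver= seen in the page's asset URLs."""
    found = {}
    for slug, ver in PLUGIN_ASSET_RE.findall(html):
        slug = slug.lower()
        if slug not in found or parse_version(ver) > parse_version(found[slug]):
            found[slug] = ver
    return found

def match_advisories(plugins: dict) -> list:
    """Return (slug, version, title) for plugins older than the fixed version."""
    hits = []
    for adv in ADVISORIES:
        ver = plugins.get(adv.plugin)
        if ver is not None and parse_version(ver) < adv.fixed_in:
            hits.append((adv.plugin, ver, adv.title))
    return hits

def scan(html: str) -> dict:
    """Fingerprint, enumerate, then match: the three steps described above."""
    wp, core = is_wordpress(html)
    plugins = enumerate_plugins(html) if wp else {}
    return {"wordpress": wp, "core_version": core,
            "plugins": plugins, "findings": match_advisories(plugins)}

# Constructed sample page, standing in for an HTTP response body.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2.1" />
<link rel="stylesheet" href="/wp-content/plugins/example-gallery/css/style.css?ver=2.3.9" />
<script src="/wp-content/plugins/example-forms/js/app.js?ver=1.9.3"></script>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Note that `example-forms` at exactly the fixed version produces no finding, while `example-gallery` one release behind does; the version comparison is done on integer tuples rather than strings so that, for instance, 1.10 correctly sorts after 1.9. A real scanner also has to cope with sites that strip `?ver=` parameters or hide the generator tag, which is one reason version-based findings need manual confirmation.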

Another common use for WPScan is user enumeration. This task involves listing all the WordPress users on a website. This can be useful for identifying unauthorized access or simply for creating a list of valid usernames.

To enumerate users, simply run the scanner with the “--enumerate u” command line argument.

Additionally, WPScan can also be used for brute forcing passwords. This process involves trying a large number of different passwords in an attempt to guess the correct one.

While this method is not recommended as it can lead to account lockouts, it can be useful in situations where you have exhausted all other avenues. To brute force passwords, use the “--brute force” command line argument.
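From the site owner's side, the two activities just described (user enumeration and password brute forcing) leave distinctive traces in the web server's access log. The following is an added example, not part of the article and not WPScan's code: a small detector that reads combined-format log lines and flags an IP that sweeps `?author=N` author archives or queries the `/wp-json/wp/v2/users` endpoint, and an IP that sends a burst of POST requests to `wp-login.php`. The assumption that enumeration shows up as author-archive and REST users requests is a common pattern for WordPress, not a statement about WPScan's internals; the log lines, IP addresses and thresholds are constructed for illustration.

```python
"""
Added example (not part of the article or of WPScan): a defender-side detector
for the two activities described above, run over constructed access log lines.
  * user enumeration: sweeps of /?author=N and hits on /wp-json/wp/v2/users
  * password brute forcing: bursts of POST /wp-login.php from one client
Thresholds are constructed and should be tuned to a site's normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')
USERS_API = "/wp-json/wp/v2/users"
LOGIN_PATH = "/wp-login.php"

ENUM_DISTINCT_IDS = 5                 # distinct ?author= ids from one IP
LOGIN_ATTEMPTS = 10                   # POSTs to wp-login.php from one IP ...
LOGIN_WINDOW = timedelta(minutes=1)   # ... inside this sliding window

def parse_line(line: str):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect(lines) -> dict:
    """Return {ip: sorted list of alert strings} for IPs that trip a rule."""
    author_ids = defaultdict(set)
    users_api = defaultdict(int)
    login_posts = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        bare_path = path.split("?", 1)[0]
        m = AUTHOR_RE.match(path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        elif bare_path == USERS_API:
            users_api[ip] += 1
        elif rec["method"] == "POST" and bare_path == LOGIN_PATH:
            login_posts[ip].append(rec["ts"])

    alerts = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= ENUM_DISTINCT_IDS:
            alerts[ip].append(f"user enumeration via ?author= ({len(ids)} ids)")
    for ip, n in users_api.items():
        alerts[ip].append(f"REST users endpoint queried ({n}x)")
    for ip, stamps in login_posts.items():
        stamps.sort()
        start = 0  # sliding window over sorted timestamps
        for end, t in enumerate(stamps):
            while t - stamps[start] > LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= LOGIN_ATTEMPTS:
                alerts[ip].append(
                    f"login brute force ({end - start + 1} POSTs in {LOGIN_WINDOW.seconds}s)")
                break
    return {ip: sorted(a) for ip, a in alerts.items()}

def log_line(ip, ts, method, path, status):
    """Build a constructed combined-format log line for the sample below."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample log: one enumerating client, one brute-forcing client,
# and one ordinary visitor who should produce no alert.
SAMPLE_LOG = (
    [log_line("203.0.113.5", f"10/Mar/2024:12:00:{i:02d} +0000", "GET", f"/?author={i}", 301)
     for i in range(1, 7)]
    + [log_line("203.0.113.5", "10/Mar/2024:12:00:10 +0000", "GET",
                "/wp-json/wp/v2/users?per_page=100", 200)]
    + [log_line("198.51.100.9", f"10/Mar/2024:12:01:{i:02d} +0000", "POST", "/wp-login.php", 200)
       for i in range(12)]
    + [log_line("192.0.2.77", "10/Mar/2024:12:02:00 +0000", "GET", "/?author=1", 301),
       log_line("192.0.2.77", "10/Mar/2024:12:05:00 +0000", "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, found in detect(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(found))
```

The single-visitor entries are there to show the thresholds doing their job: one author-archive lookup and one login are normal traffic and raise nothing. Pairing this kind of detection with rate limiting on `wp-login.php` and disabling author-archive redirects for guests addresses the account-lockout risk the article mentions from the defender's side.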

Finally, WPScan can also be used for fuzzing. This process involves sending random data to an application in an attempt to trigger unexpected behavior. This can be useful for identifying potential security issues such as Cross-Site Scripting (XSS) vulnerabilities.

To fuzz an application, use the “--fuzz” command line argument followed by the URL of the target application.

These are just some of the most common uses for WPScan. As you can see, this versatile tool can be used for a wide range of tasks, making it an invaluable addition to any security toolkit.

Considerable Things While Using WPScan on Your Website

WordPress is one of the most popular content management systems in use today, powering millions of websites around the world. Unfortunately, that popularity also makes WordPress a prime target for hackers and malicious users.

One of the best ways to protect your WordPress site is to use WPScan, a security tool designed specifically for WordPress.

Here are a few things to consider when using WPScan on your website:

First and foremost, WPScan is a command-line tool, which means you’ll need some basic familiarity with the Linux/Unix command line in order to use it. If you’re not comfortable working with the command line, WPScan may not be the right tool for you. 

Secondly, WPScan is designed for security professionals and experienced developers. It’s not a point-and-click security scanner like many other tools on the market. As such, it has a fairly steep learning curve and may not be suitable for beginners. 

Finally, WPScan is an active tool, which means it can actually cause harm to your website if used improperly. Be sure to read the documentation carefully and understand how WPScan works before using it on your live website. 

Used properly, however, WPScan can be an invaluable security tool for any WordPress site. By thoroughly scanning your site for vulnerabilities, WPScan can help you harden your site against attack and keep your data safe.

How To Use WPScan on Your Website?

WordPress is one of the most popular content management systems (CMS) in the world, powering millions of websites. However, its popularity also makes it a target for hackers. One way to safeguard your WordPress site is to use WPScan, a security tool that can help you identify vulnerabilities.


Here is a step-by-step guide to using WPScan: 

First, you will need to download and install WPScan. This can be done using the WordPress Security Scan plugin or by manually downloading the latest version from the WPScan website. 

Once WPScan is installed, you will need to select a target website. This can be done by either entering the URL of the site or by choosing from a list of pre-defined targets.

Next, you will need to choose which attack type you want to use. WPScan offers three attack types: brute force, dictionary, and plugin enumeration. 

Finally, you will need to launch the attack by clicking on the “Start Attack” button. This will start the scanning process and WPScan will attempt to find any vulnerabilities in the selected target website.

Benefits of Using WPScan On Your Website

WPScan is a website security tool that helps you scan your site for vulnerabilities and potential threats. It can also help you clean up your site if it has been hacked. WPScan is a great tool for both WordPress beginners and experts.

Here are some benefits of using WPScan on your website: 

WPScan can help you scan your website for vulnerabilities and potential threats. This is a great way to keep your site secure and prevent hackers from breaking in. 

WPScan can also help you clean up your site if it has been hacked. Hackers often leave behind code that can be used to attack other websites. WPScan can help you remove this code and prevent future attacks. 

It’s a great tool for both WordPress beginners and experts. Beginners can use WPScan to find and fix vulnerabilities on their sites. Experts can use WPScan to find and fix complex security issues. 

WPScan is free to use. This makes it an affordable option for website owners who want to keep their sites secure. 

It’s easy to use. The user interface is simple and straightforward. You can get started with scanning your site in just a few minutes. 

WPScan is constantly updated with the latest security information. This ensures that you always have the most up-to-date security information available when you need it.

Drawbacks of Using WPScan On Your Website

WPScan is a black box vulnerability scanner for WordPress websites. It can be used to scan for vulnerabilities such as unpatched versions of WordPress, plugins, and themes.

WPScan is a great tool for security researchers and pen-testers, but it has some drawbacks.

First of all, WPScan is not open source, so you have to trust that the developers are not hiding any malicious code in the scanner.

Secondly, WPScan is only available for Linux and macOS, so Windows users are out of luck.

Finally, WPScan can generate a lot of false positives, so you need to be careful when using it on your website.

Overall, WPScan is a great tool for security researchers, but it has some drawbacks that you should be aware of before using it on your website.

Tip to Avoid The Common Mistakes While Using WPScan

WPScan is a powerful tool that can help you scan WordPress websites for security vulnerabilities. However, it is important to use WPScan responsibly, as misuse can lead to legal trouble. 

Here are some tips for avoiding common mistakes while using WPScan:

1. Do not scan without permission: Unless you have express permission from the website owner, do not scan a WordPress website with WPScan. Doing so may be considered an illegal act, and you could face criminal charges.

2. Do not scan known vulnerable websites: There are a number of WordPress websites that are known to be vulnerable to attack. Do not scan these websites, as you could be held liable if someone uses your scan results to exploit the vulnerability.

3. Do not share scan results without permission: If you do obtain permission to scan a WordPress website, do not share the results without the website owner’s explicit permission. Sharing such information without permission could lead to legal trouble.

By following these simple tips, you can avoid common mistakes while using WPScan. Responsible scanning will help ensure that WordPress websites remain secure and minimize the chances of legal trouble.

Bottom Line 

WPScan is a popular WordPress vulnerability scanner that can be used to scan for known vulnerabilities in your WordPress website. It’s important to keep your WordPress site updated and secure, and using WPScan is one way to do that.

While WPScan has many benefits, it’s also important to be aware of the drawbacks and take precautions while using it. By following the tips given above, however, you can reduce most of its drawbacks.


Michael Fied

founder of and SpamBurner

Michael Fied is the founder and CEO of and SpamBurner. In addition, he’s an internationally top-rated and award-winning website advisor and website architect with a global team of 55. You can find Michael on LinkedIn or contact him directly here.
