Listen to this Post

Introduction:
The official release of WPScan 4.0.0 by Automattic marks a significant evolution in WordPress security scanning. After addressing over 75 community issues, this version introduces explicit scan control, authentication‑based enumeration, and real‑time result streaming, transforming the tool from a resource‑intensive scanner into a highly efficient, user‑driven security solution. Built on a consolidated codebase with modern CI/CD practices, WPScan 4.0.0 empowers security professionals to conduct precise, low‑impact audits while leveraging the WordPress Vulnerability Database (WPVulnDB) for real‑time threat intelligence.
Learning Objectives:
- Master Explicit Scan Control: Learn how to tailor scans to specific components using new flags like
-e vp, eliminating unnecessary API requests and reducing scan time. - Implement Authentication‑Based Enumeration: Understand how to use WordPress Application Passwords with the `–wp-auth` flag for zero‑guess, authoritative detection of all installed plugins and themes.
- Leverage Real‑Time and Resilient Scanning: Use JSONL streaming with `–format jsonl` for live result monitoring and implement resume features to handle network interruptions during long brute‑force attacks.
You Should Know:
- Explicit Scan Control: Stop Wasting API Requests and Time
The number one complaint with earlier versions was the automatic, aggressive scanning of plugins and configuration files, which burned through API rate limits and prolonged scan durations. WPScan 4.0.0 solves this by performing only a minimal default scan that checks the WordPress version, active theme, and basic security findings. All other enumeration must be explicitly requested using the `-e` (enumerate) flag, giving you complete control over scan scope.
Step‑by‑step guide:
- Minimal default scan (no plugin enumeration):
`wpscan –url https://example.com`
– Enumerate only vulnerable plugins:
`wpscan –url https://example.com -e vp` - Enumerate all installed plugins using aggressive detection (closer to old 3.x behaviour):
`wpscan –url https://example.com -e ap –plugins-detection passive`
– Enumerate all themes and config backups:
`wpscan –url https://example.com -e at,cb`This approach not only conserves your daily API token quota (free tier allows 25 requests/day) but also drastically reduces scan duration on large sites.
2. Authentication‑Based Scanning: Zero Guessing, Zero False Negatives
Traditional fingerprinting methods miss components that are not publicly linked. The new `–wp-auth` flag changes the game by accepting a WordPress Application Password and querying the REST API directly, retrieving the authoritative list of every installed plugin and theme, active or inactive.
Step‑by‑step guide:
- Generate an Application Password in WordPress:
Navigate to Users → Your Profile → Application Passwords in the WordPress admin dashboard. Enter a name (e.g., “WPScan”) and click Add New Application Password. Copy the generated password string. - Run an authenticated scan:
`wpscan –url https://example.com –wp-auth admin:”xxxxxxx”`
Replace `admin` with your username and `xxxxxxx` with the copied application password. - Combine with enumeration for comprehensive audit:
`wpscan –url https://example.com –wp-auth admin:”xxxxxxx” -e ap,at,cb`
This provides a complete inventory of all plugins, themes, and configuration backups, with zero false negatives.
3. Real‑Time Results and Scan Resilience
Long scans are painful when you are waiting for output. The new JSONL streaming format (--format jsonl) outputs findings as they are discovered, allowing you to monitor progress in real time or pipe the data into automation pipelines. Additionally, brute‑force attacks can be resumed from a specific line using --wordlist-skip, and failed requests can be automatically retried.
Step‑by‑step guide:
- Stream results in real time and pretty‑print with jq:
`wpscan –url https://example.com -e ap –format jsonl | jq .`
– Resume a password brute‑force attack from line 5000 after a network glitch:
`wpscan –url https://example.com -P wordlist.txt –wordlist-skip 5000`
– Automatically retry failed requests up to 3 times:
`wpscan –url https://example.com -P wordlist.txt –max-retries 3`
4. Installation and API Token Configuration
WPScan 4.0.0 requires Ruby 3.3 or higher. It can be installed via Ruby gem, Docker, or as a pre‑installed tool on Kali Linux. An API token is required to retrieve vulnerability data from the WPVulnDB (free tier: 25 requests/day).
Step‑by‑step guide:
- Installation via Ruby gem (Ubuntu/Debian):
sudo apt update sudo apt install ruby ruby-dev build-essential libcurl4-openssl-dev -y sudo gem install wpscan wpscan --version
- Installation via Docker (no dependencies):
docker pull wpscanteam/wpscan docker run -it --rm wpscanteam/wpscan --url https://example.com
- Set up API token permanently:
mkdir -p ~/.wpscan echo "cli_options:" > ~/.wpscan/scan.yml echo " api_token: YOUR_API_TOKEN_HERE" >> ~/.wpscan/scan.yml
- Pass API token on the command line (single scan):
`wpscan –url https://example.com –api-token YOUR_API_TOKEN`
5. Advanced Enumeration and Vulnerability Detection
WPScan’s enumeration system is its core strength, allowing comprehensive discovery of WordPress components. The tool integrates with the WPVulnDB API to cross‑reference detected components against known CVEs, including critical vulnerabilities with scores up to 9.0/10.
Step‑by‑step guide:
- Enumerate all plugins with aggressive detection:
`wpscan –url https://example.com -e ap –plugins-detection aggressive`
– Enumerate users (useful for auditing account hygiene):
`wpscan –url https://example.com -e u`
– Check for vulnerable plugins and themes (requires API token):
`wpscan –url https://example.com -e ap,at,cb –api-token YOUR_TOKEN`
Flags: `ap` = all plugins, `at` = all themes, `cb` = config backups. - Save results to a structured file:
`wpscan –url https://example.com -o report.json –format json –api-token YOUR_TOKEN`
6. WordPress Hardening Checklist: Mitigating Identified Vulnerabilities
Discovering vulnerabilities is only half the battle. Once WPScan identifies weak points, you must harden your WordPress installation to prevent exploitation. Below is a prioritised hardening checklist derived from industry best practices.
Step‑by‑step hardening guide:
- Authentication & Access Control:
- Enforce strong unique passwords (minimum 12 characters).
- Mandate Two‑Factor Authentication (2FA) for all administrator and editor accounts.
- Change the default `admin` username and limit login attempts to 3‑5 failures before lockout.
- Regularly audit and remove unused user accounts.
- File & Configuration Hardening:
- Set file permissions: directories to
755, files to644. - Secure `wp‑config.php` with permissions `600` or `640` and add `.htaccess` blocks to prevent direct browser access.
- Disable the built‑in WordPress file editor by adding `define(‘DISALLOW_FILE_EDIT’, true);` to
wp‑config.php. - Block PHP execution in the `/uploads/` folder using server rules.
- Server & Network Hardening:
- Force HTTPS traffic with a valid SSL certificate and enable HSTS.
- Implement a Web Application Firewall (WAF) to block malicious requests.
- Regularly update WordPress core, plugins, and themes; delete unused plugins entirely.
- Use SFTP exclusively for file transfers to prevent credential sniffing.
7. Windows and Cross‑Platform Usage
While WPScan is a Ruby‑based tool, it runs seamlessly on Windows through Ruby installation or Docker, making it accessible to all security professionals regardless of their preferred operating system.
Step‑by‑step guide (Windows):
- Install Ruby on Windows: Download and run the RubyInstaller from rubyinstaller.org, ensuring you check “Add Ruby executables to your PATH” during setup.
- Install WPScan: Open a command prompt as administrator and run:
`gem install wpscan`
- Run a scan from PowerShell or CMD:
`wpscan –url https://example.com -e ap –api-token YOUR_TOKEN`
– Alternative Docker on Windows (if Ruby issues arise):
Install Docker Desktop, then run:
`docker run -it –rm wpscanteam/wpscan –url https://example.com`
What Undercode Say:
- WPScan 4.0.0 represents a paradigm shift from “scanner‑driven” to “user‑driven” security auditing, putting control back into the hands of penetration testers and site administrators.
- The introduction of authentication‑based enumeration (
--wp-auth) is a game‑changer, eliminating the guesswork and false negatives that have plagued black‑box scanners for years. - Real‑time JSONL streaming and resume features address long‑standing operational pain points, making WPScan viable for automated pipelines and large‑scale brute‑force assessments.
- Combined with the official WordPress hardening checklist, WPScan now offers a complete lifecycle: discover vulnerabilities, prioritise risks, and implement mitigations—all from a single, consolidated tool.
Prediction:
With WPScan 4.0.0’s enhanced precision and real‑time capabilities, we can expect a significant shift toward authenticated scanning in the WordPress security ecosystem. As API‑based enumeration becomes the norm, organisations will increasingly adopt application passwords as a standard audit mechanism, reducing reliance on aggressive fingerprinting that can trigger security controls. The consolidation of the codebase and modern CI/CD practices also positions WPScan for rapid iteration, suggesting that future releases will integrate directly with DevSecOps pipelines, enabling continuous, low‑impact security validation as part of the software development lifecycle. This evolution will likely drive wider adoption of vulnerability databases like WPVulnDB, further strengthening the overall security posture of the WordPress ecosystem.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Ryandewhurst The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


