InfoSec Ninjas 资安忍者


Wordpresscan, by swissky, is a WordPress CMS security auditing tool: a rewrite of WPScan in Python that also implements some ideas from WPSeku. However, the original copy on GitHub is still an alpha version, dated Oct 15, 2017.

Wordpresscan was then forked by Samiux on Apr 19, 2018, with some improvements and bug fixes. The modified version is released as open source under GPLv3 by Samiux.

It is well tested on Parrot Security OS 3.11 and it can run right away on Parrot without installation.


sha256sum 16709ebde820eb0c062a8880df26882faff6d98b10930e1c7c1635652b21036e Wordpresscan-1.0d.tar.gz


Version 1.0a
Release date : 2018-04-19 GMT+8
[+] Forked from Wordpresscan
[+] Minor bug fixes
[+] Some improvements

Version 1.0b
Release date : 2018-04-20 GMT+8
[+] Some improvements

Version 1.0c
Release date : 2018-04-20 GMT+8
[+] Some improvements

Version 1.0d [Stable]
Release date : 2018-04-21 GMT+8
[+] Improvement for avoiding DoS to target
[+] Some improvements


- Parrot Security OS 3.11 or higher (Linux system)
- Python 2.7


tar -xvzf Wordpresscan-1.0d.tar.gz
cd Wordpresscan
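
Checking the published SHA-256 before unpacking the tarball, as an added example that is not part of the original post or the project's code. The helper name verify_and_extract and its return codes are hypothetical; it also refuses archives whose member paths would land outside the destination directory.

```sh
#!/bin/sh
# Added example: verify a release tarball against its published SHA-256
# and check member paths before extracting. Helper name is hypothetical.

verify_and_extract() {
    local archive expected dest actual members
    archive=$1
    expected=$2
    dest=${3:-.}

    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }

    # Hash via stdin so the output is "<hash>  -" whatever the file is named.
    actual=$(sha256sum < "$archive" | cut -d' ' -f1)
    # Published hashes are sometimes upper case; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # List members without extracting; a corrupt archive fails here.
    members=$(tar -tzf "$archive") || { echo "unreadable archive" >&2; return 3; }

    # Reject absolute paths and any ".." component (path traversal).
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2
        return 3
    fi

    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Usage with the file name and hash published on this page:
# verify_and_extract Wordpresscan-1.0d.tar.gz \
#   16709ebde820eb0c062a8880df26882faff6d98b10930e1c7c1635652b21036e
```
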



cd Wordpresscan
python -h

Scan and Update

cd Wordpresscan
python -u "" --update --random-agent

Brute force password

cd Wordpresscan
python -u "" --brute --usernames "admin" --passwords-list fuzz/wordlist.lst --threads 50 --random-agent

Brute force username and password

cd Wordpresscan
python -u "" --brute --users-list fuzz/wordlist.lst --passwords-list fuzz/wordlist.lst --threads 50 --random-agent

* The appropriate number of threads depends on how much memory and bandwidth you have, as well as the resources available on the target web server. Too few threads may be too slow. Too many threads may cause false positives on web sites with insufficient resources, which amounts to a DoS against the target. The suggested maximum is around 50 to 100 threads for an amateur web site.