
WordPress Security Testing with Nmap

With the popularity of WordPress as a publishing platform, security testing is an important part of ensuring the installation is secure. Nmap has a couple of NSE scripts specifically for testing WordPress installations. Using those scripts as a base, I developed a couple more that expanded Nmap's capabilities for auditing WordPress installations. These scripts were then merged with Nmap's http-wordpress-enum.nse script.

Nmap comes with two Lua NSE scripts for high-level testing of WordPress installations. The scripts allow for brute forcing of the plugins on the system and for enumerating WordPress user accounts that are on the system.


As with any security testing, make sure you fully understand what the script will do and how it might affect a target system. Only test systems you have permission to scan!

NMAP NSE Scripts for WordPress


Rather than brute forcing paths, this script is much more polite and will only download the main page of the WordPress site and examine the theme and plugin paths in the HTML. If the meta generator tag is not present, the WordPress version will instead be identified using the default readme.html file.


The http-wordpress-enum.nse script comes with the default Nmap installation and allows you to attempt to identify users of the WordPress installation. Once you have user names, it is possible to brute force the passwords using methods I detailed in the attacking WordPress article.

Hacker Target NMAP-nse-scripts for WordPress


Deprecated, as http-wordpress-enum.nse was updated to include this functionality.

In addition to identifying the plugins in use, I added a feature to the http-wordpress-plugins.nse script that identifies the version of each installed plugin and compares it to the latest version, which is checked in real time against the WordPress Plugin API.

-- Interesting ports on my.woot.blog (
-- 80/tcp open  http    syn-ack
-- | http-wordpress-plugins:
-- | search amongst the 500 most popular plugins
-- |   akismet 3.0.4 (latest version: 3.0.4)
-- |   wordpress-seo 1.7 (latest version: 1.7.1)
-- |   disqus-comment-system 2.83 (latest version: 2.84)
-- |_  wp-to-twitter 1.2 (latest version: 1.45)


Deprecated, as http-wordpress-enum.nse was updated to include this functionality.

Based on the NSE script http-wordpress-plugins.nse, I created a variation that tests for WordPress themes. One of the often overlooked parts of keeping a secure WordPress installation is ensuring all themes (even inactive ones) are kept up to date or removed if not in use. Security vulnerabilities can be found in WordPress themes and these are often exploitable even if the theme is inactive.

The wp-theme.lst was created after I crawled the Alexa top 1 million sites and found around 200000 WordPress sites. Because the theme list is based on the themes actually in use and sorted by popularity, it is a good representation of the most popular themes being used across the web.

-- Interesting ports on my.woot.blog (
-- 80/tcp open  http    syn-ack
-- | http-wordpress-themes:
-- | search amongst the 500 most popular themes 
-- |   twentyfourteen 1.3
-- |   canvas 5.8.7
-- |_  twentytwelve 1.5
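
To turn the plugin and theme output shown above into a patching list, the following added example (not part of the original article or of Nmap) parses both result formats and flags components whose installed version is behind the reported latest version. The function names are hypothetical and the sample text is constructed from the two outputs in this article.

```python
import re

# Constructed sample, assembled from the two script outputs shown in this article.
SAMPLE = """\
-- | http-wordpress-plugins:
-- | search amongst the 500 most popular plugins
-- |   akismet 3.0.4 (latest version: 3.0.4)
-- |   wordpress-seo 1.7 (latest version: 1.7.1)
-- |   disqus-comment-system 2.83 (latest version: 2.84)
-- |_  wp-to-twitter 1.2 (latest version: 1.45)
-- | http-wordpress-themes:
-- |   twentyfourteen 1.3
-- |   canvas 5.8.7
-- |_  twentytwelve 1.5
"""

SECTION = re.compile(r"\|_?\s*http-wordpress-(plugins|themes):")
ITEM = re.compile(r"\|_?\s+([a-z0-9][a-z0-9._-]*)\s+(\d[\w.]*)"
                  r"(?:\s+\(latest version:\s*(\d[\w.]*)\))?\s*$")

def version_key(v):
    """Compare dotted versions numerically, so 1.10 > 1.9 and 1.7.1 > 1.7."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:   # treat 1.7.0 and 1.7 as equal
        parts.pop()
    return tuple(parts)

def audit(nmap_output):
    """Return (kind, slug, installed, latest, status) for each reported component."""
    findings, kind = [], None
    for line in nmap_output.splitlines():
        m = SECTION.search(line)
        if m:
            kind = m.group(1).rstrip("s")   # "plugin" or "theme"
            continue
        m = ITEM.search(line)
        if not (kind and m):
            continue                        # header and "search amongst" lines
        slug, installed, latest = m.groups()
        if latest is None:
            status = "unknown"              # theme output carries no latest version
        else:
            status = "outdated" if version_key(installed) < version_key(latest) else "current"
        findings.append((kind, slug, installed, latest, status))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%-6s %-24s %-8s latest=%-8s %s" % f)
```

Themes come back as "unknown" because the theme output has no latest-version field, so those still need a manual check against the theme's own release page.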
