WordPress Security Scanner – WPSeku

Posted by

WordPress is one of the most popular open-source CMS nowadays having more than 100 million users.

WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 10,000 to 15,000 websites for malware and around 70,000 for phishing. If you are serious about your website, then you need to pay attention to WordPress security. In this article, we will share a beautiful WordPress security scanner named as WPSeku through which you can easily scan your WordPress site and find all the loopholes related to:

  • Directory Listing
  • Documentation Files
  • Full Path Disclosure
  • Htaccess file protection
  • Theme and Plugin enumeration
  • Username enumeration
  • etc

Basically, WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Installation of WPSeku in Kali Linux –

To install WPSeku, download the package from Github directly with the help of git clone command as shown below:

Command: git clone https://github.com/m4ll0k/WPSeku.git

After that you need to install one more package which is listed in requirements.txt file, and that you can easily install it through pip install command.


pip3 install -r requirements.txt

To run this tool, simply type

python3 wpseku.py

in your terminal which shows a basic help file.

The basic syntax of this tool is:

Command: python3 wpseku.py –url https://www.xxxxxxx.com –verbose

In the starting phase, it will scan files which are sitemap.xml, license.txt, robots.txt, crossdomain.xml, readme.html, .htaccess and xml-rpc service.

In the second phase, it will scan all database and backup related files along with directory listing scanning.

In the third phase, it will scan the HTTP headers along with an enumeration of themes and plugins and will list out all vulnerabilities along with exploit link as shown below:

The best thing about this tool is that you can even scan the major vulnerabilities like SQL Injection, Cross-site scripting, LFI injection and brute force etc.

For SQL Injection testing, use -s parameter,
For XSS testing, use -x parameter,
For LFI testing, use -l parameter etc

Feel free to leave a comment below or reach me on Instagram @iamshubhamkumar__.

Posted by Shubham ;)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.