This tutorial in the WordPress hacking section will teach you how to scan WordPress websites for vulnerabilities, calculate WordPress user accounts and malicious passwords. Counting WordPress users is the first step to a powerful attack to gain access to a WordPress account. WPScan has the option to scan a targeted website to get a list of account names. In this tutorial we will also look at how to hide usernames from WPScan so that you can avoid counting user accounts and limiting the effectiveness of malicious power efforts. We will conclude this tutorial by showing you how to aggressively attack root passwords using WPScan on Kali Linux. WPScan is a critical scanner for the dark WordPress box. This tool is a must have for any WordPress developer to scan for weaknesses and resolve issues before they are exploited by hackers. In collaboration with Nikto, a great webserver testing tool, this tool should be part of any login test aimed at a WordPress website or blog.

Also Read : How To Create Private Chat Room On Mobile And Computer

We are always at the network level, and wish to hack a WordPress website and find weaknesses in it. But this will only happen if you have external access test information. We cannot hack WordPress websites without proper information. For more details, you will have to read this blog to the end. We want to say that hacking is a skill that develops through hard work.

Pre Requisites :

  1. Attacker WordPress SIte Link
  2. Any Linux (WPscan Tool)
  3. Username Wordlist File
  4. Password Wordlist File


Let’s Start, Hack WordPress Website

WPscan is a command line tool used as a dangerous scanner in a black box. It is often used by security professionals and bloggers to check the security of their website. WPscan comes pre-installed in the Linux security-based distribution and is available as a plug-in.

Here, I am using a WordPress website hosted at as you can see in the image provided below

In this stage! We will enumerate the username of the WordPress website. For that, we will use the wpscan tool. wpscan is pre-install in Kali Linux. Using wpscan, you can Brute-force attack on username and password.

Step 1 :- Open Linux. Now we are ready to Update WPScan tool on Kali Linux, Check WPscan Tools

wpscan –update

Step 2 :- Scan Full Website for Admin Plane Login Username Fine 

wpscan --url -e u

 I got my username.

Step 3 :- At this stage! We will list the username for the WordPress website. Therefore, we will use the wpscan tool. wpscan is pre-installed on Kali Linux. Using wpscan, you can attack by attacking username and password.

Using Username 

wpscan --url -U suman333 -P /root/Desktop/pass.txt


Using Username Wordlist File

wpscan --url -U /root/Desktop/User.txt -P /root/Desktop/pass.txt

--URL  is URL parameter, followed by URL of the wordpress website to be scanned

-U will only bruteforce the supplied usernames, in our case it is user.txt

-P will bruteforce the passwords from the provided list pass.txt

Step 4 :- The scan time mainly depends on how big the password dictionary file is and as we count a large number of users with large numbers of passwords it can affect the performance of the website if left unchecked for too long.

In the end, we got the username and password.

Step 5 :- We succeed. At this time, we will open the WordPress login page and login with an authenticate credential.

Login using username: admin and password you can access dashboard admin.