How to Scan WordPress for Vulnerabilities Using VirtualBox & WPScan (Full Walkthrough)

A visually engaging cybersecurity-themed image representing WordPress vulnerability scanning using VirtualBox. The design includes a WordPress logo, a magnifying glass symbolizing security scanning, and a VirtualBox icon. The background features a digital security theme with blue and dark tones, reflecting cybersecurity aesthetics.

Testing WordPress security on a live site is risky. One misconfigured scan or exploit test can take down your real website. The solution: use VirtualBox to set up an isolated local WordPress environment, then scan it safely using professional tools like WPScan.

This guide walks through the complete setup — from installing VirtualBox and WordPress locally, to running a real vulnerability scan and interpreting the results.

What You’ll Need

  • VirtualBox – Free virtualization software from Oracle (virtualbox.org)
  • Kali Linux ISO – A security-focused Linux distribution (kali.org) — includes WPScan
  • WPScan – A dedicated WordPress vulnerability scanner (comes pre-installed on Kali Linux)
  • A local WordPress install – Using LocalWP or XAMPP (to scan safely without touching your live site)

Step 1: Install VirtualBox

  1. Go to virtualbox.org and download the installer for your operating system (Windows, Mac, or Linux)
  2. Run the installer and follow the default setup steps
  3. Open VirtualBox once installed

Step 2: Create a Kali Linux Virtual Machine

  1. Download the Kali Linux ISO from kali.org/get-kali (choose the Installer version)
  2. In VirtualBox, click New
  3. Name it “Kali Linux”, set Type to Linux, Version to Debian (64-bit)
  4. Assign at least 2GB RAM and 20GB disk space
  5. In Settings → Storage, mount the Kali Linux ISO as a virtual optical disk
  6. Start the VM and follow the Kali installation wizard

Step 3: Set Up a Local WordPress Site to Scan

You need a WordPress installation accessible on your local network. The easiest way: install LocalWP on your host machine and note the local IP address it uses (usually something like 192.168.x.x or accessible via localhost).

In VirtualBox, configure the Kali VM’s network adapter to use Bridged Adapter mode — this allows Kali to reach your LocalWP site on the host machine’s network.

Step 4: Run WPScan

WPScan comes pre-installed on Kali Linux. Open a terminal in Kali and run:

wpscan --url http://your-local-wordpress-url --enumerate u,p,t

What each flag does:

  • u – Enumerate usernames
  • p – Enumerate plugins (and check for known vulnerabilities)
  • t – Enumerate themes

For a more detailed scan with the WPScan Vulnerability Database, get a free API token at wpscan.com and use:

wpscan --url http://your-local-wordpress-url --api-token YOUR_TOKEN --enumerate vp,vt,u
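Because the only thing standing between a safe scan and an accidental scan of a live site is the URL you type, it helps to wrap the Step 4 commands in a guard. The script below is an added example, not part of the original guide: it builds the same wpscan invocation (with or without an API token) but refuses to run unless the target resolves to localhost, a LocalWP-style .local name, or a private/loopback IP address. It assumes wpscan is on PATH (as on Kali) and uses WPScan's documented --format json and -o flags so the report can be processed afterwards. Remember that inside the Kali VM, localhost is the VM itself, so point it at the host machine's LAN address instead.

```python
#!/usr/bin/env python3
"""Added example (not from the original guide): guarded wrapper for the
Step 4 wpscan commands. It only ever targets local/private hosts.

Assumptions: wpscan is on PATH; the flags --url, --enumerate, --api-token,
--format and -o are WPScan's documented options.
"""
import ipaddress
import shutil
import subprocess
import sys
from typing import List, Optional
from urllib.parse import urlsplit


def is_local_target(url: str) -> bool:
    """True only for localhost, *.local (LocalWP default) or private/loopback IPs."""
    host = urlsplit(url).hostname
    if not host:
        return False  # no scheme or empty host: refuse rather than guess
    if host == "localhost" or host.endswith(".local"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other DNS name is treated as a remote site
    return addr.is_private or addr.is_loopback


def build_wpscan_cmd(url: str, api_token: Optional[str] = None,
                     report_path: str = "wpscan-report.json") -> List[str]:
    """Build argv for the guide's scan, writing JSON so the results can be parsed."""
    if not is_local_target(url):
        raise ValueError(f"refusing to scan non-local target: {url}")
    cmd = ["wpscan", "--url", url, "--format", "json", "-o", report_path]
    if api_token:
        # With a token, WPScan can flag *vulnerable* plugins/themes (vp, vt).
        cmd += ["--api-token", api_token, "--enumerate", "vp,vt,u"]
    else:
        # Without a token: list users, plugins and themes as in the first command.
        cmd += ["--enumerate", "u,p,t"]
    return cmd


def run_scan(url: str, api_token: Optional[str] = None) -> int:
    """Run the scan; if wpscan is missing, show the command that would have run."""
    cmd = build_wpscan_cmd(url, api_token)
    if shutil.which("wpscan") is None:
        print("wpscan not found on PATH; would run:", " ".join(cmd))
        return 127
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    # Usage: python3 safe_wpscan.py http://192.168.56.101/ [API_TOKEN]
    # (192.168.56.101 is a constructed example address, not one from the guide)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.56.101/"
    token = sys.argv[2] if len(sys.argv) > 2 else None
    sys.exit(run_scan(target, token))
```

The address check uses the standard library's ipaddress module rather than a hand-written regex, so IPv6 loopback (http://[::1]/) and all three RFC 1918 ranges are handled without special cases; a bare hostname that is not localhost or .local is deliberately rejected rather than resolved, since DNS resolution would itself be a network request.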

Step 5: Interpret the Results

WPScan will output findings categorized by severity:

  • [!] High – Immediate action needed (outdated plugins with known exploits, exposed sensitive files)
  • [i] Informational – Not immediately dangerous but worth noting (WordPress version exposed, usernames enumerated)
  • [+] Found – Discovered items to review (active plugins, themes, users)
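If you saved the scan as JSON, the three buckets above can be produced programmatically instead of by reading the terminal output, and a staging pipeline can fail when anything lands in the high bucket. The script below is an added example, not part of the original guide or of WPScan itself. The report structure it reads (keys such as "version", "plugins", "main_theme", "users" and "interesting_findings") is modelled on WPScan's --format json output; treat the exact field names as assumptions and compare them against a real report before relying on it. SAMPLE_REPORT is constructed data with placeholder plugin names and CVE identifiers.

```python
#!/usr/bin/env python3
"""Added example (not from the original guide): triage a WPScan JSON report
into the guide's [!] high / [i] informational / [+] found buckets.
Field names are assumptions modelled on WPScan's JSON output."""
import json
import sys
from typing import Dict, List

# Constructed sample report with placeholder names; not real scan output.
SAMPLE_REPORT = {
    "target_url": "http://192.168.56.101/",
    "version": {"number": "6.2", "status": "insecure", "vulnerabilities": [
        {"title": "Placeholder core issue", "fixed_in": "6.2.1",
         "references": {"cve": ["CVE-XXXX-XXXXX"]}}]},
    "main_theme": {"slug": "example-theme", "version": {"number": "1.1"},
                   "outdated": False, "vulnerabilities": []},
    "plugins": {
        "example-form-plugin": {"latest_version": "5.8", "outdated": True,
                                "version": {"number": "5.4"}, "vulnerabilities": [
            {"title": "Placeholder plugin issue", "fixed_in": "5.5",
             "references": {"cve": ["CVE-XXXX-XXXXX"]}}]},
        "example-seo-plugin": {"latest_version": "2.0", "outdated": True,
                               "version": {"number": "1.9"}, "vulnerabilities": []},
        "example-clean-plugin": {"latest_version": "3.0", "outdated": False,
                                 "version": {"number": "3.0"}, "vulnerabilities": []},
    },
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
    "interesting_findings": [
        {"url": "http://192.168.56.101/xmlrpc.php", "type": "xmlrpc",
         "to_s": "XML-RPC seems to be enabled"},
        {"url": "http://192.168.56.101/readme.html", "type": "readme",
         "to_s": "WordPress readme found"},
    ],
}


def _components(report: dict):
    """Yield (kind, slug, item) for every plugin and theme in the report."""
    for slug, item in (report.get("plugins") or {}).items():
        yield "plugin", slug, item
    for slug, item in (report.get("themes") or {}).items():
        yield "theme", slug, item
    main_theme = report.get("main_theme")
    if main_theme:
        yield "theme", main_theme.get("slug", "main theme"), main_theme


def triage(report: dict) -> Dict[str, List[str]]:
    """Sort findings into the guide's three buckets."""
    high, info, found = [], [], []
    core = report.get("version") or {}
    if core.get("number"):
        # Disclosing the version is informational; known issues in it are high.
        info.append(f"WordPress version disclosed: {core['number']}")
        for v in core.get("vulnerabilities") or []:
            high.append(f"core {core['number']}: {v['title']} "
                        f"(fixed in {v.get('fixed_in') or 'n/a'})")
    for kind, slug, item in _components(report):
        version = (item.get("version") or {}).get("number", "unknown")
        vulns = item.get("vulnerabilities") or []
        if vulns:
            for v in vulns:
                high.append(f"{kind} {slug} {version}: {v['title']} "
                            f"(fixed in {v.get('fixed_in') or 'n/a'})")
        elif item.get("outdated"):
            # Behind the latest release but nothing in the database yet: still update.
            info.append(f"{kind} {slug} {version} is outdated "
                        f"(latest {item.get('latest_version', '?')})")
        else:
            found.append(f"{kind} {slug} {version}")
    users = report.get("users") or {}
    if users:
        info.append(f"{len(users)} usernames enumerated: {', '.join(sorted(users))}")
    for finding in report.get("interesting_findings") or []:
        label = finding.get("to_s") or finding.get("url", "unnamed finding")
        if finding.get("type") == "xmlrpc":
            info.append(f"{label} (brute-force vector; disable XML-RPC if unused)")
        else:
            found.append(label)
    return {"high": high, "informational": info, "found": found}


def exit_code(summary: Dict[str, List[str]]) -> int:
    """Non-zero when anything high was found, so a pipeline can fail on it."""
    return 1 if summary["high"] else 0


if __name__ == "__main__":
    # Usage: python3 triage_wpscan.py wpscan-report.json  (defaults to the sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    result = triage(report)
    for marker, key in (("[!]", "high"), ("[i]", "informational"), ("[+]", "found")):
        for line in result[key]:
            print(marker, line)
    sys.exit(exit_code(result))
```

Outdated components with no database entry are deliberately kept separate from confirmed vulnerabilities: without an API token WPScan cannot tell you which plugins have known issues, so an empty high bucket on a token-less scan means "nothing checked", not "nothing found".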

Most Common WordPress Vulnerabilities WPScan Detects

  • Outdated plugins with CVEs – The most common finding; update or replace vulnerable plugins immediately
  • Username enumeration – WordPress exposes author usernames by default; disable this via a security plugin
  • WordPress version disclosure – Remove the generator meta tag via a security plugin
  • Weak passwords – WPScan can run password dictionary attacks; use strong unique passwords and 2FA
  • Exposed xmlrpc.php – Disable XML-RPC if you don’t need it; it’s a common brute-force vector

Frequently Asked Questions

Is it legal to scan a WordPress site with WPScan?

Only scan sites you own or have explicit written permission to test. Scanning someone else’s site without permission is illegal under computer fraud laws in most countries. This guide is designed for testing your own local WordPress install.

Does WPScan work on live sites too?

Yes — but use a staging copy of your live site rather than the live site itself for security testing. Results on your local environment are representative of vulnerabilities on your live site if both are running the same plugins, themes, and WordPress version.

Is WPScan free?

WPScan is open-source and free to use. The API token (for accessing the vulnerability database) has a free tier with 25 API requests per day — more than enough for most testing purposes.


About the Author – Upantor Paul

Hi, I’m Upantor Paul — a WordPress developer passionate about helping people build better websites. Through WebWish Creation, I share practical guides, tutorials, and real solutions for common WordPress, Elementor, and WooCommerce challenges. Everything I write is based on hands-on experience building and fixing real websites, not theory.

I focus on creating fast, responsive, and SEO-friendly WordPress sites that are easy to manage and built to grow. Whether you’re just starting out or looking to improve an existing site, my goal is to make WordPress simpler, clearer, and more reliable for you.

Alongside WebWish Creation, I also run my personal engineering portfolio at upantor.com, where I document deeper technical work, custom PHP logic, and performance-driven builds. This allows me to bring both practical client experience and engineering precision into every article and service I offer.

If you need help with your WordPress website—or just want clear, honest guidance—you’re in the right place. Check out my services.