Manual Enumeration with Nmap
Find WordPress NSE Scripts
find /usr/share/nmap/scripts -name '*wordpress*'
Enumerate WordPress Plugins
grep '@args' /usr/share/nmap/scripts/http-wordpress-enum.nse
Example scan with arguments, where the base URL for the WordPress installation is at http://domain.tld/webservices/wp/
and enumerating all plugins, as well as getting the latest plugin data from WordPress.
sudo nmap -T4 -Pn -sC --script http-wordpress-enum --script-args http-wordpress-enum.root="/webservices/wp/",http-wordpress-enum.search-limit="all",http-wordpress-enum.check-latest="true" -p80 domain.tld
Enumerate WordPress Users
Nmap
List possible Nmap script arguments
grep '@args' /usr/share/nmap/scripts/http-wordpress-users.nse
Example scan with arguments, where the base URL for the WordPress installation is at http://domain.tld/webservices/wp/
and enumerating 100 possible users.
sudo nmap -T4 -Pn -sC --script http-wordpress-users --script-args http-wordpress-users.basepath="/webservices/wp/",http-wordpress-users.limit="100" -p80 domain.tld
REST API
This script hasn't always worked for me. Another option is to use the REST API to enumerate users.
# Get the first 100 users from the API
# Results should be paginated when dealing with large quantities of results
curl -s http://domain.tld/wp-json/wp/v2/users?per_page=100&page=1
# Get the next 100 users from the API
# Query page 2 of the results
curl -s http://domain.tld/wp-json/wp/v2/users?per_page=100&page=2
References
Borrowed from my write-up of HackTheBox's Taratarsauce: https://benheater.com/hackthebox-tartarsauce/#wordpress-enumeration