
Re: [LUG] Kali for beginners

Not really, Kali is a distro with specific tools. 

You could run Nikto and WPScan over a Wordpress site, but really you ain't learning much if you've done basic hardening and patched everything (Wordpress can auto patch, it's built in, but you need to let the server have write permissions for that, which may be something he prefers not to do.)

Wordpress sites are typically pwned via plugins or themes (or weak passwords). Detailed plugin testing could be done with Kali's tools, but I use the Pro version and code inspection, and other approaches.

Offence and defence are sometimes quite different. 

Whilst I'm happy when finding XSS and other issues in Wordpress plugins, the real secret is to try and stop those issues mattering so much, since we won't find them all (based on past experience).

My favourite tool is definitely Burp Suite, but Kali ships a free version without the automated scanner built in. You can use wapiti and some other tools to do those bits.

You need to understand the issues because none of the tools is false positive free. 

Also it depends on the security model. Wordpress lets admins XSS each other (why not, they can install PHP), so any good scan will find that.

Had to explain that the one interesting finding in a client's expensive Wordpress pen test was by design. They also missed at least 5 XSS issues, based on those we found afterwards and third parties found. But hey, you have good admins who don't follow dodgy links; log them out of sessions early, put in some XSS mitigations, avoid Firefox because it lacks an auditor, force on Block when the auditor spots something, etc...
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
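The post lists a handful of mitigations that limit how much a missed XSS bug matters: forcing the browser's auditor into block mode, adding XSS mitigations such as a Content-Security-Policy, and keeping sessions short and out of reach of script. The script below is an added example, not code from the post or from any project it names: it parses a raw HTTP response header block and reports which of those mitigations are present. The two responses it checks are constructed samples, not captured from a real site, and the cookie names only imitate the shape of Wordpress auth cookies. X-XSS-Protection is the legacy "auditor" header the post refers to; current browsers have dropped their auditors, so the CSP check is the one that still carries weight.

```python
"""Added example (not part of the mailing list post): audit an HTTP response
for the XSS mitigations the post mentions. Headers below are constructed
samples, not captured from a real site."""
from typing import Dict, List, Optional

# Constructed sample responses (not captured from a real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 0
Set-Cookie: wordpress_logged_in_abc123=alice%7C1700000000%7Ctoken; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-c0nstructed'; object-src 'none'
Set-Cookie: wordpress_logged_in_abc123=alice%7C1700000000%7Ctoken; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: wordpress_sec_abc123=alice%7C1700000000%7Ctoken; Path=/wp-admin; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to every value seen (Set-Cookie repeats)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # status line or blank separator
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into directive -> source list."""
    out: Dict[str, List[str]] = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def cookie_flags(set_cookie: str) -> Dict[str, str]:
    """Attributes of one Set-Cookie value, lower-cased (flag -> value or "")."""
    flags: Dict[str, str] = {}
    for attr in set_cookie.split(";")[1:]:  # first part is name=value
        key, _, val = attr.strip().partition("=")
        flags[key.lower()] = val.strip()
    return flags


def audit_xss_mitigations(raw: str) -> Dict[str, bool]:
    """Evaluate the mitigations the post lists; True means the check passed."""
    h = parse_headers(raw)
    results: Dict[str, bool] = {}

    # Legacy browser XSS auditor forced into block mode, so a detected
    # reflection blocks the page instead of being "filtered" and rendered.
    xxp = h.get("x-xss-protection", [""])[0].lower().replace(" ", "")
    results["auditor_block_mode"] = xxp.startswith("1") and "mode=block" in xxp

    # A CSP whose effective script-src does not permit inline script; this is
    # what limits the impact of an XSS bug the scanners did not find.
    policy = csp_directives(h.get("content-security-policy", [""])[0])
    script_src: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    results["csp_present"] = bool(policy)
    results["csp_blocks_inline_script"] = (
        script_src is not None and "'unsafe-inline'" not in script_src
    )

    # Session cookies should be unreadable by script and only sent over TLS.
    cookies = h.get("set-cookie", [])
    flag_sets = [cookie_flags(c) for c in cookies]
    results["cookies_httponly"] = bool(cookies) and all("httponly" in f for f in flag_sets)
    results["cookies_secure"] = bool(cookies) and all("secure" in f for f in flag_sets)
    return results


def failed_checks(raw: str) -> List[str]:
    """Names of the checks that did not pass, in a stable order."""
    return [name for name, ok in audit_xss_mitigations(raw).items() if not ok]


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "failed:", failed_checks(raw) or "none")
```

Run it against a saved response (for example the output of a `curl -i` against your own site) by pasting the header block in place of the constructed samples; the point is that every one of these checks is something an admin can verify from a single response, independent of whatever a scanner did or did not report.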