WordPress Scanner

login

This tool actively probes a target for vulnerabilities. Running it without verifying the user owns or has permission to test the target is indistinguishable from attack tooling, so it requires authorization.

This tool isn't available in the anonymous view. Sign in to access it.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What does WPScan check?

WPScan is an authorised WordPress security scanner that checks: installed plugins and themes against a database of known CVEs, WordPress core version vulnerabilities, user enumeration, weak passwords (via dictionary attack with permission), XML-RPC exposure, and common misconfigurations like directory listing and debug mode.

How do I secure a WordPress installation?

Key steps: keep core, plugins, and themes updated; delete inactive plugins/themes; use a security plugin (Wordfence, Sucuri); change the default admin username; enforce strong passwords and two-factor authentication; disable XML-RPC if not needed (xmlrpc.php); restrict wp-admin by IP; and regularly scan with authorised tools like WPScan.

Why does this require authentication?

WPScan actively probes a target — sending requests to detect plugins, enumerate users, and test authentication. Without verifying the scanner owns or has permission to test the target, this is indistinguishable from attack reconnaissance. Login and target-ownership verification are required.