WPScan – WordPress Security Scanner

WPScan WordPress Security Scanner - Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.

Rating: 3.8 (28 reviews)
Active installations: 10K

Main benefits

  • Daily updated vulnerability database
  • Automated daily security scans
  • Email notifications for threats
  • Free API plan available
  • Extensive security checks

About this plugin

Categories: Security
Version: 1.15.7
Last updated: 22-10-2023
WordPress version: 3.4
Tested up to: 6.3.5
PHP version required: 5.5
Languages: English (UK), Deutsch (Sie) [+9]

Overview

The WPScan WordPress Security Plugin is a robust tool designed to bolster the security of your WordPress site by leveraging the extensive WPScan WordPress Vulnerability Database. This unique database, which has been meticulously curated since 2014 and includes over 21,000 known vulnerabilities, allows the plugin to perform thorough scans for vulnerabilities in WordPress core, plugins, and themes. In addition to automated daily scans and email notifications, WPScan provides security checks that do not require an API token, such as inspecting debug logs, backup files, and configuration settings. While the plugin offers a free API plan suitable for basic needs, with 25 API requests per day, it also provides scalable paid plans for larger requirements. Despite moving its focus to enterprise customers, WPScan remains a critical tool for securing WordPress sites, though users are encouraged to consider Jetpack Protect as a recommended alternative for ongoing support.

Extensive Vulnerability Database

  • Uses a manually curated WPScan WordPress Vulnerability Database.
  • Database includes more than 21,000 known security vulnerabilities.
  • Updated daily by dedicated WordPress security specialists and the community.

Automated and Scheduled Scans

  • Options to schedule automated daily scans.
  • Scans for WordPress vulnerabilities, plugin vulnerabilities, and theme vulnerabilities.
  • Sends email notifications when new security vulnerabilities are found.

Free API Plan

  • Free API plan allows 25 API requests per day.
  • Suitable for around 50% of all WordPress websites.
  • Paid plans available for users needing more API calls.

Additional Security Checks

  • Checks for debug.log files, wp-config.php backup files, and whether XML-RPC is enabled.
  • Checks for code repository files, default secret keys, and exported database files.
  • Checks for weak passwords and whether HTTPS is enabled.

Features list

  • WordPress protection with custom solutions for large enterprises: Tailored security solutions for large-scale WordPress deployments.
  • Custom pricing by number of sites: Flexible pricing based on the number of websites protected.
  • Instant email alerts: Real-time notifications sent directly to your email.
  • Vulnerabilities details by ID: Access detailed information on vulnerabilities using unique identifiers.
  • Latest API endpoints: Up-to-date API endpoints for seamless integration.
  • Webhooks: Slack & HTTP: Automated notifications via Slack and HTTP webhooks.
  • Description & PoC API data: API access to vulnerability descriptions and proof-of-concept data.
  • CVSS Risk Scores: Common Vulnerability Scoring System (CVSS) risk assessments.
  • Free Plugin: Uses WPScan data to alert you about threats to your website.
  • Upgrade for WAF: Provides Web Application Firewall and one-click fixes.

Pricing

Enterprise: $0 / custom

Plan includes:

  • WordPress protection with custom solutions for large enterprises
  • Custom pricing by number of sites
  • Instant email alerts
  • Vulnerabilities details by ID
  • Latest API endpoints
  • Webhooks: Slack & HTTP
  • Description & PoC API data
  • CVSS Risk Scores

Jetpack Protect: $0 / free

Plan includes:

  • Free Plugin
  • Upgrade for WAF

In some cases companies set different prices based on factors such as location. As a result, the prices displayed here can differ from the ones you see on their websites.

Rating and reviews

User sentiment analysis

Users appreciate the security benefits of the WordPress plugin, noting it is effective, simple to use, and particularly useful for sites with multiple plugins. Many find it easy to install and are thankful for its regular updates and timely vulnerability reports. However, users are frustrated by the introduction of Jetpack integration, which limits free functionalities and imposes expensive subscription plans. The free 50 API calls per day are insufficient for many, leading to incomplete scans. Issues such as inaccurate HTTPS alerts and the inability to disable certain features have also been reported. While some users praise the prompt support and community commitment, others feel the plugin has become inefficient and costly.

tripflex
30 Aug, 2023

Complete garbage now, used to be amazing, now they basically force you to use Jetpack. No replies trying to get enterprise license, another great product (used to be) that Automattic has killed and used just for leads to Jetpack.

Dan
10 Mar, 2023

There’s an issue that keeps appearing but no information about why or what to do about it.

wpgerd
08 Mar, 2023

In the past this was a very good way to check if you have vulnerable plugins/themes, but with Jetpack you didn’t get notifications, only if you pay the expensive plans ;-( There are other plugins which do it better!

quadeg
07 Sep, 2022

…if you don’t intend to pay for a sub, the plugin lies saying that you need a free API to use it. Maybe the API is free but you need a subscription to access it. The plugin is useless if you don’t subscribe. Use the tool’s website for a rather useless partial report.

Hans Konings
25 Apr, 2022

I doubt that I will get myself a paid subscription to this otherwise interesting plugin, because it keeps sending me email alerts with this warning: “Security check Website HTTPS The website does not seem to be using HTTPS (SSL/TLS) encryption for communications.” When I check for http:/ in the database or anywhere else on the site, nothing is found. When I run WPScan manually, it says everything is fine. All my browsers also indicate that HTTPS is functioning. Why does WPScan insist on sending me these alerts? I would like to see a log about where WPScan found this error.

FAQ

How many API calls are made?

How can I configure the API token in the wp-config.php file?

How do I disable vulnerability scanning altogether?

Why is the 'Summary' section and the 'Run All' button not showing?

What is WPScan?

What is the WPScan Vulnerability Database?

What are the security checks performed by WPScan?

What are the API plans available for WPScan?