Online WordPress security scanner to test a WordPress installation for vulnerabilities. Checks cover application security, WordPress plugins, the hosting environment, and the web server.
On this WordPress security testing page there are two options. The first is a FREE passive check that downloads a handful of pages from the website and analyses the raw HTML. The second is a thorough active scan that attempts to enumerate plugins, themes, and users with custom WordPress auditing scripts built on the Nmap NSE framework.
Perform a free WordPress security scan with a low-impact test.
Check any WordPress-based site and get a high-level overview of the site's security posture. Once you see how easy it is, get a membership and test WordPress and server vulnerabilities with the Nmap WordPress NSE scripts, Nikto, OpenVAS and more.
- Attempt to detect the version of WordPress core
- Find plugins and themes in the HTML response
- Attempt to enumerate the first 2 WordPress users
- List page resources, including JavaScript and iframes
- Test for directory indexing on key locations
- Check Google Safe Browsing for site reputation
Membership is required for the advanced WordPress enumeration and vulnerability scanners.
Membership Benefits
Access advanced network mapping and regular scan schedules.
- Detect: WP plugin versions, themes and users with Nmap NSE scripts
- Identify: the attack surface through plugin and theme enumeration
- Passive Analysis: report on up to 1000 sites in one click
- OpenVAS and Nikto: test WordPress with the OpenVAS and Nikto scanners
- Access: 27 OSINT and vulnerability scanning tools
- Trusted tools: trusted open source tools
About the WordPress Security Scans
The basic security check reviews a WordPress installation for common security-related misconfigurations. It uses ordinary web requests: the system downloads a handful of pages from the target site, then analyses the resulting HTML source.
The more aggressive enumeration option attempts to find all plugins and themes used by the WordPress installation and to enumerate the site's users. These tests generate HTTP 404 entries in the target's web server logs, one for every plugin or theme path that does not exist. Be warned: testing all plugins generates more than 18000 log entries and may trigger intrusion prevention measures.
Identifying all the plugins, themes, and users of a site is how you start to understand its attack surface. With that information you can target further testing at the discovered resources.
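As an added illustration of the passive check described above (and of the free-check list earlier on the page), here is a small Python script that performs the same kind of HTML-only analysis. It is example code written for this page, not the scanner's own implementation: it reads the core version from the generator meta tag (falling back to the ?ver= cache-buster on /wp-includes/ assets), pulls plugin and theme slugs with their ?ver= values out of asset URLs, splits script and iframe sources into same-site and external hosts, and picks out the first two users exposed by author links. The sample page, the host name blog.example.com, and the plugin names and versions in it are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample front page (hypothetical site, plugin names and versions)
# standing in for the pages a passive check downloads.
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en"><head>
<meta charset="UTF-8">
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://blog.example.com/wp-content/themes/twentytwentyfour/style.css?ver=1.0" />
<link rel="stylesheet" href="https://blog.example.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4" />
<script src="https://blog.example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://blog.example.com/wp-content/plugins/wordpress-seo/js/dist/frontend.js?ver=21.7"></script>
<script src="https://blog.example.com/wp-content/plugins/akismet/_inc/akismet-frontend.js"></script>
<script src="https://cdn.example-analytics.net/tracker.js"></script>
</head><body>
<a href="https://blog.example.com/author/alice/" rel="author">alice</a>
<a href="https://blog.example.com/?author=2">Bob</a>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
</body></html>
"""

COMPONENT_RE = re.compile(r"""/wp-content/(plugins|themes)/([\w.\-]+)/[^"'\s<>]*""")
SRC_RE = re.compile(r"""<(script|iframe)\b[^>]*\bsrc=["']([^"']+)["']""", re.I)
AUTHOR_SLUG_RE = re.compile(r"/author/([\w.\-]+)/")
AUTHOR_ID_RE = re.compile(r"[?&]author=(\d+)")


def detect_core_version(html):
    """Core version from the generator meta tag, falling back to the ?ver=
    cache-buster on /wp-includes/ assets, which WordPress sets to its own
    version unless a plugin strips it. jQuery is skipped because WordPress
    registers it with jQuery's version, not its own."""
    for tag in re.findall(r"<meta\b[^>]*>", html, re.I):
        if re.search(r"""name=["']generator["']""", tag, re.I):
            m = re.search(r"""content=["']WordPress\s*([\d.]+)""", tag, re.I)
            if m:
                return m.group(1)
    for m in re.finditer(r"""/wp-includes/([^"'\s?]+)\?ver=([\d.]+)""", html):
        if "jquery" not in m.group(1).lower():
            return m.group(2)
    return None


def find_components(html):
    """Map each plugin/theme slug seen in asset URLs to the set of ?ver=
    values on its files (often, but not reliably, the component version)."""
    found = {"plugins": {}, "themes": {}}
    for m in COMPONENT_RE.finditer(html):
        kind, slug = m.group(1), m.group(2)
        versions = found[kind].setdefault(slug, set())
        for v in parse_qs(urlparse(m.group(0)).query).get("ver", []):
            versions.add(v)
    return found


def list_resources(html, site_host):
    """Script and iframe sources, split into same-site and external ones;
    the external hosts are what a reputation check would look up."""
    same, external = [], []
    for kind, src in SRC_RE.findall(html):
        host = urlparse(src).netloc or site_host  # relative src = same site
        (same if host == site_host else external).append((kind.lower(), src))
    return same, external


def find_users(html, limit=2):
    """Users leaked by the page itself: /author/<slug>/ links and ?author=N
    query strings. Passive only: nothing further is requested."""
    users = []
    for kind, rx in (("slug", AUTHOR_SLUG_RE), ("id", AUTHOR_ID_RE)):
        for m in rx.finditer(html):
            if (kind, m.group(1)) not in users:
                users.append((kind, m.group(1)))
    return users[:limit]


def passive_report(html, site_host):
    comps = find_components(html)
    same, external = list_resources(html, site_host)
    return {
        "core_version": detect_core_version(html),
        "plugins": {k: sorted(v) for k, v in comps["plugins"].items()},
        "themes": {k: sorted(v) for k, v in comps["themes"].items()},
        "same_site_resources": len(same),
        "external_hosts": sorted({urlparse(s).netloc for _, s in external}),
        "users": find_users(html),
    }


if __name__ == "__main__":
    print(json.dumps(passive_report(SAMPLE_HTML, "blog.example.com"), indent=2))
```

The ?ver= values are a hint rather than a fingerprint: many plugins version their assets independently of the plugin release, and caching or minification plugins rewrite or strip them, which is why the active scan below the fold fetches readme.txt instead when a version really matters.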
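The active enumeration described above, as an added Python example that is not the scanner's own code or its Nmap NSE scripts: it probes /wp-content/plugins/<slug>/ and /wp-content/themes/<slug>/ for each wordlist entry, interprets the status code (an "Index of" listing means directory indexing is on, 403 means the directory exists but listing is denied, 404 means absent), reads the version from the plugin's readme.txt "Stable tag" or the theme's style.css "Version" header as the membership fingerprinting does, enumerates users through the ?author=N redirect, and counts the requests sent so the log footprint is visible. The responses, paths, slugs and versions are constructed for the example; fake_fetch stands in for a real HTTP client.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""

# Constructed responses for a hypothetical target so the example runs offline.
# In a real scan fetch() would wrap an HTTP client, e.g.
# requests.get(base_url + path, allow_redirects=False), mapped onto Response.
CANNED = {
    "/wp-content/plugins/contact-form-7/": Response(
        200, "<title>Index of /wp-content/plugins/contact-form-7</title>"),
    "/wp-content/plugins/contact-form-7/readme.txt": Response(
        200, "=== Contact Form 7 ===\nStable tag: 5.8.4\n"),
    "/wp-content/plugins/akismet/": Response(403, "Forbidden"),
    "/wp-content/plugins/akismet/readme.txt": Response(
        200, "=== Akismet ===\nStable tag: 5.3\n"),
    "/wp-content/themes/twentytwentyfour/": Response(403, "Forbidden"),
    "/wp-content/themes/twentytwentyfour/style.css": Response(
        200, "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.0\n*/"),
    "/?author=1": Response(301, location="/author/alice/"),
    "/?author=2": Response(301, location="/author/bob/"),
}

def fake_fetch(path):
    # Any path not in CANNED answers 404, as a missing plugin directory would.
    return CANNED.get(path, Response(404, "Not Found"))

class CountingFetcher:
    """Counts requests: every miss is a 404 line in the target's logs, which
    is why a full 18000-slug wordlist is so noisy."""
    def __init__(self, fetch):
        self.fetch, self.requests = fetch, 0
    def __call__(self, path):
        self.requests += 1
        return self.fetch(path)

def component_version(fetch, kind, slug):
    """Plugins ship readme.txt with 'Stable tag:'; themes ship style.css with
    a 'Version:' header. Either can be missing or say 'trunk'."""
    if kind == "plugins":
        r = fetch(f"/wp-content/plugins/{slug}/readme.txt")
        m = re.search(r"^Stable tag:\s*([\w.\-]+)", r.body, re.M | re.I)
    else:
        r = fetch(f"/wp-content/themes/{slug}/style.css")
        m = re.search(r"^\s*Version:\s*([\w.\-]+)", r.body, re.M | re.I)
    if r.status != 200 or not m or m.group(1).lower() == "trunk":
        return None
    return m.group(1)

def probe_component(fetch, kind, slug):
    """Probe /wp-content/<kind>/<slug>/; the status code is the signal:
    200 + 'Index of' listing: present, directory indexing enabled
    200 without a listing:    ambiguous (catch-all 200s are common), trusted
                              only if the version metadata also loads
    403:                      present, listing denied
    404:                      absent (and one 404 in the target's logs)"""
    r = fetch(f"/wp-content/{kind}/{slug}/")
    if r.status == 404:
        return None
    listing = r.status == 200 and "index of" in r.body.lower()
    version = component_version(fetch, kind, slug)
    if r.status == 200 and not listing and version is None:
        return None  # soft 404: nothing behind the catch-all page
    return {"kind": kind, "slug": slug, "status": r.status,
            "directory_indexing": listing, "version": version}

def enumerate_users(fetch, limit):
    """/?author=N redirects to /author/<slug>/ when user ID N exists. IDs 1..limit
    are all probed (deleted users leave gaps), so exactly `limit` requests go out."""
    users = []
    for n in range(1, limit + 1):
        r = fetch(f"/?author={n}")
        m = re.search(r"/author/([^/?#]+)", r.location) if r.status in (301, 302) else None
        if m:
            users.append((n, m.group(1)))
    return users

def active_scan(fetch, plugin_words, theme_words, user_limit=5):
    counted = CountingFetcher(fetch)
    findings = []
    for kind, words in (("plugins", plugin_words), ("themes", theme_words)):
        for slug in words:
            finding = probe_component(counted, kind, slug)
            if finding:
                findings.append(finding)
    return {"components": findings, "users": enumerate_users(counted, user_limit),
            "requests_sent": counted.requests}

if __name__ == "__main__":
    # Short constructed wordlists; the scanner's own lists are far larger.
    result = active_scan(fake_fetch, ["contact-form-7", "akismet", "wordfence", "hello-dolly"],
                         ["twentytwentyfour", "astra"])
    for f in result["components"]:
        print(f"{f['kind']:8}{f['slug']:20} HTTP {f['status']} indexing={f['directory_indexing']} version={f['version']}")
    print("users:", result["users"], "| requests sent:", result["requests_sent"])
```

The request counter is the practical point of the warning above: with six wordlist entries and five author IDs the run already sends fourteen requests, and every absent slug costs one 404 line on the target, so a full plugin list is tens of thousands of lines and easy for an IPS to notice. The soft-404 check matters because some hosts answer 200 for any path under /wp-content/, which would otherwise mark every wordlist entry as installed.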
Comparing the Options
Free WordPress Security Check
- Test up to 20 sites at a time using the Passive WordPress Analysis Tool
- WordPress Version Check
- Site Reputation from Google
- Default admin account enabled
- Directory Indexing on plugins
- Sites Externally linked from main page (reputation checks)
- List WordPress plugins detected in the HTML source (use active enumeration for more aggressive discovery)
- Linked JavaScript and any iframes
- Hosting Reputation and Geolocation information
Additional Benefits (with Membership)
- Test up to 1000 sites at a time using the Passive WordPress Analysis Tool
- Use Nmap NSE scripts for WordPress auditing
- Identify plugins in /wp-content/plugins/ from a database of over 18000
- Identify themes in /wp-content/themes/ from a database of over 2600
- Fingerprint the version of the discovered plugins and themes to identify known vulnerabilities
- Enumerate up to 50 user names
- Custom OpenVAS WordPress Report
- With membership you have access to all the security testing tools, including port scans and the web server and network vulnerability scanners.
WordPress is the world's leading content management system, which makes it a popular target for attackers.
Analysis of compromised WordPress installations shows that exploitation most often occurs through simple configuration errors or through plugins and themes that have not had security fixes applied.
The checks performed by our WordPress security scan point out obvious security failures in the WordPress installation and recommend security-related configuration improvements to harden the website against future attacks.
Additional Resources
- Analysis of Top 100K WordPress Sites
- Introduction to common attacks against WordPress installations
- Using OSSEC to monitor and secure WordPress
- WordPress User Enumeration
Professional WordPress assessments.
Validated security report. Fast turnaround.