WordPress scanner

The WordPress module fingerprints WordPress installations and checks core, themes, and plugins against known vulnerabilities.

What we check

  • Core version — extracted from readme.html, generator meta tag, or login page; matched against the WordPress security release feed.
  • Active plugins — enumerated via the public /wp-json/wp/v2/ API where exposed, plus a curated list of common plugin paths.
  • Themes — enumerated via theme directory listings.
  • WPVulnDB / Patchstack — every plugin/theme version is checked against published vulnerabilities.
  • Login surface — is /wp-login.php reachable? Does it have rate limiting?
  • Configuration leaks — wp-config.php.bak left on the web root, xmlrpc.php reachable, REST API user enumeration.

Common findings

  • Outdated core — patch within 7 days of every minor release.
  • Vulnerable plugin / theme — update or remove.
  • XML-RPC enabled — disable unless actively used by Jetpack or a similar tool.
  • REST API user enumeration open — block via .htaccess or security plugin.
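
One way to close the last two findings with a small must-use plugin instead of .htaccess rules, given here as an added example that is not part of the scanner or its documentation; it relies only on the WordPress core filters xmlrpc_enabled and rest_endpoints, and the plugin name and file location are illustrative.

```php
<?php
/**
 * Plugin Name: Example REST/XML-RPC hardening (mu-plugin)
 * Description: Example code, not part of the scanner. Save as
 *              wp-content/mu-plugins/harden-rest-xmlrpc.php; mu-plugins
 *              load automatically and cannot be deactivated from wp-admin.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run when loaded by WordPress itself.
}

// Finding "XML-RPC enabled": the core filter turns the XML-RPC server off,
// so xmlrpc.php answers every method call with a fault instead of
// processing it. Remove this line if Jetpack or a mobile app needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Finding "REST API user enumeration open": drop every /wp/v2/users route
// from the route table for requests that carry no valid authentication
// (cookie + nonce or application password). Anonymous callers then get a
// 404 for /wp-json/wp/v2/users instead of a list of login names, while
// logged-in users keep the endpoint for the block editor's author picker.
// Core runs check_authentication() before dispatch, so is_user_logged_in()
// already reflects the request's credentials when this filter fires.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] ); // covers /users, /users/(?P<id>…), /users/me
        }
    }
    return $endpoints;
} );
```

After installing, re-run the scanner (or request /wp-json/wp/v2/users while logged out) and confirm the two findings no longer appear.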

Frequency

Daily. WordPress vulnerabilities are disclosed continuously.