4 Free Tools To Scan WordPress For Security Vulnerabilities

by Jul 11, 2023WordPress Security0 comments

Kinsta - Unlock 4 Months OFF Annual WordPress Plans

As the popularity of WordPress continues to grow, so does the need for robust security measures to protect your website from potential vulnerabilities. Fortunately, there are free tools available that can scan your WordPress site and identify security weaknesses.

In this blog post, we will explore four powerful tools that can help you fortify your WordPress fortress. Each tool is accompanied by an explanation, link, and screenshots, providing you with a comprehensive overview of their features and capabilities.

Table of Contents

Let’s dive in and ensure the safety of your WordPress website!


WPScan is a widely acclaimed WordPress vulnerability scanner that checks your website for security loopholes, outdated plugins, and themes. It is a command-line tool built on Ruby that performs comprehensive security checks, including scanning for known vulnerabilities, weak passwords, and outdated software versions. WPScan is regularly updated to keep up with the latest threats and is trusted by security professionals worldwide.

$ wpscan --url https://example_website.com --random-user-agent --enumerate vp,u,vt,tt
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

[+] URL: https://example_website.com/ []
[+] Started: Mon Jul 10 13:40:49 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - cf-ray: 7e4b47c21c12b6eb-QRO
 |  - cf-cache-status: BYPASS
 |  - ki-cache-type: Edge
 |  - ki-cf-cache-status: BYPASS
 |  - ki-edge: v=20.0.0;mv=2.0.4
 |  - permissions-policy: geolocation 'self'; autoplay 'self'; camera 'self'; accelerometer 'none'; gyroscope 'none'; magnetometer 'none'; midi 'none'; speaker 'none'; microphone 'none'; payment 'none'; usb 'none'; picture-in-picture 'none'; ambient-light-sensor 'none'; vr 'none'
 |  - referrer-policy: strict-origin-when-cross-origin
 |  - x-edge-location-klb: 1
 |  - x-kinsta-cache: MISS
 |  - report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2hQ9xX1KgjLZTCrrXZ%2BG1GXc4HvNMywt7cAYU9IaQzNC8le9qr7XeVU5lWfAWnn2lUHP6xq02AdTJsrl91NyZmYJZhJCJGmaa8tm%2BzIOrgxxM5Gv%2F%2Bb7ms79Xsm0op0WxQ%3D%3D"}],"group":"cf-nel","max_age":604800}
 |  - nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
 |  - server: cloudflare
 |  - alt-svc: h3=":443"; ma=86400
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: https://example_website.com/robots.txt
 | Interesting Entries:
 |  - /?s=
 |  - /page/*/?s=
 |  - /search/
 |  - /wp-json/
 |  - /?rest_route=
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://example_website.com/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 30%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] This site has 'Must Use Plugins': https://example_website.com/wp-content/mu-plugins/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 80%
 | Reference: http://codex.wordpress.org/Must_Use_Plugins

[+] Registration is enabled: https://example_website.com/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://example_website.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.2.2 identified (Latest, released on 2023-05-20).
 | Found By: Query Parameter In Upgrade Page (Aggressive Detection)
 |  - https://example_website.com/wp-includes/css/dashicons.min.css?ver=6.2.2
 |  - https://example_website.com/wp-includes/css/buttons.min.css?ver=6.2.2
 |  - https://example_website.com/wp-admin/css/forms.min.css?ver=6.2.2
 |  - https://example_website.com/wp-admin/css/l10n.min.css?ver=6.2.2
 |  - https://example_website.com/wp-admin/css/install.min.css?ver=6.2.2

[+] WordPress theme in use: Divi
 | Location: https://example_website.com/wp-content/themes/Divi/
 | Latest Version: 4.21.1 (up to date)
 | Readme: https://example_website.com/wp-content/themes/Divi/README.md
 | Style URL: https://example_website.com/wp-content/themes/Divi/style.css
 | Style Name: Divi
 | Style URI: http://www.elegantthemes.com/gallery/divi/
 | Description: Smart. Flexible. Beautiful. Divi is the most powerful theme in our collection....
 | Author: Elegant Themes
 | Author URI: http://www.elegantthemes.com
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 | Version: 4.21.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://example_website.com/wp-content/themes/Divi/style.css, Match: 'Version: 4.21.1'

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:36 <=============================================> (504 / 504) 100.00% Time: 00:00:36
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:01:10 <===========================================> (2575 / 2575) 100.00% Time: 00:01:10

[i] No Timthumbs Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] John Doe
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[+] johndoe
 | Found By: Yoast Seo Author Sitemap (Aggressive Detection)
 |  - https://example_website.com/author-sitemap.xml

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jul 10 13:43:05 2023
[+] Requests Done: 3160
[+] Cached Requests: 15
[+] Data Sent: 909.226 KB
[+] Data Received: 6.568 MB
[+] Memory used: 170.984 MB
[+] Elapsed time: 00:02:16

Link: WPScan

Screenshot: WPScan


Nessus is a comprehensive vulnerability scanner widely used in the cybersecurity industry. While it is not WordPress-specific, it can be utilized to scan your WordPress website for vulnerabilities. Nessus performs in-depth checks, scanning for outdated software, weak configurations, and known security flaws. It offers detailed reports and prioritizes vulnerabilities based on their severity, helping you focus on the most critical issues.

Link: Nessus

Screenshot: Nessus


OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanner that can be utilized to scan your WordPress site for potential security issues. It performs various checks, including network vulnerability scanning, web application scanning, and configuration auditing. OpenVAS offers extensive reporting capabilities and can be customized to meet your specific requirements.

Link: OpenVAS



Vega is a free and open-source web vulnerability scanner that can be used to scan your WordPress site for potential security weaknesses. It performs comprehensive tests, including SQL injection, cross-site scripting, and directory traversal. Vega offers an intuitive graphical interface and provides detailed reports to help you identify and address vulnerabilities effectively.

Link: Vega


Conclusion: Securing your WordPress website is a top priority, and these four free tools can significantly contribute to your efforts. WPScan, Sucuri Security, Wordfence, and Nessus provide comprehensive scanning capabilities, identifying vulnerabilities, malware, and outdated software versions. By utilizing these tools, you can proactively address security weaknesses and ensure the robustness of your WordPress fortress. Take advantage of these free resources, strengthen your website’s security, and gain peace of mind in an increasingly interconnected world.

Kinsta - Unlock 4 Months OFF Annual WordPress Plans
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
WPScan Cheat Sheet

WPScan Cheat Sheet

WPScan is an invaluable tool for safeguarding your WordPress website against potential vulnerabilities. As cyber threats continue to evolve, performing regular scans with WPScan can help identify security weaknesses and protect your website from potential attacks.

In this blog post, we’ll provide you with a comprehensive WPScan cheat sheet that covers installation, basic scanning techniques, password brute-forcing, vulnerability scanning, plugin and theme analysis, output and reporting options, and more. Let’s dive in and unlock the power of WPScan to fortify your WordPress fortress.

read more
What is the best WordPress security?

What is the best WordPress security?

In today’s digital landscape, protecting your WordPress website from potential threats is crucial. With cyberattacks on the rise, implementing robust security measures is paramount.

This blog post delves into the world of WordPress security, exploring the best practices and tools to fortify your online presence. Discover how you can keep your website secure and gain peace of mind in an increasingly interconnected world.

read more
Understanding How Passwords are Stored in WordPress

Understanding How Passwords are Stored in WordPress

Passwords serve as the first line of defense against unauthorized access to your website. As one of the most popular content management systems (CMS) in the world, WordPress takes the security of user passwords seriously.

In this article, we will delve into the inner workings of password storage in WordPress, exploring the mechanisms implemented to ensure the protection of user credentials.

read more
WordPress Password Manager SSO (Single Sign-On): Simplify Access, Enhance Security

WordPress Password Manager SSO (Single Sign-On): Simplify Access, Enhance Security

In today’s digital landscape, managing multiple usernames and passwords across various platforms can be a daunting task. That’s where Single Sign-On (SSO) comes in.

In this comprehensive blog article, we will delve into the world of WordPress Password Manager SSO, exploring its history, benefits, top plugins to implement SSO in a WordPress site, common implementation errors, and the importance of SSO in building a robust WordPress authentication strategy.

read more
Preventing WordPress Malware: A Guide for Web Development Agencies

Preventing WordPress Malware: A Guide for Web Development Agencies

WordPress powers a significant portion of the internet, making it an attractive target for hackers and malware infections. As a web development agency, it is crucial to prioritize website security and take proactive measures to prevent malware and hackers from compromising WordPress websites.

This comprehensive guide aims to provide web developers, web administrators, and marketing professionals with valuable insights and best security practices to safeguard WordPress websites against malware attacks.

read more
Buy me a Beer
Ad - Web Hosting from SiteGround - Crafted for easy site management. Click to learn more.
Sucuri - Complete end-to-end security