📦 WordPress Scanner
Detect WordPress version, themes, plugins, and security issues
📚 About WordPress Scanning
This tool performs passive enumeration to detect WordPress installations and their components. It does not attempt any exploitation or authentication bypass.
What We Detect
- WordPress Version: Via meta generator, RSS feed, asset versions, and readme.html
- Theme: Name, version, author, and parent theme from style.css
- Plugins: 40+ popular plugins including Yoast SEO, WooCommerce, Elementor, Contact Form 7, and more
- Security Issues: XML-RPC, user enumeration, directory listing, debug mode, and exposed backups
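As an added illustration (not this tool's own code), the sketch below shows how three of the version sources listed above can be read from content a site already serves, so a site owner can check which ones still disclose the core version after hiding the generator tag. The function names, regexes, and sample markup are assumptions constructed for this example; readme.html is left out.

```python
import re
from collections import Counter

# Constructed sample inputs (not captured from any real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/wp-includes/js/wp-embed.min.js?ver=6.4.2"></script>
<script src="/wp-content/plugins/example-plugin/app.js?ver=2.1.0"></script>
</head><body></body></html>"""
SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel>
<generator>https://wordpress.org/?v=6.4.2</generator>
</channel></rss>"""

META_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s+([\d.]+)', re.I)
FEED_RE = re.compile(r'<generator>\s*https?://wordpress\.org/\?v=([\d.]+)', re.I)
# Only assets under /wp-includes/ track the core version; plugin and theme
# assets carry their own ?ver= values and are ignored here.
ASSET_RE = re.compile(r'/wp-includes/[^"\'\s>]+\?ver=([\d.]+)', re.I)


def version_disclosures(html="", feed=""):
    """Return {source: version} for each place the core version is exposed."""
    found = {}
    m = META_RE.search(html)
    if m:
        found["meta_generator"] = m.group(1)
    m = FEED_RE.search(feed)
    if m:
        found["rss_generator"] = m.group(1)
    assets = Counter(ASSET_RE.findall(html))
    if assets:
        # Most common value wins; bundled libraries (e.g. jQuery) keep their own version.
        found["asset_ver"] = assets.most_common(1)[0][0]
    return found


def consensus(found):
    """Version most sources agree on, or None when nothing is exposed."""
    if not found:
        return None
    return Counter(found.values()).most_common(1)[0][0]


if __name__ == "__main__":
    report = version_disclosures(SAMPLE_HTML, SAMPLE_FEED)
    print(report, "->", consensus(report))
```

Removing only the meta generator tag leaves the `asset_ver` entry in place, which is why a version can still be reported for sites that hide the tag.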
Understanding Security Grades
| Grade (score) | Meaning |
| --- | --- |
| A (90-100) | Excellent security configuration |
| B (80-89) | Good security with minor issues |
| C (70-79) | Average security, improvements recommended |
| D (60-69) | Below average, multiple issues found |
| F (0-59) | Poor security, immediate action needed |
Limitations
- Only plugins that load public assets can be detected
- Sites with WAF protection (Cloudflare, Sucuri, Wordfence) may show limited results
- Version detection depends on site configuration — some sites hide this info
- Private/premium plugins may not be recognized
- This is a passive scan — no login or exploitation attempts
Common Error Messages
- "Could not find the website" — Check the domain spelling and DNS configuration
- "Connection timed out" — The site may be slow or blocking requests
- "Scan was blocked" — The site has WAF protection (this is good security!)
- "Private addresses not allowed" — Only public websites can be scanned
⚠️ Ethical Use Notice: Only scan websites you own or have explicit permission to test.
Unauthorized scanning may violate computer fraud laws.