Additional menu

11 WordPress Scanner to Find Security Vulnerabilities & Misconfiguration

11 WordPress Scanner to Find Security Vulnerabilities & Misconfiguration

Geek Flare Blog post is sponsored by Netsparker Web Application Security Scanner.

Is your WordPress site secure enough? Find the flaws in your WordPress website and fix them before someone misuses it.

The latest research by SUCURI shows more than 70%  of WordPress sites are infected with one or more vulnerabilities.

There are plenty of online scanners to check the common web vulnerabilities, but that may not be sufficient as a security risk may arise from WordPress core, plugin, theme or misconfiguration.

For that, you need a specialize security scanner which not just detect the common but also particular to WordPress vulnerabilities.

The following scanner can help you to audit your website and let you know for security risk. So you can take necessary action to prevent from being hacked.


1. WordPress Security Scan by Hacker Target

WordPress check by Hacker Target test for a vulnerable plugin (1800+), outdated WordPress version, web server configuration and the following.

  • Google safe browsing test
  • Directory indexing
  • Admin account status (enabled/disabled)
  • iFrames
  • Hosting provider reputation
  • JavaScript linked
  • Vulnerable themes (2600+)
  • Basic level of brute force

Hacker Target downloads few pages from the URL and examines the HTTP header and HTML code.

2. Detectify

Detectify is enterprise vulnerability scanner which tests for more than 500 vulnerabilities including OWASP top 10 & WordPress specific.

So if you are looking for not just WordPress scan but complete website security then gives a try to Detectify.


WP SCANS leverage WPScan vulnerability database to compare the version and report if any vulnerable core, plugin, a theme found.

WPScan cover more than 6100 vulnerabilities database. If you are looking to use WP Scan on your server/PC, then you may refer this guide about how to install and use it.

4. Security Ninja

Ninja security is a plugin, so a test is done from within your WordPress admin. It checks for more than 50 metrics with one click, and you get a detailed report including test name, status, how-to fix & results.

It took less than 2 minutes to scan my site and got the excellent report covering latest version, database connectivity exposure, a connection over SSL, etc.


SUCURI provide end-to-end security solution like monitoring, clean-up & protection. If you are looking for complete website security solution (antivirus+firewall), then SUCURI would be a good choice.

If you are just looking to test your website on-demand, then you can use their FREE SiteCheck which checks for malware, blacklisting status, out-dated technologies used & errors.

Another option would be to use the plugin to initiate the scan from your WordPress admin dashboard.

6. Pentest-Tools

WordPress Vulnerability scan by Pentest-Tools is another tool leveraging WPScan and give you the option to download the report in PDF format. Sample report here.

It enumerates the plugin, theme, users and fingerprint the WordPress version.

7. Exploit Scanner

Exploit Scanner is a plugin which you got to install within your WordPress site. It scans for files, database, comments for anything suspicious.

If you suspect your WordPress is compromised, then this would be very handy to run a quick scan to find anything hidden/malicious.

It doesn’t remove/change anything.

8. WP Loop

WP Loop performs 11 basic checks covering information leakage, enumeration & file accessibility.

  • WP, PHP version disclosure
  • html, install.php, upgrade.php accessibility
  • Login enumeration
  • Windows live writer and EditURI link

If you have a just setup WordPress site, then it would be a good place to start testing & securing.

9. WP Neuron

WP Neuron tool scan WordPress vulnerabilities in core files, plugins, libraries. It also enumerate weak password to test brute force attacks and scan all code to ensure none of the scripts is exposed to online threats.

10. Acunetix

Acunetix is complete website vulnerability scanner platform which covers CMS like WordPress specific checks as well.

Acunetix test your site for XSS, SQLi, SSL, DOS, Header, SSRF, XXE, more than 1200 WordPress plugins, core files, weak admin password, user enumeration, wp-config.php and much more.


Post scan, you get detailed report with the risk finding and fix recommendation.

11. Quttera

Quttera plugin scan your WordPress site for known and unknown malware and suspicious activity. You can initiate the scan from your WordPress admin dashboard, and it will make HTTP call to Quttera to scan and get the results.

Along with malware lookup, it also does the following.

  • Check if URL is blacklisted
  • No signature or pattern detection
  • Inject PHP shells detection
  • External link detection
  • Investigate WordPress core files

I hope above on-demand tool and plugin helps you to scan your WordPress website for online threats so you can prevent from being hacked.

If you are looking for complete website security and acceleration, then you may explore cloud-based solution like SUCURI, Incapsula, Cloudflare.

Reader Interactions

Chandan Kumar
About Chandan
Chandan Kumar is the founder of Geek Flare. Learn more here and connect with him on Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *