WordPress security is crucial for maintaining the integrity and safety of your website. By utilizing security vulnerability scanners and pentesting tools, you can proactively identify and address potential vulnerabilities in your WordPress site.
These tools offer several benefits and advantages, including:
- Identification of Vulnerabilities: Security scanners can scan your WordPress site for known vulnerabilities, such as outdated plugins or weak passwords, helping you identify potential risks.
- Thorough Testing: Pentesting tools allow you to simulate real-world attacks and test the effectiveness of your security measures. This helps you identify any weaknesses or loopholes in your WordPress site's defense.
- Enhanced Protection: By regularly scanning and testing your WordPress site, you can stay one step ahead of potential attackers and ensure that your website is protected against known security threats.
- Peace of Mind: Utilizing security vulnerability scanners and pentesting tools provides peace of mind, knowing that you have taken proactive steps to safeguard your WordPress site and the sensitive data it may contain.
Remember, maintaining regular security scans and conducting pentesting exercises are essential for keeping your WordPress site secure and protected from potential threats.
In this list, you will find 20 open-source free tools that can help you make your WordPress sites secure.
1- WPForce - WordPress Attack Suite
WPForce is a suite of WordPress Attack tools. Currently, this contains 2 scripts - WPForce, which brute forces logins via the API, and Yertle, which uploads shells once admin credentials have been found. It also contains a number of post exploitation modules.
- Brute Force via API, not login form bypassing some forms of protection
- Can automatically upload an interactive shell
- Can be used to spawn a full-featured reverse shell
- Dumps of WordPress password hashes
- Can backdoor authentication function for plaintext password collection
- Inject BeEF hook into all pages
- Pivot to meterpreter if needed
WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.
FastAudit is a simple WordPress enumeration tool and security auditor that can detect possible security issues with just one web-request. It is inspired by WPScan and uses the WPScan Vulnerability Database to identify
plugin/theme/wpVersion-related vulnerabilities. This tool is only for enumeration and not for exploitation, making it safe to use for scanning WordPress applications for vulnerabilities.
- enumerates wp-version/theme/users/plugins
- based on the aboved results uses WPScan Vulnerability Database to search for potential vulnerabilities
- utilizes shodan-API to search for additional vulnerabilities (shodan account required for this feature, may also give false positives sometimes)
- utilizes haveibeenpwned service to search if a password (in sha1) has been used/breached before (useful for developers to test their passwords).
4- WordPress Anomaly Detector
This project compares the files and folders of the original source code of WordPress against a website. This multithreaded script will crawl a given website and search for a directory listing.
5- WordPress Vulnerability
WordPress Vulnerability Check (wp-vulnerability-check) is a powerful console application that confidently checks the WPScan Vulnerability Database via API. It effectively identifies any potential security issues with the WordPress plugins that are currently installed.
This is a fast and stealth WordPress scanner, no api-key, no limitation.
Web-Hunter is a free advanced Web Application Penetration testing tool & WordPress name finder and brute forcer Termux & Kali Linux.
- DNS Lookup, Reverse IP Lookup, Zone Transfer, Subnet Http Headers, Port And Host Scanner
- Whois Lookup
- Find Subdomain
- Extract Link
- Geo IP Lookup
- Admin Panel Finder
- Admin Scanner
- No Redirect
- TCP Port Scan
- Advanced Dork Finder
- SQLi/XSS/LFI Payload & Dork
- WordPress Username Finder
- WordPress Brute Force
8- WordPress Scanner
WordPress Scanner is a PHP tool that assesses vulnerabilities and audits security misconfigurations in WordPress installations. It performs "black box" scanning for WordPress web applications, focusing on common security misconfigurations and analyzing the HTML source of downloaded pages.
RPCSCAN by RC is a Python tool that automates the process of finding the xmlrpc.php file on all subdomains of your targets. It also identifies vulnerable methods and searches for reports on platforms like HackerOne and Medium writeups.
10- WordPress Core Integrity Checker
WordPress Core Integrity Checker is a plugin to scan WordPress core directories to check the files' integrity.
swit-scanner is a very Powerful and Easy Automated Web Penetration Testing Tool
Swit Scanner. It uses whois, whatweb, subfinder, wafw00f, a2sv, dnsenum, sqlmap, wpscan, goofile, ffuf, photon, hakrawler For Scan.
WP-Scanner is a basic Python3 based WordPress Penetrator Discord Bot.
Simple PHP scripts to extract info from WordPress sites and pages
vMass Bot is an automated tool that exploits remote hosts by searching for environment files (.env) and extracting tools and information. It can also detect the target host's CMS and attempt to exploit it using the vMass vulnerability set, which includes 108 exploits in the current version.
The bot can generate host lists from IP ranges, URLs, and dotenv low profile dorks, and it can eliminate invalid or dead hosts. Extracted tools can be filtered and tested, and working ones can be delivered to a Telegram channel. The entire process, from generating hosts to delivering results, can be automated using the AUTOPILOT option.
15- WP Flak
WP Flak is a free and open-source WordPress security scanner and exploiter.
Its features include:
- Version Finder
- Themes / Plugins Infomations
- Users Extraction (Various Methods)
- Auto Users Weak Passwords Checker
- Exploit Finder
This tool helps us to finding admin users and Checking XmlRPC Features (Pingback etc.) on WordPress sites.
Wordpresscan is a simple WordPress scanner written in python based on the work of WPScan (Ruby version), some features are inspired by WPSeku.
18- XAttacker Tool
You can use this tool on your website to check the security of your website by finding the vulnerability in your website or you can use this tool to Get Shells | Sends | Deface | cPanels | Databases
This python library is made for educational purposes only. Me, as the creator and developer, not responsible for any misuse for this module in any malicious activity. It is made as a tool to understand how hackers can create their tools and perform their attacks. It contains most of known attacks and exploits. it can be used to perform: DoS and DDoS attacks (all known tools are included), information gathering, scrapping proxies, crawling, google dorking, checking for vulnerabilities (sql injection (all types), xss, command execution, php code injection, FI, forced browsing