19 Free and Open-source WordPress Security Vulnerability Scanners and Pentesting Tools


WordPress security is crucial for maintaining the integrity and safety of your website. By utilizing security vulnerability scanners and pentesting tools, you can proactively identify and address potential vulnerabilities in your WordPress site.

Benefits

These tools offer several benefits and advantages, including:

  • Identification of Vulnerabilities: Security scanners can scan your WordPress site for known vulnerabilities, such as outdated plugins or weak passwords, helping you identify potential risks.
  • Thorough Testing: Pentesting tools allow you to simulate real-world attacks and test the effectiveness of your security measures. This helps you identify any weaknesses or loopholes in your WordPress site's defense.
  • Enhanced Protection: By regularly scanning and testing your WordPress site, you can stay one step ahead of potential attackers and ensure that your website is protected against known security threats.
  • Peace of Mind: Utilizing security vulnerability scanners and pentesting tools provides peace of mind, knowing that you have taken proactive steps to safeguard your WordPress site and the sensitive data it may contain.

Remember, maintaining regular security scans and conducting pentesting exercises are essential for keeping your WordPress site secure and protected from potential threats.

In this list, you will find 19 free and open-source tools that can help you make your WordPress sites more secure.

1- WPForce - WordPress Attack Suite

WPForce is a suite of WordPress attack tools. Currently it contains two scripts: WPForce, which brute-forces logins via the API, and Yertle, which uploads shells once admin credentials have been found. It also contains a number of post-exploitation modules.

Features

  • Brute force via the API rather than the login form, bypassing some forms of protection
  • Can automatically upload an interactive shell
  • Can be used to spawn a full-featured reverse shell
  • Dumps WordPress password hashes
  • Can backdoor the authentication function for plaintext password collection
  • Inject a BeEF hook into all pages
  • Pivot to Meterpreter if needed

GitHub - n00py/WPForce: Wordpress Attack Suite

2- WPScan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

GitHub - wpscanteam/wpscan: WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

3- FastAudit

FastAudit is a simple WordPress enumeration tool and security auditor that can detect possible security issues with a single web request. It is inspired by WPScan and uses the WPScan Vulnerability Database to identify vulnerabilities related to the detected plugins, theme and WordPress version. The tool only enumerates and does not exploit, which makes it comparatively safe for scanning WordPress applications for vulnerabilities.

Features

  • Enumerates the WordPress version, theme, users and plugins
  • Based on the above results, queries the WPScan Vulnerability Database for potential vulnerabilities
  • Uses the Shodan API to search for additional vulnerabilities (a Shodan account is required for this feature, and it may produce false positives)
  • Uses the haveibeenpwned service to check whether a password (as a SHA-1 hash) has appeared in a breach before (useful for developers testing their own passwords)

GitHub - chrispetrou/FastAudit: A wordpress security auditor! Audit your wordpress application for security issues with even 1 request.

4- WordPress Anomaly Detector

This project compares the files and folders of the original WordPress source code against those found on a website. The multithreaded script crawls a given website and searches for directory listings.

GitHub - NavyTitanium/WordPress-Anomaly-Detector: Compare the files and folders of the original source code of WordPress against a website

5- WordPress Vulnerability Check

WordPress Vulnerability Check (wp-vulnerability-check) is a console application that queries the WPScan Vulnerability Database via its API to identify known security issues in the WordPress plugins currently installed.

GitHub - umutphp/wp-vulnerability-check: A command line tool to check the WPScan Vulnerability Database via API to identify the security issues of WordPress plugins installed.

6- WPscrap

WPscrap is a fast and stealthy WordPress scanner that requires no API key and has no rate limitation. It uses the free open-source API at www.wpvulnerability.net.

GitHub - moloch54/WPscrap: Fast and stealth WordPress scanner, no api-key, no limitation. Use the top-notch free open-source API www.wpvulnerability.net

7- Web-Hunter

Web-Hunter is a free, advanced web application penetration testing tool and WordPress username finder and brute forcer for Termux and Kali Linux.

Features

  • DNS Lookup, Reverse IP Lookup, Zone Transfer, Subnet, HTTP Headers, Port and Host Scanner
  • Whois Lookup
  • Find Subdomain
  • Extract Link
  • Geo IP Lookup
  • Admin Panel Finder
  • Admin Scanner
  • No Redirect
  • TCP Port Scan
  • Advanced Dork Finder
  • SQLi/XSS/LFI Payload & Dork
  • WordPress Username Finder
  • WordPress Brute Force

GitHub - darkhunter141/Web-Hunter: Advanced Web Application Penetration testing tool & Wordpress name finder and brute forcer Termux

8- WordPress Scanner

WordPress Scanner is a PHP tool that assesses vulnerabilities and audits security misconfigurations in WordPress installations. It performs "black box" scanning for WordPress web applications, focusing on common security misconfigurations and analyzing the HTML source of downloaded pages.

GitHub - Wphackedhelp/Wordpress-scanner: Wordpress Scanner https://secure.wphackedhelp.com/

9- RPCSCAN

RPCSCAN by RC is a Python tool that automates finding the xmlrpc.php file on all subdomains of your targets. It then identifies vulnerable XML-RPC methods and searches for related reports on platforms such as HackerOne and Medium writeups.

GitHub - HACKE-RC/RPCScan: RPCSCAN by RC - A python tool to automate all the efforts that you put on finding the xmlrpc.php file on all of your target's subdomains and then finding the vulnerable methods and then finding the reports on hackerone and medium writeups.

10- WordPress Core Integrity Checker

WordPress Core Integrity Checker is a plugin that scans the WordPress core directories and checks the integrity of their files.

GitHub - mohsinadeel/wp-core-integrity: A plugin to scan WordPress core directories to check the files integrity

11- swit-scanner

swit-scanner (Swit Scanner) is a powerful and easy-to-use automated web penetration testing tool. For scanning it uses whois, whatweb, subfinder, wafw00f, a2sv, dnsenum, sqlmap, wpscan, goofile, ffuf, photon and hakrawler.

GitHub - RedSecurity/swit-scanner: Very Powerful and Easy Automated Web Scanner

12- WP-Scanner

WP-Scanner is a basic Python 3 WordPress penetration-testing tool packaged as a Discord bot.

GitHub - Start-P/WP-Scanner: A basic Python3 based WordPress Penetrator Discord Bot.

13- wp-spy

wp-spy is a set of simple PHP scripts that extract information from WordPress sites and pages.

GitHub - gakowalski/wp-spy: Simple PHP scripts to extract info from Wordpress sites and pages

14- vMass

vMass Bot is an automated tool that exploits remote hosts by searching for exposed environment files (.env) and extracting credentials ("tools") and other information from them. It can also detect the target host's CMS and attempt to exploit it using the vMass vulnerability set, which includes 108 exploits in the current version.

The bot can generate host lists from IP ranges, URLs and low-profile dotenv dorks, and it can eliminate invalid or dead hosts. Extracted credentials can be filtered and tested, and working ones can be delivered to a Telegram channel. The entire process, from generating hosts to delivering results, can be automated with the AUTOPILOT option.

GitHub - azizz98/vMass: vMass Bot Vulnerability Scanner & Auto Exploiter Tool Written in Perl.

15- WP Flak

WP Flak is a free and open-source WordPress security scanner and exploiter.

Its features include:

  • Version Finder
  • Themes / Plugins Information
  • Users Extraction (Various Methods)
  • Auto Users Weak Passwords Checker
  • Exploit Finder
  • Exploiter

GitHub - gottburgm/wpFlak: WP Flak (Fliegerabwehrkanone) - Wordpress Security Scanner/Exploiter

16- WPFinder

WPFinder is a simple enumeration tool that helps find admin users and check XML-RPC features (pingback etc.) on WordPress sites.

GitHub - invelsec/WPFinder: Simple Wordpress Enumeration Tool.

17- Wordpresscan

Wordpresscan is a simple WordPress scanner written in Python, based on the work of WPScan (the Ruby version); some of its features are inspired by WPSeku.

GitHub - swisskyrepo/Wordpresscan: WPScan rewritten in Python + some WPSeku ideas

18- XAttacker Tool

You can use this tool on your own website to check its security by finding vulnerabilities, or it can be used to get shells, mailers ("sends"), defacements, cPanel access and databases.

GitHub - R3K1NG/XAttacker: X Attacker Tool ☣ Website Vulnerability Scanner & Auto Exploiter

19- Bane

This Python library is made for educational purposes only. I, as the creator and developer, am not responsible for any misuse of this module in any malicious activity. It is made as a tool to understand how hackers create their tools and perform their attacks. It contains most known attacks and exploits.

It can be used to perform DoS and DDoS attacks (all known tools are included), information gathering, proxy scraping, crawling, Google dorking, and checking for vulnerabilities (SQL injection of all types, XSS, command execution, PHP code injection, file inclusion, forced browsing).

GitHub - AlaBouali/bane: this is a python module that contains functions and classes which are used to test the security of web/network applications. it's coded on pure python and it's a very intelligent tool ! It can easily detect: XSS (reflected/stored), RCE (Remote Code/Command Execution), SSTI, SSRF, CORS Misconfigurations, File Upload, CSRF, Path Traversal... and more