WordPress

19 Free and Open-source WordPress Security Vulnerability Scanners and Pentesting Tools

Hazem Abbas

Hazem Abbas

10 min read
19 Free and Open-source WordPress Security Vulnerability Scanners and Pentesting Tools
Photo by Fikret tozak / Unsplash

WordPress security is crucial for maintaining the integrity and safety of your website. By utilizing security vulnerability scanners and pentesting tools, you can proactively identify and address potential vulnerabilities in your WordPress site.

Benefits

These tools offer several benefits and advantages, including:

  • Identification of Vulnerabilities: Security scanners can scan your WordPress site for known vulnerabilities, such as outdated plugins or weak passwords, helping you identify potential risks.
  • Thorough Testing: Pentesting tools allow you to simulate real-world attacks and test the effectiveness of your security measures. This helps you identify any weaknesses or loopholes in your WordPress site's defense.
  • Enhanced Protection: By regularly scanning and testing your WordPress site, you can stay one step ahead of potential attackers and ensure that your website is protected against known security threats.
  • Peace of Mind: Utilizing security vulnerability scanners and pentesting tools provides peace of mind, knowing that you have taken proactive steps to safeguard your WordPress site and the sensitive data it may contain.

Remember, maintaining regular security scans and conducting pentesting exercises are essential for keeping your WordPress site secure and protected from potential threats.

In this list, you will find 20 open-source free tools that can help you make your WordPress sites secure.

1- WPForce - WordPress Attack Suite

WPForce is a suite of WordPress Attack tools. Currently, this contains 2 scripts - WPForce, which brute forces logins via the API, and Yertle, which uploads shells once admin credentials have been found. It also contains a number of post exploitation modules.

Features

  • Brute Force via API, not login form bypassing some forms of protection
  • Can automatically upload an interactive shell
  • Can be used to spawn a full-featured reverse shell
  • Dumps of WordPress password hashes
  • Can backdoor authentication function for plaintext password collection
  • Inject BeEF hook into all pages
  • Pivot to meterpreter if needed
GitHub - n00py/WPForce: Wordpress Attack Suite
Wordpress Attack Suite. Contribute to n00py/WPForce development by creating an account on GitHub.
GitHubn00py

2- WPScan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

GitHub - wpscanteam/wpscan: WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected]
WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected] - GitHub - wpscanteam/…
GitHubwpscanteam

3- FastAudit

FastAudit is a simple WordPress enumeration tool and security auditor that can detect possible security issues with just one web-request. It is inspired by WPScan and uses the WPScan Vulnerability Database to identify plugin/theme/wpVersion-related vulnerabilities. This tool is only for enumeration and not for exploitation, making it safe to use for scanning WordPress applications for vulnerabilities.

Features

  • enumerates wp-version/theme/users/plugins
  • based on the aboved results uses WPScan Vulnerability Database to search for potential vulnerabilities
  • utilizes shodan-API to search for additional vulnerabilities (shodan account required for this feature, may also give false positives sometimes)
  • utilizes haveibeenpwned service to search if a password (in sha1) has been used/breached before (useful for developers to test their passwords).
GitHub - chrispetrou/FastAudit: :shipit: A wordpress security auditor! Audit your wordpress application for security issues with even 1 request.
:shipit: A wordpress security auditor! Audit your wordpress application for security issues with even 1 request. - GitHub - chrispetrou/FastAudit: :shipit: A wordpress security auditor! Audit your…
GitHubchrispetrou

4- WordPress Anomaly Detector

This project compares the files and folders of the original source code of WordPress against a website. This multithreaded script will crawl a given website and search for a directory listing.

GitHub - NavyTitanium/WordPress-Anomaly-Detector: Compare the files and folders of the original source code of WordPress against a website
Compare the files and folders of the original source code of WordPress against a website - GitHub - NavyTitanium/WordPress-Anomaly-Detector: Compare the files and folders of the original source cod…
GitHubNavyTitanium

5- WordPress Vulnerability

WordPress Vulnerability Check (wp-vulnerability-check) is a powerful console application that confidently checks the WPScan Vulnerability Database via API. It effectively identifies any potential security issues with the WordPress plugins that are currently installed.

GitHub - umutphp/wp-vulnerability-check: A command line took to check the WPScan Vulnerability Database via API to identify the security issues of WordPress plugins installed.
A command line took to check the WPScan Vulnerability Database via API to identify the security issues of WordPress plugins installed. - GitHub - umutphp/wp-vulnerability-check: A command line took…
GitHubumutphp

6- WPscrap

This is a fast and stealth WordPress scanner, no api-key, no limitation.

GitHub - moloch54/WPscrap: Fast and stealth WordPress scanner, no api-key, no limitation. Use the top-notch free open-source API www.wpvulnerability.net I’m looking for contributors helping me to dev an auto-exploit module.
Fast and stealth WordPress scanner, no api-key, no limitation. Use the top-notch free open-source API www.wpvulnerability.net I'm looking for contributors helping me to dev an auto-exploit mod…
GitHubmoloch54

7- Web-Hunter

Web-Hunter is a free advanced Web Application Penetration testing tool & WordPress name finder and brute forcer Termux & Kali Linux.

Features

  • DNS Lookup, Reverse IP Lookup, Zone Transfer, Subnet Http Headers, Port And Host Scanner
  • Whois Lookup
  • Find Subdomain
  • Extract Link
  • Geo IP Lookup
  • Admin Panel Finder
  • Admin Scanner
  • No Redirect
  • TCP Port Scan
  • Advanced Dork Finder
  • SQLi/XSS/LFI Payload & Dork
  • WordPress Username Finder
  • WordPress Brute Force
GitHub - darkhunter141/Web-Hunter: Advanced Web Application Penetration testing tool & Wordpress name finder and brute forcer Termux🔥
Advanced Web Application Penetration testing tool & Wordpress name finder and brute forcer Termux🔥 - GitHub - darkhunter141/Web-Hunter: Advanced Web Application Penetration testing tool & W…
GitHubdarkhunter141

8- WordPress Scanner

WordPress Scanner is a PHP tool that assesses vulnerabilities and audits security misconfigurations in WordPress installations. It performs "black box" scanning for WordPress web applications, focusing on common security misconfigurations and analyzing the HTML source of downloaded pages.

GitHub - Wphackedhelp/Wordpress-scanner: Wordpress Scanner https://secure.wphackedhelp.com/
Wordpress Scanner https://secure.wphackedhelp.com/ - GitHub - Wphackedhelp/Wordpress-scanner: Wordpress Scanner https://secure.wphackedhelp.com/
GitHubWphackedhelp

9- RPCSCAN

RPCSCAN by RC is a Python tool that automates the process of finding the xmlrpc.php file on all subdomains of your targets. It also identifies vulnerable methods and searches for reports on platforms like HackerOne and Medium writeups.

GitHub - HACKE-RC/RPCScan: RPCSCAN by RC - A python tool to automate all the efforts that you put on finding the xmlrpc.php file on all of your target’s subdomains and then finding the vulnerable methods and then finding the reports on hackerone and medium writeups.
RPCSCAN by RC - A python tool to automate all the efforts that you put on finding the xmlrpc.php file on all of your target's subdomains and then finding the vulnerable methods and then finding…
GitHubHACKE-RC

10- WordPress Core Integrity Checker

WordPress Core Integrity Checker is a plugin to scan WordPress core directories to check the files' integrity.

GitHub - mohsinadeel/wp-core-integrity: A plugin to scan WordPress core directories to check the files integrity
A plugin to scan WordPress core directories to check the files integrity - GitHub - mohsinadeel/wp-core-integrity: A plugin to scan WordPress core directories to check the files integrity
GitHubmohsinadeel

11- swit-scanner

swit-scanner is a very Powerful and Easy Automated Web Penetration Testing Tool
Swit Scanner. It uses whois, whatweb, subfinder, wafw00f, a2sv, dnsenum, sqlmap, wpscan, goofile, ffuf, photon, hakrawler For Scan.

GitHub - RedSecurity/swit-scanner: Very Powerful and Easy Automated Web Scanner
Very Powerful and Easy Automated Web Scanner. Contribute to RedSecurity/swit-scanner development by creating an account on GitHub.
GitHubRedSecurity

12- WP-Scanner

WP-Scanner is a basic Python3 based WordPress Penetrator Discord Bot.

GitHub - Start-P/WP-Scanner: A basic Python3 based WordPress Penetrator Discord Bot.
A basic Python3 based WordPress Penetrator Discord Bot. - GitHub - Start-P/WP-Scanner: A basic Python3 based WordPress Penetrator Discord Bot.
GitHubStart-P

13- wp-spy

Simple PHP scripts to extract info from WordPress sites and pages

GitHub - gakowalski/wp-spy: Simple PHP scripts to extract info from Wordpress sites and pages
Simple PHP scripts to extract info from Wordpress sites and pages - GitHub - gakowalski/wp-spy: Simple PHP scripts to extract info from Wordpress sites and pages
GitHubgakowalski

14- vMass

vMass Bot is an automated tool that exploits remote hosts by searching for environment files (.env) and extracting tools and information. It can also detect the target host's CMS and attempt to exploit it using the vMass vulnerability set, which includes 108 exploits in the current version.

The bot can generate host lists from IP ranges, URLs, and dotenv low profile dorks, and it can eliminate invalid or dead hosts. Extracted tools can be filtered and tested, and working ones can be delivered to a Telegram channel. The entire process, from generating hosts to delivering results, can be automated using the AUTOPILOT option.

GitHub - azizz98/vMass: vMass Bot Vulnerability Scanner & Auto Exploiter Tool Written in Perl.
vMass Bot :hook: Vulnerability Scanner & Auto Exploiter Tool Written in Perl. - GitHub - azizz98/vMass: vMass Bot Vulnerability Scanner & Auto Exploiter Tool Written in Perl.
GitHubazizz98

15- WP Flak

WP Flak is a free and open-source WordPress security scanner and exploiter.

Its features include:

  • Version Finder
  • Themes / Plugins Infomations
  • Users Extraction (Various Methods)
  • Auto Users Weak Passwords Checker
  • Exploit Finder
  • Exploiter
GitHub - gottburgm/wpFlak: WP Flak (Fliegerabwehrkanone) - Wordpress Security Scanner/Exploiter
WP Flak (Fliegerabwehrkanone) - Wordpress Security Scanner/Exploiter - GitHub - gottburgm/wpFlak: WP Flak (Fliegerabwehrkanone) - Wordpress Security Scanner/Exploiter
GitHubgottburgm

16- WPFinder

This tool helps us to finding admin users and Checking XmlRPC Features (Pingback etc.) on WordPress sites.

GitHub - invelsec/WPFinder: Simple Wordpress Enumeration Tool.
Simple Wordpress Enumeration Tool. Contribute to invelsec/WPFinder development by creating an account on GitHub.
GitHubinvelsec

17- Wordpresscan

Wordpresscan is a simple WordPress scanner written in python based on the work of WPScan (Ruby version), some features are inspired by WPSeku.

GitHub - swisskyrepo/Wordpresscan: WPScan rewritten in Python + some WPSeku ideas
WPScan rewritten in Python + some WPSeku ideas. Contribute to swisskyrepo/Wordpresscan development by creating an account on GitHub.
GitHubswisskyrepo

18- XAttacker Tool

You can use this tool on your website to check the security of your website by finding the vulnerability in your website or you can use this tool to Get Shells | Sends | Deface | cPanels | Databases

GitHub - R3K1NG/XAttacker: X Attacker Tool ☣ Website Vulnerability Scanner & Auto Exploiter
X Attacker Tool ☣ Website Vulnerability Scanner & Auto Exploiter - GitHub - R3K1NG/XAttacker: X Attacker Tool ☣ Website Vulnerability Scanner & Auto Exploiter
GitHubR3K1NG

19- Bane

This python library is made for educational purposes only. Me, as the creator and developer, not responsible for any misuse for this module in any malicious activity. It is made as a tool to understand how hackers can create their tools and perform their attacks. It contains most of known attacks and exploits.

It can be used to perform: DoS and DDoS attacks (all known tools are included), information gathering, scrapping proxies, crawling, google dorking, checking for vulnerabilities (sql injection (all types), xss, command execution, php code injection, FI, forced browsing

GitHub - AlaBouali/bane: this is a python module that contains functions and classes which are used to test the security of web/network applications. it’s coded on pure python and it’s a very intelligent tool ! It can easily detect: XSS (reflected/stored), RCE (Remote Code/Command Execution), SSTI, SSRF, CORS Misconfigurations, File Upload, CSRF, Path Traversal... and more
this is a python module that contains functions and classes which are used to test the security of web/network applications. it's coded on pure python and it's a very intelligent tool ! It…
GitHubAlaBouali


17 Free Open-Source Flat-File CMS in PHP (Laravel, Symphony, and Pure PHP)

What is a Flat-file CMS? Flat-file content management systems (CMSs) expertly address the issue of eliminating the need for a database to store content and configuration. Relying exclusively on flat-files instead of a database, they robustly safeguard against SQL-injection. Moreover, they optimally utilize server resources, far more efficiently than their


20 Best Free PHP-based CMS Alternatives to WordPress for 2024

WordPress dominated the content publishing for years now, but because of many security concerns, many may decide to migrate to other CMS or choose a similar alternative for their customers or for their next projects. WordPress site admins are required always to backup their data, files, database and secure their


Streamlined Web Creation: 22 Free Visual Low-Code Platforms for Responsive Landing Pages with Drag-and-drop Support

A webpage builder is a tool that facilitates the process of creating websites. It eliminates the need for understanding coding languages, making website creation accessible to a wider range of people. Low-code visual Builders A no-code visual page builder is a tool that allows users to create and design websites


PyroCMS is a Free and Professional CMS built with Laravel.

PyroCMS is a highly popular and widely used open-source content management system (CMS) that has been built using the powerful and versatile PHP programming language. It offers an incredibly user-friendly interface that makes it easy for even non-technical users to create, edit, and manage websites effortlessly. With its extensive range


Running WordPress CMS With Docker and Docker Compose

Running WordPress using Docker Compose is a convenient way to set up and manage your WordPress development environment. By using Docker Compose, you can easily configure and deploy WordPress along with its dependencies in a consistent and reproducible manner. To run WordPress as Docker Compose, follow these steps: 1. Install


LMS WordPress: Expectations vs. Reality

In our fast-paced world, online learning has become a part of mainstream education. With the increasing reliance on technology for educational purposes, Learning Management Systems (LMS) have gained popularity. Among the LMS platforms, LMS WordPress has emerged as a top choice for educators and institutions. As the name suggests, LMS


41 Open-source and Free Vulnerability Scanners For Pentesting and Web App Security

Vulnerability scanners are software applications that monitor systems for potential security threats. These tools scan your network and systems for vulnerabilities that could be exploited by hackers. They check for unpatched software, insecure system configurations, and other weaknesses. Vulnerability Scanners for Web Apps Web application vulnerability scanners, specifically, are designed


vMass Bot is a Free Vulnerability Scanner & Auto Exploiter Tool Written in Perl.

vMass Bot is an open-source project that automates the exploitation of remote hosts by searching for environment files (.env) and extracting tools and information. It can generate host lists, filter and test extracted tools, and use WordPress hosts for automatic upload. The entire process can be automated using the AUTOPILOT


19 Free and Open-source WordPress Security Vulnerability Scanners and Pentesting Tools

WordPress security is crucial for maintaining the integrity and safety of your website. By utilizing security vulnerability scanners and pentesting tools, you can proactively identify and address potential vulnerabilities in your WordPress site. Benefits These tools offer several benefits and advantages, including: * Identification of Vulnerabilities: Security scanners can scan your


13 Free Open-source WordPress Backup Scripts, Tools, and Plugins

WordPress is a popular content management system (CMS) that allows users to create and manage websites. It provides a user-friendly interface and a wide range of customizable themes and plugins, making it accessible to both beginners and experienced users. Why is WordPress Popular? WordPress gained popularity due to its ease


Read more


Articles

Tutorials Development Productivity Marketing

Systems

Cross-platform macOS Windows Linux Android RaspberryPi

Development

Frameworks JavaScript Flutter Next.js Straters

Apps

Docker Self-hosted Terminal Java

Science - Healthcare

Healthcare Medical Records Radiology (DICOM-PACS)


Open-source Apps

9,500+

Medical Apps

500+

Lists

450+

Dev. Resources

900+