WordPress Scan

WordPress scans run a 1-page audit of a WordPress site for version, themes, plugins, and known vulnerabilities. Requires administrative credentials (Application Password). Use it to inventory components and identify security issues.

The WordPress scan is a 1-page audit that connects to a WordPress site via its REST API and retrieves the installed version, active and inactive themes, and all plugins. It then checks core, themes, and plugins against the free WPVulnerability database to report known security issues. You get a clear inventory suitable for audits, migrations, and security reviews.

This scan requires administrative credentials. WordPress recommends using an Application Password (Users → Profile → Application Passwords) rather than your main account password. Configure credentials in project settings or enter them when starting the scan.

If the site is not WordPress, or the REST API is disabled or blocked, the scan will fail with a clear error message.
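An added example, not the scanner's own code, of the inventory step described above: it builds the HTTP Basic header an Application Password is sent with, turns responses from the plugins and themes endpoints under /wp-json/wp/v2/ into inventory rows, and distinguishes rejected credentials from a missing or blocked REST API. The component names, sample responses and the advisory shape (slug mapped to first fixed version) are constructed for illustration and are not WPVulnerability's real schema.

```python
import base64
import json

class ScanError(Exception):
    """Target could not be inventoried."""

def auth_header(user, app_password):
    # An Application Password is sent as ordinary HTTP Basic credentials.
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def parse_components(kind, status, content_type, body):
    """Turn one /wp-json/wp/v2/plugins or /themes response into inventory rows."""
    if status in (401, 403):
        raise ScanError("credentials rejected or not administrative")
    if status != 200 or "application/json" not in content_type:
        raise ScanError("not WordPress, or REST API disabled or blocked")
    rows = []
    for item in json.loads(body):
        name = item["name"]
        if kind == "plugin":
            slug = item["plugin"].split("/")[0]  # "dir/file" -> "dir"
        else:
            slug = item["stylesheet"]
            name = name["rendered"] if isinstance(name, dict) else name
        rows.append({"kind": kind, "slug": slug, "name": name,
                     "version": item["version"], "status": item["status"]})
    return rows

def older_than(installed, fixed_in):
    # Compare dotted versions numerically, padding so "2.4" equals "2.4.0".
    def key(v):
        return [int(p) if p.isdigit() else 0 for p in v.split(".")]
    a, b = key(installed), key(fixed_in)
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

def flag_vulnerable(rows, advisories):
    """advisories maps slug -> first fixed version (hypothetical shape)."""
    return [r for r in rows if r["slug"] in advisories
            and older_than(r["version"], advisories[r["slug"]])]

# Constructed sample data: not from a real site or from WPVulnerability.
PLUGINS = json.dumps([
    {"plugin": "example-forms/example-forms", "name": "Example Forms", "version": "2.4", "status": "active"},
    {"plugin": "example-cache/cache", "name": "Example Cache", "version": "1.9.0", "status": "inactive"}])
THEMES = json.dumps([
    {"stylesheet": "example-theme", "name": {"rendered": "Example Theme"}, "version": "1.0", "status": "active"}])
ADVISORIES = {"example-forms": "2.4.1", "example-cache": "1.9"}
```

Inactive plugins are kept in the inventory on purpose: their code is still on disk, so they belong in the vulnerability check.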

What This Scan Does & Why It Matters

  • Single-URL audit of WordPress version, themes, and plugins.
  • Free vulnerability check against WPVulnerability (core, themes, plugins).
  • Requires administrative credentials (Application Password recommended).
  • Uses the WordPress REST API (/wp-json/wp/v2/).
  • Useful for audits, migrations, and identifying outdated or vulnerable components.
