The most thoroughly-sourced WordPress security scanner
Open-source. 189 checks. Runs locally. Pulls vulnerability data from 8 free sources every night (NVD, GHSA, Mitre, OSV, Wordfence, WPVulnerability, CIRCL, Patchstack). Federated threat intel from CISA KEV, EPSS, Exploit-DB, Metasploit, MITRE ATT&CK, STIX, MISP, OpenCTI, OTX, GreyNoise. Every release is SLSA L3 build-provenance-attested and Sigstore-signed.
$ wpsecscan scan https://yoursite.com
[01/189] waf ok (Cloudflare detected)
[02/189] core_version warn (6.4.2 → 6.5.5 available)
[03/189] plugins ok (24 enumerated)
[04/189] tls_headers fail (HSTS missing)
[05/189] csp warn (unsafe-inline in style-src)
…
[189/189] forensics_timeline ok
┌─ Summary ────────────────────────────────────────┐
│ Critical: 0 High: 2 Medium: 5 Low: 12
│ Risk score: 42/100 Grade: B
│ Scanned in 1m 47s · Report: report.html
└──────────────────────────────────────────────────┘
What makes WPSecScan different
Free WordPress scanners are usually one of: a hosted SaaS (your data leaves your network), a single-source CVE checker (gaps when the source is down), or an abandonware project (last updated 2019). WPSecScan is none of those.
Runs locally, your data stays local
A single .exe (or pip install). No SaaS. Optional analytics is opt-in, local-first, and the per-event field allowlist prevents accidental PII leaks.
8 CVE sources, merged nightly
NVD + GHSA + Mitre + OSV + Wordfence + WPVulnerability + CIRCL + Patchstack — all free, all deduped. Wordfence's free v2 API was sunset; we cover the gap.
SLSA L3 + Sigstore signed
Every release ships with SHA256SUMS, Sigstore keyless signatures (.sig + .pem), SLSA build-provenance, and a CycloneDX SBOM. Verify in one command.
189 checks across 18 categories
Auth, transport, file exposure, injection, SSRF/RCE, GraphQL/APIs, modern Web3/NFT/payment, DNS+email+infra, plugins/themes, WCAG AAA, forensics. Every check is tagged with OWASP/ATT&CK/CWE/D3FEND for compliance reporting.
10-provider threat-intel federation
CISA KEV · EPSS · Exploit-DB · Metasploit · MITRE ATT&CK Navigator · STIX 2.1 · MISP · OpenCTI · AlienVault OTX · GreyNoise — with on-disk TTL cache so you're not hammering provider APIs.
Active exploit verification (consent-gated)
10 PoC verifiers behind a strict consent gate: WPSECSCAN_OWNED_TARGETS=1 AND target in your sites list. No accidental drive-by exploit.
Continuous monitoring
10 always-on monitors: Certificate Transparency, DNS change, WHOIS, dark-web mentions, RBL reputation, CISA-KEV match, GeoIP anomaly, honeypot hits, auto-rollback. Daily cron via the included scheduler.
SSO · RBAC · audit log · multi-tenant
OIDC + SAML. Reader/Operator/Admin roles. HMAC-chained audit log with chain verifier. Two-person sign-off for aggressive scans. Per-tenant scan quotas. Stripe metered-billing scaffold.
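To show what an HMAC-chained audit log with a chain verifier buys you, here is an added example (my own illustration, not WPSecScan's implementation; the record layout, key handling and event fields are assumptions): each record's tag covers the previous tag, so any edit, deletion or reordering of earlier records is caught on verification.

```python
import hashlib
import hmac
import json

# Assumed layout (not WPSecScan's code): each record is HMACed together with
# the previous tag, so editing/deleting/reordering breaks every later tag.
GENESIS_TAG = "0" * 64

def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def append_event(log: list, key: bytes, event: dict) -> dict:
    """Append `event` to `log` (a list of records), chained to the last tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = {"seq": len(log), "prev": prev_tag, "event": event}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, tag=tag)
    log.append(record)
    return record

def verify_chain(log: list, key: bytes) -> tuple[bool, str]:
    """Recompute every tag and report the first record that breaks the chain."""
    # Caveat: records dropped from the tail are only caught if the latest tag
    # is also anchored somewhere the log writer cannot modify.
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(log):
        if rec.get("seq") != i:
            return False, f"record {i}: sequence gap (seq={rec.get('seq')})"
        if rec.get("prev") != prev_tag:
            return False, f"record {i}: prev does not match record {i - 1}"
        body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(rec.get("tag", ""))):
            return False, f"record {i}: HMAC mismatch (content altered)"
        prev_tag = rec["tag"]
    return True, f"{len(log)} records intact"

# Constructed sample: a two-person sign-off trail for one aggressive scan.
KEY = b"constructed-demo-key"  # real deployments: a managed, rotated secret
LOG: list = []
for actor, role, action in [("alice", "operator", "scan.requested"),
                            ("bob", "admin", "scan.approved"),
                            ("alice", "operator", "scan.started")]:
    append_event(LOG, KEY, {"actor": actor, "role": role, "action": action})

def tampered_copy(log: list) -> list:
    """Deep copy of `log` with the approver's name rewritten in record 1."""
    bad = json.loads(json.dumps(log))
    bad[1]["event"]["actor"] = "mallory"
    return bad
```

Rewriting the approver in record 1 or deleting it outright both fail verification at record 1, while the untouched trail verifies clean.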
12 report formats · 10 ecosystem integrations
HTML / PDF / SARIF / CycloneDX / SVG badge / Jira-shaped tickets… Plus Burp, ZAP, Nuclei, JIRA, Splunk, Datadog, Grafana, Prometheus, ServiceNow, Slack/Teams/Discord, Python/JS/Go SDKs, OpenAPI 3.1.
All 189 checks, grouped
Across 11 categories. Every check is tagged with OWASP Top 10, MITRE ATT&CK, CWE, D3FEND, PCI-DSS 4.0, NIST 800-53, and ISO 27001.
Discovery & enumeration
25 checks: waf · core_version · plugins · themes…
Authentication & session
17 checks: login · login_throttle · login_throttle_deep · app_passwords…
Transport & headers
23 checks: tls_headers · csp · cors · cookies…
File & directory exposure
25 checks: exposed_files · directory_listing · debug_leaks · robots_sitemap…
Injection & client-side
18 checks: xss_dom_sinks · xss_reflected · sqli · ssti…
SSRF / RCE / open access
13 checks: ssrf · open_redirect · cloud_metadata_ssrf · dns_rebinding…
GraphQL & APIs
18 checks: wpgraphql · graphql_dos · graphql_field_dos · graphql_field_authz_deep…
DNS, email & infra
14 checks: dns_security · dns_deep · dns_templates · email_security_deep…
WordPress core, plugins & themes
23 checks: core_cves · plugin_cves · theme_cves · gutenberg_blocks…
Privacy, compliance & accessibility
12 checks: gdpr_dsr · privacy_inventory · payment_commerce_deep · compliance_frameworks…
Other
2 checks: js_libraries · js_supply_chain…
Don't trust us. Verify.
Every release ships with cryptographic proof of who built it, on what infrastructure, from what source. Three layers — pick how paranoid you want to be.
Layer 1 — SHA256
Byte-for-byte integrity.
sha256sum -c SHA256SUMS.txt
Layer 2 — Sigstore
Keyless signature, proves provenance.
cosign verify-blob wpsecscan.exe \
  --signature wpsecscan.exe.sig \
  --certificate wpsecscan.exe.pem \
  --certificate-identity-regexp 'github.com/bryanflowers/wpsecscan' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
Layer 3 — SLSA L3
Reproducible build attestation.
slsa-verifier verify-artifact wpsecscan.exe \
  --provenance-path wpsecscan.exe.intoto.jsonl \
  --source-uri github.com/bryanflowers/wpsecscan \
  --source-tag v2.3.0
→ Full guide: verify a release.
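As an added illustration of what Layer 3 actually checks (my own code, not slsa-verifier's or the project's), the block below inspects a constructed .intoto.jsonl envelope: it confirms the artifact digest is a listed subject, that the build came from the expected repository and tag, and that the builder is the trusted SLSA generator. The SLSA v1 field paths and the sample envelope are assumptions; the DSSE signature check that makes those fields trustworthy is deliberately left to slsa-verifier/cosign.

```python
import base64
import hashlib
import json

TRUSTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"
# Constructed sample (not a real release): one DSSE envelope line as found in
# a .intoto.jsonl file, wrapping a SLSA v1 statement (field paths assumed).
ARTIFACT = b"constructed stand-in for the wpsecscan.exe bytes"
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "wpsecscan.exe",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"externalParameters": {"workflow": {
            "repository": "https://github.com/bryanflowers/wpsecscan",
            "ref": "refs/tags/v2.3.0"}}},
        "runDetails": {"builder": {"id": TRUSTED_BUILDER_PREFIX
            + ".github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0"}},
    },
}
ENVELOPE_LINE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
})

def check_provenance(envelope_line: str, artifact: bytes,
                     source_uri: str, source_tag: str) -> list[str]:
    """Return failed claims (empty list = all matched). Claim checks only:
    the DSSE signature over `payload` must be verified first (slsa-verifier /
    cosign do that), or every field below is attacker-chosen."""
    env = json.loads(envelope_line)
    stmt = json.loads(base64.b64decode(env["payload"]))
    pred = stmt.get("predicate", {})
    problems = []
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in stmt.get("subject", [])):
        problems.append("artifact digest not listed as a subject")
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != "https://" + source_uri:
        problems.append(f"repository {wf.get('repository')!r} != {source_uri!r}")
    if wf.get("ref") != "refs/tags/" + source_tag:
        problems.append(f"ref {wf.get('ref')!r} != tag {source_tag!r}")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(TRUSTED_BUILDER_PREFIX):
        problems.append(f"untrusted builder {builder!r}")
    return problems
```

A modified binary, a different tag, or a provenance from another repository each show up as a named failed claim rather than a silent pass.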
Always free. AGPLv3. No paid tier.
WPSecScan is funded by the maintainer. There's no SaaS up-sell, no premium plugin, no "enterprise" locked feature. The enterprise mode (SSO/RBAC/audit log) is in the same open-source codebase as everything else. If you find value here, the best thanks is a GitHub star, a feature suggestion, or contributing a check.