Free WordPress Scanner
Scan any WordPress site for security issues
Enter a URL to detect whether a site runs WordPress, identify its version, check for exposed endpoints like xmlrpc.php and the REST API, detect visible plugins and themes, and test for user enumeration — all without authentication.
How it works
How WordPress Scanner works
Enter a URL
Paste any website URL. The scanner first checks whether the site is running WordPress before proceeding with security checks.
Fingerprint WordPress installation
We detect the WordPress version from meta tags and source code, enumerate exposed endpoints (REST API, xmlrpc.php, wp-login), and extract visible plugin and theme paths from the HTML.
Get a vulnerability assessment
Each finding is analyzed for security risk. You get specific remediation steps for exposed endpoints, outdated versions, and configuration weaknesses.
Features
What WordPress Scanner checks
Detect WordPress version
Extracts the WordPress version from the meta generator tag and source code. Outdated versions have known CVEs that attackers actively exploit with automated tools.
Check xmlrpc.php exposure
Tests whether xmlrpc.php is accessible, which enables brute-force password attacks, pingback DDoS amplification, and username enumeration. Most modern sites should disable it.
Test REST API user enumeration
Checks if /wp-json/wp/v2/users is publicly accessible, which exposes usernames that attackers use for targeted brute-force attacks against wp-login.php.
Enumerate plugins and themes
Detects plugin and theme slugs from wp-content paths in the page source. Known vulnerable plugins are the most common WordPress attack vector — responsible for over 90% of WordPress compromises.
Check wp-login.php accessibility
Verifies whether the WordPress login page is publicly accessible without IP restrictions or additional authentication, which exposes the site to brute-force attacks.
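Remediation for the xmlrpc.php and REST API user enumeration findings above, as an added example that is neither the scanner's code nor part of WordPress core: a must-use plugin (assumed to be saved as a single file under wp-content/mu-plugins/) that turns off XML-RPC and hides the users endpoint from unauthenticated requests using WordPress's xmlrpc_enabled, wp_headers and rest_endpoints filters.

```php
<?php
/**
 * Plugin Name: Harden exposed endpoints (added example, not WordPress core)
 * Description: Disables XML-RPC and hides /wp/v2/users from anonymous visitors.
 */

// Refuse all XML-RPC method calls. This closes the pingback amplification and
// password-guessing surface the scanner reports when xmlrpc.php is reachable.
add_filter('xmlrpc_enabled', '__return_false');

// Stop advertising the endpoint: WordPress adds an X-Pingback header to
// singular pages; drop it so the scanner no longer sees it in responses.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Remove every /wp/v2/users route (the collection, /users/<id> and /users/me)
// for requests that carry no authenticated session, so an anonymous
// GET /wp-json/wp/v2/users returns a 404 instead of a list of usernames.
// Logged-in editors (who send a REST nonce) still get the routes, so the
// block editor's author picker keeps working.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});
```

After deploying, re-run the scanner against the site: the xmlrpc.php and /wp-json/wp/v2/users findings should no longer appear, while wp-login.php still needs separate controls (IP restriction, MFA, or rate limiting).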
Use cases
Who should use the free WordPress Scanner
WordPress Site Owners
Check your own site for common misconfigurations before attackers find them. Verify that xmlrpc.php is disabled, the REST API is restricted, and your version is current.
Security Professionals
Quickly fingerprint a WordPress target during a penetration test. Identify the version, exposed endpoints, and installed plugins to prioritize further testing.
Web Agencies
Audit client WordPress sites for security issues during onboarding or maintenance. Generate evidence of misconfigurations that need remediation.
Go beyond WordPress Scanner
This free WordPress Scanner checks a handful of things. Maced's AI pentest checks thousands.
Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.
Proof of exploit on every finding · SOC 2 & ISO 27001 compatible