
WPScan
Vulnerability scanner software
DevSecOps software
Small
Medium
Large
- Accommodation and food services
- Arts, entertainment, and recreation
- Retail and wholesale
What is WPScan
WPScan is a security scanning tool focused on identifying vulnerabilities and security misconfigurations in WordPress sites, including core, themes, and plugins. It is used by security teams, penetration testers, and developers to assess exposure and validate remediation. The product combines an open-source scanner with a maintained vulnerability database and supports automation via CLI and API for integration into security workflows.
WordPress-specific coverage
WPScan is purpose-built for WordPress and focuses on issues in WordPress core, plugins, and themes. This specialization supports checks that general-purpose scanners may not prioritize, such as WordPress component enumeration and version-specific findings. It fits teams that primarily need WordPress application security visibility rather than broad cloud or container coverage.
Maintained vulnerability intelligence
WPScan ties scan results to a curated vulnerability database for WordPress components. This helps users map detected versions to known CVEs and advisories and prioritize remediation. The database-backed approach is useful for repeatable assessments and for tracking newly disclosed issues affecting installed components.
Automation-friendly interfaces
WPScan provides a command-line interface suitable for scripting and CI usage. It also offers an API (commonly used for vulnerability data lookups) that can support integration into DevSecOps pipelines and internal tooling. These interfaces enable scheduled scans and consistent reporting across environments.
Narrow platform scope
WPScan is focused on WordPress and does not aim to provide broad application, cloud, endpoint, or container security coverage. Organizations looking for a single platform to cover multiple technology stacks will need additional tools. This can increase operational overhead when WordPress is only one part of a larger environment.
Results depend on visibility
Like many remote scanners, WPScan’s findings can be constrained by what a target site exposes (for example, blocked endpoints, WAF rules, or limited version disclosure). This can reduce the completeness of enumeration and vulnerability matching. In some cases, authenticated or internal scanning approaches are required to validate component versions and configurations.
Not a full DevSecOps suite
WPScan supports automation, but it is not an end-to-end DevSecOps platform with integrated policy management, build governance, and multi-stage risk workflows. Teams may need separate systems for ticketing integration, risk acceptance, and cross-repository reporting. This is most noticeable in larger organizations standardizing security controls across many applications.
Plan & Pricing
| Plan | Price | Key features & notes |
|---|---|---|
| Researcher | Free (non-commercial) — capped at 25 API calls/day | CLI tools and API access for non-commercial research; limited to 25 API calls/day; "Start for free" option on official site. |
| CLI Scanner | Free | WPScan CLI scanner is free to use for all (does not require the API). |
| Enterprise | Custom pricing / Get a quote | Custom pricing by number of sites; includes instant email alerts, vulnerability details by ID, webhooks (Slack & HTTP), PoC/description data, CVSS scores, and database export access; requires contacting WPScan/sales for pricing. |
Notes: The WPScan API requires a paid license for commercial use; public commercial pricing is not listed on the site and requires contacting WPScan for a quote. The site also references Jetpack Protect (a free plugin that uses WPScan data) as a small-business option.
Seller details
Automattic Inc.
San Francisco, CA, USA
2005
Private
https://jetpack.com/
https://x.com/automattic
https://www.linkedin.com/company/automattic/