WPScan — WordPress Security Scanner


The WPScan WordPress Security Scanner plugin scans your system on a daily basis to find security vulnerabilities listed in the WPScan Vulnerability Database. It shows an icon on the Admin Toolbar with the total number of security vulnerabilities found.

The WPScan Vulnerability Database is a WordPress vulnerability database, which includes WordPress core vulnerabilities, plugin vulnerabilities and theme vulnerabilities. The database is maintained by the WPScan Team, who are 100% focused on WordPress security.

To use the WPScan WordPress Security Plugin you will need to use a free API token by registering here.

What does this plugin do?

  • Scans the WordPress core, plugins and themes for known security vulnerabilities;
  • Shows an icon on the Admin Toolbar with the total number of vulnerabilities found;
  • Notifies you by mail when new security vulnerabilities are found.

Further reading


  • Vulnerability list and Admin Toolbar icon.
  • Notification settings.
  • Site Health page.

Installation

  1. Upload the contents of wpscan.zip to the /wp-content/plugins/ directory
  2. Activate the plugin through the 'Plugins' menu in WordPress
  3. Register to obtain a free API token
  4. Save the API token on the WPScan settings page or in the wp-config.php file

Frequently Asked Questions

  • How can I configure the API token in the wp-config.php file?

    To configure your API token in the wp-config.php file, add the following PHP code before the line that loads wp-settings.php, replacing your_api_token with the token itself (the single quotes make the value a literal string, so a leading $ is not expanded): define( 'WPSCAN_API_TOKEN', 'your_api_token' );

  • How many API calls are made?

    There is one API call made for the WordPress version, one call for each installed plugin and one for each theme. By default there is one scan per day. The number of daily scans can be configured when configuring notifications.

  • Why are the "Summary" section and the "Check Now" button not showing?

    The cron job did not run, which can be due to:

    • The DISABLE_WP_CRON constant is set to true in the wp-config.php file, but no system cron has been set up (crontab -e).
    • A page-caching plugin is enabled (see https://wordpress.stackexchange.com/questions/93570/wp-cron-doesnt-execute-when-time-elapses?answertab=active#tab-top).
    • The blog is unable to make a loopback request; see Tools -> Site Health for details.
      If the issue cannot be solved with the above, putting define( 'ALTERNATE_WP_CRON', true ); in the wp-config.php
      file could help; however, it will reduce the SEO of the blog.
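The two settings discussed in this FAQ, the API token constant and the cron fallback, together in one wp-config.php fragment. This is an added example, not code from the plugin or its documentation; the environment variable name WPSCAN_API_TOKEN, the install path and the site URL are assumptions of the example.

```php
<?php
// Added example (not the plugin's own code): wp-config.php fragment that
// applies the two settings discussed in the FAQ. Both define() calls must
// appear before the line that loads wp-settings.php.

// 1. Supply the WPScan API token through the WPSCAN_API_TOKEN constant.
//    Reading it from an environment variable (the variable name
//    WPSCAN_API_TOKEN is an assumption of this example) keeps the secret
//    out of a file that is frequently committed to version control or
//    included in backups. If the variable is absent, the plugin falls back
//    to the token saved on its settings page.
$wpscan_token = getenv( 'WPSCAN_API_TOKEN' );
if ( false !== $wpscan_token && '' !== trim( $wpscan_token ) ) {
    define( 'WPSCAN_API_TOKEN', trim( $wpscan_token ) );
}

// 2. Disable the page-load-triggered WP-Cron and run it from a system cron
//    instead, so the daily scan no longer depends on visitor traffic, a
//    page-caching plugin or a working loopback request.
define( 'DISABLE_WP_CRON', true );

// Matching system cron entry (add with `crontab -e`; runs every 5 minutes;
// the path is a placeholder):
//
//   */5 * * * * cd /var/www/example.com && wp cron event run --due-now >/dev/null 2>&1
//
// Without WP-CLI, requesting wp-cron.php directly has the same effect
// (the URL is a placeholder):
//
//   */5 * * * * curl -s https://example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1

// Only fall back to ALTERNATE_WP_CRON when a system cron is not available;
// as the FAQ notes, it reduces the SEO of the blog.
// define( 'ALTERNATE_WP_CRON', true );
```

With a system cron in place, the "Summary" section and "Check Now" button depend only on the cron entry firing, which is also easier to monitor than the implicit visitor-driven scheduler.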


WPScan makes all the other security plugins I needed obsolete! Lightweight and regular updates, I expected to pay for but they are included! Super easy to use! Security in seconds!
WPScan is a great plugin, easy to use and works very well! Fantastic team behind it!
See all 13 reviews

Contributors & Developers

"WPScan — WordPress Security Scanner" is an open source project. The following people have contributed to the development of the plugin:


"WPScan — WordPress Security Scanner" has been translated into 5 languages. Thank you to the translators for their contributions.

Translate "WPScan — WordPress Security Scanner" into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog


  • Add scanning interval option to settings page
  • Some other small improvements


  • Show severity ratings for Enterprise users
  • Show Plugin Closed label
  • Add PDF report download
  • Add account status meta box
  • Add support for API token constant in wp-config.php file
  • Show vulnerabilities in Site Health
  • Update menu icon to monochrome


  • Updated text and messages to reduce confusion
  • Removed WPScan_JWT class as no longer required


  • Use the new slug helper method on all items on the page


  • Better slug detection before calling the API


  • Prevent multiple tasks to run simultaneously
  • Check Now Button disabled and Spinner icon displayed when a task is already running
  • Results page automatically reloaded when Task is finished (checked every 10s)


  • Use the /status API endpoint to determine if the Token is valid. As a result, a call is no longer consumed when setting/changing the API token.
  • Trim and remove a potential leading 'v' in versions when comparing them with the fixed_in values.
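The normalisation this changelog entry describes matters because PHP's version_compare() treats an unrecognised token such as a leading "v" as lower than any number, so an un-normalised "v1.2.3" compares as older than "1.2.3" and would be reported as still vulnerable. The following is an added illustration of that pitfall and the fix, not the plugin's own code; the function names are hypothetical and the sample version pairs are constructed.

```php
<?php
// Added example (not the plugin's own code): normalise version strings
// before comparing an installed version against a fixed_in value.
// Installed versions reported by WordPress may carry whitespace or a
// leading "v" ("v1.2.3"), while fixed_in values are plain ("1.2.3").

/**
 * Trim whitespace and strip one leading "v" or "V" from a version string.
 * Function name is hypothetical.
 */
function wpscan_example_normalize_version( string $version ): string {
    $version = trim( $version );
    if ( '' !== $version && ( 'v' === $version[0] || 'V' === $version[0] ) ) {
        $version = substr( $version, 1 );
    }
    return $version;
}

/**
 * True when $installed is older than $fixed_in, i.e. still affected.
 * In this example an empty or missing fixed_in (no fix published) is
 * treated as vulnerable; that is the example's choice, not the plugin's.
 */
function wpscan_example_is_vulnerable( string $installed, ?string $fixed_in ): bool {
    if ( null === $fixed_in || '' === trim( $fixed_in ) ) {
        return true;
    }
    return version_compare(
        wpscan_example_normalize_version( $installed ),
        wpscan_example_normalize_version( $fixed_in ),
        '<'
    );
}

// Constructed sample pairs of [installed, fixed_in].
$checks = [
    [ 'v1.2.3', '1.2.3' ],  // fixed: equal after normalisation
    [ ' 1.2.2 ', '1.2.3' ], // vulnerable: older than fixed_in
    [ '1.3.0', 'v1.2.3' ],  // fixed: "v" on the fixed_in side
    [ '2.0.1', null ],      // no fix known: treated as vulnerable here
];
foreach ( $checks as [ $installed, $fixed_in ] ) {
    printf(
        "%-8s vs fixed_in %-7s => %s\n",
        $installed,
        $fixed_in ?? '(none)',
        wpscan_example_is_vulnerable( $installed, $fixed_in ) ? 'VULNERABLE' : 'fixed'
    );
}

// For comparison, the un-normalised call shows the false positive:
// version_compare( 'v1.2.3', '1.2.3', '<' ) returns true.
```

The same normalisation should be applied to both sides of the comparison; stripping the prefix only from the installed version leaves the inverse error in place when a database value carries it.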


  • Add a notice about paid licenses


  • Warn when the API limit has been reached


  • Initial release.