WordPress security tools

Supporting image for WordPress security tooling and tips


WordPress is a powerful framework and Content Management System (CMS). It powers some of the biggest websites and is a beloved platform for bloggers. With this popularity, WordPress has seen also some negative attention when it comes to security. Now that automatic updates reduce the risks in the core, there is still some room for improvement left. The WordPress security tools in this category help to perform a scan and do an assessment.

This tool category contains several types of scanners, each targetting different security areas. As usual, most of these tools have their own strengths and weaknesses. Therefore it is suggested to combine a few tools when scanning a website or WordPress instance. By creating your own preferred toolkit, you can better assess how well a WordPress installation is secured.


WordPress security tools are typically used for application security.

Users for these tools include developers, pentesters, security professionals, system administrators.


Popular WordPress security tools

Vane (WordPress vulnerability scanner)

application security, web application analysis

Vane is a forked project of the now non-free popular WordPress vulnerability scanner WPScan.

WPScan (WordPress vulnerability scanner)

penetration testing, security assessment, vulnerability scanning

WPScan can scan WordPress installations and determine if there are vulnerabilities in a particular installation.

WPSploit (scanner for WP themes and plugins)

code analysis

WPSploit helps developers and penetration testers to perform a code audit of WordPress themes and plugins. The tool runs a static code analysis on the systems itself for possible security flaws.

WordPress Exploit Framework (WordPress exploiting toolkit)

penetration testing, security assessment, vulnerability scanning, web application analysis

The WordPress Exploit Framework (WPXF) provides a set of tools to assess and exploit WordPress installations. It can be used for pentesting and red teaming assignments. The tool is less friendly for beginners, but more experienced pentesters will find no difficulty in using it.

Wordpresscan (WordPress vulnerability scanner)

application security, penetration testing, web application analysis

Tools like WordPresscan are useful to perform vulnerability scans on the popular WordPress platform. It can be used during development and on existing installations.

Wordstress (white-box scanner for WordPress installations)

application security, vulnerability scanning, web application analysis

WordPress is a popular choice among content management systems (CMS). Powering many websites and blogs, it is also a popular target. So regular updates and security testing can help to reduce the risk. WordStress can help with this testing.

droopescan (CMS vulnerability scanner)

web application analysis

Droopescan can be used to test the security of several Content Management Systems (CMS). It mainly focuses on Drupal, SilverStripe, and Wordpress installations.

wp_enum (user enumeration)

penetration testing, security assessment, vulnerability scanning

This utility scans for the available identities on a WordPress installation.

Missing a favorite tool in this list? Share a tool suggestion and we will review it.

Related topics

Looking for more specific topics within this tool group? Have a look at the following relevant topics.