Plecost alternatives

Looking for an alternative tool to replace Plecost? During the review of Plecost we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

  1. WordPress Exploit Framework (WordPress exploiting toolkit)
  2. WPScan (WordPress vulnerability scanner)
  3. p0f (passive fingerprinting tool)

These tools are ranked as the best alternatives to Plecost.

Alternatives (by score)

74

WordPress Exploit Framework (WPXF)

Introduction

WordPress is still one of the most popular frameworks for websites. A variety of open source tools exist to assess the security of this content management system, and its themes and plugins.

Project details

WordPress Exploit Framework is written in Ruby.

Strengths and weaknesses

  • + More than 500 GitHub stars
  • + The source code of this software is available
  • - Has a longer learning curve

Typical usage

  • Penetration testing
  • Security assessment
  • Vulnerability scanning
  • Web application analysis

WordPress Exploit Framework review

78

WPScan

Introduction

WPScan can scan WordPress installations and determine if there are vulnerabilities in a particular installation.

Project details

WPScan is written in Ruby.

Strengths and weaknesses

  • + More than 25 contributors
  • + More than 2000 GitHub stars
  • + The source code of this software is available
  • - Software usage is restricted (e.g. commercially)

Typical usage

  • Penetration testing
  • Security assessment
  • Vulnerability scanning

WPScan review

56

p0f

Introduction

This tool is a great addition to nmap, especially when nmap returns unreliable data or none at all. Because it works passively, it won't be detected and does not influence any connection.

- Version 3 of p0f is a full rewrite
- The idea for p0f dates back to June 10, 2000
- Tool can run in foreground or as a daemon process

Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.

Project details

Strengths and weaknesses

  • + Project is mature (10+ years)
  • + The source code of this software is available
  • + Well-known tool

p0f review

60

wafw00f

Introduction

wafw00f is a security tool to perform fingerprinting on web applications and detect any web application firewall in use.

Project details

wafw00f is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Application fingerprinting
  • Information gathering
  • Penetration testing
  • Reconnaissance
  • Security assessment

wafw00f review

74

WhatWeb

Introduction

WhatWeb can be used stealthily and quickly to determine what technologies are used on a particular website or web application. This process, called fingerprinting, can tell a lot about how it was built and what possible weaknesses it might have. The tool can be used at different levels, from stealthy to very aggressive. The latter is useful in penetration tests or during development.

Project details

WhatWeb is written in Ruby.

Strengths and weaknesses

  • + More than 25 contributors
  • + More than 1000 GitHub stars
  • + The source code of this software is available

Typical usage

  • Reconnaissance
  • Web application analysis

WhatWeb review

85

changeme

Introduction

Supported protocols:

  • HTTP/HTTPS
  • MSSQL
  • MySQL
  • PostgreSQL
  • SSH
  • SSH with key

Project details

changeme is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Password strength testing
  • Security assessment

changeme review

64

Damn Small FI Scanner (DSFS)

Introduction

None

Project details

Damn Small FI Scanner is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Security assessment
  • Vulnerability scanning

Damn Small FI Scanner review

85

exitmap

Introduction

A tool like exitmap might be useful to monitor the reliability and trustworthiness of Tor exit relays. The Tor Project actually uses exitmap to check for false negatives and find malicious exit relays. These are related to the check service page of the project.

Project details

84

ssh_scan

Introduction

This tool is light on its dependencies, as it only uses Ruby and BinData. The scanner is simple to use, as it is limited in the number of parameters and options. There is also the ability to show the results on the screen or export the data to a JSON file. The latter is great if you want to do further processing of the details, or simply store them for later comparison.

Project details

ssh_scan is written in Ruby.

Strengths and weaknesses

  • + More than 10 contributors
  • + Many releases available
  • + The source code of this software is available
  • + Supported by a large company

Typical usage

  • Penetration testing
  • Security assessment
  • System hardening
  • Vulnerability scanning

ssh_scan review

85

SSLyze

Introduction

SSLyze provides a library for scanning services that use SSL/TLS for encrypted communications. It can be used to test their implementation.

Project details

60

tlsenum

Introduction

Tlsenum is a CLI tool to enumerate the TLS protocols and TLS ciphers supported by a server. The tool then lists the output in order of priority. Tlsenum can be used to find the supported protocols and ciphers of a system and determine if it is properly hardened. This information can be useful to system administrators and pentesters doing a security assessment of the system.

Project details

tlsenum is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Information gathering
  • Security assessment
  • System enumeration
  • System hardening

tlsenum review

85

droopescan

Introduction

Droopescan can be used to test the security of several Content Management Systems (CMS). It mainly focuses on Drupal, SilverStripe, and WordPress installations.

Project details

droopescan is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Web application analysis

droopescan review

68

flunym0us

Introduction

Flunym0us is a security scanner for WordPress and Moodle installations. The tool tests the security of the installation by performing enumeration attempts.

Project details

flunym0us is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Vulnerability scanning
  • Web application analysis

flunym0us review

64

Vane

Introduction

Vane is a forked project of the now non-free popular WordPress vulnerability scanner WPScan.

Project details

Vane is written in Ruby.

Strengths and weaknesses

  • + More than 25 contributors
  • + The source code of this software is available

Typical usage

  • Application security
  • Web application analysis

Vane review

60

Wordpresscan

Introduction

Tools like Wordpresscan are useful to perform vulnerability scans on the popular WordPress platform. It can be used during development and on existing installations.

Project details

Wordpresscan is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Application security
  • Penetration testing
  • Web application analysis

Wordpresscan review

60

Wordstress

Introduction

WordPress is a popular choice among content management systems (CMS). Powering many websites and blogs, it is also a popular target. So regular updates and security testing can help to reduce the risk. Wordstress can help with this testing.

Project details

Wordstress is written in Ruby.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Application security
  • Vulnerability scanning
  • Web application analysis

Wordstress review

60

WPForce

Introduction

This toolkit is fairly new and consists of WPForce and Yertle. As the name implies, the first component focuses on brute-force attacks against login credentials. When admin credentials have been found, it is Yertle that allows uploading a shell. Yertle also has post-exploitation modules for further research.

Project details

WPForce is written in Python.

Strengths and weaknesses

  • + The source code of this software is available
  • - Full name of author is unknown

Typical usage

  • Penetration testing
  • Security assessment
  • Vulnerability scanning

WPForce review

52

WPSeku

Introduction

With WPSeku, a WordPress installation can be tested for the presence of security issues. Some examples are cross-site scripting (XSS), SQL injection, and local file inclusion. The tool also tests for the presence of default configuration files. These files may reveal version numbers and the themes and plugins in use.

Project details

WPSeku is written in Python.

Strengths and weaknesses

  • + The source code of this software is available
  • - Unknown project license

Typical usage

  • Penetration testing
  • Security assessment
  • Vulnerability scanning

WPSeku review

64

wpvulndb_cmd

Introduction

wpvulndb_cmd is a command-line security tool to perform a vulnerability scan on WordPress installations. It uses WP-CLI and the WPScan vulnerability database.

Project details

wpvulndb_cmd is written in Python.

Strengths and weaknesses

  • + The source code of this software is available

Typical usage

  • Penetration testing
  • Security assessment
  • Web application analysis

wpvulndb_cmd review

Is a relevant tool missing as an alternative to Plecost? Please contact us with your suggestion.