
WordPress Security Scanner

A focused, read-only WordPress assessment: detects WordPress and its core version, finds exposed wp-config backups, debug.log and directory listings, checks REST/author username enumeration and XML-RPC exposure, and fingerprints popular plugins.

Pro feature

WordPress Security Scanner is a Pro tool

Specialized scans are part of ONEROXE Pro. Sign in and upgrade to run the WordPress Security Scanner.


Pro from ₹349/mo ($12/mo).

What this assesses

WordPress detection and core-version disclosure
Exposed wp-config backups (.bak/.save/.old) leaking DB credentials
Public debug.log and browsable upload directories
REST API (/wp-json/wp/v2/users) and ?author=N username enumeration
XML-RPC exposure (brute-force / pingback abuse)
Detection of popular plugins and their disclosed versions

How it works

Read-only · GET requests to standard WP paths
  1. We detect WordPress and its core version, then GET well-known paths: wp-json REST, author enumeration, xmlrpc.php, exposed wp-config backups and debug.log, and directory listings.
  2. We fingerprint popular plugins and the versions they disclose.
  3. Every request is a read-only GET — we never attempt logins, brute force or any state-changing action.

What it doesn’t do: Plugin/theme CVE matching needs a dedicated WordPress vuln feed; cross-check disclosed versions manually.

Why it matters

WordPress powers a huge share of the web, and most breaches come from the basics — an exposed config backup, enumerable usernames, XML-RPC brute-force, or an outdated plugin. This catches those quickly, read-only, before an attacker does.

Frequently asked questions

Is this scan intrusive?

No — it only sends read-only GET requests to standard WordPress paths. It does not attempt logins, exploitation or any state-changing action.

Does it check plugins for known CVEs?

It detects popular plugins and their disclosed versions. Matching those to specific CVEs needs a dedicated WordPress vulnerability feed — cross-check the reported versions against current advisories and keep everything updated.

It says my version is disclosed — is that bad?

On its own it is low-severity, but it lets attackers match your exact version to known vulnerabilities. Keep core updated and suppress the version output (generator meta and readme.html).
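Added example, not part of ONEROXE's tooling: a must-use plugin that closes the WordPress-level findings this scan reports (version disclosure, REST and ?author=N username enumeration, XML-RPC brute force and pingback abuse). Exposed wp-config backups, debug.log and directory listings are static files and need web-server rules instead; the hooks below are standard WordPress APIs, and the early priority on the author redirect is an assumption about running ahead of WordPress's own canonical redirect.

```php
<?php
/**
 * Plugin Name: WP exposure hardening (added example)
 * Place in wp-content/mu-plugins/ so it loads without activation.
 */

// 1. Version disclosure: drop the generator meta tag from <head> and feeds.
//    readme.html is a static file; remove it or block it at the web server.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. REST username enumeration: hide /wp/v2/users from anonymous callers.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. ?author=N enumeration: WordPress normally 301s /?author=1 to
//    /author/<login>/, which reveals the login name. Priority 1 (assumed)
//    runs before redirect_canonical and sends anonymous numeric author
//    requests to the home page instead.
add_action( 'template_redirect', function () {
    if ( ! is_user_logged_in() && is_author()
        && isset( $_GET['author'] ) && ctype_digit( (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 4. XML-RPC: refuse authenticated methods (stops credential brute force)
//    and drop pingback.ping, which needs no authentication and is the
//    method pingback amplification abuses. If nothing on the site needs
//    xmlrpc.php at all, denying it at the web server is simpler still.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
```

After deploying, re-run the read-only checks described above against your own site to confirm the user listing, author redirect and XML-RPC methods no longer respond as before.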
