WPScan is a WordPress-specific security scanner used by both developers and professional application security engineers. The WP Engine platform helps keep your site safe, but sometimes plugins and themes themselves may still be vulnerable, which can be fixed by updating them.
WPScan can remotely or even locally scan your WordPress site to detect known potential vulnerabilities within your themes or plugins. Features include:
- Username discovery via username enumeration
- Version enumeration for WordPress core, plugins, and themes
- Vulnerability identification to compare your site with known vulnerable sites
- Plugin and theme enumeration to detect which plugins and themes are installed and activated
- Directory indexing on discovered plugins
- Sensitive information disclosure via exposed log files
- Detection of whether your WordPress site is operating in debug mode, which may leave sensitive logs behind that an attacker can leverage to attack your site
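
The debug-mode item above can also be checked from the inside, by reading your own wp-config.php. The following is an added example, not code from WPScan or WP Engine: it audits the WP_DEBUG, WP_DEBUG_LOG and WP_DEBUG_DISPLAY constants with a regex-based parse (it does not evaluate PHP). The function names and the sample config are constructed for illustration.

```python
import re

_BLOCK = re.compile(r"/\*.*?\*/", re.S)              # /* ... */ comments
_LINE = re.compile(r"^[ \t]*(?://|#).*$", re.M)      # whole-line // or # comments
_DEFINE = re.compile(
    r"(?i:define)\s*\(\s*['\"](WP_DEBUG(?:_LOG|_DISPLAY)?)['\"]\s*,\s*(.+?)\s*\)\s*;")

def _value(raw):
    """Map a PHP literal to bool, or return the unquoted string (e.g. a log path)."""
    low = raw.strip().lower()
    if low in ("true", "1"):
        return True
    if low in ("false", "0"):
        return False
    return raw.strip().strip("'\"")

def parse_debug_constants(config_text):
    """Return {name: value} for WP_DEBUG, WP_DEBUG_LOG and WP_DEBUG_DISPLAY."""
    text = _LINE.sub("", _BLOCK.sub("", config_text))
    found = {}
    for name, raw in _DEFINE.findall(text):
        found.setdefault(name, _value(raw))  # PHP keeps the first define of a constant
    return found

def audit_debug_config(config_text):
    """List the debug-mode exposures implied by a wp-config.php."""
    c = parse_debug_constants(config_text)
    if not c.get("WP_DEBUG", False):
        return []
    findings = ["WP_DEBUG is enabled"]
    if c.get("WP_DEBUG_DISPLAY", True):      # WordPress default when undefined: true
        findings.append("errors are shown in page output")
    log = c.get("WP_DEBUG_LOG", False)
    if log is True:
        findings.append("log written to wp-content/debug.log inside the web root")
    elif log:
        findings.append(f"log written to custom path {log}")
    return findings

# Constructed sample, not taken from a real site.
SAMPLE = """<?php
// define( 'WP_DEBUG', false );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG', false );  /* later redefinition is ignored by PHP */
define( 'WP_DEBUG_LOG', true );
"""

if __name__ == "__main__":
    for finding in audit_debug_config(SAMPLE):
        print("-", finding)
```

An empty result means debug mode is off; on a production site, any finding is a reason to disable WP_DEBUG and remove leftover log files.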