It is not easy to find a free WordPress security scanner that is both easy to use and actually works. In this guide, I’ll introduce a free tool called WPSeku, which is written in Python and therefore runs on any system with a Python interpreter.

Wikipedia defines a vulnerability scanner as a computer program designed to assess computers, computer systems, networks or applications for known weaknesses.

A vulnerability scanner is used to discover the weak points or poorly constructed parts of a system, e.g. vulnerabilities relating to misconfigured assets or flawed software residing on a network-based asset such as a firewall, router, web server or application server.


WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Install WordPress Vulnerability Scanner – WPSeku

The WPSeku WordPress Security Scanner requires Python 3. If you don’t have it, install it first before you continue. Check whether it is available:

# which python3

Once you have confirmed that python3 is installed, install the WPSeku WordPress Security Scanner from GitHub.

Clone repository:

$ git clone wpseku
Cloning into 'wpseku'...
remote: Counting objects: 310, done.
remote: Compressing objects: 100% (80/80), done.
remote: Total 310 (delta 34), reused 54 (delta 12), pack-reused 216
Receiving objects: 100% (310/310), 880.00 KiB | 528.00 KiB/s, done.
Resolving deltas: 100% (163/163), done.

Change to the wpseku directory.

$ cd wpseku

Install the Python dependencies with pip3. If pip3 is not installed yet, on Ubuntu and Debian you can get it with:

$ sudo apt-get install python3-pip

Then install the requirements listed in the repository:

$ sudo pip3 install -r requirements.txt

Run the script.

$ python3

WordPress Security Scanner – WPSeku usage

Some of the options that can be passed to the script are:

-u --url Target URL (e.g:
-b --brute Bruteforce login via xmlrpc
-U --user Set username for bruteforce, default "admin"
-s --scan Checking WordPress plugin code
-p --proxy Use a proxy, (host:port)
-c --cookie Set HTTP Cookie header value
-a --agent Set HTTP User-agent header value
-r --ragent Use random User-agent header value
-R --redirect Set redirect target URL False
-t --timeout Seconds to wait before timeout connection
-w --wordlist Set wordlist, default "db/wordlist.txt"
-v --verbose Print more information
-h --help Show this help and exit

Let’s look at some examples.

Generic WPSeku Scan

$ python3 --url --verbose

Sample output.

 _ _ _ ___ ___ ___| |_ _ _ 
| | | | . |_ -| -_| '_| | |
|_____|  _|___|___|_,_|___|
      |_|             v0.4.0

WPSeku - Wordpress Security Scanner
by Momo Outaadi (m4ll0k)

[ + ] Target:
[ + ] Starting: 02:38:51

[ + ] Server: Apache
[ + ] Uncommon header "X-Pingback" found, with contents:
[ i ] Checking Full Path Disclosure...
[ + ] Full Path Disclosure: /home/ehc/public_html/wp-includes/rss-functions.php
[ i ] Checking wp-config backup file...
[ + ] wp-config.php available at:
[ i ] Checking common files...
[ + ] robots.txt file was found at:
[ + ] xmlrpc.php file was found at:
[ + ] readme.html file was found at:
[ i ] Checking directory listing...
[ + ] Dir "/wp-admin/css" listing enable at:
[ + ] Dir "/wp-admin/images" listing enable at:
[ + ] Dir "/wp-admin/includes" listing enable at:
[ + ] Dir "/wp-admin/js" listing enable at:
[ + ] WordPress login is protected by WAF
[ i ] Checking robots paths...
[ i ] Checking WordPress version...

[ i ] Passive enumeration themes...
[ + ] Not found themes with passive enumeration
[ i ] Passive enumeration plugins...
[ + ] Not found plugins with passive enumeration
[ i ] Enumerating users...
[ + ] Not found usernames...
| ID | Username | Login |
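Most of the `[ + ]` lines in this output are configuration exposures the site owner can fix. The following script is an added example, not part of WPSeku itself: it parses scanner output in the format shown above into structured findings and attaches a severity and the remediation a WordPress administrator would apply. The sample lines it works on are constructed from the output above with a placeholder host, so it runs offline.

```python
"""Triage helper for WPSeku-style scan output.

Added example, not part of WPSeku itself: it parses the "[ + ]" result lines
the scanner prints (the format shown in the sample output above) into
structured findings and attaches the fix a WordPress administrator would apply.
The sample lines below are constructed from the page's output, with a
placeholder host, so the script runs offline.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in WPSeku's output format (placeholder host).
SAMPLE_OUTPUT = """\
[ + ] Server: Apache
[ + ] Uncommon header "X-Pingback" found, with contents: http://example.invalid/xmlrpc.php
[ i ] Checking Full Path Disclosure...
[ + ] Full Path Disclosure: /home/ehc/public_html/wp-includes/rss-functions.php
[ i ] Checking wp-config backup file...
[ + ] wp-config.php available at: http://example.invalid/wp-config.php.bak
[ i ] Checking common files...
[ + ] readme.html file was found at: http://example.invalid/readme.html
[ + ] xmlrpc.php file was found at: http://example.invalid/xmlrpc.php
[ i ] Checking directory listing...
[ + ] Dir "/wp-admin/css" listing enable at: http://example.invalid/wp-admin/css/
[ + ] Dir "/wp-admin/images" listing enable at: http://example.invalid/wp-admin/images/
[ + ] WordPress login is protected by WAF
[ + ] Not found plugins with passive enumeration
"""

@dataclass
class Finding:
    check: str        # short name of the exposure
    severity: str     # high / medium / low
    detail: str       # the scanner line the finding came from
    remediation: str  # what the site owner should change

# (pattern matched against a "[ + ]" line, check name, severity, remediation).
# Only positive results get a rule; "Not found ..." and status lines fall through.
RULES = [
    (re.compile(r"wp-config\.php available at"), "wp-config backup exposed", "high",
     "Remove backup copies of wp-config.php from the web root; keep backups outside DocumentRoot."),
    (re.compile(r"Full Path Disclosure"), "full path disclosure", "medium",
     "Turn off display_errors in php.ini and set WP_DEBUG to false in wp-config.php."),
    (re.compile(r'Dir "[^"]+" listing enable'), "directory listing", "medium",
     "Disable autoindex: 'Options -Indexes' in .htaccess (Apache) or 'autoindex off' (nginx)."),
    (re.compile(r"xmlrpc\.php file was found"), "xmlrpc.php reachable", "medium",
     "Block /xmlrpc.php at the web server or WAF if XML-RPC is not needed."),
    (re.compile(r'"X-Pingback"'), "X-Pingback header advertised", "low",
     "Disable pingbacks/XML-RPC so the header is no longer sent."),
    (re.compile(r"readme\.html file was found"), "readme.html reachable", "low",
     "Delete readme.html after each core update to avoid version disclosure."),
]

LINE_RE = re.compile(r"^\[ (.) \] (.*)$")

def parse_findings(text):
    """Turn scanner output into a list of Findings (first matching rule wins)."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group(1) != "+":
            continue  # "[ i ]" lines are progress messages, not results
        body = m.group(2)
        for pattern, check, severity, fix in RULES:
            if pattern.search(body):
                findings.append(Finding(check, severity, body, fix))
                break
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 4, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    for sev in ("high", "medium", "low"):
        for f in found:
            if f.severity == sev:
                print(f"[{sev:6}] {f.check}\n         {f.detail}\n         fix: {f.remediation}")
    print(summarize(found))
```

Pipe the scanner's verbose output into `parse_findings` to get a prioritised fix list; anything the rules do not recognise is left out rather than guessed at, so extend `RULES` as you meet new result lines.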

Scan plugin, theme and WordPress code

You can also scan plugin, theme and WordPress core code on the local filesystem. Type:

$ python3 --scan <dir/file> --verbose

Here <dir/file> is the absolute path of the WordPress directory to scan (the installation root, the plugins directory or the themes directory) or of a single file.
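The `--scan` mode works on local code rather than a live site. As an added example that is not WPSeku's own implementation, the following Python script shows the kind of check such a mode performs: it walks a plugins or themes directory and flags PHP lines where request data reaches a SQL query, output or code-execution sink without passing through a sanitizer. The rule names, regular expressions and the sample plugin snippet are constructed for this example.

```python
"""Static check for risky patterns in WordPress plugin/theme PHP code.

Added example, not WPSeku's own implementation: it illustrates the kind of
local code check a "--scan <dir/file>" mode performs, using a line-oriented
pass with per-file tracking of variables assigned straight from request
superglobals. Rule names and the sample plugin code are constructed here.
"""
import os
import re
from dataclasses import dataclass

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# "$var = $_GET[...]" with no sanitizer on the line marks $var as request-controlled.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*" + SUPERGLOBAL)
SANITIZED_RE = re.compile(r"intval\(|absint\(|\(int\)|sanitize_\w+\(|esc_\w+\(|wp_kses")
SQL_SINK_RE = re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row|get_col)\(")
OUTPUT_RE = re.compile(r"\b(?:echo|print)\b")
EVAL_RE = re.compile(r"\b(?:eval|assert|create_function)\s*\(")
CMD_RE = re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
B64_RE = re.compile(r"\bbase64_decode\s*\(")

@dataclass
class Hit:
    path: str
    line_no: int
    rule: str
    code: str

def _request_controlled(line, tainted):
    """True if the line uses a superglobal or a variable copied from one."""
    if re.search(SUPERGLOBAL, line):
        return True
    return any(re.search(re.escape(v) + r"\b", line) for v in tainted)

def scan_source(path, text):
    """Return Hits for one PHP source; `path` is only used for reporting."""
    hits, tainted = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        # Drop trailing "//" comments (crude: also cuts URLs, acceptable for a demo).
        code = line.split("//")[0]
        m = ASSIGN_RE.search(code)
        if m and not SANITIZED_RE.search(code):
            tainted.add(m.group(1))
        if EVAL_RE.search(code):
            hits.append(Hit(path, no, "dynamic code execution", line.strip()))
        if CMD_RE.search(code):
            hits.append(Hit(path, no, "command execution", line.strip()))
        if B64_RE.search(code):
            hits.append(Hit(path, no, "base64-obfuscated payload", line.strip()))
        if (SQL_SINK_RE.search(code) and "prepare(" not in code
                and _request_controlled(code, tainted)):
            hits.append(Hit(path, no, "SQL built from request data", line.strip()))
        if (OUTPUT_RE.search(code) and not SANITIZED_RE.search(code)
                and _request_controlled(code, tainted)):
            hits.append(Hit(path, no, "unescaped output of request data", line.strip()))
    return hits

def scan_directory(root):
    """Walk a plugins/themes/WordPress directory and scan every .php file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source(full, fh.read()))
    return hits

# Constructed sample plugin code (not real plugin code) exercising each rule.
SAMPLE_PHP = r"""<?php
$id   = $_GET['id'];
$page = intval($_GET['page']);
$rows = $wpdb->get_results("SELECT * FROM wp_posts WHERE ID = $id");
$safe = $wpdb->prepare("SELECT * FROM wp_posts WHERE ID = %d", $page);
echo $_REQUEST['name'];
echo esc_html($_GET['name']);
eval(base64_decode($_POST['p']));
shell_exec('ls ' . $id);
"""

if __name__ == "__main__":
    for h in scan_source("sample-plugin.php", SAMPLE_PHP):
        print(f"{h.path}:{h.line_no}: {h.rule}: {h.code}")
```

Run `scan_directory("/path/to/wp-content/plugins")` against your own installation and review each hit by hand; a regex pass like this has false positives (a sanitizer on the previous line, for instance), so treat it as a code-review aid, not a verdict.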

WPSeku Bruteforce Login

To perform a brute-force login attempt you first need a wordlist of passwords to try. A sample file is available at db/wordlist.txt.

$ python3 --url --brute --user test --wordlist wl.txt --verbose

Replace test with the WordPress username to test and wl.txt with your password wordlist.

