This plugin scans your system on a daily basis to find vulnerabilities listed in the WPScan Vulnerability Database. It shows an icon on the Admin Toolbar with the total number of vulnerabilities found.

What does the plugin do?

  • Scans the WordPress core, plugins and themes for known vulnerabilities;
  • Shows an icon on the Admin Toolbar with the total number of vulnerabilities found;
  • Notifies you by mail when new vulnerabilities are found.

Further Reading


  • List of vulnerabilities and icon at Admin Bar.
  • Notification settings.


  1. Upload the contents of wpscan.zip to the /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Register for a free API token
  4. Save the API token to the WPScan settings page


  • How many API calls are made?
    There is one API call for the WordPress version, one call for each installed plugin and one for each theme, daily.

  • Why are the “Summary” section and the “Check Now” button not showing?
    The cron job did not run, which can be due to:

    • The DISABLE_WP_CRON constant is set to true in the wp-config.php file, but no system cron has been set (crontab -e).
    • A page-caching plugin is enabled (see https://wordpress.stackexchange.com/questions/93570/wp-cron-doesnt-execute-when-time-elapses?answertab=active#tab-top).
    • The blog is unable to make a loopback request; see Tools->Site Health for details.

    If the issue cannot be solved with the above, putting define('ALTERNATE_WP_CRON', true); in the wp-config.php file could help; however, it will reduce the SEO of the blog.
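
The cron causes listed above can be checked from a shell before changing anything. The script below is an added example, not part of the WPScan plugin; the state labels, the file paths and the blog.example URL are assumptions made for illustration, and the sample wp-config.php and crontab listing are constructed.

```shell
#!/bin/sh
# Added example (not WPScan plugin code): explain why the daily scan never fires.

# Echo true / false / unset for a boolean constant defined in a wp-config.php file.
wp_const() {  # $1 = path to wp-config.php, $2 = constant name
    val=$(grep -Ev '^[[:space:]]*(//|#)' "$1" |
        sed -n "s/.*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\([A-Za-z0-9]*\).*/\1/p" |
        tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        true|1) echo true ;;
        '')     echo unset ;;
        *)      echo false ;;
    esac
}

# Succeed if an active (uncommented) crontab line runs wp-cron.php or WP-CLI's cron runner.
has_system_cron() {  # $1 = file holding `crontab -l` output
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq 'wp-cron\.php|wp cron event run'
}

# Classify the scheduler state of one site (labels are hypothetical names for this example).
diagnose() {  # $1 = wp-config.php, $2 = crontab listing
    if [ "$(wp_const "$1" DISABLE_WP_CRON)" = true ]; then
        if has_system_cron "$2"; then echo system-cron; else echo no-scheduler; fi
    elif [ "$(wp_const "$1" ALTERNATE_WP_CRON)" = true ]; then
        echo alternate-cron
    else
        echo wp-cron-default   # depends on page visits and loopback requests
    fi
}

# Constructed sample input: WP-Cron disabled, and the only crontab entry is commented out.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/wp-config.php" <<'EOF'
<?php
// define('DISABLE_WP_CRON', false);
define( 'DISABLE_WP_CRON', true );
EOF
cat > "$tmp/crontab.txt" <<'EOF'
# */15 * * * * curl -s https://blog.example/wp-cron.php >/dev/null
0 3 * * * /usr/local/bin/backup.sh
EOF
echo "scheduler state: $(diagnose "$tmp/wp-config.php" "$tmp/crontab.txt")"
```

A result of no-scheduler means the scan task is never triggered, so the vulnerability count shown in the Admin Toolbar is not being refreshed.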


October 31, 2019
This plugin is much too expensive: 50 free API requests are not enough, and the plugin, or the Linux version, needs many credits for correct testing. This is an unusable plugin for free testing, and to increase your limit to 250 API requests per day you need to pay 25€ monthly. Not recommended, as it is a much too expensive solution.
October 29, 2019
Just recently discovered this is neatly packaged into a WordPress plugin. Great to be able to just tell people to install the plugin to run their site against wpvulndb. Thank you! 🙂
October 16, 2019
The free account on WPScan and its 50-request cap cannot cover a single website, and if you wait 24h it will check the whole site again, not prioritising plugins that haven't been checked yet. But wait, if you think paying for the 250 requests is going to solve the issue, you are wrong! This plugin has gone from must have to must delete!
Read all 5 reviews

Contributors & Developers

“WPScan” is open source software. The following people have contributed to this plugin.


“WPScan” has been translated into 3 locales. Thank you to the translators for their contributions.

Translate “WPScan” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog


  • Prevent multiple tasks from running simultaneously
  • Check Now Button disabled and Spinner icon displayed when a task is already running
  • Results page automatically reloaded when Task is finished (checked every 10s)


  • Use the /status API endpoint to determine if the Token is valid. As a result, a call is no longer consumed when setting/changing the API token.
  • Trim and remove potential leading ‘v’ in versions when comparing them with the fixed_in values.


  • Add notice about paid licenses


  • Warn if API Limit was hit


  • First release.