WordPress Vulnerability Scanner
Discover known vulnerable plugins in your website
Security Ninja offers free vulnerability detection for your WordPress website. This feature warns you if there is a known problem in a plugin that allows hackers to attack your website.
We scan public repositories for vulnerabilities related to WordPress and compare that list to the plugins installed on your website.
Free for everyone
This feature is available to free and premium users and alerts you to any installed plugins that have a known exploit or vulnerability.
When you install WP Security Ninja, the list of vulnerabilities is downloaded automatically to your website and then updated regularly.
You are also warned about specific security issues for different versions of WordPress itself.
The API will expand in the future to also include warnings for WordPress themes.
Your data is private!
All checking of vulnerabilities happens directly on your website, no data is sent back to our servers.
The list of vulnerabilities is gathered from curated sources such as the NVD (National Vulnerability Database) and then downloaded to your website from our API.
Your installed plugins are then checked against the list and you will be alerted to any vulnerable plugins on your website.
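The local check described above can be sketched as follows. This is an added example, not Security Ninja's own code: the feed fields (`slug`, `fixed_in`, `id`), the plugin names and the placeholder IDs are constructed for illustration, and on a real site the installed versions would come from WordPress's `get_plugins()`.

```php
<?php
// Constructed sample feed. The real list format is not shown on the page;
// the fields slug / fixed_in / id are assumptions made for this example.
$feed_json = <<<'JSON'
[
  {"slug": "example-forms",   "fixed_in": "2.4.1", "id": "CVE-XXXX-0001"},
  {"slug": "example-gallery", "fixed_in": null,    "id": "CVE-XXXX-0002"},
  {"slug": "example-seo",     "fixed_in": "1.0.0", "id": "CVE-XXXX-0003"}
]
JSON;

// Constructed inventory (slug => installed version).
$installed = [
    'example-forms'   => '2.3.9',
    'example-gallery' => '5.0.2',
    'example-seo'     => '1.2.0',
    'example-cache'   => '3.1.0',
];

// Return every feed entry that applies to an installed plugin version.
function find_vulnerable_plugins(array $installed, array $feed): array
{
    $hits = [];
    foreach ($feed as $entry) {
        $slug = $entry['slug'] ?? null;
        if ($slug === null || !isset($installed[$slug])) {
            continue; // entry is for a plugin that is not installed
        }
        $fixed = $entry['fixed_in'] ?? null;
        // No fixed version published yet: treat every installed version as affected.
        if ($fixed === null || version_compare($installed[$slug], $fixed, '<')) {
            $hits[] = ['slug' => $slug, 'installed' => $installed[$slug],
                       'fixed_in' => $fixed, 'id' => $entry['id'] ?? 'unknown'];
        }
    }
    return $hits;
}

// JSON_THROW_ON_ERROR makes a corrupt download fail loudly instead of
// silently producing an empty list that would look like "no problems found".
$feed = json_decode($feed_json, true, 512, JSON_THROW_ON_ERROR);

foreach (find_vulnerable_plugins($installed, $feed) as $hit) {
    printf("%s %s is affected by %s (%s)\n", $hit['slug'], $hit['installed'], $hit['id'],
        $hit['fixed_in'] ? "update to {$hit['fixed_in']} or later" : 'no fix available yet');
}
```

Because the comparison runs entirely against the downloaded list, the plugin inventory never has to leave the site.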
There are many reasons why a flaw can appear in a plugin or a theme. It can be due to simple mistakes, misleading documentation, lack of experience working with WordPress code, or a ton of other reasons. Many plugins also use third-party libraries for different tasks, and the security flaw may be in one of those libraries.
Many times this problem can be alleviated by keeping your plugins up to date. Still, there are also cases where a vulnerability is made public even before the developers have a chance to know about it and create a fix.
WPScan and ThreatPress maintain searchable databases that focus on WordPress vulnerabilities. There are regular updates for newly found exploits in plugins, themes, and also WordPress core itself.
The standard for indexing, categorizing, and determining the severity of an exploit is CVE. CVE was launched in 1999 as a community effort to standardize the reporting of exploits, and the MITRE Corporation now runs it. The organization has copyrighted the CVE list and trademarked its name in an ongoing effort to keep the standard free and open-sourced.
CVE stands for Common Vulnerabilities and Exposures, and its purpose is to be a standard for sharing publicly available vulnerability data across networks and platforms. Each vulnerability gets a unique ID and a score based on its severity and ease of exploitation. The directory includes exploits across all platforms and systems.
There are many public searchable databases for vulnerabilities and exploits. Specific to WordPress, WPScan and ThreatPress both maintain popular databases of WordPress vulnerabilities.