wpprobe
WPProbe is a fast WordPress plugin and theme scanner written in Go that detects installed components via REST API enumeration and HTML parsing, then maps them to known vulnerabilities from Wordfence and WPScan databases. It offers three scanning modes—stealthy (low-noise REST API queries), brute-force (directory checks), and hybrid—with output in CSV or JSON formats.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | Chocapikk/wpprobe |
| Owner | Chocapikk |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 915 |
| Forks | 120 |
| Open issues | 0 |
| Latest release | v0.12.4 (2026-07-04) |
| Last updated | 2026-07-04 |
| Source | https://github.com/Chocapikk/wpprobe |
What wpprobe is
The tool leverages WordPress REST API endpoint matching and HTML parsing to identify active plugins and themes without brute-forcing, correlating discovered components against prebuilt CVE databases. It supports proxy, custom headers, rate limiting, and multi-threaded scanning, with a Go 1.22+ runtime and Docker deployments available.
Get the wpprobe source
Clone the repository and explore it locally.
git clone https://github.com/Chocapikk/wpprobe.gitcd wpprobe# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Go 1.22+ for compilation from source; prebuilt binaries available for Linux, macOS, and Windows via GitHub Releases and Kali/BlackArch/NixOS package managers.
- Initialize vulnerability databases via `wpprobe update-db` before first scan; free Wordfence API key recommended (Enterprise WPScan token optional for additional coverage).
- Configure rate limiting and threading (`--rate-limit`, `-t` flags) appropriately to avoid WAF triggers; stealthy mode generates minimal requests (~5-10 per target), while brute-force mode produces thousands.
- Set HTTP proxy if scanning from restricted networks or behind corporate infrastructure; support for `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.
- Docker deployment recommended for CI/CD pipelines; persist vulnerability databases using named volumes to avoid re-downloading on each container run.
When to avoid it — and what to weigh
- Unauthorized Scanning — Do not use against systems without explicit written permission. This is a reconnaissance tool designed for authorized testing; unauthorized use violates computer fraud laws in most jurisdictions.
- Stale or Incomplete Vulnerability Data — Avoid relying solely on wpprobe's vulnerability matching without independent verification. The tool depends on external Wordfence and WPScan databases; gaps in coverage or outdated data may miss or misclassify vulnerabilities.
- High-Security Environments Requiring Audit Trails — Stealthy mode may not generate sufficient logging for compliance-driven security audits. Organizations requiring detailed request logs and response chains should use alternative solutions with built-in audit logging.
- Non-WordPress Web Applications — This tool is WordPress-specific. It is not applicable for scanning custom PHP applications, Drupal, Joomla, or other CMS platforms.
License & commercial use
Licensed under MIT License (OSI-approved permissive license). Full license terms available in repository LICENSE file.
MIT License permits commercial use without royalty or attribution requirement. However, ensure that use is authorized (i.e., scanned targets belong to your organization or you have explicit written permission). The tool itself is freely usable commercially; vulnerability data sourcing (Wordfence/WPScan) may have separate terms. Wordfence free tier requires account registration; WPScan Enterprise has paid tiers. Verify data licensing compliance with your compliance team before commercial deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool is a reconnaissance utility; security posture depends on usage context. Stealthy mode (REST API) generates low-noise requests suitable for environments with IDS/WAF. Brute-force mode triggers high request volume—risk of blocking or alerting. No built-in obfuscation or evasion beyond proxy support. Vulnerability correlation relies on external databases (Wordfence/WPScan); confirm CVE accuracy independently. Do not use against unauthorized targets. Output contains discovered plugin/theme names and versions—treat results as sensitive reconnaissance data. No encryption of local database files; secure storage on host filesystem required.
Alternatives to consider
WPScan (Ruby)
Established WordPress vulnerability scanner with CLI and API; supports both plugin/theme enumeration and brute-force; requires WPScan API token for full CVE database access. More mature but slower (Ruby) and less stealthy than wpprobe REST API approach.
Nuclei (Go-based YAML templates)
General-purpose vulnerability scanner with WordPress plugin/theme detection templates; highly extensible and integrates with broader security workflows. Steeper learning curve and overkill for WordPress-only reconnaissance.
Manual WPScan + Custom Scripts
Direct use of WPScan CLI or custom Python/Bash scripts for targeted scanning. More control but requires significant development and maintenance overhead for multi-target operations.
Build on wpprobe with DEV.co software developers
WPProbe accelerates WordPress reconnaissance in authorized security assessments. Combine stealthy REST API scanning with our expert security services to identify and remediate vulnerabilities before attackers do. Contact Devco to integrate wpprobe into your CI/CD or penetration testing workflow.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
wpprobe FAQ
Do I need API keys to use wpprobe?
Will wpprobe trigger WAF detection or rate limiting?
What WordPress versions and plugin types does wpprobe detect?
Can I use wpprobe in automated security workflows?
Custom software development services
DEV.co helps companies turn open-source tools like wpprobe into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Ready to Audit Your WordPress Installation?
WPProbe accelerates WordPress reconnaissance in authorized security assessments. Combine stealthy REST API scanning with our expert security services to identify and remediate vulnerabilities before attackers do. Contact Devco to integrate wpprobe into your CI/CD or penetration testing workflow.