DEV.co
Open-Source Security · Chocapikk

wpprobe

WPProbe is a fast WordPress plugin and theme scanner written in Go that detects installed components via REST API enumeration and HTML parsing, then maps them to known vulnerabilities from Wordfence and WPScan databases. It offers three scanning modes—stealthy (low-noise REST API queries), brute-force (directory checks), and hybrid—with output in CSV or JSON formats.

Source: GitHub — github.com/Chocapikk/wpprobe
915
GitHub stars
120
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryChocapikk/wpprobe
OwnerChocapikk
Primary languageGo
LicenseMIT — OSI-approved
Stars915
Forks120
Open issues0
Latest releasev0.12.4 (2026-07-04)
Last updated2026-07-04
Sourcehttps://github.com/Chocapikk/wpprobe

What wpprobe is

The tool leverages WordPress REST API endpoint matching and HTML parsing to identify active plugins and themes without brute-forcing, correlating discovered components against prebuilt CVE databases. It supports proxy, custom headers, rate limiting, and multi-threaded scanning, with a Go 1.22+ runtime and Docker deployments available.

Quickstart

Get the wpprobe source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Chocapikk/wpprobe.gitcd wpprobe# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Authorized Security Assessments & Penetration Testing

Quickly enumerate WordPress plugin inventory during authorized red-team engagements or internal security audits to identify known vulnerabilities before exploitation attempts.

Bug Bounty Reconnaissance

Perform initial WordPress reconnaissance on bug-bounty targets to map plugin versions against public CVE databases with minimal noise and WAF detection risk.

WordPress Admin Vulnerability Auditing

Enable WordPress site owners or administrators to perform periodic scans of their own installations to identify outdated or vulnerable plugins and themes for patch management.

Implementation considerations

  • Requires Go 1.22+ for compilation from source; prebuilt binaries available for Linux, macOS, and Windows via GitHub Releases and Kali/BlackArch/NixOS package managers.
  • Initialize vulnerability databases via `wpprobe update-db` before first scan; free Wordfence API key recommended (Enterprise WPScan token optional for additional coverage).
  • Configure rate limiting and threading (`--rate-limit`, `-t` flags) appropriately to avoid WAF triggers; stealthy mode generates minimal requests (~5-10 per target), while brute-force mode produces thousands.
  • Set HTTP proxy if scanning from restricted networks or behind corporate infrastructure; support for `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.
  • Docker deployment recommended for CI/CD pipelines; persist vulnerability databases using named volumes to avoid re-downloading on each container run.

When to avoid it — and what to weigh

  • Unauthorized Scanning — Do not use against systems without explicit written permission. This is a reconnaissance tool designed for authorized testing; unauthorized use violates computer fraud laws in most jurisdictions.
  • Stale or Incomplete Vulnerability Data — Avoid relying solely on wpprobe's vulnerability matching without independent verification. The tool depends on external Wordfence and WPScan databases; gaps in coverage or outdated data may miss or misclassify vulnerabilities.
  • High-Security Environments Requiring Audit Trails — Stealthy mode may not generate sufficient logging for compliance-driven security audits. Organizations requiring detailed request logs and response chains should use alternative solutions with built-in audit logging.
  • Non-WordPress Web Applications — This tool is WordPress-specific. It is not applicable for scanning custom PHP applications, Drupal, Joomla, or other CMS platforms.

License & commercial use

Licensed under MIT License (OSI-approved permissive license). Full license terms available in repository LICENSE file.

MIT License permits commercial use without royalty or attribution requirement. However, ensure that use is authorized (i.e., scanned targets belong to your organization or you have explicit written permission). The tool itself is freely usable commercially; vulnerability data sourcing (Wordfence/WPScan) may have separate terms. Wordfence free tier requires account registration; WPScan Enterprise has paid tiers. Verify data licensing compliance with your compliance team before commercial deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool is a reconnaissance utility; security posture depends on usage context. Stealthy mode (REST API) generates low-noise requests suitable for environments with IDS/WAF. Brute-force mode triggers high request volume—risk of blocking or alerting. No built-in obfuscation or evasion beyond proxy support. Vulnerability correlation relies on external databases (Wordfence/WPScan); confirm CVE accuracy independently. Do not use against unauthorized targets. Output contains discovered plugin/theme names and versions—treat results as sensitive reconnaissance data. No encryption of local database files; secure storage on host filesystem required.

Alternatives to consider

WPScan (Ruby)

Established WordPress vulnerability scanner with CLI and API; supports both plugin/theme enumeration and brute-force; requires WPScan API token for full CVE database access. More mature but slower (Ruby) and less stealthy than wpprobe REST API approach.

Nuclei (Go-based YAML templates)

General-purpose vulnerability scanner with WordPress plugin/theme detection templates; highly extensible and integrates with broader security workflows. Steeper learning curve and overkill for WordPress-only reconnaissance.

Manual WPScan + Custom Scripts

Direct use of WPScan CLI or custom Python/Bash scripts for targeted scanning. More control but requires significant development and maintenance overhead for multi-target operations.

Software development agency

Build on wpprobe with DEV.co software developers

WPProbe accelerates WordPress reconnaissance in authorized security assessments. Combine stealthy REST API scanning with our expert security services to identify and remediate vulnerabilities before attackers do. Contact Devco to integrate wpprobe into your CI/CD or penetration testing workflow.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

wpprobe FAQ

Do I need API keys to use wpprobe?
No. By default, `wpprobe update-db` fetches a pre-built vulnerability database updated every 2 hours in the GitHub repository. Free Wordfence API keys (optional) enable direct Wordfence API updates; WPScan Enterprise token is only needed for WPScan database updates.
Will wpprobe trigger WAF detection or rate limiting?
Stealthy mode (default) minimizes requests via REST API matching, making it low-noise. Brute-force mode generates thousands of requests and is more likely to trigger rate limits or WAF blocks. Use rate limiting (`--rate-limit` flag) and proxy options to reduce visibility.
What WordPress versions and plugin types does wpprobe detect?
Stealthy mode detects 5000+ plugins exposed via REST API and themes from HTML references; brute-force mode extends coverage to 10k+ plugins. Disabled, hidden, or non-REST-API-enabled plugins may not be detected. Theme detection relies on HTML references and may miss dynamically-loaded themes.
Can I use wpprobe in automated security workflows?
Yes. wpprobe supports multi-target scanning with `-f targets.txt`, JSON/CSV output for parsing, threading, Docker deployment, and CI-friendly configuration via environment variables. Integrate output into SIEM or vulnerability tracking systems via CSV/JSON processors.

Custom software development services

DEV.co helps companies turn open-source tools like wpprobe into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to Audit Your WordPress Installation?

WPProbe accelerates WordPress reconnaissance in authorized security assessments. Combine stealthy REST API scanning with our expert security services to identify and remediate vulnerabilities before attackers do. Contact Devco to integrate wpprobe into your CI/CD or penetration testing workflow.