Title: Plugin Security Scanner
Author: Glen Scott
Published: April 13, 2015
Last modified: August 19, 2019

---


This plugin **hasn’t been tested with the latest 3 major releases of WordPress**.
It may no longer be maintained or supported and may have compatibility issues when
used with more recent versions of WordPress.

![](https://ps.w.org/plugin-security-scanner/assets/icon-256x256.png?rev=1133757)

# Plugin Security Scanner

 By [Glen Scott](https://profiles.wordpress.org/glen_scott/)

[Download](https://downloads.wordpress.org/plugin/plugin-security-scanner.2.0.2.zip)


## Description

This plugin determines whether any of your plugins or themes have security vulnerabilities.
It does this by looking up details in the WPScan Vulnerability Database.

It will run a scan once a day, and e-mail the administrator if any vulnerable plugins
or themes are found.

_Please note:_ As from version 2.0.0, you will need to [register on the WPScan Vulnerability Database](https://wpvulndb.com/users/sign_up)
site in order to get an API token. This token is required before any security scans
can be performed. Once you have your token, it can be added to the Plugin Security
Scanner settings page.

You can also register a webhook for notifications. The webhook will trigger daily,
even if no vulnerabilities are found. The webhook is a POST request with a JSON
payload containing the vulnerabilities.

You can enable the webhook under Settings\General tab – see the Plugin Security 
Scanner settings.

It also adds a new menu option to the admin tools menu called “Plugin Security Scanner”.
Clicking this runs a scan. If the scan finds any problems, it shows you a list of
plugins or themes that have vulnerabilities, along with a description of the issue.

The WPScan Vulnerability Database API, which this plugin uses, is free for non-commercial
use. However, any commercial usage will require that you purchase a commercial license
from WPScan. If you are using the API for your own site then you will not need a
commercial license. However, if you are a hosting company and install the plugin
systematically across all of your clients' sites, then you will need to purchase
a commercial license. If you are making heavy use of the API, it is likely that
you will need to purchase a commercial license. To enquire about a commercial license,
please contact team@wpvulndb.com.

Icons made by [Alessio Atzeni](http://www.flaticon.com/authors/alessio-atzeni) from
[www.flaticon.com](http://www.flaticon.com) are licensed under [CC BY 3.0](http://creativecommons.org/licenses/by/3.0/).

## Screenshots

 * Example run of the security scanner that has found two vulnerable plugins.
 * E-mail alert to administrator when vulnerable plugins have been found.

## Reviews


### [Great plugin!](https://wordpress.org/support/topic/great-plugin-9160/)

 [Julie](https://profiles.wordpress.org/habannah/) September 3, 2016

Peace of mind! Excellent support from the plugin author. Proactive maintenance of
the WPScan Vulnerability Database.


### [Works well, but its messages lack detail](https://wordpress.org/support/topic/fonctionne-bien-mais-ses-messages-manque-de-details/)

 [Sabine](https://profiles.wordpress.org/lisettemag/) September 3, 2016 1 reply

Works very well, but I am pushing my luck in hoping for one small, essential improvement…
When I installed the Zopim Live Chat plugin last week, it sent me a message within
24 hours: —— Vulnerability found: zopim-live-chat <= 1.2.5 – XSS
in ZeroClipboard Scan completed: 1 vulnerability found. —– A bit short to know
what it is really about, but the basic job is done. I have been alerted, and so
has Zopim support. Now it remains to find the flaw… More details would be welcome,
especially when you have to pass the report on to a support team.


### [Could also check WP version](https://wordpress.org/support/topic/could-also-check-wp-version/)

 [Edir Pedro](https://profiles.wordpress.org/edir/) September 3, 2016

Slow to check because the API service works only one plugin at a time, but good 
enough. Could show the vulnerabilities found direct on Plugins page.

 [ Read all 7 reviews ](https://wordpress.org/support/plugin/plugin-security-scanner/reviews/)

## Contributors & Developers

“Plugin Security Scanner” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Glen Scott ](https://profiles.wordpress.org/glen_scott/)

[Translate “Plugin Security Scanner” into your language.](https://translate.wordpress.org/projects/wp-plugins/plugin-security-scanner)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/plugin-security-scanner/),
check out the [SVN repository](https://plugins.svn.wordpress.org/plugin-security-scanner/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/plugin-security-scanner/)
by [RSS](https://plugins.trac.wordpress.org/log/plugin-security-scanner/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 2.0.2

 * Clarified 403 error

#### 2.0.1

 * Clarified error message in daily email

#### 2.0.0

 * Use WPScan Vulnerability Database API V3
 * Important notice: to use this plugin, you now need to register a user and get
   an API token from https://wpvulndb.com/users/sign_up
 * Improved error handling

#### 1.6.0

 * Moved settings to dedicated page
 * Added option to ignore unpatched issues

#### 1.5.2

 * Fix: Allow scanning if you are running WordPress nightly or release candidates

#### 1.5.1

 * Added option to ignore ‘WordPress 2.3-4.8.3 – Host Header Injection in Password
   Reset’ vulnerability

#### 1.5.0

 * Checks vulnerabilities in WordPress core files
 * Added ability to send an HTTP request when vulnerabilities are found (webhook)

#### 1.4.1

 * Fix issue with theme version checking

#### 1.4

 * Themes as well as plugins are now scanned for vulnerabilities

#### 1.3.1

 * Added check to make sure the WPVulnDb API has returned a valid response

#### 1.3

 * Added option under “Settings / General / Plugin Security Scanner” to disable 
   the email notification

#### 1.2.1

 * Moved to WPScan Vulnerability Database API v2

#### 1.2.0

 * Added i18n support

#### 1.1.9

 * Fix: Removed unnecessary ob_flush calls
 * Fix: If vulnerability does not have a “fixed in” version number, report it as
   a vulnerability

#### 1.1.8

 * Fix: corrected links to WPScan Vulnerability Database

#### 1.1.7

 * Add link to WPScan Vulnerability Database details page

#### 1.1.6

 * Conditionally include plugin.php in case it is not already included

#### 1.1.5

 * Escape output in HTML report to prevent XSS

#### 1.1.4

 * Added blog title to email subject

#### 1.1.3

 * Fixed bug that prevented admin email being sent

#### 1.1

 * Email admin daily if any vulnerabilities are found

#### 1.0

 * Initial release

## Meta

 *  Version **2.0.2**
 *  Last updated **7 years ago**
 *  Active installations **800+**
 *  Tested up to **5.2.24**
 *  Tags: [plugins](https://wordpress.org/plugins/tags/plugins/), [scanner](https://wordpress.org/plugins/tags/scanner/),
   [secure](https://wordpress.org/plugins/tags/secure/), [security](https://wordpress.org/plugins/tags/security/),
   [vulnerabilities](https://wordpress.org/plugins/tags/vulnerabilities/)
 *  [Advanced View](https://wordpress.org/plugins/plugin-security-scanner/advanced/)

## Ratings

 4.9 out of 5 stars.

 *  [6 5-star reviews](https://wordpress.org/support/plugin/plugin-security-scanner/reviews/?filter=5)
 *  [1 4-star review](https://wordpress.org/support/plugin/plugin-security-scanner/reviews/?filter=4)
 *  [0 3-star reviews](https://wordpress.org/support/plugin/plugin-security-scanner/reviews/?filter=3)
 *  [0 2-star reviews](https://wordpress.org/support/plugin/plugin-security-scanner/reviews/?filter=2)
 *  [0 1-star reviews](https://wordpress.org/support/plugin/plugin-security-scanner/reviews/?filter=1)
