This plugin scans your system on a daily basis to find vulnerabilities listed in the WPScan Vulnerability Database. It shows an icon on the Admin Toolbar with the total number of vulnerabilities found.

What does the plugin do?

  • Scans the WordPress core, plugins and themes for known vulnerabilities;
  • Shows an icon on the Admin Toolbar with the total number of vulnerabilities found;
  • Notifies you by mail when new vulnerabilities are found.



  • List of vulnerabilities and icon at Admin Bar.
  • Notification settings.


  1. Upload the contents of wpscan.zip to the /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Register for a free API token
  4. Save the API token to the WPScan settings page


  • How many API calls are made?
    There is one API call for the WordPress version, one call for each installed plugin and one for each theme, daily.

  • Why is the “Summary” section and the “Check Now” button not showing?
    The cron job did not run, which can be due to:

    • The DISABLE_WP_CRON constant is set to true in the wp-config.php file, but no system cron job has been set up (crontab -e).
    • A page-caching plugin is enabled (see https://wordpress.stackexchange.com/questions/93570/wp-cron-doesnt-execute-when-time-elapses?answertab=active#tab-top).
    • The blog is unable to make a loopback request; see Tools -> Site Health for details.

    If the issue cannot be solved with the above, adding define('ALTERNATE_WP_CRON', true); to the wp-config.php file could help; however, it will reduce the SEO of the blog.
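
The first cause above, and the ALTERNATE_WP_CRON fallback, can be checked from a shell. This is an added example, not part of the WPScan plugin: it reads a wp-config.php file and a saved `crontab -l` dump and reports which WP-Cron mode is in effect. The function names, the `wp cron event run` pattern (WP-CLI) and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not WPScan code): classify how WP-Cron is triggered on a site.

# True if FILE ($1) has an uncommented define('NAME', true) for NAME ($2).
# Only // and # line comments are skipped; /* ... */ blocks are not handled.
wp_const_true() {
    grep -Ev '^[[:space:]]*(//|#)' "$1" |
        grep -Eiq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# True if the crontab dump ($1) has an active line that runs WP-Cron.
has_system_cron() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Eq 'wp-cron\.php|wp cron event run'
}

# cron_status WP_CONFIG CRONTAB_DUMP
# Prints one of: broken | system-cron | alternate-wp-cron | wp-cron
cron_status() {
    if wp_const_true "$1" DISABLE_WP_CRON; then
        # WordPress no longer spawns cron on page loads; a system cron must do it.
        if has_system_cron "$2"; then echo system-cron; else echo broken; fi
    elif wp_const_true "$1" ALTERNATE_WP_CRON; then
        echo alternate-wp-cron
    else
        # Default mode: still depends on a working loopback request and uncached hits.
        echo wp-cron
    fi
}

# Constructed sample input: a wp-config.php fragment and a crontab dump with no jobs.
demo() {
    d=$(mktemp -d)
    printf "%s\n" "<?php" "// define('ALTERNATE_WP_CRON', true);" \
        "define( 'DISABLE_WP_CRON', true );" > "$d/wp-config.php"
    printf "%s\n" "# m h dom mon dow command" > "$d/crontab.txt"
    cron_status "$d/wp-config.php" "$d/crontab.txt"
    rm -rf "$d"
}

# Usage: script.sh /path/to/wp-config.php /path/to/crontab-dump.txt
if [ "$#" -eq 2 ]; then cron_status "$1" "$2"; else demo; fi
```

A result of `wp-cron` only rules out the first cause; caching and loopback failures still have to be checked in Tools -> Site Health.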


October 31, 2019
This plugin is far too expensive; 50 free API requests are not enough, and the plugin, or the Linux version, needs many credits for correct testing. This is an unusable plugin for free testing, and to increase your limit to 250 API requests per day you need to pay 25€ monthly. Not recommended, as it is a very expensive solution.
October 29, 2019
Just recently discovered this is neatly packaged into a WordPress plugin. Great to be able to just tell people to install the plugin to run their site against wpvulndb. Thank you! 🙂
October 16, 2019
The free account on WPScan and its 50-request cap cannot cover a single website, and if you wait 24h it will check the whole site again, not prioritising plugins that haven't been checked yet. But wait, if you think paying for the 250 requests is going to solve the issue, you are wrong! This plugin has gone from must have to must delete!

Contributors & Developers

“WPScan” is open source software. The following people have contributed to this plugin.


“WPScan” has been translated into 3 locales. Thank you to the translators for their contributions.




  • Prevent multiple tasks from running simultaneously
  • Check Now Button disabled and Spinner icon displayed when a task is already running
  • Results page automatically reloaded when Task is finished (checked every 10s)


  • Use the /status API endpoint to determine if the Token is valid. As a result, a call is no longer consumed when setting/changing the API token.
  • Trim and remove potential leading ‘v’ in versions when comparing them with the fixed_in values.


  • Add notice about paid licenses


  • Warn if API Limit was hit


  • First release.