Security Solutions For Everyone


WordPress protection with custom solutions for large enterprises.
  • Custom pricing by number of sites
  • Instant email alerts
  • Vulnerability details by ID
  • Latest API endpoints
  • Webhooks: Slack & HTTP
  • Description & PoC API data
  • CVSS Risk Scores

Small Business

For most sites, we recommend Jetpack Protect — the partner product of WPScan, by Automattic. It has all the power of WPScan with an easy-to-use interface.
  • Automated daily scanning
  • Recommended fixes

Researchers can use the CLI tool to make 25 API requests per day.

View our Enterprise Terms of Service

Frequently Asked Questions

Where does the vulnerability data come from?

All of the vulnerabilities are manually entered into our database by a WordPress security professional. That means that each vulnerability is manually checked, which, although very time consuming, drastically reduces the possibility of false positives.

Our vulnerabilities are sourced from around the web, as well as being sent to us directly by security researchers. We also find many security issues ourselves. We are a CVE Numbering Authority (CNA), so we are able to directly assign CVE numbers for WordPress core vulnerabilities, plugin vulnerabilities and theme vulnerabilities.

We are constantly updating older vulnerabilities with new information as it comes to light. Check out our WordPress Vulnerability Statistics for further details about our vulnerability data.

Does the API collect user data?

No. The only data the API stores is the scanner IP or domain, the WordPress version, plugin slugs and theme slugs, as well as the number of API requests and date and time stamps.

Which service should I use? The plugin, the scanner, or the API directly?

This will entirely depend on your needs and level of expertise.

Our WordPress security plugin is installed on your WordPress website and scans your websites daily with our API data to check if any of your plugins or themes are affected by any new security vulnerabilities.

Our WordPress security scanner is targeted more towards security professionals and developers. It uses a command line interface and therefore may be too technical for some users. The WPScan security scanner uses a black box approach to scanning and will give a hacker's point of view of your website's security.

You can also use our API directly within your own products and services. This is great if you don't want to use our WordPress security plugin or security scanner. You can build your own products and services using our data.

Trusted by the world's biggest brands

Mercedes Benz Group
Penguin Random House

We know that there are others out there like Patchstack, but the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else.

Brent Stackhouse, VP of Security, WP Engine

One of our top priorities at Kinsta is security. WPScan is a valuable tool in our toolbelt providing a thorough and reliable WordPress vulnerability notification service.

Daniel Pataki, CTO, Kinsta