Threat Intel
43% of all websites run WordPress — making it the #1 attack surface worldwide
1 in 25 WordPress sites is actively infected with malware right now
97% of CMS-based attacks specifically target WordPress plugins & themes
50,000+ vulnerabilities indexed · WPScan threat database
71% of hacked WordPress sites had a backdoor silently installed
4,000+ plugins carry known, unpatched security vulnerabilities
Average breach goes undetected for 197 days — is your site clean?
Outdated plugins are responsible for 52% of all WordPress infections
SQL injection & XSS remain the top two WordPress attack vectors
60% of infections exploit a vulnerability that already had a patch available
wp-scan.org
Our Story

Built after a midnight
malware emergency.

A client call, a hacked WooCommerce store, and 6 hours hunting a single base64 backdoor. We decided there had to be a better way.

Rajan Gupta
Founder, wp-scan.org · India

I've been building WordPress sites and plugins for years. One night I got a call — a client's WooCommerce store had been flagged by Google. Revenue had dropped 80% in two hours. I spent the next six hours manually grepping through 3,000 PHP files looking for the infection.

I eventually found it: a base64_decode(eval()) shell, eight functions deep in an old payment plugin, placed there over 14 months ago. Completely invisible to the naked eye.

I built the first version of this scanner the next weekend. The idea was simple — every developer should be able to check a ZIP in under 10 seconds and know if something is wrong. No server install, no plugin, no monthly fees to find out.

That's still the product today: fast, honest, developer-first.

11 scans completed
567 threats detected
40+ vulnerability patterns

Our mission

WordPress powers 43% of the web — but most site owners and even experienced developers have no reliable way to check if their code is clean. We're changing that. wp-scan.org will always have a free tier because every WordPress site deserves to be checked, regardless of budget.

🚀 Fast: Results in under 10 seconds. No waiting, no queues.
🔓 Honest: Free tier that actually works, not just a teaser.
🛡️ Private: Uploaded files deleted immediately after scanning.

What we detect

🔴 Backdoors & Remote Code Execution
🔴 Base64-encoded eval() shells
🟠 SQL Injection vulnerabilities
🟠 Cross-Site Scripting (XSS)
🟠 Remote & Local File Inclusion
🟠 Obfuscated malware & spam injectors
🟡 Hardcoded credentials
🟡 Server & config leaks
🟢 Outdated function usage
🟢 Command injection patterns

And 30+ more patterns across PHP, JavaScript, and HTML files.
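To make the categories above concrete, here is an added example of how a static pattern scanner of this kind works. It is illustrative code written for this page, not wp-scan.org's own scanner or rule set: the regexes, the `scan_zip`/`scan_text` function names and the sample plugin files are all constructed here. It scans an in-memory ZIP for a few of the listed patterns (eval() of a decoded payload, request input concatenated into a `$wpdb` query, secret-looking literals) and additionally decodes long base64 string literals to see whether PHP code is hiding inside them. The sample "payload" decodes to a harmless echo.

```python
import base64
import binascii
import io
import re
import zipfile
from dataclasses import dataclass

# Illustrative rule set in the spirit of the categories listed above.
# These are constructed for this example, not wp-scan.org's actual signatures.
RULES = [
    ("backdoor", "eval() of a decoded/unpacked payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("backdoor", "request parameter used as a callable",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("command_injection", "shell function fed directly from request input",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("sqli", "request input concatenated into a $wpdb query",
     re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\([^;]*\.\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("hardcoded_credentials", "secret-looking variable assigned a string literal",
     re.compile(r"\$\w*(password|passwd|secret|api_key|apikey)\w*\s*=\s*['\"][^'\"]{6,}['\"]", re.I)),
]

# Long base64 string literals are decoded and checked for PHP code inside.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
PHP_MARKERS = (b"<?php", b"eval(", b"$_POST", b"$_GET", b"system(")
SCANNED_EXT = (".php", ".js", ".html", ".htm")


@dataclass
class Finding:
    path: str
    line: int
    category: str
    description: str
    snippet: str


def decodes_to_php(literal: str) -> bool:
    """True if a base64 literal decodes to something that looks like PHP code."""
    try:
        decoded = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return False
    return any(marker in decoded for marker in PHP_MARKERS)


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule line by line. Real obfuscation often spans lines or
    builds strings by concatenation, so a production scanner would also
    normalise whitespace and string building before matching."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, description, rx in RULES:
            if rx.search(line):
                findings.append(Finding(path, lineno, category, description, line.strip()[:120]))
        for m in B64_LITERAL.finditer(line):
            if decodes_to_php(m.group(1)):
                findings.append(Finding(path, lineno, "obfuscation",
                                        "base64 literal decodes to PHP code", line.strip()[:120]))
    return findings


def scan_zip(data: bytes) -> list[Finding]:
    """Scan every PHP/JS/HTML member of a ZIP held in memory (nothing is extracted to disk)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCANNED_EXT):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            findings.extend(scan_text(info.filename, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample plugin (not real plugin code); the "payload" decodes to a harmless echo.
SAMPLE_PAYLOAD = base64.b64encode(b"<?php echo 'decoded sample'; ?>").decode()
SAMPLE_FILES = {
    "plugin/clean.php": "<?php\nfunction greet() { return esc_html('hi'); }\n",
    "plugin/inc/legacy.php": "<?php\n// constructed sample\neval(base64_decode('" + SAMPLE_PAYLOAD + "'));\n",
    "plugin/admin.php": "<?php\n$rows = $wpdb->get_results(\"SELECT * FROM t WHERE id=\" . $_GET['id']);\n",
    "plugin/config.php": "<?php\n$smtp_password = 'ConstructedSample123';\n",
    "plugin/readme.txt": "eval(base64_decode('x')) -- ignored, not a scanned extension\n",
}


def build_sample_zip() -> bytes:
    """Pack the constructed sample files into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in SAMPLE_FILES.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_zip(build_sample_zip())
    for f in results:
        print(f"{f.path}:{f.line} [{f.category}] {f.description}\n    {f.snippet}")
    print(summarize(results))
```

Run as-is it reports four findings across three of the four PHP files and leaves `clean.php` alone. Two design points worth noting: the base64 rule decodes the literal and looks for PHP markers rather than flagging every long string, which keeps legitimate embedded images and fonts out of the results, and the whole scan works on the ZIP in memory, so nothing from an untrusted upload ever touches the filesystem.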


Questions or feedback?

We read every email and respond within 24 hours.