WordPress Plugin Security Scanner
WordPress plugins are the #1 attack surface for WordPress sites — they're installed by millions of sites and written by developers with varying security expertise. Before installing a custom or premium plugin, upload the ZIP here to scan its PHP, JavaScript, and HTML files for SQL injection, XSS, file inclusion, command injection, hardcoded credentials, and 40+ other vulnerability patterns.
What wp-scan.org detects
- ✓ SQL injection via unsanitized input in custom queries
- ✓ Cross-site scripting in plugin front-end output
- ✓ Local and remote file inclusion vulnerabilities
- ✓ Hardcoded API keys, passwords, or database credentials
- ✓ CSRF vulnerabilities — missing nonce checks on admin actions
- ✓ Insecure direct object references in AJAX handlers
Scan your WordPress files now — free
Want to see what a Premium report looks like?
View a real scan with line numbers, fix guides, and secure code for every finding.
Common questions
Yes — download the plugin ZIP from wordpress.org and upload it here. Plugins in the official repository are reviewed, but reviews aren't exhaustive; scanning is still worthwhile for any plugin handling sensitive data.
Upload the plugin ZIP you received from the vendor. wp-scan.org doesn't transmit your files to any third party — scanning happens on the server and the ZIP is deleted immediately after.
Free scans support ZIP files up to 20 MB. Premium supports up to 150 MB — enough for the largest plugin collections.
See exact line numbers and fix guides for every finding
Upgrade to Premium — from $9.99/mo →