WordPress Scanner

Scan all domains on your account for WordPress installations, check versions, list active plugins, and surface known vulnerabilities.

Last updated 1775606400

Go to Hosting Mode → WordPress → Scan.

The scanner inspects every domain and subdomain on your account, locates WordPress installations by detecting wp-config.php, and reports security and version status for each one.

What the Scanner Checks

The agent (POST /wordpress/scan) performs the following for each domain:

  1. Looks for wp-config.php in the domain's document root.
  2. Reads the WordPress version from wp-includes/version.php.
  3. Uses WP-CLI to retrieve the active theme and the full list of active plugins, including their installed versions.
  4. Checks detected plugin versions against WPScan vulnerability data to flag known-vulnerable versions.

Scan Results Table

Results appear as a table with one row per WordPress installation:

| Column | Description |
|---|---|
| Domain | The domain or subdomain where WP was found. |
| WP Version | Version badge — green if current, yellow if a minor update is available, red if a major update is available or if the version is end-of-life. |
| PHP Version | The PHP version the domain is currently running. |
| Active Plugins | Count with a link to expand the full plugin list. |
| Issues | Number of vulnerability warnings found. |
| Last Scanned | Timestamp of the most recent scan for this domain. |

Vulnerability Warnings

When a plugin version matches a known CVE in the WPScan database, the scanner flags it with a warning. The warning shows:

  • Plugin name and installed version
  • CVE identifier or vulnerability title
  • Severity (low / medium / high / critical)
  • Recommended action (usually: update to a specific version or remove the plugin)

[!WARNING] A clean scan result does not mean the site is fully secure — it only reflects what is detectable from the installed versions. Always follow the WordPress Best Practices.

When to Run a Scan

  • After adding a new domain to your account, to confirm the state of any pre-existing WP install.
  • Before and after running updates — use the scan to confirm all versions are current post-update.
  • On a regular schedule as part of a security audit. Running the scan weekly is a reasonable baseline.
  • Any time a public vulnerability is announced for a plugin you know is in use.

Triggering a Scan via SSH

If you prefer CLI access, you can run the scanner's version and plugin checks manually over SSH:

# Run WP-CLI directly to check plugin status on a specific install
wp plugin list --status=active --path=/home/username/domain.com/public_html/ --format=table

For cross-site bulk output:

# List WP version for each install under your account
for dir in /home/username/*/public_html; do
  if [ -f "$dir/wp-includes/version.php" ]; then
    echo "$dir"
    wp core version --path="$dir"
  fi
done

[!NOTE] Manual SSH checks report raw data. Only the panel scanner correlates versions against the WPScan vulnerability database.
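
The following is an added example, not part of the panel or its scanner: it extends the bulk loop above into an inventory that applies the scanner's first two steps (wp-config.php present, version read from wp-includes/version.php as text) and flags installs below a threshold you supply. The function names and the 6.0 threshold are illustrative assumptions, and like any manual check it does no WPScan correlation.

```sh
#!/bin/sh
# Added example (not the panel's code): mirrors scanner steps 1-2 by hand.
# Assumes the /home/username/<domain>/public_html layout used in the loop above.

# Print $wp_version from a version.php file, read as text (no PHP executed).
# Returns 1 when the file or the assignment is missing.
wp_version_from_file() {
  [ -f "$1" ] || return 1
  _v=$(sed -n 's/^[[:space:]]*\$wp_version[[:space:]]*=[[:space:]]*.\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1)
  [ -n "$_v" ] || return 1
  printf '%s\n' "$_v"
}

# Succeeds when dotted version $1 is lower than $2 (numeric, per component).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# wp_inventory BASE MIN_VERSION
# One tab-separated line per install: docroot, version, status.
# status: ok | outdated (below MIN_VERSION) | unknown (version.php unreadable)
wp_inventory() {
  for _dir in "$1"/*/public_html; do
    [ -f "$_dir/wp-config.php" ] || continue
    if _ver=$(wp_version_from_file "$_dir/wp-includes/version.php"); then
      if version_lt "$_ver" "$2"; then _st=outdated; else _st=ok; fi
    else
      _ver="-"; _st=unknown
    fi
    printf '%s\t%s\t%s\n' "$_dir" "$_ver" "$_st"
  done
}

# Usage: wp_inventory /home/username 6.0   (6.0 is a placeholder threshold)
```

An `unknown` row means wp-config.php exists but the version file is missing or unparsable, which is worth inspecting by hand.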