WordPress Security Scan Features

With more than 24% of websites on the Internet running WordPress, and a 60% share of the Content Management System (CMS) market, WordPress security is becoming an increasingly important factor in an organization’s security posture. While WordPress’ core is designed with security in mind, the same cannot be said for the thousands of plugins which extend the WordPress ecosystem. Unfortunately, thousands of WordPress plugins contain high-severity vulnerabilities. Unless vulnerable plugins are updated or disabled, they could allow attackers to easily compromise the integrity and availability of the site, gain access to the WordPress administrative interface and the database, as well as deface the site and trick users into phishing attacks, or use the site to distribute malware.

Scan for Over 1200 Vulnerable WordPress Plugins & Other WordPress-specific Misconfigurations

Scan for Vulnerable WordPress Plugins

Acunetix identifies WordPress installations, and will launch security tests for over 1200 popular WordPress plugins, as well as several other vulnerability tests for WordPress core vulnerabilities. In addition, Acunetix will also conduct other WordPress-specific configuration tests such as weak WordPress admin passwords, WordPress username enumeration, wp-config.php backup files, malware disguised as plugins and old versions of plugins.

The WordPress plugins detected are listed in the WordPress plugins Knowledge Base, including a description, the version number detected and the latest version of the plugin to update to. Similar checks are also performed on other Content Management Systems such as Joomla! and Drupal.

WordPress Configuration File Disclosure

Although most of the common configuration settings are available through the WordPress admin interface, the WordPress administrator might need to alter certain settings in wp-config.php directly. This is often done by first creating a backup of the known working configuration, and then manually altering the file in a text editor. However, the backup file becomes available to anyone who is able to guess its name.
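A defender-side check for the leftover copies described above, as an added example (not Acunetix code): it walks a document root on the server's own filesystem and reports files named like wp-config copies, noting whether the name lacks a PHP extension and whether the file mentions `DB_PASSWORD`. The filename shapes, the PHP extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions the server hands to PHP rather than serving as text.
PHP_EXTENSIONS = (".php", ".phtml")
# Files that legitimately start with "wp-config" in a stock install.
EXPECTED = {"wp-config.php", "wp-config-sample.php"}

def has_db_credentials(path, limit=65536):
    """True if the first `limit` bytes mention the DB_PASSWORD constant."""
    with open(path, "rb") as fh:
        return b"DB_PASSWORD" in fh.read(limit)

def find_config_copies(docroot):
    """Map relative path -> finding for leftover wp-config copies under docroot."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            lower = name.lower()
            # Editors prefix swap and autosave files with "." or "#".
            if lower in EXPECTED or not lower.lstrip(".#").startswith("wp-config"):
                continue
            path = os.path.join(dirpath, name)
            findings[os.path.relpath(path, docroot)] = {
                # No PHP extension: typically returned as source, not executed.
                "served_as_text": not lower.endswith(PHP_EXTENSIONS),
                "has_credentials": has_db_credentials(path),
            }
    return findings

def build_sample_docroot():
    """Constructed sample tree standing in for a real document root."""
    root = tempfile.mkdtemp(prefix="docroot-")
    secret = "<?php define('DB_PASSWORD', 'constructed-sample');\n"
    samples = {
        "wp-config.php": secret,
        "wp-config-sample.php": "<?php // template\n",
        "wp-config.php.bak": secret,
        "wp-config.php~": secret,
        "wp-config-old.php": secret,
        "index.php": "<?php\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, info in sorted(find_config_copies(build_sample_docroot()).items()):
        print(rel, info)
```

Copies that still end in `.php` are executed rather than served, but they are reported too because they hold stale credentials inside the web root.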

Username Enumeration and Weak Password Guessing

Acunetix runs tests for username enumeration of WordPress accounts. Enumerating usernames gives attackers a head start when attacking your WordPress installation, since an attacker would have the necessary information to launch a password dictionary attack against the enumerated usernames.

Based on the users identified during the scan, Acunetix will also attempt to detect if the enumerated users are using weak passwords based on a password list, as well as other combinations, including the use of leetspeak.

WordPress Vulnerability Alerts
WordPress, Joomla! and Drupal vulnerability tests

Not just WordPress

In addition to detection of vulnerable versions of WordPress core, plugins and misconfigurations, Acunetix can also detect vulnerabilities in Joomla! and Drupal installations. Following WordPress, Joomla! and Drupal are among the most widely deployed Content Management Systems (CMSs) and have their own share of vulnerabilities and misconfigurations.


Acunetix is available on premise and online.