This plugin checks your system daily for possible vulnerabilities listed in the WPScan Vulnerability Database. An icon in the admin toolbar shows the total number of vulnerabilities found.

What does this plugin do?

  • Checks the WordPress core, plugins and themes for known vulnerabilities;
  • Shows an icon in the admin toolbar with the total number of vulnerabilities found;
  • Notifies you by e-mail when new vulnerabilities are found.



  • List of vulnerabilities and icon in the admin bar.
  • Notification settings.


  1. Upload the contents of wpscan.zip to the /wp-content/plugins/ directory
  2. Activate the plugin through the 'Plugins' menu in WordPress
  3. Sign up to get a free API token
  4. Save the API token on the WPScan settings page


  • How many API calls are made?
    There is one API call for the WordPress version, one call for each installed plugin and one for each theme, daily.

  • Why are the "Summary" section and the "Check Now" button not showing?
    The cron job did not run, which can be due to:

    • The DISABLE_WP_CRON constant is set to true in the wp-config.php file, but no system cron has been set (crontab -e).
    • A page-caching plugin is enabled (see https://wordpress.stackexchange.com/questions/93570/wp-cron-doesnt-execute-when-time-elapses?answertab=active#tab-top).
    • The blog is unable to make a loopback request; see Tools -> Site Health for details.

    If the issue cannot be solved with the above, putting define('ALTERNATE_WP_CRON', true); in the wp-config.php file could help; however, it will reduce the SEO of the blog.


March 22, 2020
As many users wrote, this is a useful plugin but needs an API service. Yes, it is free up to 50 API calls/day but it becomes expensive when you run several websites. I run 40 websites mainly using the same themes/plugins set, it is really annoying to pay more just because you are forced to request the same information several times. As a solution, query results could be cached and used more than one time for requests coming in within a 24-hour range...
February 25, 2020
Works well for me and saves me many hours over repeatedly checking my plugins manually. The 50 check limit is a bit inconvenient but workable, and I understand limits are unavoidable using the freemium model (WP has spoiled us such that we sometimes expect too much for free). Thank you for making this available. Favorited.
October 31, 2019
This plugin is much too expensive. 50 free API requests are not enough, and the plugin, or the Linux version, needs many credits for correct testing. This is an unusable plugin for free testing, and to increase your limit to 250 API requests per day you need to pay 25€ monthly. Not recommended, as it is a much too expensive solution.
October 29, 2019
Just recently discovered this is neatly packaged into a WordPress plugin. Great to be able to just tell people to install the plugin to run their site against wpvulndb. Thank you! 🙂
October 16, 2019
The free account on WPscan and its 50 request cap cannot cover a single website, and if you wait 24h it will check the whole site again, not prioritising plugins that haven't been checked yet. But wait, if you think paying for the 250 requests is going to solve the issue, you are wrong! This plugin has gone from must have to must delete!

Contributors & Developers

"WPScan" is open source software.

"WPScan" has been translated into 3 languages. Thank you to the translators for their contributions.




  • Use the new slug helper method on all items on the page


  • Better slug detection before calling the API


  • Prevent multiple tasks from running simultaneously
  • Check Now Button disabled and Spinner icon displayed when a task is already running
  • Results page automatically reloaded when Task is finished (checked every 10s)


  • Use the /status API endpoint to determine if the Token is valid. As a result, a call is no longer consumed when setting/changing the API token.
  • Trim and remove a potential leading 'v' in versions when comparing them with the fixed_in values.


  • Note about the paid API


  • Warning when the API limit is exceeded


  • Initial release.