WPScan WordPress Security Scanner - Scans your system for security vulnerabilities listed in the WPScan Vulnerability Database.
== Description ==
The WPScan WordPress security plugin is unique in that it uses its own manually curated [WPScan WordPress Vulnerability Database](https://wpscan.com/). The vulnerability database has been around since 2014 and is updated on a daily basis by dedicated WordPress security specialists and the community at large. The database includes more than 21,000 known security vulnerabilities. The plugin uses this database to scan for [WordPress vulnerabilities](https://wpscan.com/wordpresses), [plugin vulnerabilities](https://wpscan.com/plugins) and [theme vulnerabilities](https://wpscan.com/themes), and has the options to schedule automated daily scans and to send email notifications.
WPScan has a Free API plan that should be suitable for most WordPress websites, however, also has paid plans for users who may need more API calls. To use the WPScan WordPress Security Plugin you will need to use a free API token by [registering here](https://wpscan.com/).
<strong>The Free plan allows 25 API requests per day. View the different available [API plans](https://wpscan.com/api).</strong>
= How many API requests do you need? =
* Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin and one request per installed theme.
* On average, a WordPress website has 22 installed plugins.
* The Free plan should cover around 50% of all WordPress websites.
= Security Checks =
The WPScan WordPress Security Plugin will also check for other security issues, which do not require an API token, such as:
* Check for debug.log files
* Check for wp-config.php backup files
* Check if XML-RPC is enabled
* Check for code repository files
* Check if default secret keys are used
* Check for exported database files
* Weak passwords
* HTTPS enabled
= What does the plugin do? =
* Scans for known WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities;
* Does additional security checks;
* Shows an icon on the Admin Toolbar with the total number of security vulnerabilities found;
* Notifies you by mail when new security vulnerabilities are found.
1. Upload `wpscan.zip` content to the `/wp-content/plugins/` directory
2. Activate the plugin through the 'Plugins' menu in WordPress
3. [Register](https://wpscan.com/register) for a free API token
4. Save the API token to the WPScan settings page or within the wp-config.php file
== Frequently Asked Questions ==
= How many API calls are made? =
There is one API call made for the WordPress version, one call for each installed plugin and one for each theme. By default there is one scan per day. The number of daily scans can be configured when configuring notifications.
= How can I configure the API token in the wp-config.php file? =
To configure your API token in the wp-config.php file, use the following PHP code: `define( 'WPSCAN_API_TOKEN', '$your_api_token' );`
= How do I disable vulnerability scanning altogether? =
You can set the following PHP constant in the wp-config.php file to disable scanning; `define( 'WPSCAN_DISABLE_SCANNING_INTERVAL', true );`.
= Why is the "Summary" section and the "Run All" button not showing? =
The cron job did not run, which can be due to:
- The DISABLE_WP_CRON constant is set to true in the wp-config.php file, but no system cron has been set (crontab -e).
- A plugin's caching pages is enabled (see https://wordpress.stackexchange.com/questions/93570/wp-cron-doesnt-execute-when-time-elapses?answertab=active#tab-top).
- The blog is unable to make a loopback request, see the Tools->Site Health for details.
If the issue can not be solved with the above, putting `define('ALTERNATE_WP_CRON', true);` in the wp-config.php could help, however, will reduce the SEO of the blog.
