Automated WordPress vulnerability checking with Wordshell and WPVulnDB

Nov 4, 2016

The WPScan Vulnerability Database (https://wpvulndb.com/) provides an excellent service for checking your WordPress core, themes and plugins for known vulnerabilities.

It is a little tedious to use manually (you have to enter your core version and the name and version of each theme and plugin one at a time), but an API is provided which can make this an automated process, provided you can also collect the core, theme and plugin versions automatically.

Anant Shrivastava wrote a tool which makes use of WP-CLI and the WPVulnDB to check your WordPress installation for vulnerabilities. It’s here on GitHub. It uses WP-CLI to extract the WordPress core, theme and plugin versions from your site, and then checks them against the WPVulnDB database. It uses version 1 of the WPVulnDB API so it’s a little out of date now but I think it still works. So if you’re using WP-CLI this is probably worth a look.
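To make the automated check concrete, here is an added example (not Anant’s tool and not wsvulndb_commandline) of the part of such a client that does the real work: take the component list WP-CLI produces, build the WPVulnDB lookups, and compare each installed version against the advisory’s `fixed_in` field. It runs offline: the plugin listing below is a constructed sample in the shape `wp plugin list --format=json` emits, the vulnerability data is a constructed sample in the shape of a WPVulnDB v2 response (plugin slugs, titles and versions are made up, not real advisories), and the `/api/v2/...` path layout, including requesting the core version with the dots stripped, is an assumption about the v2 API rather than something the post states.

```python
"""Offline demonstration of the comparison an automated WPVulnDB client makes.

Added example, not code from this post or the tools it mentions. Assumes:
  - installed components arrive in the JSON shape of
    `wp plugin list --format=json` (keys: name, status, update, version);
  - advisory data arrives in the shape of a WPVulnDB v2 response:
    {slug: {"vulnerabilities": [{"title", "vuln_type", "fixed_in"}]}};
  - the v2 API path layout below (assumption; check against the live docs).
"""
import json
import re

VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:[-.]?([0-9A-Za-z]+))?")


def parse_version(v):
    """Turn '4.6.1', '1.2' or '1.3-beta1' into a comparable tuple.

    Numeric parts compare numerically (so 1.10 > 1.9), missing parts count
    as zero (1.2 == 1.2.0), and a pre-release tag sorts before the release.
    """
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError("unparseable version: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    pre = m.group(2) or ""
    return (nums, 1 if pre == "" else 0, pre)


def is_vulnerable(installed, fixed_in):
    """An advisory with no fixed_in has no fix released: always report it."""
    if not fixed_in:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def api_path(kind, key):
    """Assumed WPVulnDB v2 path shape: kind is 'plugins', 'themes' or
    'wordpresses'; core versions are requested with the dots removed."""
    if kind == "wordpresses":
        key = key.replace(".", "")
    return "/api/v2/%s/%s" % (kind, key)


def check_components(installed, vulndb):
    """Return one finding per (component, advisory) where the installed
    version is older than the fix. Inactive plugins are checked too: their
    files are still on disk and reachable, so deactivating is not a fix."""
    findings = []
    for comp in installed:
        slug = comp["name"]
        entry = vulndb.get(slug)
        if not entry:
            continue  # slug unknown to the database (a 404 on the live API)
        for vuln in entry.get("vulnerabilities", []):
            if is_vulnerable(comp["version"], vuln.get("fixed_in")):
                findings.append({
                    "slug": slug,
                    "installed": comp["version"],
                    "status": comp.get("status", ""),
                    "title": vuln.get("title", ""),
                    "fixed_in": vuln.get("fixed_in"),
                })
    return findings


# Constructed sample of `wp plugin list --format=json` output (made-up slugs).
WP_CLI_PLUGINS = json.loads("""[
  {"name": "akismet",         "status": "active",   "update": "none",      "version": "3.2"},
  {"name": "example-gallery", "status": "inactive", "update": "available", "version": "1.4.2"},
  {"name": "example-forms",   "status": "active",   "update": "none",      "version": "2.0.0"}
]""")

# Constructed sample in the shape of WPVulnDB v2 responses; not real advisories.
VULNDB = {
    "example-gallery": {"vulnerabilities": [
        {"title": "Sample unauthenticated upload (fixed in 1.5)", "vuln_type": "UPLOAD", "fixed_in": "1.5"},
        {"title": "Sample reflected XSS (fixed in 1.3.1)", "vuln_type": "XSS", "fixed_in": "1.3.1"},
    ]},
    "example-forms": {"vulnerabilities": [
        {"title": "Sample stored XSS (no fix released)", "vuln_type": "XSS", "fixed_in": None},
    ]},
}


if __name__ == "__main__":
    for f in check_components(WP_CLI_PLUGINS, VULNDB):
        print("%s %s (%s): %s; fixed in %s" % (
            f["slug"], f["installed"], f["status"], f["title"], f["fixed_in"] or "no fix yet"))
```

In use, `WP_CLI_PLUGINS` would be replaced by the real output of `wp plugin list --format=json` (and `wp theme list --format=json` for themes), and `VULNDB` by the body of one API request per slug built with `api_path`. Two things the comparison gets right that a naive string compare does not: `1.10` is newer than `1.9`, and an advisory with an empty `fixed_in` is reported regardless of the installed version.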

Unfortunately for me, it seems most of my clients’ websites don’t allow SSH access so I’m stuck with FTP. This is mostly why I purchased Wordshell, which is an excellent piece of software for managing multiple instances of WordPress. It doesn’t require SSH or a plugin to be installed, which is awesome.

Another Wordshell customer requested some sort of tool which would do for Wordshell what Anant’s command-line vulnerability reporter does for WP-CLI. I thought that was a great idea, so I made it myself. You can find my wsvulndb_commandline tool here.

If you use Wordshell, please give this a go and provide feedback!