π WordPress Security Scanner - Find Leaks
Pricing
Pay per usage
π WordPress Security Scanner - Find Leaks
Probes WordPress REST API for endpoints leaking users, plugins, drafts, customers. 40% of the web runs WP. Counts only.
Pricing
Pay per usage
Rating
0.0
(0)
Developer
Renzo Madueno
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
16 days ago
Last modified
Categories
Share
WordPress REST API Security Scanner β Find user enumeration + draft leaks
Default WordPress exposes
/wp-json/wp/v2/usersto anonymous callers β returning every registered user's login slug, display name, and URL. That's user enumeration handed to an attacker on a plate, with no rate limit. Combine with/wp-json/wp/v2/plugins(CVE checklist) and you have a complete brute-force attack profile. This actor finds those leaks in 30 seconds.
WordPress powers ~43% of the web. Most installs run the default REST API with zero endpoint restrictions. This scanner probes the core + WooCommerce + common-plugin endpoints to surface every leak.
πΈ Found a leak? Two ways to get it fixed:
βοΈ Solo dev competing with bigger Apify publishers. A 30-second review is the single thing that lifts ranking. Thank you.
Why this exists
WordPress's REST API is on by default and mostly public by default. The core endpoints anyone can query without auth:
/wp-json/wp/v2/usersβ every user's slug + display name β username enumeration β brute-force target list/wp-json/wp/v2/posts?status=draftβ draft posts (CMS often allows this even though it shouldn't)/wp-json/wp/v2/pluginsβ installed plugin list β attacker's CVE checklist (Wordfence Premium 7.x.x? Now they know to try CVE-2024-xxxx)/wp-json/wp/v2/settingsβ site settings (admin email, blog name, etc.)/wp-json/wc/v3/customers(WooCommerce) β customer emails + addresses if API keys misconfigured/wp-json/wc/v3/ordersβ same risk
The WordPress security plugins (Wordfence, iThemes) catch some, miss others. This scanner is non-destructive β it only does GETs with no auth, just like an attacker would.
How to run
Either:
- Leave inputs empty + click Run for a DEMO sample report
- Provide your
wordpressUrlto scan your actual site
{"wordpressUrl": "https://your-site.com","endpointHints": ["custom/v1/private-route"],"outputFormat": "both"}
What you get
- HTML report in run's KV store: severity-coded findings, curl reproducers, paste-ready mu-plugin code to fix
- Dataset rows: one structured row per finding
Sample finding
[CRITICAL] /wp/v2/users β user enumerationTotal records: 12Description: User enumeration β usernames, slugs, display names exposedReproducer:curl 'https://your-site.com/wp-json/wp/v2/users'
How to fix (quick mu-plugin)
// wp-content/mu-plugins/disable-anon-rest.php<?phpadd_filter('rest_endpoints', function ($endpoints) {if (!current_user_can('list_users')) {unset($endpoints['/wp/v2/users']);unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);}return $endpoints;});add_filter('rest_pre_dispatch', function ($result, $server, $request) {$route = $request->get_route();$deny_anon = ['/wp/v2/plugins', '/wp/v2/themes', '/wp/v2/settings'];foreach ($deny_anon as $denied) {if (str_starts_with($route, $denied) && !current_user_can('manage_options')) {return new WP_Error('rest_forbidden', 'Forbidden.', ['status' => 401]);}}return $result;}, 10, 3);
Drop that file in wp-content/mu-plugins/ and re-run the scanner.
Plugin alternative
- Disable WP REST API β quickest, blocks ALL anon access
- WPS Hide Login β also moves wp-admin
- Wordfence Premium β REST API hardening rules
Ethical use
- Only scan sites you own or have explicit permission to scan
- Probes are read-only GETs with no auth, identical to what an unauthenticated visitor sees
Related
- $29 quick scan + report: buy.stripe.com/00w4gz9TWef0dWV4r0cAo0u
- $99 turnkey hardening: buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01
- Weekly auto-scans ($29/mo): rls-monitor.vercel.app
- Sister scanners for BaaS platforms: Supabase, Firebase, Strapi, Directus, Payload CMS, Convex, Hasura, PocketBase, Appwrite, Nhost.
Built and maintained by Renzo MadueΓ±o, founder of Rotate Pilot, aviation exam-prep software. More tools on GitHub.