# WordPress REST API Security Scanner (`renzomacar/wordpress-security-scanner`) Actor

Probes WordPress REST API for endpoints leaking users, plugins, drafts, customers. 40% of the web runs WP. Counts only.

- **URL**: https://apify.com/renzomacar/wordpress-security-scanner.md
- **Developed by:** [Renzo Madueno](https://apify.com/renzomacar) (community)
- **Categories:** Developer tools
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## WordPress REST API Security Scanner — Find user enumeration + draft leaks

> **Default WordPress exposes `/wp-json/wp/v2/users` to anonymous callers — returning every registered user's login slug, display name, and URL.** That's user enumeration handed to an attacker on a plate, with no rate limit. Combine with `/wp-json/wp/v2/plugins` (CVE checklist) and you have a complete brute-force attack profile. **This actor finds those leaks in 30 seconds.**

WordPress powers ~43% of the web. Most installs run the default REST API with zero endpoint restrictions. This scanner probes the core + WooCommerce + common-plugin endpoints to surface every leak.

> 💸 **Found a leak?** Two ways to get it fixed:
> - **$29** quick scan + 1-page report in 24h ([Stripe](https://buy.stripe.com/00w4gz9TWef0dWV4r0cAo0u)) — for when you want sanity check before committing
> - **$99** full hardening — I write a mu-plugin tailored to your site + install + verify, 48h, money-back ([Stripe](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01))

> ⭐️ **Solo dev competing with bigger Apify publishers.** A [30-second review](https://apify.com/renzomacar/wordpress-security-scanner#reviews) is the single thing that lifts ranking. Thank you.

### Why this exists

WordPress's REST API is **on by default** and **mostly public by default**. The core endpoints anyone can query without auth:

- `/wp-json/wp/v2/users` — every user's slug + display name → username enumeration → brute-force target list
- `/wp-json/wp/v2/posts?status=draft` — draft posts (CMS often allows this even though it shouldn't)
- `/wp-json/wp/v2/plugins` — installed plugin list → attacker's CVE checklist (Wordfence Premium 7.x.x? Now they know to try CVE-2024-xxxx)
- `/wp-json/wp/v2/settings` — site settings (admin email, blog name, etc.)
- `/wp-json/wc/v3/customers` (WooCommerce) — customer emails + addresses if API keys misconfigured
- `/wp-json/wc/v3/orders` — same risk

WordPress security plugins (Wordfence, iThemes) catch some of these and miss others. This scanner is **non-destructive** — it only does unauthenticated GETs, exactly what an anonymous visitor can already do.

### How to run

Either:
1. **Leave inputs empty** + click **Run** for a DEMO sample report
2. **Provide your `wordpressUrl`** to scan your actual site

```json
{
  "wordpressUrl": "https://your-site.com",
  "endpointHints": ["custom/v1/private-route"],
  "outputFormat": "both"
}
```

### What you get

- **HTML report** in run's KV store: severity-coded findings, curl reproducers, paste-ready mu-plugin code to fix
- **Dataset rows**: one structured row per finding

### Sample finding

```
[CRITICAL] /wp/v2/users — user enumeration
Total records: 12
Description: User enumeration — usernames, slugs, display names exposed
Reproducer:
curl 'https://your-site.com/wp-json/wp/v2/users'
```

### How to fix (quick mu-plugin)

```php
<?php
// wp-content/mu-plugins/disable-anon-rest.php
// Nothing may precede the opening <?php tag: any output before it is sent to the
// client, corrupts the JSON response and triggers "headers already sent".

// Remove the user collection and single-user routes for anyone who cannot
// list users. Anonymous callers then get a 404 from the REST index.
add_filter('rest_endpoints', function ($endpoints) {
  if (!current_user_can('list_users')) {
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
  }
  return $endpoints;
});

// Deny plugin, theme and settings routes to anyone who is not an administrator,
// before the request is dispatched to the route handler.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
  $route = $request->get_route();
  $deny_anon = ['/wp/v2/plugins', '/wp/v2/themes', '/wp/v2/settings'];
  foreach ($deny_anon as $denied) {
    if (str_starts_with($route, $denied) && !current_user_can('manage_options')) {
      return new WP_Error('rest_forbidden', 'Forbidden.', ['status' => 401]);
    }
  }
  return $result;
}, 10, 3);
```

Drop that file in `wp-content/mu-plugins/` and re-run the scanner.
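If you would rather re-check the hardening yourself than re-run the Actor, the script below probes the same routes the README lists with plain unauthenticated GETs and prints findings in the layout of the sample finding above. It is an added example, not the Actor's code: the severity labels other than the CRITICAL on `/wp/v2/users`, the `rest-hardening-check` User-Agent and the `classify` heuristic (a 200 body holding a JSON array or a non-error object counts as a leak) are this example's assumptions.

```python
"""Re-check the README's REST routes after hardening (added example, not the Actor's code)."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Routes taken from the README's list. Severity labels are this example's assumption,
# except /wp/v2/users, which the README's sample finding marks CRITICAL.
PROBES = {
    "/wp/v2/users": ("CRITICAL", "user enumeration"),
    "/wp/v2/posts?status=draft": ("HIGH", "draft posts readable"),
    "/wp/v2/plugins": ("HIGH", "installed plugin list readable"),
    "/wp/v2/settings": ("HIGH", "site settings readable"),
    "/wc/v3/customers": ("CRITICAL", "WooCommerce customers readable"),
    "/wc/v3/orders": ("CRITICAL", "WooCommerce orders readable"),
}


@dataclass
class Finding:
    severity: str
    route: str
    title: str
    total_records: int
    reproducer: str


def classify(route: str, status: int, body: str,
             base_url: str = "https://your-site.com") -> Optional[Finding]:
    """Turn one anonymous GET result into a Finding, or None when nothing leaked.

    401/403 means the route is gated (what the mu-plugin produces), 404 means it is
    not registered (the rest_endpoints filter above), so only a 200 body counts.
    """
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if isinstance(data, list):
        count = len(data)
    elif isinstance(data, dict) and "code" not in data:  # a WP_Error body carries "code"
        count = 1
    else:
        count = 0
    if count == 0:
        return None
    severity, title = PROBES.get(route, ("INFO", "custom route readable anonymously"))
    return Finding(severity, route, title, count, f"curl '{base_url}/wp-json{route}'")


def format_finding(f: Finding) -> str:
    """Render one finding in the layout of the README's sample finding."""
    return (f"[{f.severity}] {f.route} - {f.title}\n"
            f"Total records: {f.total_records}\n"
            f"Reproducer:\n{f.reproducer}")


def probe(base_url: str, route: str, timeout: float = 10.0):
    """One unauthenticated GET; returns (status, body) and does not raise on HTTP errors."""
    req = urllib.request.Request(base_url.rstrip("/") + "/wp-json" + route,
                                 headers={"User-Agent": "rest-hardening-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def scan(base_url: str, endpoint_hints=()):
    """Probe the README's routes plus any endpointHints-style custom routes."""
    routes = list(PROBES) + [h if h.startswith("/") else "/" + h for h in endpoint_hints]
    findings = []
    for route in routes:
        status, body = probe(base_url, route)
        finding = classify(route, status, body, base_url)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python check.py https://your-site.com [custom/v1/private-route ...]
    for finding in scan(sys.argv[1], sys.argv[2:]):
        print(format_finding(finding), end="\n\n")
```

An empty result after installing the mu-plugin means every listed route now answers with an error status or an empty body to anonymous callers.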

### Plugin alternative

- **Disable WP REST API** — quickest, blocks ALL anon access
- **WPS Hide Login** — also moves wp-admin
- **Wordfence** Premium → REST API hardening rules

### Ethical use

- **Only scan sites you own** or have explicit permission to scan
- Probes are read-only GETs with no auth, identical to what an unauthenticated visitor sees

### Related

- **$29 quick scan + report**: [buy.stripe.com/00w4gz9TWef0dWV4r0cAo0u](https://buy.stripe.com/00w4gz9TWef0dWV4r0cAo0u)
- **$99 turnkey hardening**: [buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01)
- **Weekly auto-scans ($29/mo)**: [rls-monitor.vercel.app](https://rls-monitor.vercel.app/)
- **Sister scanners** for BaaS platforms: [Supabase](https://apify.com/renzomacar/supabase-rls-scanner), [Firebase](https://apify.com/renzomacar/firebase-security-auditor), [Strapi](https://apify.com/renzomacar/strapi-security-scanner), [Directus](https://apify.com/renzomacar/directus-security-scanner), [Payload CMS](https://apify.com/renzomacar/payload-security-scanner), [Convex](https://apify.com/renzomacar/convex-security-scanner), [Hasura](https://apify.com/renzomacar/hasura-security-scanner), [PocketBase](https://apify.com/renzomacar/pocketbase-security-scanner), [Appwrite](https://apify.com/renzomacar/appwrite-security-auditor), [Nhost](https://apify.com/renzomacar/nhost-security-scanner).

Built and maintained by Renzo Madueño, founder of [Rotate Pilot](https://rotatepilot.com), aviation exam-prep software. More tools on [GitHub](https://github.com/Perufitlife).

# Actor input Schema

## `wordpressUrl` (type: `string`):

Your WordPress site URL, e.g. https://your-site.com. Leave empty + click Run for a sample report.

## `endpointHints` (type: `array`):

Beyond the default WordPress core + common plugin endpoints, list custom routes you've registered.

## `outputFormat` (type: `string`):

JSON for programmatic use; HTML report saved to KV store under report.html.

## Actor input object example

```json
{
  "endpointHints": [],
  "outputFormat": "both"
}
```

# Actor output Schema

## `results` (type: `string`):

All result items as JSON.

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {};

// Run the Actor and wait for it to finish
const run = await client.actor("renzomacar/wordpress-security-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {}

# Run the Actor and wait for it to finish
run = client.actor("renzomacar/wordpress-security-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{}' |
apify call renzomacar/wordpress-security-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=renzomacar/wordpress-security-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "WordPress REST API Security Scanner",
        "description": "Probes WordPress REST API for endpoints leaking users, plugins, drafts, customers. 40% of the web runs WP. Counts only.",
        "version": "0.1",
        "x-build-id": "bjjZJlx0MdxDWXmvQ"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/renzomacar~wordpress-security-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-renzomacar-wordpress-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/renzomacar~wordpress-security-scanner/runs": {
            "post": {
                "operationId": "runs-sync-renzomacar-wordpress-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/renzomacar~wordpress-security-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-renzomacar-wordpress-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "wordpressUrl": {
                        "title": "WordPress Site URL (leave empty for DEMO)",
                        "type": "string",
                        "description": "Your WordPress site URL, e.g. https://your-site.com. Leave empty + click Run for a sample report."
                    },
                    "endpointHints": {
                        "title": "Extra REST endpoints to probe (optional)",
                        "type": "array",
                        "description": "Beyond the default WordPress core + common plugin endpoints, list custom routes you've registered.",
                        "default": [],
                        "items": {
                            "type": "string"
                        }
                    },
                    "outputFormat": {
                        "title": "Output format",
                        "enum": [
                            "json",
                            "html-report",
                            "both"
                        ],
                        "type": "string",
                        "description": "JSON for programmatic use; HTML report saved to KV store under report.html.",
                        "default": "both"
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
