Automating WPScan to scan and report vulnerable Wordpress sites
- Scan multiple sites with WPScan
- Define reporting emails addresses for every configured site individually and globally
- Parse WPScan output and divide the results in "Warnings", "Alerts", "Fixed" items, "Informations" and eventually "Errors"
- Mail notification and verbosity can be configred, additionnaly WPScan output can be attached to emails.
- Scan sites continuously at defined interval and handled VulnDB API limit.
- Local log file can be configured and also lists all the findings
- Define false positives strings for every configured site individually and globally
- Define WPScan arguments for every configured site individually and globally
- Speed up scans using several asynchronous workers
- Optionnal follow URL redirection if WPScan fails and propose to ignore main redirect
- Save raw WPScan results into files
- Parse the results differently whether wpscan argument
- WPScan (itself requires Ruby and some libraries).
- Python 3 (standard libraries)
- Tested on Linux and MacOS
pip3 install wpwatcher
pip3 install wpwatcher --upgrade
git clone
cd WPWatcher && python3 install
should be in your PATH
but you can always run the python script directly
python3 ./wpwatcher/ --url -v
See docker installation steps
- Clone the repository
- Install docker image
With the user UID, wpwatcher
will then run as this user. The following will use the current logged user UID. Won't work if you build the image as root.
docker image build \
--build-arg USER_ID=$(id -u ${USER}) \
-t wpwatcher .
- Create and map a WPWatcher folder containing your
file to the docker runner.wpwatcher
command would look like :
docker run -it -v '/path/to/wpwatcher.conf/folder/:/wpwatcher/.wpwatcher/' wpwatcher [...]
Or install without UID mapping, it will use docker volumes in order to write files and save reports
docker image build -t wpwatcher .
command would look like :
docker run -it -v 'wpwatcher_data:/wpwatcher/.wpwatcher/' wpwatcher
Try it out (No persistent storage)
docker run -it wpwatcher --url
Create an alias with volume mapping your good to go
alias wpwatcher="docker run -it -v 'volume-name-or-path-to-folder:/wpwatcher/.wpwatcher/' wpwatcher"
Simple usage, scan 2 sites with default config
wpwatcher --url
Load sites from text file , pass WPScan arguments , follow redirection if WPScan failed , use 5 asynchronous workers , email custom recepients if any alert or warning with full WPScan result attached and ignore the WPScan No WPVulnDB API Token warning.
wpwatcher --urls sites.txt \
--wpscan_args "--rua --force --stealthy" \
--follow_redirect --workers 5 \
--send --attach \
--email_to [email protected] [email protected] \
--fpstr "No WPVulnDB API Token given"
- The script must read a configuration file to setup mail server settings and other otions. Setup mail server settings and turn on send_email_report in the config file or use
if you want to receive reports. - The script will automatically try to delete all temp
files in/tmp/wpscan
before starting scans - You might want to use
(fail fast) when you're setting up and configuring the script. Abort scans when WPScan fails, useful to troubleshoot. - All messages are printed to
. - WPWatcher store a database of reports and compare reports one scan after another to notice for fixed issues and implement
config . Default location is~/.wpwatcher/wp_reports.json
. Setwp_reports=null
in the config to disable the storage of the Json file, the database will still be stored in memory when using--daemon
- One or more WPScan command failed
- Unable to send one or more email report
- Other errors
The script must read a configuration file to setup mail server settings and other otions. Setup mail server settings and turn on send_email_report
in the config file or use --send
if you want to receive reports.
See Full configuration options section below to see list of configurables values with CLI arguments and shortcuts.
Select config file with --conf File path
. You can specify multiple files. Will overwrites the keys with each successive file. If not specified, it will try to load config from files ~/.wpwatcher/wpwatcher.conf
, ~/wpwatcher.conf
and ./wpwatcher.conf
, in this order.
Create and edit a new config file from template. ( --template_conf
argument print a default config file )
wpwatcher --template_conf > ./wpwatcher.conf
vim ./wpwatcher.conf
Other arguments will simply overwrite config values.
See complete list of options in the section Full configuration options bellow or use wpwatcher --help
to see options configurable with CLI.
You need a WPScan API token in order to show vulnerability data and be alerted of vulnerable WordPress or plugin. If you have large number of sites to scan, you'll probably can't scan all your sites because of the limited amount of daily API request. Turn on api_limit_wait
to wait 24h and contuinue scans when API limit si reached.
If no API token is provided to WPScan, scans will still trigger WARNING emails with outdated plugin or WordPress version.
Please make sure you respect the WPScan license.
See details and how to
Configure :
: i.e.12h
Recommended to use --daemon
argument and not the config file value, otherwise wpwatcher
will start by default in daemon mode.
Launch WPWatcher in daemon mode:
wpwatcher --daemon [--urls ./my_sites.txt] ...
Let's say you have 20 WordPress sites to scan but your API limit is reached after 8 sites, the program will sleep 24h and continue until all sites are scanned (2 days later). Then will sleep the configured time and start again.
Tip: wpwatcher
and wpscan
might not be in your execution environement PATH
. If you run into file not found error, try to configure the full paths to executables and config files.
Note: By default a different database file will be used when using daemon mode ~/.wpwatcher/wp_reports.daemon.json
Setup WPWatcher as a service.
Create and configure the service file
systemctl edit --full --force wpwatcher.service
in the following template service file:[Unit] Description=WPWatcher StartLimitIntervalSec=0 [Service] Type=simple Restart=always RestartSec=1 ExecStart=/usr/local/bin/wpwatcher --daemon User=user [Install]
Enable the service to start on boot
systemctl daemon-reload systemctl enable wpwatcher.service
The service can be started/stopped with the following commands:
systemctl start wpwatcher.service systemctl stop wpwatcher.service
Follow logs
journalctl -u wpwatcher -f
For other systems, please refer to the appropriate documentation
Caution: do not configure crontab execution and continuous scanning at the same time .
See contab usage
- Crontab usage:
0 0 * * * wpwatcher --quiet
To print only ERRORS and WPScan ALERTS, use --quiet
or set quiet=Yes
in your config.
You'll receive email alerts with cron MAILTO
feature. Add >/dev/null
to ignore.
Crontab with multiple config files usage:
: contains all configurations exceptwp_wites
: contains first X urlssite2.txt
: contain the rest ...
In your crontab, configure script to run at your convenience. For exemple, with two lists :
# Will run at 00:00 on Monday:
0 0 * * 1 wpwatcher --conf wpwatcher.conf --urls site1.txt --quiet
# Will run at 00:00 on Tuesday:
0 0 * * 2 wpwatcher --conf wpwatcher.conf --urls sites2.txt --quiet
Warning, this kind of setup can lead into having two wpwatcher
executions at the same time. This might result into failure and/or database corruption because of conccurent accesses to reports database file.
Simple configuration file without SMTP authentication
wp_sites= [ {"url":""},
{"url":""} ]
wpscan_args=[ "--format", "json",
"--api-token", "YOUR_API_TOKEN" ]
email_to=["[email protected]"]
from_email[email protected]
You can store the API Token in the WPScan default config file at ~/.wpscan/scan.yml
and not supply it via the wpscan CLI argument in the WPWatcher config file. See WPSacn readme.
See all configuration options with explanatory comments.
Path to wpscan executable.
With RVM could be /usr/local/rvm/gems/default/wrappers/wpscan
Path is parsed with shlex.
If missing, assume wpscan
is in your PATH
Global WPScan arguments.
Must be a valid Json string.
See wpscan --help
for more informations about WPScan options
wpscan_args=[ "--format", "cli",
"--detection-mode", "aggressive",
"--enumerate", "t,p,tt,cb,dbe,u,m"]
Overwrite with --wpargs "WPScan arguments"
. If you run into option parsing error, start the arguments string with a space or use equals sign --wpargs="[...]"
to avoid argparse bug.
You can use this to ignore some warnmings or alerts.
False positives will still be processed as infos: Use with care.
Must be a valid Json string
false_positive_strings=["You can get a free API token with 50 daily requests by registering at"]
List of dictionnary having a url, custom email report recepients, false positives and specific wpscan arguments.
Each dictrionnary must contain at least a "url"
Must be a valid Json string.
Must be supplied with config file or argument.
wp_sites= [
"email_to":["[email protected]"],
"false_positive_strings":["Vulnerability 123"],
"email_to":["[email protected]"],
"false_positive_strings":["Vulnerability 456"]
"email_to":["[email protected]"]
Overwrite with arguments: --url URL [URL...]
or --urls File path
. Custom email report recepients, false positives and specific wpscan arguments are not supported with CLI arguments
- Whether to send emails for alerting of the WPScan result (ALERT or other).
If missing, default to No
Overwrite with arguments: --send
- Whether to report warnings and track the warnings fixes.
Will send WARNING notifications and will include warnings in ALERT reports.
If missing, default to Yes
- Wheter to include Informations in the reports. Send INFO notifications if no warnings or alerts are found.
If missing, default to No
Overwrite with arguments: --infos
- Send ERROR notifications if wpscan failed.
If missing, default to No
Overwrite with arguments: --errors
- Attach text output file with raw WPScan output when sending a report
Overwrite with arguments: --attach
- Global email report recepients, will always receive email reports for all sites.
Must be a valid Json string
email_to=["[email protected]"]
Overwrite with arguments: --email_to Email [Email...]
- Minimum time inverval between sending two report with the same status. Examples of valid strings:
If missing, default to0s
Overwrite with arguments: --resend Time string
- Send any error email to those addresses and not to other recepients (
Applicable only ifsend_errors=Yes
Must be a valid Json string
email_errors_to=["[email protected]"]
- Send email reports as
from_email[email protected]
- SMTP Email server and port
- SMTP Use authentication. If missing, default to No
- SMTP Username
- SMTP Password
Wait 24h when API limit has been reached.
Default behaviour will consider the API limit as a WPScan failure and continue the scans (if not fail_fast) leading into making lot's of failed commands
Overwrite with arguments: --wait
- Daemon mode: loops forever. If missing, default to No
Overwrite with arguments: --daemon
- Sleep time between two scans.
If missing, default to0s
Overwrite with argument: --loop Time string
- Quiet Print only errors and WPScan ALERTS
Overwrite with arguments: --quiet
- Verbose terminal output and logging.
Print WPScan raw output and parsed WPScan results.
Overwrite with arguments: --verbose
- Local log file
Overwrite with argument: --log File path
- Save WPScan results to files as they are scanned
Overwrite with argument: --wpout Folder path
- Raise exceptions with stack trace or exit when WPScan failed.
Default behaviour is to log error, continue scans and return non zero status code when all scans are over
Overwrite with arguments: --ff
- Reports database file.
If missing, will figure out a place based on your environment to store the database. Usenull
keyword to disable the storage of the Json database file.
Overwrite with arguments: --reports File path
- Number of asynchronous workers. Speed up the scans.
If missing, default to1
, synchronous iterating.
Overwrite with arguments: --workers Number
- Follow redirection when WPScan failed and propose to use
If missing, default toNo
Overwrite with arguments: --follow
See options configurable with CLI, run wpwatcher --help
One report is generated per site and the reports are sent individually when finished scanning a website.
Email notification can have 5 status:
: You have a vulnerable Wordpress, theme or pluginWARNING
: You have an oudated Wordpress, theme or pluginFIXED
: All issues are fixed or ignored (warnings included ifsend_warnings=Yes
: WPScan did not find any issues with your siteERROR
: WPScan failed
Tip: set "--format","json"
in wpscan_args
config option to use the json parsing feature and have more concise email text.
Alerts, Warnings and Infos might differ whether you're using cli or json format.
Log file and stdout outputs are easily grepable with the following log levels and keywords:
: Only used forWPScan ALERT
: WPScan failed, send report failed or other errorsWARNING
: Only used forWPScan WARNING
: Used for info output ,WPScan INFO
: Used for debug outup and raw WPScan output.
In addition to log messages, the readable report, and raw WPScan output can be printed with --verbose
See output sample
% wpwatcher --url
INFO - Load config file(s) : ['./wpwatcher.conf']
INFO - Updating WPScan
INFO - Deleted temp WPScan files in /tmp/wpscan/
INFO - WordPress sites and configuration:
wp_sites = [{"url": ""}, {"url": ""}, {"url": ""}]
send_email_report = True
send_errors = True
email_to = []
send_infos = True
quiet = False
verbose = False
attach_wpscan_output = True
fail_fast = False
api_limit_wait = False
daemon = False
daemon_loop_sleep = 0:05:00
resend_emails_after = 5 days, 0:00:00
wp_reports = ./test.json
asynch_workers = 1
log_file =
follow_redirect = True
send_warnings = False
false_positive_strings = ["You can get a free API token with 50 daily requests by registering at"]
email_errors_to = []
wpscan_path = wpscan
wpscan_args = ["--format", "cli", "--no-banner", "--random-user-agent", "--disable-tls-checks"]
smtp_server =
smtp_auth = False
smtp_user =
smtp_pass = ***
smtp_ssl = False
from_email =
INFO - Load wp_reports database: ./test.json
INFO - Starting scans on 3 configured sites
INFO - Scanning site
INFO - ** WPScan INFO ** [+] URL: [] [+] Effective URL: [+] Started: Wed Apr 8 23:48:55 2020
INFO - ** WPScan INFO ** Interesting Finding(s):
INFO - ** WPScan INFO ** [+] Headers | Interesting Entries: | - cf-cache-status: DYNAMIC | - expect-ct: max-age=604800, report-uri="" | - server: cloudflare | - cf-ray: 58114157ff55ca53-YUL | Found By: Headers (Passive Detection) | Confidence: 100%
INFO - ** WPScan INFO ** [+] This site seems to be a multisite | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | Reference:
INFO - ** WPScan INFO ** [+] WordPress theme in use: julesr-aeets | Location: | Style URL: | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | The version could not be determined.
INFO - ** WPScan INFO ** [+] Enumerating All Plugins (via Passive Methods)
INFO - ** WPScan INFO ** [i] No plugins Found.
INFO - ** WPScan INFO ** [+] Enumerating Config Backups (via Passive and Aggressive Methods)
INFO - ** WPScan INFO ** Checking Config Backups -: |=============================================================================================================================================================================================================================================================================|
INFO - ** WPScan INFO ** [i] No Config Backups Found.
INFO - ** WPScan INFO ** [+] Finished: Wed Apr 8 23:49:02 2020 [+] Requests Done: 55 [+] Cached Requests: 4 [+] Data Sent: 17.677 KB [+] Data Received: 153.06 KB [+] Memory used: 213.473 MB [+] Elapsed time: 00:00:06
INFO - ** WPScan INFO ** [False positive] [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at
WARNING - ** WPScan WARNING ** [+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13). | Found By: Meta Generator (Passive Detection) | -, Match: 'WordPress 5.1.1' | Confirmed By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection) | -
INFO - Not sending WPWatcher WARNING email report because no email are configured for site
INFO - Write 1 wp_report(s) in the database ./test.json
INFO - Progress - [========= ] 33% - 1 / 3
INFO - Scanning site
INFO - ** WPScan INFO ** [+] URL: [] [+] Effective URL: [+] Started: Wed Apr 8 23:49:10 2020
INFO - ** WPScan INFO ** Interesting Finding(s):
INFO - ** WPScan INFO ** [+] Headers | Interesting Entries: | - server: nginx | - x-powered-by: PHP/5.6.40, PleskLin | Found By: Headers (Passive Detection) | Confidence: 100%
INFO - ** WPScan INFO ** [+] WordPress version 5.4 identified (Latest, released on 2020-03-31). | Found By: Rss Generator (Passive Detection) | -, <generator></generator> | -, <generator></generator>
INFO - ** WPScan INFO ** [+] WordPress theme in use: catch-responsive | Location: | Latest Version: 2.7.5 (up to date) | Last Updated: 2020-01-31T00:00:00.000Z | Style URL: | Style Name: Catch Responsive | Style URI: | Description: Catch Responsive is an extremely flexible and customizable Responsive WordPress theme suitable for a... | Author: Catch Themes | Author URI: | Found By: Css Style In Homepage (Passive Detection) | Confirmed By: Css Style In 404 Page (Passive Detection) | Version: 2.7.5 (80% confidence) | Found By: Style (Passive Detection) | -, Match: 'Version: 2.7.5'
INFO - ** WPScan INFO ** [+] Enumerating All Plugins (via Passive Methods) [+] Checking Plugin Versions (via Passive and Aggressive Methods)
INFO - ** WPScan INFO ** [i] Plugin(s) Identified:
INFO - ** WPScan INFO ** [+] feature-a-page-widget | Location: | Latest Version: 2.1.1 | Last Updated: 2018-12-05T16:38:00.000Z | Found By: Urls In Homepage (Passive Detection) | The version could not be determined.
INFO - ** WPScan INFO ** [+] siteorigin-panels | Location: | Latest Version: 2.10.15 | Last Updated: 2020-04-07T09:31:00.000Z | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | The version could not be determined.
INFO - ** WPScan INFO ** [+] so-widgets-bundle | Location: | Latest Version: 1.16.0 | Last Updated: 2020-04-07T09:37:00.000Z | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | The version could not be determined.
INFO - ** WPScan INFO ** [+] wordpress-seo | Location: | Latest Version: 13.4.1 (up to date) | Last Updated: 2020-04-08T06:05:00.000Z | Found By: Comment (Passive Detection) | Version: 13.4.1 (60% confidence) | Found By: Comment (Passive Detection) | -, Match: 'optimized with the Yoast SEO plugin v13.4.1 -'
INFO - ** WPScan INFO ** [+] Enumerating Config Backups (via Passive and Aggressive Methods)
INFO - ** WPScan INFO ** Checking Config Backups -: |=============================================================================================================================================================================================================================================================================|
INFO - ** WPScan INFO ** [i] No Config Backups Found.
INFO - ** WPScan INFO ** [+] Finished: Wed Apr 8 23:49:25 2020 [+] Requests Done: 66 [+] Cached Requests: 4 [+] Data Sent: 17.715 KB [+] Data Received: 317.92 KB [+] Memory used: 208.801 MB [+] Elapsed time: 00:00:15
INFO - ** WPScan INFO ** [False positive] [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at
WARNING - ** WPScan WARNING ** [+] tablepress | Location: | Last Updated: 2020-04-01T08:54:00.000Z | [!] The version is out of date, the latest version is 1.11 | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | Version: 1.9.2 (10% confidence) | Found By: Query Parameter (Passive Detection) | -
INFO - Not sending WPWatcher WARNING email report because no email are configured for site
INFO - Write 1 wp_report(s) in the database ./test.json
INFO - Progress - [=================== ] 66% - 2 / 3
INFO - Scanning site
ERROR - WPScan failed with exit code 4. WPScan output: Scan Aborted: The url supplied '' seems to be down (Timeout was reached)
ERROR - Could not scan site
INFO - Not sending WPWatcher ERROR email report because no email are configured for site
INFO - Write 1 wp_report(s) in the database ./test.json
INFO - Progress - [==============================] 100% - 3 / 3
INFO - Results summary
Site Status Last email Issues Problematic component(s) WARNING None 1 [+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13). WARNING None 1 [+] tablepress ERROR None 1 WPScan failed with exit code 4.
INFO - Scans finished with errors.
Do not use on a json file currently used by a wpwatcher
Load default database
wpwatcher --wprs
Load specific file
wpwatcher --wprs ~/.wpwatcher/wp_reports.json
See guidelines and exemple
- Init config dict from file with
method - Customize the config if you want, you can overwrite any config values
- Create a
object with your desired configuration - Call
method. Return atuple (exit code, reports)
The prorgam will automatically load and use a local reports databse and return complete updated database. Setwp_reports
to only return scanned site reports.
from wpwatcher.config import WPWatcherConfig
from wpwatcher.core import WPWatcher
config, files = WPWatcherConfig(files=['./demo.conf']).build_config() # leave None to find default config file
config.update({ 'send_infos': True,
'wp_sites': [ {'url':''},
{'url':''} ],
'wpscam_args': ['--stealthy'],
'wp_reports': 'null'
exit_code, reports = w.run_scans_and_notify()
for r in reports:
print("%s\t\t%s"%( r['site'], r['status'] ))
See Releases
If you have any questions, please create a new issue.
If you like the project and think you could help with making it better, there are many ways you can do it:
- Create new issue for new feature proposal or a bug
- Implement existing issues
- Help with improving the documentation
- Spread a word about the project to your collegues, friends, blogs or any other channels
- Any other things you could imagine
- Any contribution would be of great help
- Florian Roth (Original author of WPWatcher v0.2)
- Tristan Landès