Sign Up for Free

RunKit +

Try any Node.js package right in your browser

This is a playground to test code. It runs a full Node.js environment and already has all of npm’s 400,000 packages pre-installed, including wpcheck with all npm packages installed. Try it out:

var wpcheck = require("wpcheck")

This service is provided by RunKit and is not affiliated with npm, Inc or the package authors.

wpcheck v1.2.0

Vulnerability scanner for WordPress


wpcheck is a Node.js CLI tool that allows you to quickly scan WordPress sites looking for known vulnerabilities, security issues and misconfigurations. wpcheck helps you secure and maintain your WordPress against hackers.

Dependency Status Code Climate Build Status Known Vulnerabilities



npm install --global wpcheck


yarn global add wpcheck
  • wpcheck requires Node.js >= 6 and npm.
  • Fix npm permissions if you get the Permission denied error.


wpcheck <url> [url] [options]

url → WordPress site URL (e.g.

Multiple URLs can be separated by spaces.


--help-hOutputs supplied help text.
--silent-sDisables success and info messages. Displays warnings only.
--version-vPrints wpcheck version.
--rules-dir-rLoads additional rules from a directory (see Custom rules).
--bulk-file-bReads additional WordPress site URLs from a text file (see Bulk scan).
--ignore-rule-iSkips loading and execution of a specific rule (see Ignore rules).
--user-agent-uDefines a custom User-Agent string. Default is wpcheck.

Quick examples

wpcheck --silent
wpcheck --rules-dir ~/path/to/custom/rules
wpcheck --bulk-file ~/path/to/sources.txt
wpcheck --user-agent "Netscape Gold"
wpcheck --ignore-rule wp-login.js

Default rules

wpcheck has a few rules that are enabled by default. Follow also our WordPress security best practices to fix vulnerabilities detected by wpcheck default rules.

1. Checks sensitive WordPress/Apache/Dot files for their availability
  • /wp-config.php
  • /wp-admin/maint/repair.php
  • /.htaccess
  • /.htpasswd
  • /.ssh
  • /.npmrc
  • /.gitconfig
  • /config.json
  • /wp-config-sample.php
  • /wp-content/debug.log
2. Scans WordPress login page for security issues
  • Basic access authentication
  • HTTPS protocol usage
3. Checks whether WordPress is affected by FPD vulnerability
4. Checks whether the Apache directory listing is activated

Custom rules

The power of wpcheck is the flexibility: You can expand the tool functionality by building their own rules, scans and checks. The option --rules-dir allows loading of user-defined rules from a custom directory.

  • The directory path
    • can be absolute or relative to the wpcheck folder
  • The custom rules
    • must be stored as .js files
    • can be a Node.js script
    • can be a npm package
    • must have an exported function named fire = ( data ) => {
    // Play with data
    // console.log( data )

wpcheck will run (technically require) every custom rule file. The file naming does not matter, short and unique names are welcome. Feel free to create your own rules, enjoy!

Get inspired

Ignore rule(s)

wpcheck can skip certain default and custom rules. The CLI option --ignore-rule takes a rule name, the rule name is the JavaScript file name of the rule without path. Multiple rule filtering is possible by a multiple use of the CLI option.

wpcheck --ignore-rule wp-login.js
wpcheck --ignore-rule wp-login.js --ignore-rule sensitive-files.js
wpcheck --rules-dir ./example/rules --ignore-rule custom-rule.js

Bulk scan

Multiple WordPress site URLs can be imported from a single file. This is a simple text file with one URL per line.

wpcheck -b ~/path/to/sources.txt

Use, don't abuse!

RunKit is a free, in-browser JavaScript dev environment for prototyping Node.js code, with every npm package installed. Sign up to share your code.
Sign Up for Free