WPScan
WordPress security scanner: version fingerprinting, plugin/theme vuln DB, weak creds, and user enumeration.
Why it is included
Reference FOSS for the most common CMS attack surface in pentest reports.
Best for
Authorized WordPress reviews and maintenance audits.
Strengths
- WP-specific checks
- API vulnerability data
Limitations
- Full vulnerability database requires an API token; risk of scope creep on shared hosting
Good alternatives
Nuclei WP templates · Manual review
Related tools
- Nikto (Security & Privacy): Web server scanner that probes for dangerous files, outdated software, and misconfigurations via many checks.
- Nuclei (Security & Privacy): Fast vulnerability scanner driven by YAML templates, used for recon, misconfigs, CVEs, and custom checks at scale.
- OWASP ZAP (Security & Privacy): OWASP flagship web app scanner and proxy: automated checks, manual request tampering, scripting, and CI integrations.
- sqlmap (Security & Privacy): Automatic SQL injection and database takeover helper with fingerprinting, data exfiltration, and OS-shell paths.
- ffuf (Security & Privacy): Fast web fuzzer for directories, virtual hosts, parameters, and raw HTTP, common in bug bounty playbooks.
- Gobuster (Security & Privacy): Go-based directory/DNS/vhost brute-forcer with threading tuned for pentest wordlists.
