Free tool · no email required

WordPress vulnerability scanner & PHP version check

Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer· Updated 2026-07-03

Look up any WordPress plugin against the public CVE database, check your PHP version's support status, and get an engineer-written remediation checklist. Everything on this page loads without giving us your email.

Last updated · Reviewed by Ali Yasin Jatoi

Plugin vulnerability checker

Type any WordPress plugin slug (e.g. contact-form-7, elementor, woocommerce) — we'll open direct CVE lookups in the four sources we actually use.

Start typing to open lookups in the four public sources we use every day.

WordPress PHP version check

Find your PHP version (cPanel → PHP Selector, Kinsta → Site dashboard, WP Engine → phpMyAdmin footer), then match it below. Anything red is a live security risk, not a future problem.

PHP versionStatusSecurity patches untilVerdict
PHP 8.4Active support31 Dec 2028Recommended for new sites. Best performance.
PHP 8.3Active support31 Dec 2027Safe, widely supported across plugins.
PHP 8.2Security-only31 Dec 2026Fine, plan a bump to 8.3 or 8.4 this year.
PHP 8.1End of life31 Dec 2025Upgrade urgently. No more security patches.
PHP 8.0End of life26 Nov 2023Critical. Upgrade this month.
PHP 7.4End of life28 Nov 2022Critical. Two-year-old unpatched runtime.
PHP 7.3 and belowEnd of lifeLong expiredFleet-manager verdict: replace this week.

You found a vulnerability. Now what?

  1. 1Update the plugin to the latest patched version. Read the CVE description first — some patches require a manual DB migration step.
  2. 2If no patch exists, deactivate the plugin and find a maintained alternative. An unmaintained plugin will be re-exploited within weeks.
  3. 3If you can't remove it, block the vulnerable endpoint at the WAF layer (Cloudflare page rule, ModSecurity rule at origin).
  4. 4Rotate every WordPress admin password and force-log-out all sessions (Users → All Users → Log out everywhere).
  5. 5Rotate WordPress salts in wp-config.php (regenerate at api.wordpress.org/secret-key/1.1/salt/).
  6. 6Scan the site for existing IOCs: unknown admin users, foreign cron jobs, base64 in theme files, new PHP files in /uploads.
  7. 7If IOCs are present, restore from a pre-compromise backup. Don't try to clean a live compromised site — you will miss backdoors.
  8. 8Submit a Google Safe Browsing review at search.google.com/search-console/security-issues if the site was blocklisted.

WordPress vulnerability scanner FAQ

How do I check my WordPress site for vulnerabilities?+

Three steps. (1) Check your PHP version against the table on this page — anything below 8.2 is an active risk. (2) Export your plugin list from wp-admin → Plugins, then look each one up on Patchstack or WPScan. (3) Run a WPScan CLI or Wordfence scan against the running site to catch already-installed backdoors. Steps 1 and 2 you can do in under 20 minutes without touching the site.

What is a WordPress vulnerability scanner?+

A WordPress vulnerability scanner is a tool that compares your site's WordPress core, plugin, and theme versions against a database of known CVEs to identify unpatched security issues. The gold standard is WPScan (used inside Kali Linux and by most pen-testers). Consumer-grade tools like Wordfence, Sucuri SiteCheck, and Patchstack do the same lookup but wrap it in a friendlier UI.

How do I check my WordPress PHP version?+

Fastest way: install the free 'Display PHP Version' plugin, or add echo phpversion(); to your theme's functions.php temporarily, or check your hosting control panel (cPanel → PHP Selector, Plesk → Domains → PHP Settings, WP Engine → Sites → phpMyAdmin footer). Most managed hosts (Kinsta, WP Engine, Cloudways) surface the PHP version right on the site dashboard.

Is a free vulnerability scanner enough?+

For a small brochure site, yes — a monthly WPScan run plus a paid WAF like Cloudflare covers 95% of real threats. For WooCommerce, membership sites, or anything storing PII, you want continuous scanning (Patchstack, Wordfence Premium, or a managed service that does it for you). Free scanners tell you what's vulnerable; they don't patch it, monitor for exploitation, or remove malware if you're already compromised.

My plugin has a CVE — what do I do?+

Priority order: (1) update the plugin if a patched version exists. (2) If no patch, deactivate the plugin and find a maintained alternative. (3) If you can't remove it (site depends on it), block the vulnerable endpoint at the WAF layer (Cloudflare page rule, ModSecurity rule). (4) Restore from a pre-compromise backup if you already see IOCs (unknown admin users, foreign cron jobs, base64 in files). We do all four inside 4 hours on our Care Plus plan.

Want us to run this for you every week?

Every WebCare plan includes weekly WPScan + Patchstack cross-checks, PHP-version monitoring, and same-day patching for anything CVSS ≥ 7.0. From $99/mo, cancel any time.

30-day money-back · 5.0 rated · engineer-led, not a queue

Call Book a call