A powerful, template-driven WordPress reconnaissance and vulnerability scanning tool
Features • Installation • Usage • Architecture • Templates
WPRecon is a modern WordPress security reconnaissance tool built with Go that helps security engineers identify vulnerabilities, misconfigurations, and information disclosure issues in WordPress installations.
Unlike traditional vulnerability scanners with hardcoded checks, WPRecon uses a YAML-driven template architecture, enabling:
- ✅ Easy extensibility without recompilation
- ✅ Team collaboration via shared templates
- ✅ Rapid deployment as a single binary
- ✅ High-performance parallel scanning
- ✅ Flexible matching and extraction capabilities
- Single Binary - No runtime dependencies
- 150+ Templates - Comprehensive WordPress coverage
- Parallel Scanning - Configurable worker pools
- Minimal Code - ~1,200 lines of production code
- Production Ready - Battle-tested architecture
| Feature | Description |
|---|---|
| Parallel Scanning | Configurable worker pool (default: 10 workers) for concurrent requests |
| Rate Limiting | Built-in request throttling (default: 50 req/s) to be network-friendly |
| Auto Retry | Automatic retry logic for failed HTTP requests |
| Hot Reload Templates | No recompilation needed - add templates and scan |
| Variable Resolution | Dynamic variables: {{BaseURL}}, {{Timestamp}}, {{RandomInt}} |
| Multi-Format Output | Human-readable tables and structured JSON |
| CLI & API Modes | Both command-line and REST API interfaces |
| Severity Levels | Findings classified as info, low, medium, high, critical |
- All standard HTTP methods (GET, POST, PUT, DELETE)
- Custom headers and cookies
- Request body parameters
- SSL/TLS support
- Configurable timeouts
Identify positive hits in responses:
- Status - HTTP status code matching (200, 404, 500, etc.)
- Word - Substring presence in response body
- Regex - Pattern matching with capture groups
- Header - Response header validation
- Size - Response body size checks
Extract actionable data from matched responses:
- Regex - Extract capture groups using regular expressions
- JSON - Simple JSON path extraction
150+ production-ready templates covering:
- WordPress Detection - Core detection and version fingerprinting
- Plugin Detection - Popular plugin discovery and version detection
- User Enumeration - WordPress user discovery
- CVE Checks - Known vulnerability detection
- Exposures - Information disclosure (backups, .git, .env, etc.)
- WAF Detection - Cloudflare, AWS WAF, ModSecurity, Sucuri, Wordfence
- Security Analysis - Misconfiguration detection and security headers
- Database - Database exposure and repair detection
- Go 1.17 or higher
- Linux, macOS, or Windows
# Clone the repository
git clone https://github.com/ffx64/wprecon.git
cd wprecon
# Build the binary
go build -o wprecon ./cmd/wprecon/main.go
# Move to your PATH (optional)
sudo mv wprecon /usr/local/bin/go install github.com/ffx64/wprecon/cmd/wprecon@latestdocker build -t wprecon .
docker run wprecon scan https://example.comScan a WordPress website with all available templates:
wprecon scan https://example.comRun only selected templates:
wprecon scan https://example.com -t wordpress-detection,plugin-detection,user-enumeration# JSON output for automation
wprecon scan https://example.com --output json
# Pretty-printed table (default)
wprecon scan https://example.com --output table# Use 20 concurrent workers and 100 requests/sec
wprecon scan https://example.com --workers 20 --rate-limit 100wprecon list-templateswprecon --helpWhen running a scan, WPRecon produces detailed findings:
Table Format:
ID | Template | Name | Severity | Target | Evidence
---------------------|------------------------|--------------------------|----------|---------------------|----------
finding_001 | wordpress-version | WordPress Version Found | info | example.com | 6.2.1
finding_002 | plugin-detection | Plugin Detected | low | example.com | Yoast SEO 16.0
finding_003 | security-headers | Missing Security Headers | medium | example.com | X-Frame-Options
JSON Format:
{
"scan_id": "scan_uuid_001",
"timestamp": "2026-04-10T14:37:00Z",
"target": "https://example.com",
"total_findings": 15,
"findings": [
{
"id": "finding_uuid_001",
"template_id": "wordpress-detection",
"name": "WordPress Installation Detected",
"description": "WordPress CMS installation identified on target",
"severity": "info",
"cvss_score": 0.0,
"matched_url": "https://example.com/wp-admin/",
"http_method": "GET",
"status_code": 200,
"response_time_ms": 245,
"evidence": {
"version": "6.2.1",
"wp_version_header": "6.2.1"
},
"timestamp": "2026-04-10T14:37:00Z",
"remediation": "Keep WordPress updated to the latest version"
}
]
}wprecon/
├── cmd/wprecon/
│ └── main.go # CLI entrypoint
├── internal/
│ ├── app/
│ │ ├── cli.go # CLI command handlers
│ │ └── api.go # REST API handlers
│ ├── engine/
│ │ ├── scanner.go # Scan orchestration
│ │ ├── worker_pool.go # Parallelization engine
│ │ ├── context.go # Scan context management
│ │ ├── logger.go # Logging utilities
│ │ └── rate_limit.go # Rate limiting
│ ├── executor/
│ │ ├── http_executor.go # HTTP client
│ │ ├── request_builder.go # Request construction
│ │ └── variables.go # Variable resolution
│ ├── matchers/
│ │ └── matchers.go # Response matching logic
│ ├── extractors/
│ │ └── extractors.go # Data extraction
│ ├── templates/
│ │ ├── loader.go # Template discovery
│ │ └── parser.go # YAML parsing
│ ├── pipeline/
│ │ └── pipeline.go # Scan workflow
│ └── domain/
│ ├── template.go # Data models
│ ├── finding.go
│ ├── http.go
│ ├── matcher.go
│ └── extractor.go
├── templates/ # YAML template library
│ ├── wordpress/ # WordPress-specific
│ ├── cves/ # CVE detection
│ ├── exposures/ # Info disclosure
│ ├── common/ # Generic checks
│ └── waf/ # WAF detection
└── go.mod # Dependencies
┌─────────────────────────────────────────────┐
│ User Interface (CLI/API) │
└─────────────────────────────────────────────┘
│
├─→ Template Loader
├─→ Rate Limiter
└─→ Worker Pool Manager
│
▼
┌─────────────────────────────────────────────┐
│ Scan Pipeline Engine │
│ ┌────────→ Request Builder │
│ │ ┌────────→ HTTP Executor │
│ │ │ ┌────────→ Matcher (5 types) │
│ │ │ │ ┌────────→ Extractor (2 types) │
│ │ │ │ │ ┌────────→ Finding Report │
│ │ │ │ │ │ │
│ ▼ ▼ ▼ ▼ ▼ │
│ Template → Request → Response → Finding │
└─────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────┐
│ Output Formatters & Storage │
│ (JSON, Table, Report Generation) │
└─────────────────────────────────────────────┘
- Single Responsibility - Each module has clear, focused purpose
- Template-Driven - All scanning logic lives in YAML, not code
- Horizontal Scalability - Modular design allows easy extension
- Factory Pattern - Simple addition of new matchers and extractors
- No External Dependencies - Only UUID and YAML parsing libraries
- Thread-Safe - Safe concurrent scanning with worker pools
Templates are YAML files that define how WPRecon should scan for specific vulnerabilities or information.
id: wordpress-version-detection
name: WordPress Version Detection
description: Detects and extracts WordPress version from readme.html
severity: info
author: WPRecon Team
requests:
- url: "{{BaseURL}}/readme.html"
method: GET
matchers:
- type: status
status:
- 200
- type: word
words:
- "WordPress"
extractors:
- type: regex
regex:
- 'Version (\d+\.\d+\.\d+)'| Template | Purpose |
|---|---|
wordpress-detection |
Detect WordPress installation |
wordpress-version |
Fingerprint WordPress version |
plugins.yaml |
Detect installed plugins |
themes.yaml |
Detect installed themes |
users.yaml |
Enumerate WordPress users |
- CVE detection for WordPress plugins
- Known vulnerability checks
- Security misconfiguration detection
- Backup file exposure (wp-config.php.bak, .sql)
- Git repository exposure (.git/)
- Environment file exposure (.env)
- S3 bucket misconfiguration
- Cloudflare
- AWS WAF
- ModSecurity
- Sucuri
- Wordfence
- Generic WAF detection
- Missing security headers
- Weak authentication
- CORS misconfiguration
- Debug mode detection
- Create a new YAML file in
templates/custom/ - Follow the template structure (see example above)
- Run WPRecon - templates are auto-discovered
Example:
# Create custom template
cat > templates/custom/my-check.yaml << 'EOF'
id: my-custom-check
name: My Custom Check
description: Detects custom vulnerability
severity: medium
author: Your Name
requests:
- url: "{{BaseURL}}/vulnerable-endpoint"
method: GET
matchers:
- type: status
status:
- 200
- type: word
words:
- "vulnerable"
EOF
# Scan with custom template
wprecon scan https://example.com -t my-custom-check# HTTP timeout (default: 10s)
export WPRECON_TIMEOUT=15
# Number of workers (default: 10)
export WPRECON_WORKERS=20
# Requests per second (default: 50)
export WPRECON_RATE_LIMIT=100
# Log level (default: info)
export WPRECON_LOG_LEVEL=debug
# Template directories (default: ./templates)
export WPRECON_TEMPLATE_DIRS=/path/to/templates:/path/to/more/templateswprecon scan <target> \
--templates-dir ./custom-templates \
--workers 20 \
--rate-limit 100 \
--timeout 15 \
--output json \
--log-level debugComprehensive security evaluation of WordPress installations:
wprecon scan https://example.com --output json > assessment_report.jsonAutomated vulnerability scanning in deployment pipelines:
# GitHub Actions example
- name: WordPress Security Scan
run: |
wprecon scan ${{ secrets.STAGING_URL }} \
--output json \
--templates wordpress-detection,plugin-detection,cve-checksScan multiple targets efficiently:
cat targets.txt | while read target; do
wprecon scan "$target" --output json >> results.json
done- Go 1.17+
# Build binary
go build -o wprecon ./cmd/wprecon/main.go
# Build for multiple platforms
GOOS=linux GOARCH=amd64 go build -o wprecon-linux ./cmd/wprecon/main.go
GOOS=darwin GOARCH=amd64 go build -o wprecon-darwin ./cmd/wprecon/main.go
GOOS=windows GOARCH=amd64 go build -o wprecon-windows.exe ./cmd/wprecon/main.gogoogle/uuid v1.6.0 - UUID generation for findings
gopkg.in/yaml.v3 - YAML template parsing
- Minimal Dependencies - Only essential libraries
- Clean Architecture - Layered design for maintainability
- Extensible - Easy to add matchers, extractors, and templates
- Well-Documented - Clear code comments and documentation
- Fork the repository
- Create a feature branch (
git checkout -b feature/my-template) - Add your template to
templates/ - Test thoroughly:
wprecon scan https://test.site -t your-template - Submit a Pull Request
This project is licensed under the MIT License - see LICENSE file for details.
Made with ❤️ for Matheus (ffx64)