Know your WordPress security risk — instantly.

WPPlugin Watch scans your installed plugins, themes, and WordPress core against 11,000+ known vulnerabilities and returns severity-rated results in plain English. No dashboards. No jargon.

Your site is identified by a one-way SHA-256 fingerprint. No passwords, no content, no personal information is transmitted.

Security Scan Result: yoursite.com
Critical 0 · High 1 · Medium 2 · Low 0
11,000+ vulnerabilities tracked in 2025
WordPress 6.0+ & PHP 8.0+ required
Free forever tier

How it works

Three steps from install to full visibility.

1. Install

Download the free plugin from GitHub and upload it directly in your WordPress admin. No account required.

2. Scan

Click "Scan Now" in the WPPlugin Watch admin panel. The plugin sends your installed plugin slugs, theme slugs, and WordPress core version to the backend. No passwords, no content, no user data.

3. Review

See severity-rated results for your plugins, themes, and WordPress core — with plain-language guidance on what to do next.

Severity levels

Every finding is classified so you know exactly how urgent it is.

Critical

Known exploits exist. Your site is actively exposed. Update immediately.

High

Serious vulnerability. No known exploit yet, but high risk. Update as soon as possible.

Medium

Moderate risk. Update when you can.

Low

Minimal risk. Worth addressing in your next maintenance window.

91% of vulnerabilities originate in plugins — not WordPress core.

Everything included — free

No account required. Install and start scanning in minutes.

Daily-updated vulnerability database

Sourced from the Wordfence Intelligence feed, refreshed daily by the backend.

Covers plugins, themes & core

Every installed plugin and theme, plus your WordPress core version, checked in one scan.

Severity-rated results

Critical, High, Medium, and Low findings with plain-English guidance on what to do next.

Daily background version check

WP-Cron checks daily whether your installed plugin version is current. Full vulnerability scans are manual.

3 manual scans per day

Run up to 3 full vulnerability scans per day from your WordPress admin panel.

Privacy-first design

No account required. Your site is identified by a one-way SHA-256 fingerprint — no PII stored or transmitted.

Built for developers, too.

WPPlugin Watch is open source. The plugin client is on GitHub, the REST API is public, and the changelog is versioned. Build on it, fork it, or contribute.

Backend at api.wpplugin.watch — powered by AWS Lambda, DynamoDB, and API Gateway.

Free to install. No account required.

Download from GitHub and install in seconds from your WordPress admin dashboard.

Requires WordPress 6.0+ and PHP 8.0+ · WordPress.org listing coming soon