Version 1.4.0

October 23, 2025 (Latest)
Removed
  • Removed unreliable debug mode detection (WP_DEBUG detection requires actual PHP errors to be visible, causing too many false negatives on well-coded sites)

Version 1.3.1

October 23, 2025
Added
  • Detection of exposed database backup files (backup.sql)
  • Detection of test files (test.php) that may expose server configuration
Changed
  • Moved readme.html and license.txt from high to medium severity (informational only, not security risks)
Fixed
  • Fixed sensitive files findings formatter incorrectly grouping ALL medium severity files as "Source Code Exposed"
  • Now properly separates .git files (actual source code risk) from readme.html/license.txt (version information)
  • Git repository files now correctly shown as "Source Code Exposed"
  • Readme/license files now shown as "Version Information Disclosed" with appropriate description
  • Fixed "undefined" appearing in UI for medium severity findings (missing alert-triangle icon)

Version 1.3.0

October 23, 2025
Added
  • Sensitive file exposure detection for WordPress installations
  • Detection of exposed wp-config backups (wp-config.php.bak, .save, .old, ~, .txt) - critical credential risk
  • Detection of version disclosure files (readme.html, license.txt)
  • Detection of environment files (.env) and debug files (phpinfo.php)
  • Detection of exposed source code (.git directory)
  • Vim temporary file detection (.swp files for config files)
  • Proxy fallback support for sensitive file checks
  • Severity-based findings (Critical, High, Medium) for exposed files

Version 1.2.0

October 23, 2025
Added
  • Directory listing detection for WordPress directories (wp-content/uploads, wp-content/plugins, wp-content/themes, wp-includes)
  • Proxy fallback support for directory listing checks
  • High-risk severity indicator for exposed directory listings

Version 1.1.0

October 23, 2025
Added
  • Proxy fallback support for all security checks when direct requests are blocked
  • SHA-256 hashing for rate limiting data (privacy enhancement)
  • Terms of Use and Privacy Policy pages
  • Transparency statement emphasizing core values
Changed
  • Updated proxy URL to api.ng-stage.com
  • Improved REST API security recommendations
  • Enhanced all security checks with proxy fallback support
Fixed
  • Fixed contradictory results when direct requests are blocked by firewalls
  • Fixed user enumeration showing as protected when actually vulnerable

Version 1.0.0

October 21, 2025
Added
  • Initial release of WordPress Security Scanner
  • WordPress detection with multiple methods
  • User enumeration testing (REST API, author archives, RSS feeds)
  • XML-RPC detection (direct access and pingback header)
  • WordPress version detection (generator tag and asset versions)
  • REST API status detection
  • Rate limiting (3 scans per hour per site)
  • Web UI with scan interface
  • API documentation page
  • SSRF protection and input validation