Download WPSecScan v2.3.0
Pick your platform. Every binary is SLSA L3 attested and Sigstore signed. → verify your download
Windows · direct .exe
wpsecscan.exe
CLI · ~25 MB. Command-line scanner. PowerShell + Bash friendly.
wpsecscan-gui.exe
GUI · ~25 MB. Tkinter GUI. Double-click to run.
⚠ Windows Defender may flag the .exe on first run — it's a known false-positive on offensive-pattern strings inside the scanner. See docs → Defender.
Package managers
winget (Windows 11)
winget install Bryan.WPSecScan
Chocolatey (Windows)
choco install wpsecscan
Homebrew (macOS)
brew install bryanflowers/tap/wpsecscan
pip (cross-platform)
pip install wpsecscan
Snap (Linux)
sudo snap install wpsecscan
Flatpak (Linux)
flatpak install flathub com.wpsecscan.Scanner
Arch (AUR)
yay -S wpsecscan
Docker
docker run --rm \
  ghcr.io/bryanflowers/wpsecscan:2.3.0 \
  scan https://example.com
From source
git clone https://github.com/bryanflowers/wpsecscan
cd wpsecscan
pip install -e ".[all]"
WordPress companion plugin (optional)
For authenticated, server-side checks (MFA audit, DB triggers, wp-cron jobs, webhook URL inventory): install the companion plugin into your WordPress. It exposes a read-only, token-gated REST endpoint that WPSecScan reads.
⬇ Download wpsecscan-companion.zip (GPL-2.0+, ~130 KB). Install via Plugins → Upload Plugin in your WP admin.
Trust signals
SHA256SUMS.txt
Hash of every binary in this release.
sbom.cyclonedx.json
Full Software Bill of Materials.
Per-binary .sig + .pem Sigstore signatures and .intoto.jsonl SLSA L3 attestations are on the release page.
Full verification guide →
First-time use
$ wpsecscan --demo # walk every check with a fake site
$ wpsecscan db update # pull latest CVE feed
$ wpsecscan db source-stats # per-source breakdown
$ wpsecscan scan https://your-site.com # real scan
$ wpsecscan-gui # launch the GUI