WPRecon
April 12, 2026 ยท View on GitHub
WPRecon
A powerful, template-driven WordPress reconnaissance and vulnerability scanning tool
Features โข Installation โข Usage โข Architecture โข Templates
๐ Overview
WPRecon is a modern WordPress security reconnaissance tool built with Go that helps security engineers identify vulnerabilities, misconfigurations, and information disclosure issues in WordPress installations.
Unlike traditional vulnerability scanners with hardcoded checks, WPRecon uses a YAML-driven template architecture, enabling:
- โ Easy extensibility without recompilation
- โ Team collaboration via shared templates
- โ Rapid deployment as a single binary
- โ High-performance parallel scanning
- โ Flexible matching and extraction capabilities
Key Statistics
- Single Binary - No runtime dependencies
- 150+ Templates - Comprehensive WordPress coverage
- Parallel Scanning - Configurable worker pools
- Minimal Code - ~1,200 lines of production code
- Production Ready - Battle-tested architecture
โก Features
Core Capabilities
| Feature | Description |
|---|---|
| Parallel Scanning | Configurable worker pool (default: 10 workers) for concurrent requests |
| Rate Limiting | Built-in request throttling (default: 50 req/s) to be network-friendly |
| Auto Retry | Automatic retry logic for failed HTTP requests |
| Hot Reload Templates | No recompilation needed - add templates and scan |
| Variable Resolution | Dynamic variables: {{BaseURL}}, {{Timestamp}}, {{RandomInt}} |
| Multi-Format Output | Human-readable tables and structured JSON |
| CLI & API Modes | Both command-line and REST API interfaces |
| Severity Levels | Findings classified as info, low, medium, high, critical |
HTTP Operations
- All standard HTTP methods (GET, POST, PUT, DELETE)
- Custom headers and cookies
- Request body parameters
- SSL/TLS support
- Configurable timeouts
Matchers (5 Types)
Identify positive hits in responses:
- Status - HTTP status code matching (200, 404, 500, etc.)
- Word - Substring presence in response body
- Regex - Pattern matching with capture groups
- Header - Response header validation
- Size - Response body size checks
Extractors (2 Types)
Extract actionable data from matched responses:
- Regex - Extract capture groups using regular expressions
- JSON - Simple JSON path extraction
Template Library
150+ production-ready templates covering:
- WordPress Detection - Core detection and version fingerprinting
- Plugin Detection - Popular plugin discovery and version detection
- User Enumeration - WordPress user discovery
- CVE Checks - Known vulnerability detection
- Exposures - Information disclosure (backups, .git, .env, etc.)
- WAF Detection - Cloudflare, AWS WAF, ModSecurity, Sucuri, Wordfence
- Security Analysis - Misconfiguration detection and security headers
- Database - Database exposure and repair detection
๐ฆ Installation
Requirements
- Go 1.17 or higher
- Linux, macOS, or Windows
From Source
# Clone the repository
git clone https://github.com/ffx64/wprecon.git
cd wprecon
# Build the binary
go build -o wprecon ./cmd/wprecon/main.go
# Move to your PATH (optional)
sudo mv wprecon /usr/local/bin/
Install via Go
go install github.com/ffx64/wprecon/cmd/wprecon@latest
Docker (Optional)
docker build -t wprecon .
docker run wprecon scan https://example.com
๐ Usage
Command-Line Interface
Basic Scan
Scan a WordPress website with all available templates:
wprecon scan https://example.com
Scan with Specific Templates
Run only selected templates:
wprecon scan https://example.com -t wordpress-detection,plugin-detection,user-enumeration
Custom Output Format
# JSON output for automation
wprecon scan https://example.com --output json
# Pretty-printed table (default)
wprecon scan https://example.com --output table
Control Parallelization and Rate Limiting
# Use 20 concurrent workers and 100 requests/sec
wprecon scan https://example.com --workers 20 --rate-limit 100
List Available Templates
wprecon list-templates
Show Help
wprecon --help
๐ Example Output
When running a scan, WPRecon produces detailed findings:
Table Format:
ID | Template | Name | Severity | Target | Evidence
---------------------|------------------------|--------------------------|----------|---------------------|----------
finding_001 | wordpress-version | WordPress Version Found | info | example.com | 6.2.1
finding_002 | plugin-detection | Plugin Detected | low | example.com | Yoast SEO 16.0
finding_003 | security-headers | Missing Security Headers | medium | example.com | X-Frame-Options
JSON Format:
{
"scan_id": "scan_uuid_001",
"timestamp": "2026-04-10T14:37:00Z",
"target": "https://example.com",
"total_findings": 15,
"findings": [
{
"id": "finding_uuid_001",
"template_id": "wordpress-detection",
"name": "WordPress Installation Detected",
"description": "WordPress CMS installation identified on target",
"severity": "info",
"cvss_score": 0.0,
"matched_url": "https://example.com/wp-admin/",
"http_method": "GET",
"status_code": 200,
"response_time_ms": 245,
"evidence": {
"version": "6.2.1",
"wp_version_header": "6.2.1"
},
"timestamp": "2026-04-10T14:37:00Z",
"remediation": "Keep WordPress updated to the latest version"
}
]
}
๐๏ธ Architecture
Project Structure
wprecon/
โโโ cmd/wprecon/
โ โโโ main.go # CLI entrypoint
โโโ internal/
โ โโโ app/
โ โ โโโ cli.go # CLI command handlers
โ โ โโโ api.go # REST API handlers
โ โโโ engine/
โ โ โโโ scanner.go # Scan orchestration
โ โ โโโ worker_pool.go # Parallelization engine
โ โ โโโ context.go # Scan context management
โ โ โโโ logger.go # Logging utilities
โ โ โโโ rate_limit.go # Rate limiting
โ โโโ executor/
โ โ โโโ http_executor.go # HTTP client
โ โ โโโ request_builder.go # Request construction
โ โ โโโ variables.go # Variable resolution
โ โโโ matchers/
โ โ โโโ matchers.go # Response matching logic
โ โโโ extractors/
โ โ โโโ extractors.go # Data extraction
โ โโโ templates/
โ โ โโโ loader.go # Template discovery
โ โ โโโ parser.go # YAML parsing
โ โโโ pipeline/
โ โ โโโ pipeline.go # Scan workflow
โ โโโ domain/
โ โโโ template.go # Data models
โ โโโ finding.go
โ โโโ http.go
โ โโโ matcher.go
โ โโโ extractor.go
โโโ templates/ # YAML template library
โ โโโ wordpress/ # WordPress-specific
โ โโโ cves/ # CVE detection
โ โโโ exposures/ # Info disclosure
โ โโโ common/ # Generic checks
โ โโโ waf/ # WAF detection
โโโ go.mod # Dependencies
Architecture Diagram
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ User Interface (CLI/API) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโ Template Loader
โโโ Rate Limiter
โโโ Worker Pool Manager
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Scan Pipeline Engine โ
โ โโโโโโโโโโ Request Builder โ
โ โ โโโโโโโโโโ HTTP Executor โ
โ โ โ โโโโโโโโโโ Matcher (5 types) โ
โ โ โ โ โโโโโโโโโโ Extractor (2 types) โ
โ โ โ โ โ โโโโโโโโโโ Finding Report โ
โ โ โ โ โ โ โ
โ โผ โผ โผ โผ โผ โ
โ Template โ Request โ Response โ Finding โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Output Formatters & Storage โ
โ (JSON, Table, Report Generation) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Design Principles
- Single Responsibility - Each module has clear, focused purpose
- Template-Driven - All scanning logic lives in YAML, not code
- Horizontal Scalability - Modular design allows easy extension
- Factory Pattern - Simple addition of new matchers and extractors
- No External Dependencies - Only UUID and YAML parsing libraries
- Thread-Safe - Safe concurrent scanning with worker pools
๐ Templates
Templates are YAML files that define how WPRecon should scan for specific vulnerabilities or information.
Template Structure
id: wordpress-version-detection
name: WordPress Version Detection
description: Detects and extracts WordPress version from readme.html
severity: info
author: WPRecon Team
requests:
- url: "{{BaseURL}}/readme.html"
method: GET
matchers:
- type: status
status:
- 200
- type: word
words:
- "WordPress"
extractors:
- type: regex
regex:
- 'Version (\d+\.\d+\.\d+)'
Template Categories
WordPress Core
| Template | Purpose |
|---|---|
wordpress-detection | Detect WordPress installation |
wordpress-version | Fingerprint WordPress version |
plugins.yaml | Detect installed plugins |
themes.yaml | Detect installed themes |
users.yaml | Enumerate WordPress users |
Vulnerabilities
- CVE detection for WordPress plugins
- Known vulnerability checks
- Security misconfiguration detection
Information Disclosure
- Backup file exposure (wp-config.php.bak, .sql)
- Git repository exposure (.git/)
- Environment file exposure (.env)
- S3 bucket misconfiguration
WAF Detection
- Cloudflare
- AWS WAF
- ModSecurity
- Sucuri
- Wordfence
- Generic WAF detection
Security Analysis
- Missing security headers
- Weak authentication
- CORS misconfiguration
- Debug mode detection
Adding Custom Templates
- Create a new YAML file in
templates/custom/ - Follow the template structure (see example above)
- Run WPRecon - templates are auto-discovered
Example:
# Create custom template
cat > templates/custom/my-check.yaml << 'EOF'
id: my-custom-check
name: My Custom Check
description: Detects custom vulnerability
severity: medium
author: Your Name
requests:
- url: "{{BaseURL}}/vulnerable-endpoint"
method: GET
matchers:
- type: status
status:
- 200
- type: word
words:
- "vulnerable"
EOF
# Scan with custom template
wprecon scan https://example.com -t my-custom-check
๐ง Configuration
Environment Variables
# HTTP timeout (default: 10s)
export WPRECON_TIMEOUT=15
# Number of workers (default: 10)
export WPRECON_WORKERS=20
# Requests per second (default: 50)
export WPRECON_RATE_LIMIT=100
# Log level (default: info)
export WPRECON_LOG_LEVEL=debug
# Template directories (default: ./templates)
export WPRECON_TEMPLATE_DIRS=/path/to/templates:/path/to/more/templates
CLI Flags
wprecon scan <target> \
--templates-dir ./custom-templates \
--workers 20 \
--rate-limit 100 \
--timeout 15 \
--output json \
--log-level debug
๐ผ Use Cases
Security Assessments
Comprehensive security evaluation of WordPress installations:
wprecon scan https://example.com --output json > assessment_report.json
CI/CD Integration
Automated vulnerability scanning in deployment pipelines:
# GitHub Actions example
- name: WordPress Security Scan
run: |
wprecon scan ${{ secrets.STAGING_URL }} \
--output json \
--templates wordpress-detection,plugin-detection,cve-checks
Mass Reconnaissance
Scan multiple targets efficiently:
cat targets.txt | while read target; do
wprecon scan "$target" --output json >> results.json
done
๐ ๏ธ Development
Prerequisites
- Go 1.17+
Building
# Build binary
go build -o wprecon ./cmd/wprecon/main.go
# Build for multiple platforms
GOOS=linux GOARCH=amd64 go build -o wprecon-linux ./cmd/wprecon/main.go
GOOS=darwin GOARCH=amd64 go build -o wprecon-darwin ./cmd/wprecon/main.go
GOOS=windows GOARCH=amd64 go build -o wprecon-windows.exe ./cmd/wprecon/main.go
Project Dependencies
google/uuid v1.6.0 - UUID generation for findings
gopkg.in/yaml.v3 - YAML template parsing
Code Structure
- Minimal Dependencies - Only essential libraries
- Clean Architecture - Layered design for maintainability
- Extensible - Easy to add matchers, extractors, and templates
- Well-Documented - Clear code comments and documentation
๐ค Contributing Templates
- Fork the repository
- Create a feature branch (
git checkout -b feature/my-template) - Add your template to
templates/ - Test thoroughly:
wprecon scan https://test.site -t your-template - Submit a Pull Request
๐ License
This project is licensed under the MIT License - see LICENSE file for details.
Made with โค๏ธ for Matheus (ffx64)