# ScanWordPress

> Free WordPress plugin security analysis platform — browsable website and REST API.

ScanWordPress provides security analysis data for 111,000+ WordPress plugins. Browse risk scores, OWASP findings, attack surface mapping, and security recommendations. Also offers fingerprint-based plugin and WordPress core version identification.

## Website

- [Home](https://scanwordpress.com/) — overview stats and high-risk plugins
- [Search Plugins](https://scanwordpress.com/search) — browse and filter all 111,000+ analyzed plugins by risk level
- [Plugin Detail](https://scanwordpress.com/plugin/{slug}) — full security analysis for any plugin (e.g., /plugin/woocommerce)
- [API Documentation](https://scanwordpress.com/api) — endpoint reference and examples

## API

Base URL: https://scanwordpress.com/api
No authentication required. All endpoints are public.

- [OpenAPI spec (JSON)](https://scanwordpress.com/api/openapi.json)
- [Interactive docs (Swagger UI)](https://scanwordpress.com/api/docs)
- [API reference (ReDoc)](https://scanwordpress.com/api/redoc)
- [Full API details for LLMs](https://scanwordpress.com/llms-full.txt)

## Key Capabilities

### Plugin Security Analysis
- Security analysis data for 111,000+ plugins with 12 analysis modules
- Attack surface mapping, OWASP recommendations, risk scoring, peer comparison
- Code metrics (PHPStan, PHPCS, Phan, PHPLOC)

### Plugin Fingerprinting
- Identify WordPress plugins and versions from file hashes (XXH3-128)
- Cross-plugin identification: submit file hashes from a site, get all matching plugins
- 86,000+ plugins fingerprinted across 779,000+ versions

### WordPress Core Fingerprinting
- Identify WordPress core version from file hashes (MD5)
- 809 WordPress versions covered

## Quick Start

Get plugin security details:
```
GET https://scanwordpress.com/api/v1/plugins/woocommerce
```

List all analyzed plugins:
```
GET https://scanwordpress.com/api/v1/plugins?limit=100
```

Search plugins by risk score:
```
POST https://scanwordpress.com/api/v1/plugins/search
Content-Type: application/json

{"min_risk_score": 70, "limit": 20}
```

Identify all plugins from file hashes:
```
POST https://scanwordpress.com/api/v2/plugin-fingerprints/identify-all
Content-Type: application/json

{"hashes": {"readme.txt": "7c8c268a192af7553a006e70cd8adedc"}}
```