Professional security audit tool for WordPress sites (for ethical use only).
🔗 Official website: https://wpat.netlify.app/
🔍 Specialized Modules:
- 🕵️ User Enumeration Detection
- 🛑 XML-RPC Vulnerability Analysis
- 📂 Exposed Sensitive Files Scanner
- 🔖 WordPress Version Fingerprinting
- 📡 REST API Endpoints Audit
- 🧩 Plugin Scanner (detects active installations)
- 🎨 Theme Scanner (detection by CSS style)
- 🔓 Optimized Brute Force (WordPress Login)
- 🔐 SSL/TLS Audit (Certificates and Encryption)
- 🗒️
security.txt
file detection (New) - 🌐 CORS configuration detector (New)
🛠 Key Features:
- 🎨 Intuitive interface with color scheme and ASCII banners
- 🖥️ New interactive GUI
- 📁 Automatic generation of detailed logs with timestamps
- ⚡ Configurable multi-threaded scanning (1-50 threads)
- 🔄 Interactive menu with simplified navigation
- 🚨 Enhanced error handling and Ctrl+C system
- 📦 Official Wordlist Generator (Plugins/Themes)
```bash
# Install WPAT (CLI only, no GUI)
pip install wpat
# Run WPAT in CLI mode
wpat

# Install WPAT with GUI support (PyQt5)
pip install "wpat[gui]"
# Run the GUI
wpat-gui
```
pipx allows for global and isolated installation, ideal for CLI tools.
```bash
# Install pipx if not available
python -m pip install --user pipx
python -m pipx ensurepath

# Install WPAT (CLI only)
pipx install wpat
# Run it
wpat

# GUI version using pipx (with graphical dependencies)
pipx install "wpat[gui]"
# Run GUI
wpat --gui
```
Option A – CLI only:
```bash
pipx install git+https://github.com/Santitub/WPAT.git
```
Option B – With GUI support:
```bash
pipx install 'git+https://github.com/Santitub/WPAT.git#egg=wpat[gui]'
```
Ideal for contributors or developers.
```bash
git clone https://github.com/Santitub/WPAT.git
cd WPAT
pip install ".[gui]"
```
```bash
# Download the official WPAT image
sudo docker pull santitub/wpat
# Run WPAT in Docker container
sudo docker run -it --rm santitub/wpat
```
- Python 3.8 or higher
- pip / pipx
- Internet access for updates
- Desktop environment if using the GUI (PyQt5)
These are the libraries required for WPAT to work properly:
- colorama — Console color system
- requests — Advanced HTTP requests
- beautifulsoup4 — HTML parser
- tqdm — Interactive progress bars
- pyqt5 — GUI support
- PyQtWebEngine — Web rendering engine embedded in the GUI
- urllib3 — Advanced HTTP connection handling
```bash
# From pip/pipx
wpat            # or: wpat --gui
# From Docker
docker run -it --rm santitub/wpat
# From GUI
python main.py --gui
```
Workflow:
- Enter the target URL
- Select modules from the interactive menu or GUI
- Analyze real-time results with clean output
- Review detailed logs in /logs
```text
[1]  Detect User Enumeration    [97] Full Audit
[2]  Analyze XML-RPC            [98] Generate Wordlists
[3]  Sensitive Files Scanner    [99] Exit
[4]  Detect WordPress Version
[5]  Audit REST API
[6]  Plugin Scanner
[7]  Theme Scanner
[8]  Brute Force on Login
[9]  Check SSL Certificate
[10] Check Security.txt
[11] Check CORS
```
```text
WPAT/
├── main.py            # Main script
├── gui.py             # Graphical Interface (new)
├── requirements.txt   # Dependencies
├── logs/              # Audit logs
├── wordlists/         # Generated official wordlists
└── scripts/           # Audit modules
    ├── __init__.py
    ├── ssl_checker.py
    ├── cors_detector.py      # New
    ├── user_enumeration.py
    ├── xmlrpc_analyzer.py
    ├── sensitive_files.py
    ├── wp_version.py
    ├── rest_api_analyzer.py
    ├── security_txt.py       # New
    ├── plugin_scanner.py
    ├── theme_scanner.py
    └── brute_force.py
```
- 🗒️ New module: security_txt.py — Searches and interprets security.txt files
- 🌐 New module: cors_detector.py — Detects potentially unsafe CORS configurations
- 🐋 Official Docker image added — Simplifies execution without local installation
- 🖥️ New GUI — Experimental graphical interface
- 🌐 Official website — Documentation and updates centralized at https://wpat.netlify.app/
- 🧹 General improvements across all modules — More accurate detection, enhanced performance
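The security_txt.py module above "searches and interprets" a site's security.txt. As an added example that is not WPAT's code, the block below shows what interpreting such a file involves once it has been fetched: parsing the `Field: value` lines and checking them against the requirements of RFC 9116 (Contact and Expires are mandatory, Expires appears once and must not be in the past, web URIs must use https). The function names and the two sample files are constructed for this illustration; fetching `/.well-known/security.txt` is left out so the example runs offline.

```python
# Added example (not part of WPAT): parse a security.txt body and flag the
# problems a "security.txt file detection" module could report, per RFC 9116.
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

REQUIRED_FIELDS = ("contact", "expires")
# Fields whose values are (usually) URIs; RFC 9116 requires https for web URIs.
URL_FIELDS = ("contact", "policy", "encryption", "canonical", "acknowledgments", "hiring")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Map lower-cased field names to their values, ignoring comments and blank lines."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line (e.g. part of a PGP signature block)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def assess_security_txt(text: str, now: Optional[datetime] = None) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (parsed fields, list of issues) for the file body."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    issues: List[str] = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            issues.append(f"missing required field: {name.capitalize()}")

    expires = fields.get("expires", [])
    if len(expires) > 1:
        issues.append("Expires must appear exactly once")
    if expires:
        try:
            # RFC 3339 allows a trailing 'Z'; datetime.fromisoformat wants an explicit offset.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                issues.append(f"file expired on {expires[0]}")
        except ValueError:
            issues.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")

    for name in URL_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                issues.append(f"{name.capitalize()} uses plain http: {value}")
    return fields, issues


# Constructed sample files (not from any real site).
SAMPLE_OK = """# Constructed sample security.txt
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Preferred-Languages: en, es
"""

SAMPLE_BAD = """Contact: https://example.com/report
Expires: 2020-01-01T00:00:00Z
Policy: http://example.com/policy
"""

if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        fields, issues = assess_security_txt(body)
        print(label, sorted(fields), issues or "no issues")
```

Treat an expired or unreachable security.txt as a finding rather than an error: the file's purpose is to tell researchers where to report, and a stale contact is a common failure mode once the file has been published and forgotten.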
Distributed under the GPL-3.0 license. See LICENSE for details.