WPScan

What it does

Scans WordPress sites for known vulnerabilities in core, plugins, and themes. Maintains a comprehensive database of WordPress security issues. Available as CLI tool and API.

When to use it

• Scanning WordPress installations
• Finding vulnerable plugins/themes
• Security audits of WP sites

When not to use it

• Non-WordPress sites
• Code-level malware analysis
• When you need to decode obfuscated PHP

Limitations

• Requires API key for full features
• Only scans for known vulnerabilities
• Does not analyze custom code