Professional security audit tool for WordPress sites (exclusive ethical use).

🔗 Official website: https://wpat.netlify.app/

• 🔍 Specialized Modules:

  • 🕵️ User Enumeration Detection
  • 🛑 XML-RPC Vulnerability Analysis
  • 📂 Exposed Sensitive Files Scanner
  • 🔖 WordPress Version Fingerprinting
  • 📡 REST API Endpoints Audit
  • 🧩 Plugin Scanner (detects active installations)
  • 🎨 Theme Scanner (detection by CSS style)
  • 🔓 Optimized Brute Force (WordPress Login)
  • 🔐 SSL/TLS Audit (Certificates and Encryption)
  • 🗒️ security.txt file detection
  • 🌐 CORS configuration detector
  • 🧾 HTML Report Generator (New)

• 🛠 Key Features:

  • 🎨 Intuitive interface with color scheme and ASCII banners
  • 🖥️ New interactive GUI
  • 📁 Automatic generation of detailed logs with timestamps
  • ⚡ Configurable multi-threaded scanning (1-50 threads)
  • 🔄 Interactive menu with simplified navigation
  • 🚨 Enhanced error handling and Ctrl+C system
  • 📦 Official Wordlist Generator (Plugins/Themes)

# Install WPAT (CLI only, no GUI)
pip install wpat

# Run WPAT in CLI mode
wpat

# Install WPAT with GUI support (PyQt5)
pip install "wpat[gui]"

# Run the GUI
wpat-gui

pipx allows for global and isolated installation, ideal for CLI tools.

# Install pipx if not available
python -m pip install --user pipx
python -m pipx ensurepath

# Install WPAT (CLI only)
pipx install wpat

# Run it
wpat

# GUI version using pipx (with graphical dependencies)
pipx install "wpat[gui]"

# Run GUI
wpat --gui

Option A – CLI only:

pipx install git+https://github.com/Santitub/WPAT.git

Option B – With GUI support:

pipx install 'git+https://github.com/Santitub/WPAT.git#egg=wpat[gui]'

Ideal for contributors or developers.

git clone https://github.com/Santitub/WPAT.git
cd WPAT
pip install ".[gui]"

# Download the official WPAT image
sudo docker pull santitub/wpat

# Run WPAT in Docker container
sudo docker run -it --rm santitub/wpat

• Python 3.8 or higher
• pip / pipx
• Internet access for updates
• Desktop environment if using the GUI (PyQt5)

These are the libraries required for WPAT to work properly:

• colorama — Console color system
• requests — Advanced HTTP requests
• beautifulsoup4 — HTML parser
• tqdm — Interactive progress bars
• pyqt5 — GUI support
• PyQtWebEngine — Web rendering engine embedded in the GUI
• urllib3 — Advanced HTTP connection handling

# From pip/pipx
wpat / wpat --gui

# From Docker
docker run -it --rm santitub/wpat

# From GUI
python main.py --gui

Workflow:

1. Enter the target URL
2. Select modules from the interactive menu or GUI
3. Analyze real-time results with clean output
4. Review detailed logs in /logs

[1] Detect User Enumeration       [97] Full Audit
[2] Analyze XML-RPC               [98] Generate Wordlists
[3] Sensitive Files Scanner       [99] Exit
[4] Detect WordPress Version
[5] Audit REST API
[6] Plugin Scanner
[7] Theme Scanner 
[8] Brute Force on Login
[9] Check SSL Certificate
[10] Check Security.txt
[11] Check CORS

WPAT/
├── main.py             # Main script
├── gui.py              # Graphical Interface (new)
├── requirements.txt    # Dependencies
├── logs/               # Audit logs
├── wordlists/          # Generated official wordlists
└── scripts/            # Audit modules
    ├── __init__.py
    ├── ssl_checker.py
    ├── cors_detector.py          
    ├── user_enumeration.py
    ├── xmlrpc_analyzer.py
    ├── sensitive_files.py
    ├── wp_version.py
    ├── rest_api_analyzer.py
    ├── security_txt.py           
    ├── plugin_scanner.py
    ├── theme_scanner.py
    └── brute_force.py
    └── html_report.py           # New

• 🧾 New HTML report module
• ⚙️ Improved module request handling

Distributed under the GPL-3.0 license. See LICENSE for details.

⚠️ Ethical Use Note: This software should only be used on systems with explicit permission from the owner. It includes advanced features that may be considered intrusive if used without authorization. Misuse is the sole responsibility of the end user.