View Issue Details

ID: 0009275
Project: Kali Linux
Category: New Tool Requests
View Status: public
Last Update: 2025-08-25 10:21
Reporter: Santitub
Assigned To: (unassigned)
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary0009275: WPAT — WordPress Professional Audit Tool: a Python-based WordPress security/audit toolkit (fingerprinting, XML-RPC/REST checks,
Description

Name

WPAT (WordPress Professional Audit Tool)

Version

2.0 (latest release, tagged “2.0”, released 7 May 2025). Please package the release tag 2.0, not the repository head.

Homepage

Project README / homepage: https://wpat.netlify.app/ and GitHub repository at https://github.com/WPAT-Project/WPAT for full docs and examples.

Download

Release assets / source tarball for v2.0: use the release tag rather than a branch, i.e. the GitHub releases page for 2.0: https://github.com/WPAT-Project/WPAT/releases/tag/2.0. Use that tagged release (tarball/zip) when building the package.

Author

Maintained under the WPAT-Project repository (maintainers/active contributor: Santitub). See repo and maintainer profile for contact/issue tracker.

Licence

GPL-3.0 (project is distributed under GNU GPL v3). See repository LICENSE file.

Description

WPAT is a Python-based, modular WordPress audit tool intended for authorized security testing. Main capabilities include:

  • WordPress version and fingerprinting.
  • User enumeration checks (author archives, REST endpoints).
  • XML-RPC probing.
  • REST API exposure checks.
  • Sensitive files / backup detection.
  • Plugin and theme discovery (passive and asset-based).
  • Optimized (configurable) brute-force module for login testing.
  • SSL/TLS certificate checks (expiry, issuer, cipher support).
  • security.txt discovery and CORS configuration detection.
  • Multithreaded scans with JSON and human-readable logs.

Dependencies

Python 3.8+. The Python dependencies listed in requirements.txt include requests, beautifulsoup4, tqdm and colorama, plus optional PyQt5 / PyQtWebEngine for the GUI. See the repository's requirements.txt and README.

Similar tools

Common comparable WordPress security scanners:

  • WPScan (Ruby-based, widely used; integrates the WPScan vulnerability database).
  • WPSeku (Python-based WordPress security scanner).

Activity

The repository shows an active release history (11 releases listed) with the latest stable release tagged 2.0 (7 May 2025). The project README and releases are up-to-date on GitHub. (Check the release page for changelog and assets).

How to install

Important: packaging for Kali must use a tagged release (tarball) rather than head/branch. Recommended steps for packaging from the v2.0 release:

  1. Download the release tarball (tag 2.0) and verify its integrity (e.g. compare its SHA-256 against a value pinned when the release was reviewed) before unpacking:

Example: download the tagged release tarball (replace with the real URL if assets are hosted elsewhere)

wget https://github.com/WPAT-Project/WPAT/archive/refs/tags/2.0.tar.gz -O WPAT-2.0.tar.gz
tar xzf WPAT-2.0.tar.gz
cd WPAT-2.0

  2. Build / install in a clean environment (for testing):

python3 -m venv venv && . venv/bin/activate
python3 -m pip install --upgrade pip setuptools wheel
python3 -m pip install .

or, to confirm that the source builds a wheel cleanly (the Debian package itself is built from the upstream source tarball via pybuild, not from a prebuilt wheel):

python3 -m pip wheel . -w dist

  3. Alternative: Debian packagers can build from the upstream tarball, create a debian/ directory (dh_make/debhelper with dh-python/pybuild), and declare the dependencies: python3, python3-requests, python3-bs4, python3-tqdm, python3-colorama, and optionally python3-pyqt5 and python3-pyqt5.qtwebengine for the GUI. The upstream README also documents pip/pipx install methods, but for Kali packaging please rely on the release tarball.
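The three steps above, combined into one reusable script as an added example (this is not WPAT's own code and not an existing Kali packaging; it is provided here for illustration). It pins the 2.0 tarball to a SHA-256 that the packager records when first reviewing the release (WPAT publishes no checksum on this page, so the expected digest is an input), refuses to unpack on mismatch, and writes a debian/control skeleton declaring the dependencies listed above. The function names, the placeholder Maintainer field and the working-directory layout are assumptions; sha256sum (coreutils) is assumed present, with shasum as a fallback.

```shell
#!/usr/bin/env bash
# Added example: pinned download + checksum verification + debian/control
# skeleton for the WPAT 2.0 release tag. Not part of WPAT or of any Kali
# package. Function names and paths are hypothetical.
set -eu

WPAT_TAG="2.0"
WPAT_URL="https://github.com/WPAT-Project/WPAT/archive/refs/tags/${WPAT_TAG}.tar.gz"

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
# The expected digest is the value the packager pinned when the release was
# first reviewed (assumption: it is supplied by the caller, not fetched).
verify_tarball() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# write_debian_control DIR -> writes DIR/debian/control declaring the runtime
# dependencies named in this request; prints the path written. Maintainer and
# the description text are placeholders to be replaced by the packager.
write_debian_control() {
    local dir="$1"
    mkdir -p "$dir/debian"
    cat > "$dir/debian/control" <<'EOF'
Source: wpat
Section: utils
Priority: optional
Maintainer: Packager Name <packager@example.org>
Build-Depends: debhelper-compat (= 13), dh-python, python3-all, python3-setuptools
Standards-Version: 4.6.2
Homepage: https://wpat.netlify.app/
Rules-Requires-Root: no

Package: wpat
Architecture: all
Depends: ${misc:Depends}, ${python3:Depends},
         python3-requests, python3-bs4, python3-tqdm, python3-colorama
Recommends: python3-pyqt5, python3-pyqt5.qtwebengine
Description: WordPress Professional Audit Tool
 Modular WordPress security audit toolkit (fingerprinting, XML-RPC and
 REST API checks, user enumeration, sensitive file detection).
EOF
    printf '%s\n' "$dir/debian/control"
}

# fetch_and_unpack EXPECTED_SHA256 [WORKDIR] -> downloads the tagged tarball,
# verifies it against the pinned digest, unpacks it and writes the control
# skeleton into the unpacked tree. Needs network access.
fetch_and_unpack() {
    local expected="$1" workdir="${2:-.}" tarball
    tarball="$workdir/WPAT-${WPAT_TAG}.tar.gz"
    wget -q "$WPAT_URL" -O "$tarball"
    verify_tarball "$tarball" "$expected"
    tar -xzf "$tarball" -C "$workdir"
    write_debian_control "$workdir/WPAT-${WPAT_TAG}"
}

# Usage (online): fetch_and_unpack <sha256 pinned at first review> /tmp/wpat-build
```

On a mismatch the script exits before `tar` runs, so a tarball that differs from the reviewed one (a re-tagged release, a tampered download, or simply a different tag) is never unpacked into the build tree; the pinned digest belongs in the packaging repository next to the debian/ directory so that rebuilds stay reproducible.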

How to use

Use only on targets you own or have explicit permission to test

Packaged

Not currently packaged for Debian/Kali (no official Debian package or Kali package found). The GitHub repository does not expose an official debian/ packaging folder in the main tree (packagers will need to create Debian packaging using the upstream release tarball). If maintainers want, I can provide a Debian packaging template (debian/control, rules, changelog) based on the release metadata and dependencies.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-08-25 10:20 Santitub New Issue