WPScan
WPScan WordPress security scanner bot
About this crawler
WPScan is a web crawler identified by the regular-expression pattern WPScan in the User-Agent request header. It is categorised as scanner. Use the regex above to detect, log, allow, or block WPScan traffic in your web server, CDN edge rules, or robots.txt.
Block-rate · top 25k sites
0.26%
Technical details
- Name
- WPScan
- Pattern
WPScan- Tags
- scanner
- Reference
- https://wpscan.com
- Added
- 2026/04/07
- rDNS suffixes
.wpscan.com,.wpscan.org- Instances
- 2 known sample(s)
rDNS verification (FCrDNS)
Verify a request is genuinely WPScan with forward-confirmed reverse DNS: the client IP's PTR record must end in one of the suffixes below and a forward A/AAAA lookup of that hostname must return the same IP. UA strings alone are spoofable; FCrDNS is not.
.wpscan.com.wpscan.org
Sample User-Agent strings
WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)
Mozilla/5.0 (compatible; WPScan; +https://wpscan.com/wordpress-security-scanner)
Block this crawler
robots.txt — disallow WPScan:
User-agent: WPScan
Disallow: /
Apache .htaccess — return 403:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} WPScan [NC]
RewriteRule .* - [F,L]
Nginx — return 403 inside a server block:
if ($http_user_agent ~* "WPScan") {
return 403;
}
← back to all crawlers