Show HN: WP Detective – Show what theme and plugins a WordPress site is using

  • Neat. Many questions. I assume you have some database of path matches for the theme/plugin js/CSS files or similar?

    How extensive is the database? Just free themes/plugins from one source, or popular themes from several sources? Paid ones too?

    Any namespace clashes where you have to dig deeper to tell which theme or plugin it is?

    Were you able to fully automate the creation and updating of the signature database?

  • There are a few other websites which do a similar job with similar issues.

    http://www.wpthemedetector.com/

    http://scanwp.net/

    http://whatwpthemeisthat.com/

    All these websites scan and output similar unknown plugins, as if sharing the same database or same method to detect plugins and themes.

    http://wpdetective.io/www.pmindia.gov.in

  • So... wpscan[1] with a web frontend?

    1. https://github.com/wpscanteam/wpscan

  • hm it doesn't seem to pick up the wp installation if the WP_CONTENT_DIR is changed. should be an easy fix, see below.

    this site is very much wordpress: https://www.berghs.se/ but wpdetective won't detect wordpress at all. it has a custom WP_CONTENT_DIR.

    here's a similar but less polished version my team created some years ago: http://wppluginchecker.earthpeople.se/?wordpress-site=https%...

    it tries a few common variables for WP_CONTENT_DIR, and runs completely in the browser, should you want to take a peek on how we detect WP.

  • Looks like a web UI around wpscan?

    edit: apparently custom code

  • Interesting.

    I'd be interested in the maintenance strategies you have in place (if any).

    I assume that for plugins that don't output styles or scripts you use other methods, maybe some HTML output etc, so you've probably hard coded a lot of stuff for some popular plugins.

    How have you set your tests and how do you plan on knowing when a certain plugin stops emitting the signature you're checking for? Most probably an E2E test with a local theme containing everything, care to share tech specifics on this part?

  • If a wordpress is installed in a subfolder example.com/wp/ it only searches in example.com and doesn't detect any wp install.

  • Very nice. I suppose it works by checking for js/css embeds and extracting names from the path?

  • It doesn't seem to work if the wordpress endpoint isn't at the root of a domain…

  • It didn't detect revolution slider on my site, which is like one of the most popular plugins.

    Still great.

  • This is super useful for freelancers and people working with wordpress themes.

  • It only detects client side scripts. Nicely done! Tested it on my own shop
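
Added example, not part of the thread and not WP Detective's code: a sketch of the path-based detection several commenters guess at, meant to be run over your own page's HTML to see which theme and plugin slugs its asset URLs reveal. It covers the custom WP_CONTENT_DIR and subfolder cases raised above by keying on the /plugins/<slug>/ and /themes/<slug>/ path segments instead of a fixed /wp-content/ prefix. The sample markup, the function names and the site.invalid base URL are assumptions.

```javascript
// Constructed sample markup (not from any real site): one default layout,
// one subfolder install with a renamed content directory.
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwenty/style.css?ver=1.2">
<script src="https://example.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.1"></script>
<script src="/wp/assets/plugins/revslider/public/js/rs.min.js"></script>
<img src="https://cdn.example.com/wp-content/uploads/2020/01/logo.png">
<script src="https://example.com/wp-includes/js/jquery/jquery.js"></script>
`;

// Collect every src/href attribute value from the markup.
function assetUrls(html) {
  const urls = [];
  const re = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Report what the page's asset URLs expose: slugs, the "ver" query value
// (whatever version string the asset was enqueued with, or null), and the
// directory that plays the role of wp-content.
function exposedComponents(html, base = 'https://site.invalid/') {
  const out = {
    plugins: Object.create(null),
    themes: Object.create(null),
    contentDirs: [],
  };
  for (const raw of assetUrls(html)) {
    let url;
    try { url = new URL(raw, base); } catch { continue; } // skip malformed values
    // Non-greedy prefix: take the first /plugins/ or /themes/ segment, so a
    // "themes" folder inside a plugin is not mistaken for a theme.
    const m = url.pathname.match(/^(.*?)\/(plugins|themes)\/([^\/]+)\/.+/);
    if (!m) continue; // uploads, wp-includes, external assets
    const [, dir, kind, slug] = m;
    out[kind][slug] = url.searchParams.get('ver') ?? out[kind][slug] ?? null;
    if (!out.contentDirs.includes(dir)) out.contentDirs.push(dir);
  }
  return out;
}

console.log(exposedComponents(SAMPLE_HTML));
```

As the thread notes, this only sees components that emit client-side assets; anything that runs purely server-side leaves nothing in the markup to match.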