High-performance WordPress plugin discovery, written in Rust & ready for Python.
Official rate-limited, async, low-false-positive plug-in for WPAT (WordPress Professional Audit Tool).
plugins-ext is a Rust-native extension that turbo-charges WordPress plugin enumeration:
- Blazing fast: asynchronous, concurrent & lock-free
- Accurate: smart 404 / generic-title filtering, minimal false positives
- Pythonic: drop-in import, progress callbacks, `asyncio` friendly
- Polite: exact request-per-second governor keeps target (and your ISP) happy
- Secure: TLS-only, configurable timeout, no leaks / no `unsafe`
- Install (wheel coming soon; build from source for now)

  ```bash
  # (1) get stable Rust
  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  # (2) clone
  git clone https://github.com/WPAT-Project/plugins-ext && cd plugins-ext
  # (3) compile & install Python wheel
  pip install maturin
  maturin develop --release
  ```
- Enumerate

  ```python
  from plugins_ext import Scanner

  def live(feed, res):
      print(f"{feed:>4} → {res.plugin:<30} {res.state}")

  scanner = Scanner("https://example.com", rate_per_sec=40, timeout_secs=12)
  results = scanner.scan("wordlist/top-6000.txt", live)

  found = [r.plugin for r in results if r.state == "found"]
  print(f"\n{len(found)} plugins confirmed")
  ```
| Stage | Tech | Description |
|---|---|---|
| Wordlist ingestion | `tokio::fs` | Async streaming, zero-copy trimming |
| Rate governor | `tokio::time::Interval` | Burst-resistant, exact RPS |
| HTTP engine | `reqwest` + `rustls-tls` | HTTP/2, keep-alive, low memory |
| 404 heuristic | Regex-free patterns | 25+ generic error markers + title checks |
| Confirmation | Multi-asset HEAD | `readme.txt`, `style.css`, `icon-128x128.png` |
| Python bridge | PyO3 | GIL-safe, `Py<PyAny>` callbacks, no copy |
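
For defenders, the confirmation stage in the table above leaves a recognizable pattern in web access logs: one client requesting `readme.txt`, `style.css` or `icon-128x128.png` for many distinct plugin slugs, most of them absent. The detector below is an added example, not part of plugins-ext or WPAT; it assumes combined log format and the default `/wp-content/plugins/<slug>/` layout, runs on constructed sample lines, and its thresholds and function names are illustrative.

```python
import re
from collections import defaultdict

# Assumptions: combined log format and the default /wp-content/plugins/<slug>/
# layout. The three asset names are the ones listed in the Confirmation stage.
PROBE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ '
    r'/wp-content/plugins/(?P<slug>[^/\s"]+)/'
    r'(?:readme\.txt|style\.css|icon-128x128\.png)(?:\?\S*)? [^"]*" '
    r'(?P<status>\d{3}) '
)

def detect_enumeration(lines, min_slugs=20, min_miss_ratio=0.8):
    """Flag clients that probe many distinct plugin slugs, most of them absent.

    Counting distinct slugs instead of requests per second keeps the rule
    effective against slow, rate-limited scans. Thresholds are illustrative.
    """
    seen, hits = defaultdict(set), defaultdict(set)
    for line in lines:
        m = PROBE.match(line)
        if not m:
            continue  # not a plugin-asset probe
        slug = m["slug"].lower()
        seen[m["ip"]].add(slug)
        if m["status"] != "404":
            hits[m["ip"]].add(slug)  # at least one asset exists for this slug
    flagged = {}
    for ip, slugs in seen.items():
        misses = len(slugs - hits[ip])
        if len(slugs) >= min_slugs and misses / len(slugs) >= min_miss_ratio:
            flagged[ip] = {"slugs": len(slugs), "misses": misses}
    return flagged

def sample_log():
    """Constructed log lines: one scanner-like client, one ordinary visitor."""
    fmt = ('{ip} - - [10/Mar/2025:10:00:00 +0000] '
           '"{verb} /wp-content/plugins/{slug}/{asset} HTTP/2.0" {code} 0 "-" "-"')
    lines = [fmt.format(ip="203.0.113.7", verb="HEAD", slug=f"slug-{i}",
                        asset="readme.txt", code=200 if i < 4 else 404)
             for i in range(40)]
    lines += [fmt.format(ip="198.51.100.9", verb="GET", slug="akismet",
                         asset="style.css", code=200)] * 5
    return lines

if __name__ == "__main__":
    print(detect_enumeration(sample_log()))
```
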
| Parameter | Type | Default | Notes |
|---|---|---|---|
| `target` | `str` | - | Base URL of WordPress site (`https://foo.com`) |
| `rate_per_sec` | `int` | 30 | Requests per second (clamped 1-256) |
| `timeout_secs` | `int` | 15 | Per-request socket timeout |
- `wordlist`: path-like (`str`, `pathlib.Path`) text file with one plugin slug per line
- `progress`: optional callable `f(index: int, result: ScanResult) -> None` invoked on every completion
- Returns: `list[ScanResult]` (order ≠ input order; use `.plugin` to correlate)
| Attribute | Type | Value |
|---|---|---|
| `plugin` | `str` | Slug tested |
| `state` | `str` | `found` \| `possible` \| `not_found` \| `error:<msg>` |
```text
0 → akismet found
1 → jetpack found
2 → wordfence possible
3 → fake-plugin-xyz not_found
...

312 plugins confirmed
```
plugins-ext ships as a first-class plug-in inside WPAT.
| Hardware | Wordlist | Rate | Time | RAM |
|---|---|---|---|---|
| MBP M2 | 10 k | 200 rps | 50 s | ≈ 35 MB |
| 8 vCPU VPS | 50 k | 500 rps | 100 s | ≈ 90 MB |
(Your mileage depends on network latency and target response time.)
Star the repo if it helped you