Automattic has acquired WPScan, a ten-year-old service that provides a database for WordPress core, plugin, and theme vulnerabilities. The company has sponsored WPScan for a number of years and has already been white labeling its use in Jetpack Scan.
Pricing for WPScan is based on API requests per day, with a free version limited to 25. Monthly pricing is tiered based on requests and additional features. The pricing matrix estimates that WordPress websites have 22 plugins installed, on average, and each one makes an API request, as well as one each for the core version and themes.
“Our goal for this acquisition is to make malware data and APIs more open source,” Jetpack marketing representative Rob Pugh said. “We want to ensure that WPScan continues to be a high-quality security resource for the entire WordPress community. To that effect, we’ll be exploring ways to make the API completely free for non-commercial sites.”
Some users may be wondering whether the WPScan plugin offers more than what is built into Jetpack Scan. The two provide complementary features and can be used at the same time.
“[WPScan] does do some different checks that Jetpack Scan doesn’t do such as weak passwords and https,” Pugh confirmed. “Conversely, Jetpack Scan does some things that WPScan doesn’t, such as a library of signatures checking for malicious code.”
Automattic has not ruled out requiring WPScan users to have Jetpack installed in order to use the plugin in the future. When asked if Automattic is considering the possibility of requiring Jetpack in order to access WPScan, Pugh said, “We still need to evaluate what makes the most sense for Jetpack and WPScan long-term.”
Since the product was announced on the Jetpack blog as a Jetpack acquisition, it seems likely that Automattic will merge the branding under Jetpack Scan, rather than leave them separate. There is too much confusion regarding which security product offers which set of features and customers are more likely to respond to a streamlined, simple security package. It’s also possible the product could be combined and offered as a standalone plugin, like Jetpack Backup, Jetpack CRM, and Jetpack Boost. This may or may not require the core Jetpack plugin.
For now, there are no changes planned for the service. WPScsan founders Ryan Dewhurst and Erwan Le Rousseau will continue their work on the product at Automattic.
“WPScan will continue to operate independently in the near term and may be integrated into Jetpack Scan in the future,” Pugh said.