I'm protected with iThemes and/or Sucuri, I don't need this tool

Those tools are great! But they don't address the root problem behind many WordPress security vulnerabilities: outdated software. A WAF can give you some protection against DDoS events, SQL injection or other aberrant requests, but it's another layer, another world; it does not update the software behind it. So please keep using these WAFs alongside a decent update policy, which this tool can help with.

A Whitebox scanner

At first I was experimenting with wpscan, which is more of a hacker tool because it's a black-box scanner. It generated lots of I/O on the server I was working on, and gave lots of false positives, as many plugins hide their version numbers or have different semantics for naming them. So this wasn't suitable for the monitoring solution I was building.

It must be a whitebox scanner then. After googling around I found Wordstress, which is a combination of a WordPress plugin exposing all versions of core, plugins and themes (accessible through the web with a predefined key) and a Ruby gem that checked the found versions against wpvulndb.com. This was the thing I was looking for!

That lasted until recently, when the plugin broke after WP core update 4.6 and my monitoring solution wasn't reliable anymore. On top of that, the Wordstress plugin wasn't being updated anymore. Something needed to be done, so I decided to do a rewrite, inspired by the fundamentals of Wordstress.

Based on a proven standard (WP-CLI), it turned out to be less work than I had feared. I even had time to write this little site :-)
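The whitebox idea described above, as an added example (not this tool's or Wordstress's own code): exact installed versions, in the shape `wp plugin list --format=json` reports them, are compared against advisory records. The plugin names, the advisory entries and their `fixed_in` layout are constructed for illustration and are not the real wpvulndb.com feed format.

```python
import json
import re

# Constructed sample of `wp plugin list --format=json` output (not a real site).
WP_CLI_PLUGINS = """[
  {"name": "contact-form-x", "status": "active", "update": "available", "version": "2.3.1"},
  {"name": "gallery-y", "status": "inactive", "update": "none", "version": "1.10.0"},
  {"name": "seo-z", "status": "active", "update": "none", "version": "4.0"}
]"""

# Constructed advisories keyed by plugin slug; fixed_in=None means no fix exists yet.
ADVISORIES = {
    "contact-form-x": [{"title": "Stored XSS", "fixed_in": "2.3.2"}],
    "gallery-y": [{"title": "SQL injection", "fixed_in": "1.9.5"},
                  {"title": "Arbitrary file upload", "fixed_in": None}],
}

def version_key(version):
    """Turn '1.10.0' into (1, 10) so that 1.10 sorts above 1.9 and 4.0 == 4.0.0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)      # leading digits only: '1-beta2' -> 1
        parts.append(int(match.group()) if match else 0)
    while parts and parts[-1] == 0:          # drop trailing zeros
        parts.pop()
    return tuple(parts)

def find_vulnerable(plugins_json, advisories):
    """Return (slug, installed, title, fixed_in, status) for every open advisory."""
    findings = []
    for plugin in json.loads(plugins_json):
        installed = version_key(plugin["version"])
        for adv in advisories.get(plugin["name"], []):
            fixed = adv["fixed_in"]
            # Open if unfixed upstream or the installed version predates the fix.
            if fixed is None or installed < version_key(fixed):
                findings.append((plugin["name"], plugin["version"],
                                 adv["title"], fixed, plugin["status"]))
    return findings

if __name__ == "__main__":
    for slug, ver, title, fixed, status in find_vulnerable(WP_CLI_PLUGINS, ADVISORIES):
        print(f"{slug} {ver} ({status}): {title}, fixed in {fixed or 'no release yet'}")
```

Inactive plugins are reported too, since their code is still on disk and reachable by URL.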