How to Detect WordPress Plugins on Any Website

WordPress powers over 40% of the web, and much of its functionality comes from plugins. Knowing which plugins a WordPress site uses is valuable for competitive research, sales prospecting (selling WordPress services or integrations), security auditing, and understanding how a site was built.

Here is how to identify WordPress plugins on any website, from manual techniques to automated detection.

1. Check /wp-content/plugins/ Paths

The most reliable way to detect WordPress plugins is by looking at the script and stylesheet URLs loaded on the page. WordPress serves plugin assets from a predictable directory structure:

/wp-content/plugins/[plugin-name]/

Open the page source (Ctrl+U) and search for wp-content/plugins. Each unique directory name after /plugins/ corresponds to an installed and active plugin. For example:

• /wp-content/plugins/woocommerce/ → WooCommerce
• /wp-content/plugins/elementor/ → Elementor page builder
• /wp-content/plugins/contact-form-7/ → Contact Form 7
• /wp-content/plugins/wordpress-seo/ → Yoast SEO

This method works for any plugin that loads frontend CSS or JavaScript. Plugins that are purely backend (e.g., a backup plugin) will not appear in the page source.

2. Look for Plugin-Specific HTML Patterns

Many popular plugins inject recognizable HTML into the page. Here are common examples:

• Yoast SEO: Adds an HTML comment like <!-- This site is optimized with the Yoast SEO plugin --> near the top of the source.
• WooCommerce: Adds CSS classes like woocommerce and woocommerce-page to the body tag, and renders cart/shop elements with recognizable markup.
• Elementor: Adds elementor- prefixed CSS classes throughout the page, and loads its own widget system with data-elementor-type attributes.
• Contact Form 7: Renders forms with the wpcf7 CSS class and a data-wpcf7 attribute containing the form ID.
• Gravity Forms: Uses CSS classes like gform_wrapper and gfield on form elements.

3. Inspect Meta Tags

Some plugins add meta tags to the page head that reveal their presence:

• Yoast SEO: <meta name="generator" content="Yoast SEO" />
• Rank Math: <meta name="generator" content="Rank Math" />
• All in One SEO: <meta name="generator" content="AIOSEO" />
• WPBakery: Adds wpb-js-composer references in meta or script URLs.

The <meta name="generator"> tag is particularly useful because WordPress itself uses it to expose the core version, and many plugins follow the same convention.

4. Analyze Script and Style URLs

Beyond the /wp-content/plugins/ path, script and stylesheet URLs themselves often contain version information and plugin identifiers. Open your browser's DevTools Network tab and filter by JS/CSS to see all loaded resources.

Look for patterns like:

• elementor/assets/js/frontend.min.js?ver=3.18.0 — reveals both the plugin name and its version
• jetpack/_inc/build/ — indicates the Jetpack plugin
• woocommerce/assets/css/woocommerce.css — confirms WooCommerce

The ver= query parameter is especially valuable because it reveals the exact plugin version, which is useful for security auditing (checking for outdated or vulnerable versions).

Popular WordPress Plugins and Their Signatures

Here are some of the most commonly detected WordPress plugins and the signals they leave:

• WooCommerce: The leading WordPress ecommerce plugin. Detected via /wp-content/plugins/woocommerce/ paths, woocommerce body class, and Shopify-alternative checkout pages. See WooCommerce detection details
• Yoast SEO: Found on millions of WordPress sites. Adds a distinct HTML comment and meta generator tag. Commonly detected alongside WordPress core.
• Elementor: A visual page builder used on over 15 million sites. Its CSS classes (elementor-widget, elementor-section) are unmistakable.
• Contact Form 7: One of the most-installed WordPress plugins. Its form markup with wpcf7 classes is easy to identify.
• WP Super Cache / W3 Total Cache: Caching plugins that add HTML comments at the bottom of the page source indicating the page was served from cache.

Automated WordPress Plugin Detection

Manually scanning a page source for plugin signatures works, but it is slow and you will miss plugins you are not specifically looking for. WhatStack automates this process entirely. When you scan a WordPress site, it detects the core CMS, the theme framework, all identifiable plugins, and every other technology in the stack.

The detection engine matches against known plugin patterns in script URLs, HTML source, meta tags, cookies, and HTTP headers. Each detected technology includes a confidence score, version (when available), and category classification. This gives you a complete picture of the site's WordPress ecosystem in one scan.

Ready to try it? Scan any WordPress site with WhatStack and see the full plugin list in seconds. You can also browse the WordPress technology directory to see all WordPress-specific technologies we detect.