It took several years for WPScan, a security service for WordPress websites, to evolve from a side project to a full-time business.

But focusing on generating revenue helped Ryan Dewhurst and his team grow a profitable business that soon caught the eye of WordPress parent company Automattic.

Dewhurst was still studying computer science at the University of Northumbria in England when he developed WPScan in 2011 – “just for learning basically, and the joy of creating something,” he explained on the WPBuilds podcast.

But even simple tools can take a lot of time to create and release. Dewhurst, Erwan Le Rousseau and Christian Mehlmauer worked on WPScan in their spare time, Dewhurst recalled. As their free security scanner for WordPress websites got more popular, users relied on the WPScan team to find and catalog the various vulnerabilities the scanner sought to protect against.

Dewhurst said overcoming self-doubt was a huge hurdle for WPScan. “We were a very small team, but we delivered tremendous value to our users and the community,” he said. “For a long time, we didn’t know how best to monetize our business.”

Dewhurst said conversations with other entrepreneurs helped the team solidify its plans. WPScan transitioned from a side project to a full-time, formal company in 2018.

Trying different ways to monetize WPScan

Over the years, the team also released a WordPress vulnerability database and a WordPress security plugin that users could add to their WordPress websites.

First, the startup began charging businesses who wanted to resell WPScan services by integrating WPScan tools into the services they were offering. That worked on an honor system, trusting businesses to disclose if they were using WPScan for their own enterprises.

But it wasn’t bringing in much money. WPScan then launched a commercial service so users could schedule daily, weekly or monthly scans. “That is growing slowly, but it didn’t take off as much as we thought,” Dewhurst told WPBuilds. The team found that a three-day free trial got a lot of people interested, but not enough to start paying for the service.

The next stage was to monetize the vulnerability database API by capping the number of requests a user could make daily. That way, a normal user could run security scans, but a commercial user would reach the cap and be required to pay for their usage level.

The free scanning tool helped the company build its name in the WordPress community, earning them an audience of “hundreds of thousands” of free users, Dewhurst said. Paid users included big names such as Sony, Mercedes-Benz Group and Accenture.

WPScan eventually announced price points ranging from 5 euros per month to scan one website, to 100 euros per month to scan up to 20 sites for vulnerabilities. (One euro was worth $1 to $1.20 U.S. most of the time from the company’s founding to sale.)

“The biggest thing I did to grow my company was to recognize the value I was providing, and to start charging appropriately for that value,” Dewhurst said.

After 10 years, WPScan sells to Automattic

WordPress parent company Automattic was aware of WPScan’s work, and eventually became a sponsor of the company.

When WPScan’s founders were ready to sell, Automattic was ready to buy. In November 2021, the team sold access to its vulnerability data — more than 23,000 items the team of three had cataloged over 10 years — for an undisclosed price.

Though Automattic was an obvious fit to acquire WPScan, Dewhurst said it still took time to ensure all the documents were in order ahead of the sale. “Obviously the legal side of things is challenging too, as you want to make sure both parties are on the same page and in agreement with all the terms,” he said. But the sale process was “smooth and straightforward.”

As part of the sale, Dewhurst and Le Rousseau stayed on as employees, working to integrate WPScan into Jetpack, WordPress’s own security system. By June 2022, WPScan’s database had tracked 28,000 vulnerabilities for WordPress and its add-on products.

Dewhurst worked as a senior security engineer for Automattic for eight months before departing in mid-2022. He took a year off “to create the foundations of my new life and take a little ‘me time,’” and moved from France to Spain.

Now, he’s focusing on BuildVue, a startup providing digital tools for construction companies. Dewhurst launched the project in mid-2023.