Find Companies Using WordPress: Build Targeted Lead Lists

WordPress runs roughly 43% of the web. If you sell anything that plugs into WordPress—a plugin, a hosting upgrade, a security service, a managed-WP migration offer, a page builder, an SEO tool—then "company that already runs WordPress" is the single most useful filter you can apply to a prospect list. Everyone else is education work; WordPress users are pre-qualified.

The problem is going from "I want WordPress users" to "here is a CSV of 412 confirmed WordPress companies in my ICP." This post walks the practical pipeline: where the domains come from, how to detect WordPress at scale via the DetectZeStack API, which signals to filter on, and what to do with the output.

Why Sales Teams Want to Find Companies Using WordPress

Technographic prospecting beats firmographic prospecting whenever the product has a hard compatibility requirement. WordPress is the cleanest example. A page-builder plugin literally cannot run on Squarespace. A managed-WordPress host has zero relevance to a Webflow site. A WooCommerce optimization service is irrelevant outside the WordPress ecosystem. Filtering out non-WordPress prospects before outreach is not a "nice to have"—it is the difference between a 6% reply rate and a 0.4% one.

Concrete examples of teams that want a "find companies using WordPress" pipeline:

• WordPress plugin and theme businesses. Reaching out to non-WordPress sites is pure waste. Reaching out to WordPress sites that already use a competitor plugin is high-intent migration outreach.
• Managed WordPress hosts. WP Engine, Kinsta, Pressable, and the like need lead lists of self-hosted WordPress sites that look bigger than $20/month shared hosting.
• Agencies that specialize in WordPress. Filter by "running WordPress" and "Google Analytics present" and "no CDN configured" to find sites where you can quote a clear performance audit.
• Security and backup vendors. WordPress is the largest CMS attack surface on the web. Knowing a prospect runs WordPress is what makes the security pitch relevant at all.

In every one of these cases the bottleneck is not lead supply—it is lead quality. Random scraped domain lists waste sales time. A WordPress-confirmed list, ideally enriched with hosting provider and CDN, converts dramatically better.

What Counts as a "WordPress Company" (Self-Hosted vs WordPress.com vs WP Engine)

Before you scan anything, decide which WordPress sub-population you want. The detection API will catch all of them, but they have very different sales characteristics.

The DetectZeStack response returns both WordPress in the technologies array and any associated managed host (WP Engine, Kinsta) when detected. That lets you filter to the segment you actually want before the data ever reaches your CRM.

Three Ways to Find Companies Using WordPress

Manual Domain Checks (Slow but Free)

For one-off due-diligence on a single prospect, you do not need an API. The fastest manual check is to visit example.com/wp-login.php or example.com/wp-admin and see if the WordPress login screen loads. If it does, the site runs WordPress. We cover four other manual methods in our guide to checking if a website uses WordPress.

The manual approach falls apart the moment you have more than a few dozen prospects. Hardened sites rename /wp-admin, some hosts return 403 on every probe, headless sites have no WordPress paths in the frontend at all. You also cannot script "open a browser and look at the screen" cheaply at scale.

Bulk CSV Enrichment via the DetectZeStack API

The practical workflow: you start with a CSV of domains (from LinkedIn Sales Navigator, Crunchbase, Apollo, a directory scrape, anywhere) and you call the API to add a "uses WordPress" column plus a full tech-stack column. Rows where WordPress is detected become your prospect list. Rows where it is not get filtered out or routed to a different campaign.

This is what the rest of this post covers in detail.

Continuous Monitoring for New WordPress Adopters

For ongoing pipeline, set up tech-change monitoring on a watchlist of domains so you get notified when one of them adds WordPress (a migration), removes it (an opportunity for a different campaign), or changes hosting provider. The DetectZeStack webhook tech change alerts feature handles this. The same scan that builds today's lead list can feed tomorrow's monitoring queue.

Detect WordPress on a Single Domain with the API

Start with a single-domain test before running a thousand. The public demo endpoint requires no API key and is rate-limited per IP, so you can try the workflow on your own site or a known WordPress prospect right now:

curl -s "https://detectzestack.com/demo?url=techcrunch.com" | jq '.'

The response is the same shape you get from the authenticated endpoint:

{
  "url": "https://techcrunch.com",
  "domain": "techcrunch.com",
  "technologies": [
    {
      "name": "WordPress",
      "categories": ["CMS", "Blogs"],
      "confidence": 100,
      "description": "WordPress is a free and open-source content management system written in PHP.",
      "website": "https://wordpress.org",
      "icon": "WordPress.svg",
      "source": "http",
      "version": "",
      "cpe": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"
    },
    {
      "name": "PHP",
      "categories": ["Programming languages"],
      "confidence": 100,
      "description": "",
      "website": "https://www.php.net",
      "icon": "PHP.svg",
      "source": "http",
      "version": "",
      "cpe": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"
    },
    {
      "name": "Cloudflare",
      "categories": ["CDN"],
      "confidence": 100,
      "description": "",
      "website": "https://www.cloudflare.com",
      "icon": "CloudFlare.svg",
      "source": "http",
      "version": "",
      "cpe": ""
    }
  ],
  "categories": {
    "CMS": ["WordPress"],
    "Blogs": ["WordPress"],
    "Programming languages": ["PHP"],
    "CDN": ["Cloudflare"]
  },
  "meta": {
    "status_code": 200,
    "tech_count": 14,
    "scan_depth": "full"
  },
  "cached": false,
  "response_ms": 1842
}

The fields that matter for prospecting are technologies[].name (filter for WordPress), technologies[].categories (filter by CMS category if you want any WordPress-family CMS), and the full categories map for stack-neighbor filtering. meta.tech_count tells you how many technologies were detected total—a low number on a hardened site is a hint that detection was partial.

For authenticated production use, swap to the RapidAPI endpoint and add the headers:

curl -s "https://detectzestack.p.rapidapi.com/analyze?url=techcrunch.com" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
  | jq '.technologies[] | select(.name == "WordPress")'

If the jq filter returns an object, the domain runs WordPress. If it returns nothing, it does not. That is the entire detection logic.

Batch-Enrich a List of 1,000 Domains

The /analyze/batch endpoint accepts up to 10 domains per call. To enrich 1,000 domains you make 100 batch calls. Here is a complete Python script that takes a domains.txt file, calls the batch endpoint, and writes a wordpress_prospects.csv containing only the WordPress hits along with their managed-host and CDN tags:

import csv
import json
import time
import requests

API_KEY = "YOUR_RAPIDAPI_KEY"
HEADERS = {
    "X-RapidAPI-Key": API_KEY,
    "X-RapidAPI-Host": "detectzestack.p.rapidapi.com",
    "Content-Type": "application/json",
}
BATCH_URL = "https://detectzestack.p.rapidapi.com/analyze/batch"
BATCH_SIZE = 10  # /analyze/batch hard-caps at 10 URLs per request

MANAGED_WP_HOSTS = {"WP Engine", "Kinsta", "Pressable", "Flywheel"}

def chunks(seq, n):
    for i in range(0, len(seq), n):
        yield seq[i:i + n]

def scan_batch(urls):
    body = json.dumps({"urls": urls})
    r = requests.post(BATCH_URL, headers=HEADERS, data=body, timeout=60)
    r.raise_for_status()
    return r.json()

def extract_prospect(item):
    # /analyze/batch returns {"results": [{"url": ..., "result": {...AnalyzeResponse...}, "error": ...}, ...]}
    # The detector payload (technologies, categories, meta) lives under item["result"],
    # NOT directly on item — reading the wrong level returns nothing silently.
    analysis = item.get("result") or {}
    techs = analysis.get("technologies", [])
    names = [t["name"] for t in techs]
    if "WordPress" not in names:
        return None

    managed_host = next(
        (n for n in names if n in MANAGED_WP_HOSTS),
        "self-hosted or unknown",
    )
    cdn = ", ".join(analysis.get("categories", {}).get("CDN", []))
    analytics = ", ".join(analysis.get("categories", {}).get("Analytics", []))

    return {
        "domain": analysis.get("domain", ""),
        "url": item.get("url", ""),
        "managed_host": managed_host,
        "cdn": cdn or "none detected",
        "analytics": analytics or "none detected",
        "tech_count": analysis.get("meta", {}).get("tech_count", 0),
        "all_technologies": ", ".join(names),
    }

def main():
    with open("domains.txt") as f:
        domains = [line.strip() for line in f if line.strip()]

    prospects = []
    for i, batch in enumerate(chunks(domains, BATCH_SIZE), start=1):
        print(f"Batch {i}: scanning {len(batch)} domains...")
        try:
            results = scan_batch(batch)
        except requests.HTTPError as e:
            print(f"  batch failed: {e}")
            continue

        for item in results.get("results", []):
            row = extract_prospect(item)
            if row:
                prospects.append(row)

        time.sleep(1)  # be polite, stay well under rate limits

    with open("wordpress_prospects.csv", "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=[
            "domain", "url", "managed_host", "cdn",
            "analytics", "tech_count", "all_technologies",
        ])
        writer.writeheader()
        writer.writerows(prospects)

    print(f"\nDone. {len(prospects)} WordPress prospects out of {len(domains)} domains.")

if __name__ == "__main__":
    main()

Run it with a one-domain-per-line text file:

$ cat domains.txt
techcrunch.com
nytimes.com
sfgate.com
example-saas.com
...

$ python find_wordpress.py
Batch 1: scanning 10 domains...
Batch 2: scanning 10 domains...
...
Done. (Run against your own list; CSV will contain only confirmed WordPress hits.)

That gives you a clean CSV ready to import into HubSpot, Pipedrive, Salesforce, Close, or any CRM. Every row is a confirmed WordPress company tagged with managed host, CDN, and analytics platform.

For a deeper walkthrough of the batch endpoint, including retry logic, partial-result handling, and parallelism, see How to Batch Scan 1,000 Websites for Tech Stack Data at Scale.

Filtering Signals That Improve Lead Quality (Hosting, CDN, Plugins)

A "uses WordPress: yes/no" column is a starting point, not the finish. The stack neighbors returned in the same API response are what make the lead list actually qualified. A few practical filters:

Filter by managed WordPress host

If your product targets businesses spending real money on infrastructure, filter for managed WordPress hosts. The DetectZeStack API returns WP Engine, Kinsta, Pressable, and Flywheel as separate technologies when their fingerprints are present. A row tagged WordPress + WP Engine is a higher-ticket prospect than a row tagged WordPress + unknown host.

Filter by CDN presence

Sites with Cloudflare or Fastly in front of them tend to be either traffic-heavy (worth pitching premium services to) or technically sophisticated (more receptive to developer-friendly tools). Sites with no CDN detected are good targets for performance-optimization pitches. The categories.CDN array on the response gives you the filter directly. For more on this signal, see How to Detect a Website's CDN and Hosting Provider.

Filter by analytics provider

Google Analytics, Plausible, Fathom, Matomo, and Mixpanel each get returned as separate technologies. Filtering for Google Analytics identifies sites already comfortable with paid-pixel tracking. Filtering for Plausible or Fathom identifies privacy-conscious operators who may pay for a cookie-banner alternative.

Filter by what is missing

For some pitches the absence of a technology is the strongest signal. "WordPress sites with no CDN" is a clear performance-services lead list. "WordPress sites with no security headers" is a security-services list—you can detect that with the same scan since DetectZeStack also surfaces the security-header posture. "WordPress sites with no caching plugin detected" is a hosting-upgrade list.

For the full mental model on multi-signal qualification, our piece on tech stack enrichment for sales teams walks through how technographic data layers on top of firmographic data to produce qualified outreach.

Building a Repeatable Lead List Pipeline

Once the one-off batch script works, productize it. A repeatable WordPress lead-list pipeline has four moving parts.

1. Domain source. Decide where new domains come from each week. LinkedIn Sales Navigator exports filtered by industry and headcount, Crunchbase queries for newly funded companies, scraped lists from industry directories, customer-logo pages of WordPress-adjacent products. Save them to a single incoming/ folder as text files.
2. Detection job. A scheduled script (cron, GitHub Actions, a workflow runner) that picks up new domain files, runs the batch script above, and writes results to a results database or Google Sheet.
3. Filtering and routing. A view or a saved filter that splits the WordPress hits by managed host, CDN, and category. This is what your sales team actually opens.
4. Change monitoring. For the rows where WordPress was not detected, drop the domains into a watch list. When a non-WordPress prospect adds WordPress, the webhook alert tells you about a migration in progress—some of the hottest leads you will ever get.

For the full end-to-end version including CRM-import patterns, see How to Build a Lead Enrichment Pipeline with Tech Detection.

Pricing and Getting an API Key

DetectZeStack lists on RapidAPI with a free tier that requires no credit card. The plans relevant to prospecting work:

For comparison, BuiltWith's prospecting tools start at $295/month and HG Insights enterprise plans run into five figures per year. If you need a polished pre-built UI with millions of pre-scanned domains, those products are worth their price. If you can run a Python script, you get the same underlying detection through DetectZeStack at a fraction of the cost. See technographic data pricing for the full vendor comparison.

Conclusion

Finding companies using WordPress is no longer an enterprise-only capability. A 100-line Python script, a CSV of target domains, and $9/month gives you the same lead list a sales operations team used to pay $295/month for. The technographic filter (uses WordPress) plus stack-neighbor filters (managed host, CDN, analytics) plus firmographic filters from your existing data sources is what produces qualified outreach.

The pipeline is the asset, not any individual scan. Build it once, point it at new domain sources every week, and you have a continuously refreshing WordPress lead list keyed to your ICP.