Wappalyzer Went Closed Source: What Changed and What to Use Instead

March 11, 2026

In August 2023, Wappalyzer archived its GitHub repository, ending over a decade of open-source development. The wappalyzer and wappalyzer-core npm packages still exist on npm, but they're frozen at the last open-source version and no longer receive updates.

If you relied on Wappalyzer's open-source codebase—whether self-hosting it, building on its fingerprinting engine, or contributing new technology signatures—this changed everything. Here's what happened, what the alternatives look like, and where DetectZeStack fits in.

What Happened

Wappalyzer was one of the most widely used open-source projects for website technology detection. Its GitHub repo had thousands of stars and a large contributor base adding new technology fingerprints. In August 2023, the repository was archived—marked read-only, with no further commits, issues, or pull requests accepted.

The project didn't disappear. Wappalyzer continues as a commercial product: a browser extension, a lookup service, and a paid API. But the engine that powered it—the open-source fingerprinting rules, the community contributions, the ability to self-host—is no longer available under an open-source license.

What Changed for Users

Self-hosting is frozen

If you were running Wappalyzer on your own infrastructure, you can still use the last open-source version. But no new technology signatures will be added. As the web evolves—new frameworks, new CDNs, new SaaS tools—a frozen fingerprint database falls further behind.

The API is paid-only

Wappalyzer's commercial API now starts at $100/month (Starter plan) and goes up to $250/month (Pro plan). There's no free tier for API access. Credits purchased on any plan expire after 60 days, so unused capacity doesn't roll over.

Community contributions stopped

The open-source model meant anyone could submit a pull request to add a new technology fingerprint. That community-driven growth was a core advantage. With the repo archived, fingerprint updates are now internal to the Wappalyzer team.

The Alternatives Today

Open-source forks

Several forks of the Wappalyzer repository appeared after the archive. Most are unmaintained—they inherit the same frozen fingerprint database and don't add new signatures. Some have diverged in ways that make them incompatible with the original rule format. If you're considering a fork, check when it was last updated and how many new signatures have been added since the archive.

BuiltWith

BuiltWith offers comprehensive technology profiling with historical data. Their API starts at $295/month (Basic plan). It's aimed at enterprise customers doing large-scale market research and lead generation. If you need bulk data on millions of sites, BuiltWith is the established player—but the price point puts it out of reach for most individual developers and small teams.

WhatRuns

WhatRuns is a free browser extension for manual tech lookups. It works well for one-at-a-time checks, but has no API. If you need programmatic access, WhatRuns isn't an option.

DetectZeStack

DetectZeStack is a REST API for technology detection with a free tier (100 requests/month) and paid plans starting at $9/month. Beyond HTTP-based fingerprinting, it adds DNS CNAME detection (111 signatures covering CDNs, hosting, email) and TLS certificate analysis—layers that browser-based tools can't access.

What DetectZeStack Adds Beyond Wappalyzer

Even when Wappalyzer was open source, its detection was limited to what browsers can see: HTTP headers, HTML meta tags, JavaScript globals, and DOM patterns. DetectZeStack starts with the same approach (using the open-source Wappalyzer fingerprint engine via wappalyzergo) but adds three additional layers:

DNS CNAME detection

By resolving CNAME records, DetectZeStack identifies CDN providers (Cloudflare, CloudFront, Fastly, Akamai), hosting platforms (Netlify, Vercel, GitHub Pages, Heroku), and SaaS platforms (Shopify, Zendesk, HubSpot)—111 signatures in total. These are invisible to browser extensions because they operate at the DNS layer.
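A minimal sketch of CNAME-based detection as described above, added here as an illustration; it is not DetectZeStack's code. The suffix table is a small constructed sample rather than the 111 signatures, and the names MatchCNAME and Detect are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample signatures (CNAME suffix -> provider); not DetectZeStack's list.
var cnameSigs = map[string]string{
	"cloudfront.net": "Amazon CloudFront",
	"fastly.net":     "Fastly",
	"netlify.app":    "Netlify",
	"github.io":      "GitHub Pages",
	"myshopify.com":  "Shopify",
}

// MatchCNAME returns the provider whose suffix matches target on a DNS label
// boundary, so "notcloudfront.net" does not match "cloudfront.net".
func MatchCNAME(target string) (string, bool) {
	t := strings.ToLower(strings.TrimSuffix(target, "."))
	best, provider := "", ""
	for suffix, name := range cnameSigs {
		if (t == suffix || strings.HasSuffix(t, "."+suffix)) && len(suffix) > len(best) {
			best, provider = suffix, name
		}
	}
	return provider, best != ""
}

// Detect resolves host's canonical name and matches it. Needs network access.
func Detect(host string) (string, error) {
	cname, err := net.LookupCNAME(host)
	if err != nil {
		return "", err
	}
	if p, ok := MatchCNAME(cname); ok {
		return p, nil
	}
	return "", fmt.Errorf("no signature for %q", cname)
}

func main() {
	// Constructed CNAME targets, so the demo runs offline.
	for _, c := range []string{"d111111abcdef8.cloudfront.net.", "Shops.MyShopify.com", "notcloudfront.net"} {
		p, ok := MatchCNAME(c)
		fmt.Println(c, "->", p, ok)
	}
}
```

Matching on a label boundary and normalising case and the trailing dot keeps a look-alike domain from being reported as the provider.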

TLS certificate analysis

DetectZeStack inspects the TLS certificate chain to identify certificate authorities (Let's Encrypt, DigiCert, Sectigo) and extract organizational details. This reveals infrastructure choices that don't appear in HTTP responses.

CPE identifiers for vulnerability mapping

When a detected technology has a known CPE (Common Platform Enumeration) identifier, DetectZeStack includes it in the response. CPE identifiers map directly to the NVD vulnerability database, enabling automated security audits. Wappalyzer never provided CPE data.
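Before a CPE value is fed into an NVD lookup it helps to parse it and check whether it names a concrete version. The parser below is an added example, not code from DetectZeStack or Wappalyzer; the type and function names are hypothetical and the sample strings are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CPE holds the fields of a CPE 2.3 formatted string that matter for NVD lookups.
type CPE struct{ Part, Vendor, Product, Version string }

// ParseCPE splits a CPE 2.3 formatted string on unescaped colons.
// A backslash escapes the next character, so "\:" stays inside its field.
func ParseCPE(s string) (CPE, error) {
	var fields []string
	var cur strings.Builder
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '\\' && i+1 < len(s):
			cur.WriteString(s[i : i+2])
			i++
		case s[i] == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(s[i])
		}
	}
	fields = append(fields, cur.String())
	if len(fields) != 13 || fields[0] != "cpe" || fields[1] != "2.3" {
		return CPE{}, errors.New("not a CPE 2.3 formatted string")
	}
	return CPE{fields[2], fields[3], fields[4], fields[5]}, nil
}

// VersionPinned reports whether the CPE names one concrete version. With "*" or
// "-" a lookup cannot separate vulnerable releases from patched ones.
func (c CPE) VersionPinned() bool { return c.Version != "*" && c.Version != "-" }

func main() {
	// Constructed sample values, not output from any API.
	for _, s := range []string{
		"cpe:2.3:a:nginx:nginx:1.18.0:*:*:*:*:*:*:*",
		"cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*",
	} {
		c, err := ParseCPE(s)
		fmt.Println(c, c.VersionPinned(), err)
	}
}
```

Fingerprinting often identifies a product without its version, so results whose CPE is not version-pinned are candidates for manual triage rather than automatic findings.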

Change tracking

The /changes endpoint tracks when websites add, remove, or change technologies over time. History ranges from 7 days on the free tier to 365 days on the Mega plan. This is useful for competitive monitoring, security alerting, and sales trigger detection.

Comparison Table

| Feature | Wappalyzer (closed source) | DetectZeStack |
| --- | --- | --- |
| Source code | Closed source (was open until Aug 2023) | Closed source (built on open-source wappalyzergo) |
| API pricing | $100/mo Starter, $250/mo Pro | Free tier (100 req/mo), $9/mo Pro |
| Credit expiration | 60 days | No expiration |
| DNS detection | No | Yes (111 CNAME signatures) |
| TLS certificate analysis | No | Yes |
| CPE identifiers | No | Yes (NVD mapping) |
| Change tracking | No | Yes (7–365 days) |
| Batch analysis | Yes (API only) | Yes (up to 10 URLs) |
| Browser extension | Yes | No (API only) |
| Lookup service | Yes (website) | API only |

Quick Start

Get an API key from RapidAPI (free, no credit card required) and scan any website:

curl -s "https://detectzestack.p.rapidapi.com/analyze?url=stripe.com" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" | jq '.'

The response includes every detected technology with categories, confidence scores, and CPE identifiers when available. DNS-detected technologies (CDNs, hosting) and TLS-detected technologies (certificate authorities) appear alongside HTTP-detected ones—all in a single request.

When to Use Which

Use Wappalyzer if...

You need a browser extension for quick manual lookups, or you're already paying for their API and the credit expiration model works for your usage pattern.

Use DetectZeStack if...

You need an affordable API with no credit expiration, DNS and TLS detection layers, CPE data for security workflows, or technology change tracking.

Bottom line: Wappalyzer's move to closed source removed a key option for developers who self-hosted or built on the open-source engine. DetectZeStack isn't open source either—but it offers a free API tier with no credit expiration, plus DNS, TLS, and CPE capabilities that Wappalyzer never offered.
