A free, local-first alternative to Wappalyzer
The most-referenced name in website-technology detection — now a paid SaaS with a free browser extension, after its open-source repository was archived in 2023.
Founded 2008 · Pricing: Free Chrome extension with unlimited per-page lookups; paid SaaS tiers for bulk API, technology lead lists and technographics.
Overview
Wappalyzer is the reference product in the website-technology-detection category. It started in 2008 as a community-maintained Firefox add-on with a small library of fingerprints for CMSes, analytics tools and JavaScript frameworks, and grew into the de-facto dataset the rest of the industry calibrated against. Most of the alternatives you'll read about here — BuiltWith, WhatRuns, SimilarTech — were either built to chase Wappalyzer's coverage or were already close competitors that benefited from its data being open. When developers ask 'what tech does this site use?' they usually mean it in Wappalyzer terms: CMS, web framework, JavaScript library, CDN, analytics, ads, payment. That taxonomy came from Wappalyzer's categories.json and is now baked into the field. Under the hood a fingerprint is a JSON object listing signals — headers, cookies, meta tags, DOM selectors, JS globals, script-src regexes, HTML patterns, URL patterns — and every site gets evaluated against the whole database at detection time. Whichever signal hits, with whatever confidence, contributes to the final verdict. It's a remarkably simple idea and it held up for fifteen years.
History
Wappalyzer was founded by Elbert Alias in 2008 and was an open-source project for most of its life. The core repository on GitHub attracted thousands of community contributions across CMS patterns, framework hints and CDN signatures, and the data format became a de-facto standard. Around 2020–2022 the company pivoted hard toward its commercial SaaS — bulk technology API, CRM integrations, technographic reports — while the OSS repo kept receiving community updates. In August 2023 the main open-source repository was archived: no new commits, no new releases, no community PRs merged. The decision to go closed-source was framed as a sustainability move by the maintainers, but it left the community with a large, freshly-stale dataset and no official upgrade path. Multiple forks took over: the most active today is enthec/webappanalyzer, which continued adding categories and fingerprints under the same JSON schema. That's the fork we vendor inside Sourcemap Explorer. The original Wappalyzer product still exists and is still being updated — but as a SaaS, not as something you can self-host, audit, or extend without the company's involvement.
Who uses it and for what
Two audiences use Wappalyzer for two different things. The first is developers, researchers and security engineers who install the browser extension, browse normally, and use the popup as a quick 'what's this?' for any site they land on. That workflow is free and barely uses Wappalyzer's server side. The second is sales, marketing and market-research teams that pay for the API to build lead lists ('every SaaS company running Stripe + HubSpot + Next.js in Germany'), populate a CRM with technographics, or feed a competitive-intel dashboard. Most of Wappalyzer's revenue comes from that second group, which is why the product's direction over the last few years has been bulk-data features rather than deeper per-site detection. Both workflows coexist on the same engine, but developers rarely bump into the paid surface.
Pricing in detail
What Wappalyzer does well
Breadth of fingerprint coverage
The Wappalyzer database covers thousands of technologies — every mainstream CMS, most JavaScript frameworks, hundreds of WordPress plugins, dozens of CDN and hosting providers, build tools, payment processors, analytics vendors, and specialty tools (chat widgets, cookie banners, A/B testing, video embeds). Very few alternatives match that coverage at all, and none do so with Wappalyzer's calibration.
The reference taxonomy
Wappalyzer's 111 technology categories are the implicit taxonomy every other tool has learned to copy. If you build a detector, you end up using Wappalyzer's categories or you end up with a non-standard one that confuses your users. There's genuine value in the category discipline that decades of curation produced.
Multiple surfaces
Same data powers a free browser extension, a paid API, a bulk lookup UI, a CRM plugin and a technographic report generator. A technical buyer can trial the extension and upgrade to the API without rearchitecting their integration.
Active commercial maintenance
As a paid SaaS, Wappalyzer has staff adding new technology rules on a weekly cadence. New frameworks — recent ones like Astro, Qwik, Next.js App Router — get fingerprints relatively quickly after they reach meaningful market share.
Where Wappalyzer falls short
These are the gaps a developer-first, sourcemap-aware workflow cares about.
No longer open-source
The GitHub repository was archived in 2023. Community contributions are not merged back into the official product. If you want the same data Wappalyzer used to publish, you need a community fork (enthec/webappanalyzer is the most active) and accept that future coverage depends on that fork's volunteers, not a company's staff.
Regex-based version detection
Wappalyzer infers versions by running regex patterns against URLs and header values. That works for CDN-linked libraries (`jquery-3.6.0.min.js`) but fails for bundled code, because bundlers hash the filenames. The result is 'React' without a version on most modern apps, 'Next.js 14' at best (major-only) when `X-Powered-By` is present. Exact semver is rarely recoverable.
Sourcemap-blind
Wappalyzer does not read `.map` files. Any library that's bundled inside a webpack output (most of them on modern sites) stays invisible unless the site also exposes a DOM marker, a JS global or a distinctive URL. A huge swath of npm packages exists only inside the bundle, and Wappalyzer cannot see them.
Tracker pollution
Because Wappalyzer looks at every script the page loads, analytics and ad-tech vendors contribute their own internal libraries to your results. A site with Google Tag Manager gets reported as 'using' a handful of Google-internal libs that have nothing to do with the site's own stack. The signal-to-noise tanks on pages with heavy tracker footprints.
No WordPress plugin enumeration
Wappalyzer detects WordPress itself and a curated set of popular plugins that have explicit fingerprint rules. It does not enumerate unknown plugins by folder slug under `/wp-content/plugins/<slug>/`, which is the fastest way to see every plugin a WP site loads on the page.
Paywall escalates fast
Past a few dozen lookups per day you need the API. Past a few thousand you're into four-figure monthly plans. For a developer who just wants to check two or three sites a day, the extension is fine; the moment your workflow resembles 'do this to a hundred URLs' the cost curve gets steep.
Where Sourcemap Explorer wins
Not across the board — we don't run bulk API queries and we don't publish market-share dashboards. These are the things we do that Wappalyzerdoesn't.
Exact versions from sourcemaps
When a site exposes its JavaScript sourcemaps, Sourcemap Explorer parses the map, finds `node_modules/<pkg>/package.json` entries inside `sources[]`, and pulls the exact semver. That's the only way to get 'Next.js 14.2.3' or 'React 18.2.0' instead of an inferred major — Wappalyzer's regex approach cannot recover that from a minified bundle.
Ad-hoc npm package detection
Libraries that aren't in our built-in rule set — internal utilities, niche UI kits, one-off animation libraries — are picked up from the sourcemap, validated against the npm registry with an anonymous HEAD request (cached 30 days), and reported alongside the fingerprint-matched techs. Wappalyzer silently misses anything without an explicit rule.
WordPress plugin & theme enumeration
We scan every asset URL for `/wp-content/plugins/<slug>/` and `/wp-content/themes/<slug>/`, cross-reference known slugs against the fingerprint database, and list both known and unknown plugins/themes by slug. Wappalyzer detects the CMS plus a curated plugin set; we show you the actual list the page loads.
Third-party tracker isolation
A curated block list of ~90 tracker/analytics/ad/embed hosts — GA, GTM, Pixel, Hotjar, reCAPTCHA, Stripe Checkout, YouTube embed — prevents those services from contributing their internal libraries to the current site's stack. Your results describe the site, not its instrumentation.
Zero backend
Everything runs in your browser. No account, no crawl quota, no upload. Wappalyzer's free extension is similar on that axis, but the moment you want programmatic or bulk work you leave the free tier. Sourcemap Explorer has no bulk tier because there's nothing to rate-limit.
Matchers against original source
Because we have the sourcemap in memory, we can run `html` and `scriptSrc` patterns against the original source content — not just the HTML the server sent. Libraries that only appear inside bundled code (e.g. client-only trpc callers) are catchable; Wappalyzer cannot see them.
A concrete workflow example
You're studying a Next.js application that you suspect uses Prisma and tRPC. Wappalyzer correctly flags Next.js and React, but its Prisma rule is tied to header leaks that aren't present on a static export, and tRPC isn't in its rule set at all. Sourcemap Explorer opens the sourcemap, finds `node_modules/@prisma/client/package.json` (Prisma 5.10.0), finds `node_modules/@trpc/client/` and `@trpc/react-query/` (both 10.x from the embedded manifests), and surfaces them as categorized entries. You also see the WordPress-like enumeration working the other way: the ad-hoc layer catches your custom `@company/dashboard-ui` design system because the sourcemap includes it, and either flags it as an unverified internal package or filters it based on the npm existence check.
Which one should you use?
Migration notes
You don't need to choose. Many developers keep Wappalyzer installed for its quick-categorical view and run Sourcemap Explorer for the deeper per-page answer. The two don't interfere with each other. If you're replacing Wappalyzer entirely, expect the Sourcemap Explorer Stack tab to cover the same surface — headers, cookies, DOM, JS globals, URL patterns — plus the sourcemap layer on top, so your per-page answer gets better, not worse.
FAQ
Is Sourcemap Explorer a drop-in Wappalyzer replacement?
For per-page browsing, yes — and arguably better, because it reads sourcemaps for exact versions, enumerates WordPress plugins by slug, and isolates third-party scripts. If your workflow relies on Wappalyzer's bulk API, CRM plugin or technology-usage lead lists across thousands of domains, that's a different product. Keep Wappalyzer for that layer if you use it.
Do you use the same fingerprint database as Wappalyzer?
We vendor the enthec/webappanalyzer fork, which inherited the open-source Wappalyzer fingerprints before the original GitHub repo was archived in August 2023. That data gets augmented with our own overlays (sourcePath matchers, tightened patterns to kill false positives) and layered with sourcemap-derived signals that Wappalyzer doesn't have.
Is Sourcemap Explorer free?
Yes. Free, no sign-up, no paid tier, no backend. The extension's only outbound requests are to the site you're already browsing — for its JS, CSS and sourcemap files — and anonymous HEAD requests to registry.npmjs.org to verify ad-hoc package names. No account, no telemetry, no analytics, no usage reporting.
Why did Wappalyzer close-source?
The maintainers framed the 2023 decision as a sustainability move — keeping a curated dataset current takes dedicated staff, and running a paid SaaS funds that work. Whether that's the right trade-off depends on whether you primarily consume the data (the SaaS fits you) or depend on being able to extend and audit it (the closed model hurts). Open-source community forks continue from where the public repo left off.
Can Sourcemap Explorer handle non-JavaScript detections?
Yes. The fingerprint schema supports headers, cookies, meta tags, DOM selectors, URL patterns and generic HTML regexes — all the non-JS matchers Wappalyzer uses. The additional sourcemap-derived signals (`sourcePath`, `sourceContent`, package-scan) are layered on top; they don't replace the traditional matchers.
Other alternatives to compare
Try Sourcemap Explorer on the next site you study.
Install the extension, browse normally. When a site exposes sourcemaps, the toolbar icon turns green — click it and you'll see the full project tree plus the detected stack, with exact versions.