
Wappalyzer vs WhatRuns

Wappalyzer and WhatRuns are both Chrome extensions that tell you what technology a site uses. They overlap heavily, but WhatRuns is lighter and more consumer-oriented, while Wappalyzer has the larger fingerprint database, a more developer-oriented UI and better per-page depth. The real architectural difference, and the one most people don't notice until it matters, is that WhatRuns is backend-driven: each popup invocation sends the URL to WhatRuns servers for lookup. Wappalyzer's extension does its detection locally.

Context — which question are you really asking?

Both tools will give you a usable answer on a public page. The choice between them matters when you step off that happy path. Are you on your company's internal admin dashboard? Your staging environment? A customer's private preview URL? WhatRuns will still give you a nice popup, but it will have sent that URL to its servers, which is a data-handling detail you may need to explain to your security team. Wappalyzer — and Sourcemap Explorer — do their work locally. That difference alone often dictates the choice for developers working with anything non-public.

Head-to-head table

Architecture

Wappalyzer: Local-first extension: fingerprints are bundled in the extension, detection runs in the browser.

WhatRuns: Backend-driven: the extension sends the page URL to WhatRuns servers and receives the technology list in response.

This is the most underrated difference. On public sites it's invisible; on private sites it matters.

UI density

Wappalyzer: Detailed popup with category grouping and versions where the fingerprint can extract them.

WhatRuns: Cleaner, flatter list. Faster to scan, less information per scan.

Fingerprint database size

Wappalyzer: Thousands of technologies across 111 categories.

WhatRuns: Smaller curated set. Fewer but generally well-calibrated rules.

Change notifications

Wappalyzer: Not a first-party feature.

WhatRuns: Paid 'track technology changes' product with email alerts for marketing teams watching competitors.

Privacy

Wappalyzer: No per-lookup backend call (free extension). Paid API is a separate surface.

WhatRuns: Every popup invocation is a backend call with the URL.

WordPress depth

Wappalyzer: Handful of explicit plugin rules, CMS-level detection.

WhatRuns: Similar or slightly thinner.

Pricing

Wappalyzer: Free extension; paid API for bulk use.

WhatRuns: Free extension; paid change-alerts tier.

Pick by scenario

If you are: Developer browsing the public web who likes a clean UI

Pick: WhatRuns

For casual public-page use the backend call is a non-issue and the UI is faster to scan.

If you are: Developer who regularly hits internal admin dashboards and staging URLs

Pick: Wappalyzer or Sourcemap Explorer

You don't want those URLs going to a third-party SaaS on every popup. Local-only detection is the right default.

If you are: Marketing team tracking competitor tech changes via email alerts

Pick: WhatRuns (paid tier)

This is the one feature WhatRuns has that Wappalyzer doesn't at a similar price point.

If you are: Developer who wants deep per-page detail including exact versions

Pick: Sourcemap Explorer

Neither Wappalyzer nor WhatRuns reads sourcemaps, so neither gives you precise versions or ad-hoc package detection. Sourcemap Explorer does.

Wappalyzer vs WhatRuns on privacy: local detection vs a backend call

The privacy difference between Wappalyzer and WhatRuns is the part most comparisons skip, and it's the one that decides the tool for anyone working on non-public sites. WhatRuns is backend-driven: opening the popup sends the current page URL to WhatRuns servers, which return the technology list. On a public marketing site that's harmless. On your company's internal admin dashboard, a client's private preview link, or a staging URL with a guessable token, you've just handed that URL to a third-party SaaS.

Wappalyzer's free extension does its detection locally — the fingerprints are bundled and matched in your browser, with no per-lookup call. Sourcemap Explorer is local-first for the same reason. If you routinely inspect anything behind a login, local-only detection isn't a nice-to-have; it's the baseline your security team will ask about.

Detection depth: why exact versions beat a longer category list

WhatRuns leans on a cleaner, flatter popup; Wappalyzer ships a larger fingerprint database with category grouping. Both are useful for the 'what's roughly running here' question, and both top out at the same ceiling: regex fingerprints can name a technology but rarely pin its exact version.

For developers doing real teardown — checking whether a site runs a vulnerable release, auditing a dependency, or reverse-engineering a competitor's build — the version is the answer, not the category. Sourcemap Explorer reads the exact semver from exposed sourcemaps and enumerates WordPress plugins by their `/wp-content/plugins/<slug>/` paths, so the output is specific enough to act on rather than a list of labels to verify by hand.
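To check what your own published build and pages disclose through these two signals, the sketch below inventories package names (and versions, where the path carries one) from a sourcemap's `sources` array and plugin slugs from asset URLs. It is an added example, not Sourcemap Explorer's code: the page does not say how the extension extracts versions, so the pnpm-style path rule, the function names and the sample data are assumptions.

```javascript
// Constructed sample inputs; no real site is referenced.
const sampleMap = { version: 3, sources: [
  'webpack://app/./src/index.js',
  'webpack://app/./node_modules/lodash/lodash.js',
  'webpack://app/./node_modules/.pnpm/react@18.2.0/node_modules/react/index.js',
  'webpack://app/./node_modules/.pnpm/@babel+runtime@7.23.2/node_modules/@babel/runtime/helpers/extends.js',
] };
const sampleUrls = [
  'https://example.test/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8',
  'https://example.test/wp-content/themes/twentytwenty/style.css',
  'https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css',
];

// A node_modules/ segment: optional @scope/ plus package name.
const PKG_RE = /node_modules\/((?:@[^\/]+\/)?[^\/]+)\//g;
// Assumption: pnpm store paths embed the version (.pnpm/<name>@<semver>/...).
const PNPM_RE = /node_modules\/\.pnpm\/((?:@[^\/+]+\+)?[^\/@]+)@(\d+\.\d+\.\d+[^\/_(]*)/;
const WP_RE = /\/wp-content\/plugins\/([a-z0-9][a-z0-9_-]*)\//i;

// Returns Map(package name -> exact version, or null when the path has none).
function packagesFromSourcemap(map) {
  const found = new Map();
  for (const src of map.sources || []) {
    const pnpm = PNPM_RE.exec(src);
    // pnpm writes scoped names as @scope+name; restore the slash.
    if (pnpm) { found.set(pnpm[1].replace('+', '/'), pnpm[2]); continue; }
    let last = null;
    for (const m of src.matchAll(PKG_RE)) last = m[1]; // innermost package wins
    if (last && last !== '.pnpm' && !found.has(last)) found.set(last, null);
  }
  return found;
}

// Returns the sorted, de-duplicated plugin slugs seen in a list of asset URLs.
function wpPluginSlugs(urls) {
  const slugs = new Set();
  for (const u of urls) {
    const m = WP_RE.exec(new URL(u).pathname);
    if (m) slugs.add(m[1].toLowerCase());
  }
  return [...slugs].sort();
}

console.log(Object.fromEntries(packagesFromSourcemap(sampleMap)));
console.log(wpPluginSlugs(sampleUrls));
```

A `null` version means the path names the package but not its release, which is the common case for plain `node_modules/` layouts.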

Verdict

FAQ

Does WhatRuns send the URL to its servers?

Yes. WhatRuns is backend-driven — each time you open the popup it sends the current page URL to WhatRuns servers and gets the technology list back. Wappalyzer's free extension and Sourcemap Explorer detect locally in your browser, so private and staging URLs never leave your machine.

Is Wappalyzer better than WhatRuns?

Wappalyzer has the larger fingerprint database, more developer-focused detail, and local (no-backend) detection. WhatRuns has a cleaner popup and a paid technology-change-alerts product. For local, version-level per-page analysis, Sourcemap Explorer goes deeper than both and is free.

Are Wappalyzer and WhatRuns free?

Both have free browser extensions. Wappalyzer charges for its API; WhatRuns charges for change-alert tracking. Sourcemap Explorer is free and adds exact version detection and WordPress plugin enumeration on top.

Which works on internal or staging sites?

Wappalyzer and Sourcemap Explorer, because they run locally in your browser session. WhatRuns will still show a result, but it does so by sending the URL to its servers — usually a dealbreaker for internal or pre-release pages.

Can either tool show the exact version of a library?

Not reliably — both are regex-based and usually return major versions or nothing. Reading the site's sourcemaps is the only way to get exact semver at scale, which is what Sourcemap Explorer is built for.

Related

A third option for developers: Sourcemap Explorer.

Free, local-first browser extension that pulls exact library versions from exposed sourcemaps, enumerates WordPress plugins, and isolates third-party trackers from your stack output.
