WP Security Scanner

Category 1 — SSL / HTTPS (1 check)

Check	What is tested	If fails	Severity
HTTPS Enforced	URL begins with `https://` — confirms encrypted transport is active	All data in transit is unencrypted; login credentials, cookies & form data are exposed	Critical

Category 2 — HTTP Security Headers (6 checks)

Header	What is tested	If missing	Severity
Strict-Transport-Security (HSTS)	Checks for `Strict-Transport-Security` header in HTTP response	Browsers may fall back to HTTP; vulnerable to SSL-stripping attacks	Warning
X-Frame-Options	Checks for `X-Frame-Options: DENY` or `SAMEORIGIN`	Site can be embedded in iframes on other domains; enables clickjacking	Warning
X-Content-Type-Options	Checks for `X-Content-Type-Options: nosniff`	Browsers may execute mis-typed scripts/styles; enables MIME-sniffing XSS	Warning
Content-Security-Policy (CSP)	Checks for presence of any `Content-Security-Policy` header	No script-injection whitelist; attackers can run arbitrary JS via XSS	Warning
Referrer-Policy	Checks for `Referrer-Policy` header in HTTP response	Full URL (including query strings with tokens) may leak to third-party sites	Info
Server Header Leak	Checks if `Server` or `X-Powered-By` exposes software version	Attackers can fingerprint server stack and target known CVEs for that version	Warning

Category 3 — WordPress-Specific (7 checks)

Check	URL probed	Risk if accessible	Severity
XML-RPC Enabled	`/xmlrpc.php`	Brute-force amplification (1 request = 1000 login attempts), DDoS reflection vector, pingback abuse	Critical
readme.html Exposed	`/readme.html`	Reveals exact WordPress version number; attackers cross-reference with CVE databases	Warning
license.txt Exposed	`/license.txt`	Contains version indicator; lower risk but unnecessary exposure	Info
Install Script Exposed	`/wp-admin/install.php`	Could allow a fresh WordPress installation if DB is wiped; full site takeover risk	Critical
Debug Log Exposed	`/wp-content/debug.log`	Contains database credentials, file paths, errors, and potentially passwords in plaintext	Critical
REST API User Enumeration	`/wp-json/wp/v2/users`	Exposes usernames for all authors; enables targeted credential-stuffing attacks	Warning
WP Version in Source	Homepage HTML source	Generator meta tag or `?ver=x.x.x` in asset URLs reveals exact WP version	Warning

Category 4 — Reconnaissance (1 check)

Check	Method	Purpose	Severity
WordPress Detection	Scans homepage HTML for `wp-content`, `wp-includes`, `WordPress` generator tag, `/wp-json/` paths	Confirms site is running WordPress before other WP-specific checks are interpreted	Info

Score Calculation

Score starts at 100. Each Critical issue deducts 20 points. Each Warning deducts 8 points. Info and Pass results have no deduction. Minimum score is 0. Score ≥75 = green, ≥50 = amber, <50 = red.

International Standards Followed

OWASP Secure Headers Project

Defines the 5 HTTP security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, and Referrer-Policy. Used by Mozilla Observatory, Google, and major security scanners worldwide.

OWASP Top 10

Our checks map to: A02 (debug.log = sensitive data), A03 (missing CSP = Injection/XSS), A05 (server header = Security Misconfiguration), A07 (XML-RPC = Auth Failures).

WordPress Hardening Guide

Official WordPress.org documentation at wordpress.org/support/article/hardening-wordpress explicitly recommends disabling xmlrpc.php, removing readme.html, restricting install.php and debug.log.

WPScan Methodology

WPScan (the industry-standard WordPress vulnerability scanner used by Kali Linux and security professionals) checks the same set of exposed paths, version disclosure, and REST API enumeration.

Sucuri SiteCheck Checks

Sucuri's free scanner — used by millions of WordPress site owners — identifies the same XML-RPC, exposed file, and header issues. Our check set is aligned with their free-tier methodology.

Mozilla Observatory (Grade A–F)

Mozilla's free header scanner grades the same 5 security headers. A site passing our header checks should score B+ or higher on observatory.mozilla.org.

RFC 6797 (HSTS)

The HSTS check follows IETF RFC 6797 which formally defines the Strict-Transport-Security header, its directives, and browser enforcement behaviour.

CWE / MITRE Mappings

Checks map to: CWE-16 (Configuration), CWE-200 (Information Exposure), CWE-693 (Missing Security Header), CWE-732 (Incorrect Permission Assignment).

Severity Classification

Critical — Directly exploitable; no attacker skill required (XML-RPC brute force, debug.log credential leak, install.php exposure). Fix immediately.

Warning — Increases attack surface or enables reconnaissance. Exploitable in combination with other vulnerabilities. Fix within 30 days.

Info — Informational; low direct risk but useful for attacker reconnaissance. Good to fix but not urgent.

Technical Method — Step by Step

#	Step	Technical Detail
01	URL Validation	Input is parsed with the browser's native `URL()` API. `https://` prefix is auto-added if missing. Origin is extracted to avoid path leakage.
02	HTTPS Check	Protocol is read directly from the parsed URL. No network request needed — if the browser can reach `https://` it confirms TLS is active.
03	Header & Page Fetch	Homepage is fetched via `https://api.allorigins.win/get?url=...` — a free CORS proxy. Response headers and body text are returned as JSON. All header keys are normalized to lowercase for consistent matching.
04	WordPress Detection	Homepage HTML body is scanned with 6 regex patterns: `/wp-content/`, `/wp-includes/`, `/WordPress/`, `/xmlrpc\.php/`, `/\/wp-json\//`, and the generator meta tag pattern.
05	Version Detection	HTML source is searched for `<meta name="generator" content="WordPress X.X">` and for `?ver=X.X.X` query parameters in asset URLs (scripts/styles).
06	Header Checks	Each of 6 security headers is looked up by exact key in the normalized header dictionary. Presence = pass, absence = warning/info depending on severity classification.
07	Path Probing	5 WordPress-specific paths are probed via allorigins.win. HTTP status code from the proxy's `status.http_code` field is checked. HTTP 200–399 = accessible (bad). 404/403/410 = blocked (good). 8-second timeout per request.
08	REST API User Enum	`/wp-json/wp/v2/users` is fetched. Response body is checked for presence of `"id"`, `"name"`, and `"slug"` fields simultaneously — all three present = user list is exposed.
09	Score Calculation	Score = 100 − (criticals × 20) − (warnings × 8), clamped to [0, 100]. Rendered as an animated SVG ring with colour thresholds at 75 (green) and 50 (amber).

Scan Type: Passive / Non-Intrusive

All checks are read-only and passive. The scanner never sends login attempts, never modifies files, and never exploits vulnerabilities. It performs the same reconnaissance an attacker would do in the first few minutes — checking what is publicly visible. No data is stored; all processing happens in your browser. Your URL is sent only to api.allorigins.win (open-source CORS proxy) for fetching, and to no other third party.

Free Tools to Cross-Verify Each Result

securityheaders.com

Best for: All 5 HTTP header checks. The industry gold standard for header auditing. Enter the URL and compare A–F grade. Our header checks should match their findings exactly. If there is a discrepancy, a CDN (like Cloudflare) may be serving headers conditionally.

observatory.mozilla.org

Best for: Headers + HTTPS + cookies. Mozilla Observatory uses the same OWASP Secure Headers standards. A site passing all our header checks should score B+ or higher here. Free, no login required.

sitecheck.sucuri.net

Best for: WP file exposure + malware. Sucuri's free scanner checks the same xmlrpc.php, readme.html, debug.log and version disclosure issues. Also adds malware scanning not present in our tool.

wpscan.com (free tier)

Best for: Deep WordPress audit. WPScan CLI or web checks vulnerable plugins, themes, user enumeration, and the same exposed paths. The most authoritative WP-specific scanner. Requires account for web version; CLI is fully free and open source.

curl -I (terminal)

Best for: Raw header verification. Run curl -I https://yoursite.com in any terminal. This shows the exact headers your server returns — use it to confirm or dispute any header check result without a proxy in the way.

Browser DevTools

Best for: Quick header check. Press F12 → Network tab → click the main page request → Response Headers. All security headers (or their absence) are listed there. Zero tools needed. Most reliable source since it shows what your actual browser received.

Direct URL test

Best for: Path exposure checks. Manually visit https://yoursite.com/xmlrpc.php, /readme.html, etc. in a browser. If you see content = file is exposed. 404 page = blocked correctly.

When Results Differ Between Tools

CDN / WAF filtering: Cloudflare, Akamai, Sucuri WAF, and similar services may return different headers to different request origins. Our proxy (allorigins.win) may receive different headers than your browser or curl. The curl -I method gives the most canonical server-level response.

Geolocation routing: CDNs may serve different content to different geographic regions. The allorigins.win proxy is hosted in the US/EU — results may differ for sites with region-locked configurations.

Bot detection: Some WAFs block automated requests and return 403/404 for all paths regardless of whether files exist. A "blocked" result may mean protected, not absent.

What This Scanner Cannot Detect

Outdated plugin / theme versions — Requires authenticated access or a vulnerability database like WPVulnDB. WPScan CLI with a free API key covers this.
SQL injection / XSS vulnerabilities — Active exploitation testing requires sending crafted payloads. This is beyond passive scanning. Use Burp Suite, OWASP ZAP, or hire a penetration tester.
Malware / backdoors in files — Requires file-system access or hash comparison against known clean WordPress files. Use Sucuri SiteCheck or Wordfence for this.
Brute-force protection on wp-login.php — Cannot test whether rate limiting or 2FA is active without sending login attempts.
Database security — Cannot check if the database user has excessive privileges, or if the database port is exposed externally.
File permissions — Cannot verify wp-config.php permissions (should be 400/440), uploads folder execute permissions, or .htaccess rules without server access.
SSL certificate validity / expiry — Does not check certificate chain, cipher strength, or expiry date. Use ssllabs.com/ssltest for a full TLS audit.
Admin username is "admin" — Cannot test login page for default username without sending requests that may trigger lockouts.
Disabled directory listing — Cannot reliably test if /wp-content/uploads/ directory listing is open via the proxy.
Email security (SPF/DKIM/DMARC) — Not in scope for this tool. Use mxtoolbox.com to check email sender reputation records.

For a Complete Security Audit, Also Use

ssllabs.com/ssltest

Full TLS/SSL certificate audit — cipher suites, protocol versions, certificate chain, HSTS preloading, and expiry. Free, no login.

WPScan CLI

Open-source, runs locally, checks plugins/themes against CVE database. Free API key gives 25 scans/day. wpscan --url https://site.com --enumerate vp,vt,u

Wordfence (plugin)

Server-side WordPress security plugin. Detects malware, checks file integrity against WordPress.org checksums, and provides firewall rules. Free tier available.

mxtoolbox.com

Checks SPF, DKIM, DMARC email security records. Prevents your domain being used for phishing/spoofing. Free.

WordPressSecurity Scanner

WordPress
Security Scanner