— Using vScan

How the security score is calculated.

The Security Score is a single number from 0 to 100 that summarises your site's current vulnerability posture. A higher score means fewer and less severe vulnerabilities.

4 min read Updated June 22, 2026 Intermediate Applies to WordPress

Score overview

The Security Score is a 0–100 number calculated after each scan. It represents the overall health of your site’s software stack from a vulnerability perspective.

A score of 100 means no known vulnerabilities were found at the time of the scan. A score of 0 means the site has critical unpatched vulnerabilities across multiple components.

Scoring factors

The score is a weighted combination of:

FactorDescription
CVE severity (CVSS)Higher CVSS scores (e.g. 9.8 Critical) carry more weight than low-severity findings
Number of vulnerabilitiesMore CVEs lower the score
Component exposureCore files and actively-used plugins are weighted more heavily than inactive items
Fix availabilityComponents with a known patched version available are flagged as higher-priority

The exact weighting is designed to surface the most exploitable, most impactful findings first.

Score tiers

ScoreTierWhat it means
80–100GoodNo critical findings; any issues are low-severity
60–79FairAt least one medium-severity finding worth reviewing
40–59PoorHigh-severity vulnerabilities present; act within the week
0–39CriticalOne or more critical CVEs; act immediately

When the score changes

The score updates after every scan. It can go up or down:

  • Goes up — you update a vulnerable component, or new scan data shows a previously unknown item is not actually vulnerable.
  • Goes down — a new CVE is published that affects one of your installed components, or you install a new plugin/theme that has known vulnerabilities.

Because the AskarLabs vulnerability feed is updated continuously, your score can change between scans even if you have not touched anything on your site. This reflects real-world threat changes, not problems with the plugin.