Is your WordPress site exposed?
Check any WordPress site for security problems in seconds. We test for the 13 most common weaknesses and give you a clear score. No plugin, no login, nothing to install.
Passive - read-only - safe to run on live sites
How it works
From URL to security score in three steps.
Enter your URL
Type your WordPress site address in the box above. No account or plugin needed.
We run 13 checks
Our tool checks your version, headers, config, plugins, and more. Takes under a minute.
Get your report
See a simple pass, warn, or fail result for each check. Each one includes advice on what to do.
What we check
13 weaknesses attackers look for first.
Each check looks for a real WordPress problem that attackers use. Here is exactly what our tool inspects.
WordPress Version
Checks if your WordPress version is old and if it leaks version info through readme.html or generator tags.
Readme Exposure
Checks if readme.html is public. This file gives attackers your exact version number.
Login Exposure
Checks whether the standard WordPress login pages are reachable at their usual addresses.
User Enumeration
Checks if attackers can find usernames through /?author=1 for use in brute force attacks.
XML-RPC
Checks if xmlrpc.php is turned on. This can be used for brute force and DDoS attacks.
Open Registration
Checks if anyone can sign up for an account on your site without approval.
File Editor
Checks if the theme and plugin editor is accessible (the DISALLOW_FILE_EDIT setting).
Debug Display
Checks if WP_DEBUG_DISPLAY leaks PHP error messages to your site visitors.
SSL / HTTPS
Checks if HTTPS is forced and if HTTP traffic redirects to the secure version.
Security Headers
Checks for X-Frame-Options, HSTS, CSP, Referrer-Policy and 3 other headers.
Directory Listing
Checks if wp-content folders show their file lists when visited directly.
Outdated Plugins
Checks readme.txt files of 6 common plugins like Yoast, Contact Form 7, Elementor, WooCommerce, and more.
TimThumb
Checks for exposed timthumb.php files that have known remote code execution flaws.
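To show what a few of these read-only checks look for, here is an added Python example that is not the scanner's own code. It grades responses a site owner has already captured. The sample responses, the example.test host, the check names and the choice of warn versus fail for each finding are assumptions made for illustration.

```python
import re

# Constructed sample: responses a read-only client might capture from a
# hypothetical site. Keys are request paths; values are (status, headers, body).
SAMPLE = {
    "/": (200, {"Strict-Transport-Security": "max-age=31536000",
                "X-Frame-Options": "SAMEORIGIN"},
          '<meta name="generator" content="WordPress 6.0.1" />'),
    "/readme.html": (200, {}, "<h1>WordPress</h1>"),
    "/?author=1": (301, {"Location": "https://example.test/author/editor1/"}, ""),
    "/wp-content/uploads/": (200, {}, "<title>Index of /wp-content/uploads</title>"),
}

# Only the four headers the page names; its "3 other headers" are not listed.
NAMED_HEADERS = ["X-Frame-Options", "Strict-Transport-Security",
                 "Content-Security-Policy", "Referrer-Policy"]
MISSING = (404, {}, "")  # stands in for any path that was not captured

def audit(responses):
    """Return {check name: (result, detail)}; result is pass, warn or fail."""
    out = {}
    # Version leak: the generator meta tag on the home page names the version.
    _, headers, body = responses.get("/", MISSING)
    m = re.search(r'name="generator"\s+content="WordPress ([\d.]+)"', body)
    out["version_leak"] = ("warn", m.group(1)) if m else ("pass", "")

    # Readme exposure: a 200 for readme.html means the file is public.
    readme_status = responses.get("/readme.html", MISSING)[0]
    out["readme"] = ("fail", "readme.html is public") if readme_status == 200 else ("pass", "")

    # User enumeration: /?author=1 redirecting to /author/<name>/ reveals a username.
    a_status, a_headers, _ = responses.get("/?author=1", MISSING)
    m = re.search(r"/author/([^/]+)/?", a_headers.get("Location", ""))
    out["user_enum"] = ("fail", m.group(1)) if a_status in (301, 302) and m else ("pass", "")

    # Directory listing: a server-generated index page lists the folder's files.
    d_status, _, d_body = responses.get("/wp-content/uploads/", MISSING)
    listed = d_status == 200 and "Index of /" in d_body
    out["dir_listing"] = ("fail", "autoindex on") if listed else ("pass", "")

    # Security headers: header names are case-insensitive, so compare lowercased.
    present = {k.lower() for k in headers}
    missing = [h for h in NAMED_HEADERS if h.lower() not in present]
    out["headers"] = ("warn", ", ".join(missing)) if missing else ("pass", "")
    return out

if __name__ == "__main__":
    for name, (result, detail) in audit(SAMPLE).items():
        print(f"{name:12} {result:5} {detail}")
```

Each result carries the evidence that triggered it (the leaked version, the exposed username, the missing header names), which is what you need to confirm a fix after changing the server or WordPress configuration.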
Why it matters
WordPress runs much of the web. It also gets attacked the most.
FAQ
Common questions.
Everything you need to know about this free WordPress security check.
Is this scan really free?
Yes. The tool runs all 13 checks against any public WordPress site at no cost. You do not need to sign up. Continuous monitoring is a separate paid product called vScan. But this one-time check is always free.
Do I need to install a plugin?
No. The check happens from outside your site. We only look at what your site shows to the public internet. Nothing gets installed on your server.
How long does a scan take?
Usually under a minute. The tool runs all 13 checks one after another and shows each result as it finishes. You see findings appear live.
Is it safe to run on a live site?
Yes. The tool only reads public pages. It never logs in, changes anything, or tries to break into your site.
How is the security score calculated?
Each check adds to a score out of 100. A pass gives full points, a warning gives partial points, and a fail gives zero. The total maps to a grade: Excellent, Good, Fair, or Poor.
How often should I re-scan?
New security issues come out every day. We suggest scanning after each plugin, theme, or core update. Or use vScan for ongoing monitoring that alerts you when something changes.
One scan is not enough
New security flaws come out every day. Let vScan keep an eye on your site all the time.
This check gives you a snapshot. vScan re-checks your site whenever a new problem is found and tells your team before attackers can use it.