Find vulnerabilities
before attackers do
Comprehensive WordPress security scanning. 36 checks across 4 categories, instant results, zero server access required.
36
Security Checks
4
Scan Categories
<3s
Average Scan
24/7
Uptime Monitoring
Simple Process
How It Works
Three simple steps to a full security audit. No installation, no credentials, no waiting.
Enter URL
Paste any WordPress site URL. No signup, no plugins, no server access needed.
We Scan
36 scanners run in parallel across 4 categories. Results stream in real-time via SSE.
Get Report
Receive a detailed report with scores, issues, severity ratings, and step-by-step fixes.
Lightning Fast
Full 36-scanner analysis completes in seconds using parallel HTTP checks.
Fully External
No plugins, agents, or credentials needed. Scan any WordPress site you can reach.
Actionable Results
Every finding includes severity rating, detailed explanation, and step-by-step fix.
Trusted Worldwide
Securing WordPress at Scale
12.1M+
Sites Scanned
1.4M+
Vulnerabilities Found
99.9%
Uptime Tracked
50K+
CVEs Checked
Comprehensive Coverage
36 Checks. 4 Categories. One Scan.
Every scan covers WordPress core, infrastructure, DNS security, and reputation — all without server access.
WordPress Security
WordPress Version & CVEs
Detects exposed WP version and matches against known CVE databases
XML-RPC Endpoint
Checks whether xmlrpc.php is reachable, leaving it exposed to brute-force attacks
User Enumeration (REST)
Tests if the REST API exposes user data publicly
Author Enumeration
Checks if author archives reveal usernames
Directory Listing
Scans for open directory indexes on sensitive paths
Debug Log Exposure
Checks if debug.log is publicly accessible
Readme Exposure
Detects if readme.html reveals WordPress version info
Plugin Detection
Identifies installed plugins and known vulnerabilities
Sensitive Files
Scans for .git repos, backup archives, SQL dumps, and config files
Login & Admin Hardening
Login exposure, rate limiting, CAPTCHA, 2FA, and open registration
Upload PHP Execution
Detects if the uploads directory allows PHP code execution
REST API Exposure
Checks settings, media, comments, and _embed metadata leaks
WP-Cron Exposure
Detects publicly accessible wp-cron.php for DoS risk
Database Prefix
Checks if default wp_ table prefix is exposed in API responses
Upload Malware Scan
Probes for common web shells and backdoors in uploads
File Editor Exposure
Detects if the plugin/theme file editor is accessible without DISALLOW_FILE_EDIT
Source Map Exposure
Checks for publicly accessible .map files that reveal unminified source code
.htaccess Exposure
Detects if .htaccess configuration is publicly readable
License.txt Exposure
Checks if license.txt confirms WordPress installation
wp-config-sample.php Exposure
Detects if the sample config file is publicly accessible
CMS Fingerprint
Identifies WordPress deployment type: Classic, Bedrock, Headless, or Multisite
Infrastructure & Headers
Security Headers
Validates CSP, X-Frame-Options, HSTS, and more
SSL/TLS Analysis
Validates certificate, protocol version, and expiry date
CSP Analysis
Deep analysis of Content Security Policy for unsafe directives
Robots.txt Analysis
Analyzes robots.txt for sensitive path disclosures
PHP Version
Detects exposed PHP version via server headers
Cookie Security
Checks Secure, HttpOnly, and SameSite cookie flags
WAF Detection
Identifies Web Application Firewall protection
Security.txt
Checks for RFC 9116 security.txt for responsible disclosure
Email Exposure
Detects public email addresses and mailto links in page source
PCI-DSS Compliance
Verifies HTTPS, TLS 1.2+, payment tokenization, secure cookies, and CSP on checkout pages
Mixed Content
Detects HTTP resources loaded on HTTPS pages, which break the page's security
Cookie Consent & GDPR
Checks for tracking cookies set without consent and missing cookie banners
DNS & Domain
DNS & Domain Security
SPF, DKIM, DMARC, DNSSEC, and domain expiry
Theme Detection
Active theme, version, and child theme usage
Reputation & Blocklists
Blocklist & Malware
Google Safe Browsing and DNS-based blocklist checks
Full Platform
Everything You Need
Scan, monitor, report, and track WordPress security at scale.
Real-Time Streaming
Live results as each scanner completes via SSE-powered progress updates.
Uptime Monitoring
24/7 site monitoring with response time tracking and instant downtime alerts.
Bulk Scanning
Scan up to 20 sites at once. Perfect for agencies managing multiple sites.
PDF & JSON Reports
Professional security reports in PDF or JSON format with scores and recommendations for clients.
Side-by-Side Compare
Compare two sites head-to-head with score diffs and unique issues.
Scan History
Track security changes over time with per-domain score trend charts.
REST API
Integrate scans into your workflow. Create and manage API keys with tracking.
Share & Email
Share results via unique links or email reports to clients and teams.
Vulnerability DB
Cross-references plugins against known CVE databases for real-time alerts.
One-Click Fix Guides
Copy-paste code snippets for Nginx, Apache, .htaccess, and wp-config.php. Not vague advice — real fixes.
Plugin Risk Score
Rates each plugin by popularity, freshness, CVEs, rating, and compatibility — one composite risk metric.
Security Changelog
Timeline showing exactly what changed between scans — new issues, resolved findings, plugin updates.
PCI-DSS Compliance
Automatic ecommerce detection with 8 PCI-DSS checks — HTTPS, TLS, tokenization, CSP, and more.
Agency Workspace
Team collaboration with roles, shared scans, and a multi-site portfolio dashboard for agencies.
Scheduled Scans
Automated daily, weekly, or monthly rescans with email alerts when security scores drop.
Your Security Hub
A Personal Dashboard for Every User
Create a free account and get your own security dashboard. Track scans, monitor sites, and unlock more features as you grow.
- 3 scans per day
- Scan history & score trends
- Detailed security reports
- Shareable result links
- 25 scans per day
- Uptime monitoring & alerts
- Bulk scanning (up to 10 sites)
- Side-by-side comparisons
- PDF, JSON & email reports
- REST API access
- Unlimited daily scans
- Bulk scanning (up to 20 sites)
- Priority scan queue
- Advanced vulnerability DB
- Dedicated API rate limits
- Everything in Pro
Every plan includes comprehensive security analysis with detailed findings, severity ratings, and actionable remediation steps.
Comparison
See How We Stack Up
| Feature | WPSentry | WPScan | Sucuri | Wordfence |
|---|---|---|---|---|
| No installation required | ||||
| Real-time streaming results | ||||
| 36 security scanners | ||||
| Bulk scanning (20 sites) | ||||
| Side-by-side comparison | ||||
| Uptime monitoring & alerts | ||||
| DNS & email auth checks | ||||
| CSP analysis | ||||
| Blocklist & malware checks | ||||
| WP core CVE matching | ||||
| PDF & JSON reports | ||||
| Email reports | ||||
| REST API access | ||||
| Scan history & trends | ||||
| Plugin vulnerability check | ||||
| SSL/TLS analysis | ||||
| WAF detection | ||||
| Cookie security audit | ||||
| Plugin risk scoring | ||||
| Security score changelog | ||||
| PCI-DSS compliance checks | ||||
| Agency team workspace | ||||
| Scheduled recurring scans | ||||
| Free tier available | ||||
| Mixed content detection | ||||
| GDPR / cookie consent audit | ||||
| CMS deployment fingerprinting | ||||
| Abandoned plugin detection | ||||
Sucuri and Wordfence also offer active protection features (WAF, brute-force blocking, malware cleanup) that require server-side plugin installation. WPSentry focuses on external security auditing — no installation needed.
Testimonials
Trusted by Security Teams Worldwide
Join thousands of developers and security professionals who rely on our scanner to keep their WordPress sites safe.
“We switched from manual audits to automated scans. Catches misconfigurations we'd miss every time.”
“The plugin detection alone saved us hours. Found a vulnerable plugin on a client site before it was exploited.”
“Finally a scanner that checks what matters — headers, SSL, exposed files. Not just surface-level stuff.”
“Monitoring 40+ WordPress sites used to be a nightmare. Now I get alerts the moment something changes.”
“Our clients love the PDF and JSON reports. Professional, detailed, and easy to understand. Worth every penny.”
“I run a scan before every site launch. It's become part of my deployment checklist. Indispensable tool.”
“The API integration was seamless. We built it into our CI/CD pipeline in under an hour.”
“Detected an exposed debug.log with database credentials. That single find justified the entire subscription.”
“Bulk scanning 20 sites at once? Game changer. What took a full day now takes minutes.”
“The DNS and reputation checks caught a blacklisted IP we inherited from a previous hosting provider.”
“I recommend this to every client. The scan results are clear enough for non-technical stakeholders.”
“Security was always a black box for us. This tool made it visible and actionable for the whole team.”
Start securing your sites today
Free to start, no credit card required. Run your first scan in seconds and see exactly where your WordPress site is vulnerable.