Enter your website address to run a quick, non-invasive scan for common WordPress security issues, exposed files, and risky server configurations. The scan checks only publicly available information and does not require access to your WordPress dashboard.
Enter a full website address to run a security scan.
| Check | Status |
|---|
What This Means
WP-JSON Accessible
What it is: This checks for the WordPress REST API, which lives at the /wp-json/ endpoint. This API allows plugins, themes, and apps to "talk" to your WordPress site.
Why it matters: By default, this is 'Enabled' and is not a vulnerability itself. However, certain endpoints within the API (like the one for users) can be a problem if not secured.
Severity: Informational. Not a vulnerability; useful context about the site or its configuration.
Recommended: Enabled (This is normal)
User Enumeration (Archives)
What it is: A method where attackers can discover valid usernames by visiting /?author=1, /?author=2, etc. WordPress often redirects these to the author's archive page (e.g., /author/admin/), revealing the username.
Why it matters: It gives attackers the first half of a login (the username). This makes it much easier for them to run "brute force" attacks to guess your password.
Severity: Low. Minor exposure or hardening issue with limited direct impact.
Recommended: Secure (Prevented)
User Enumeration (REST API)
What it is: On older or unsecured sites, the REST API endpoint /wp-json/wp/v2/users publicly lists all users on the site, including their usernames.
Why it matters: Just like author enumeration, this is a major information leak that helps attackers harvest usernames for brute-force attacks.
Severity: Low. Minor exposure or hardening issue with limited direct impact.
Recommended: Secure (Protected)
XML-RPC Enabled
What it is: XML-RPC is an older protocol that allowed remote publishing (e.g., from the old WordPress mobile app). It's found at /xmlrpc.php.
Why it matters: It is now largely outdated and is a *massive* target for attackers. It can be used for large-scale brute-force attacks (one request can try hundreds of passwords) and DDoS attacks. It should be disabled unless you have a specific, modern tool that requires it.
Severity: Low. Minor exposure or hardening issue with limited direct impact.
Recommended: Secure (Disabled)
Debug Log Public
What it is: When WordPress debugging is turned on, it can create a file at /wp-content/debug.log to log all PHP errors and warnings.
Why it matters: This file should *never* be public. It can reveal sensitive information about your server's file paths, plugin errors, and potentially even database information. Debugging should only be on for temporary development, never on a live site.
Severity: Medium. A meaningful weakness that could assist an attacker or expose sensitive information.
Recommended: Secure (Not Accessible)
readme.html Accessible
What it is: A default file (readme.html) included with every WordPress installation.
Why it matters: On older WordPress installs, this file prominently displays your exact WordPress version. This is an information leak that tells an attacker precisely which vulnerabilities to search for to exploit your site. However, WordPress 4.8 was the first release branch whose readme.html omitted the version number entirely. The version removal was backported to older maintained branches of WordPress, so an updated installation of an older branch might also have a versionless readme.html
Severity: Low. Minor exposure or hardening issue with limited direct impact.
Recommended: Secure (Not Found)
wp-config.php Backups
What it is: This checks for common backup files (like wp-config.php.bak, wp-config.php.old, etc.) that might be accidentally left in the root directory.
Why it matters: The wp-config.php file contains your database name, username, and password. If a backup copy is publicly accessible, an attacker can read it and gain *full control* of your database.
Severity: High. A serious condition with clear security impact or confirmed sensitive-data exposure.
Recommended: Secure (Not Found)
Open User Registration
What it is: This checks if the "Anyone can register" setting is enabled in your WordPress general settings.
Why it matters: Unless you run a membership or community site, this should be turned off. Leaving it open is an invitation for spam bots to create thousands of fake user accounts, which can slow down your site and clutter your database.
Severity: Low. Minor exposure or hardening issue with limited direct impact.
Recommended: Secure (Not Open)
Version Exposed (Meta Tag)
What it is: WordPress inserts a <meta> tag in your site's HTML source code showing the version (e.g., <meta name="generator" content="WordPress 6.4.1">).
Why it matters: Like the readme.html file, this is an unnecessary information leak that helps attackers target your site.
Severity: Low. Minor exposure or hardening issue with limited direct impact.
Recommended: Secure (Not Exposed)
Directory Listing
What it is: This checks if your server allows people to browse folders that don't have an index file (like /wp-content/uploads/). If enabled, visitors see a list of all files in that directory.
Why it matters: This lets attackers easily browse your uploaded files, see which plugins you use (by browsing the /plugins/ folder), and look for sensitive information.
Severity: Medium. A meaningful weakness that could assist an attacker or expose sensitive information.
Recommended: Secure (Disabled)
PHP Version Exposed
What it is: Some servers add an "X-Powered-By" header to every request, announcing which version of PHP is running.
Why it matters: If your server is running an old, outdated, or vulnerable version of PHP, this header advertises that fact to attackers, telling them exactly which exploits to use against your server itself.
Severity: Low. Minor exposure or hardening issue with limited direct impact.
Recommended: Secure (Not Exposed)
Missing Security Headers
What it is: This checks for modern HTTP headers (like Content-Security-Policy, X-Frame-Options, etc.) that tell the browser to enforce stricter security rules.
Why it matters: These headers provide a crucial layer of defense against common attacks like Cross-Site Scripting (XSS) and "Clickjacking" (where an attacker puts your site in an invisible frame).
Severity: Low. Minor exposure or hardening issue with limited direct impact.
Recommended: Secure (Present)
How to Fix These Issues
These are general recommendations. Always back up your website completely (both files and database) before making any changes. Editing server or theme files (like .htaccess, wp-config.php, or functions.php) can break your site if done incorrectly. If you are unsure, please consult a web professional.
User Enumeration (Archives & REST API)
Easy Way: Use a security plugin like Wordfence or Sucuri Security. Most have a one-click option to disable this.
Advanced Way (REST API): Add this code to your theme's functions.php file:
add_filter( 'rest_authentication_errors', function( $result ) {
if ( ! empty( $result ) ) { return $result; }
if ( ! is_user_logged_in() ) {
return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
}
return $result;
});
XML-RPC Enabled
Easy Way: Security plugins (like Wordfence) have an option to disable XML-RPC.
Advanced Way (.htaccess): Add the following to your .htaccess file, outside the #BEGIN WordPress and #END WordPress tags:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
Debug Log Public
How to Fix: Connect to your site via FTP or a cPanel File Manager. Open your wp-config.php file and look for these lines:
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
Change them to false. If they don't exist, you're likely fine. After, look for the file /wp-content/debug.log and delete it.
readme.html Accessible
How to Fix: Connect to your site via FTP or cPanel File Manager. Find the readme.html file in your main WordPress directory and simply delete it. This is safe to do and will not harm your site.
wp-config.php Backups
How to Fix: This is critical. Connect via FTP or cPanel File Manager immediately. Look for *any* files named like wp-config.php.bak, wp-config.old, wp-config.php~, etc. Delete them immediately.
Open User Registration
How to Fix: In your WordPress dashboard, go to Settings > General. Find the setting "Membership" and uncheck the box that says "Anyone can register."
Version Exposed (Meta Tag)
How to Fix: Add the following line to your theme's functions.php file:
remove_action('wp_head', 'wp_generator');
Directory Listing
How to Fix: Add the following line to your .htaccess file, outside the #BEGIN WordPress and #END WordPress tags:
Options -Indexes
PHP Version Exposed
How to Fix: This is a server-level setting, not a WordPress one. If you have cPanel, look for a "MultiPHP INI Editor". In the editor, add this line:
expose_php = Off
If you don't have this option, you may need to ask your web host to do it for you.
Missing Security Headers
Easy Way: A good security plugin (like Sucuri) or a dedicated "Headers" plugin can add these for you.
Advanced Way (.htaccess): You can add headers manually to your .htaccess file. For example, to add X-Frame-Options:
Header always set X-Frame-Options "SAMEORIGIN"
Adding a full Content-Security-Policy (CSP) is very complex and site-specific. Using a plugin is highly recommended for this.