Free Tool

WordPress Scanner

See what attackers see. Check any WordPress site for exposed endpoints, outdated plugins, and missing protections.

No sign-up required
Non-invasive scan
Instant results

What Does the WordPress Scanner Check?

The scanner runs eight security checks against any WordPress site, all from the outside. It tests whether the login page is exposed and protected (reCAPTCHA, rate limiting, or access blocking), whether XML-RPC is enabled (the most common brute force attack vector), and whether the REST API leaks usernames through user enumeration.

It also checks for WordPress version exposure in the page source and RSS feed, default files that shouldn't be public (readme.html and license.txt both confirm WordPress and often leak the version number), PHP debug mode left on in production, and missing security headers like Content-Security-Policy and X-Frame-Options.

For each detected plugin, the scanner extracts version numbers from the page source and compares them against the WordPress.org plugin directory. Outdated plugins are flagged so you can see which ones need updating.
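As an added example (not the 365i scanner's own code), the PHP script below runs the eight passive checks described above over captured HTTP responses and then applies the A to F grading scheme explained in the FAQ further down. The responses, the plugin slug `example-plugin` and the latest-version table are constructed sample data standing in for live requests and the WordPress.org directory lookup; the severity given to an unprotected login page is an assumption, since the page lists only XML-RPC, user enumeration and debug output as critical. It assumes PHP 8 (for `str_contains`).

```php
<?php
declare(strict_types=1);

// Constructed sample responses for a hypothetical site (not real scan data).
// Each entry: HTTP status, lowercased header names, response body.
$responses = [
    '/' => ['status' => 200, 'headers' => ['content-type' => 'text/html'],
        'body' => '<meta name="generator" content="WordPress 6.4.2" />'
                . '<link rel="stylesheet" href="/wp-content/plugins/example-plugin/css/style.css?ver=1.2.0" />'],
    '/wp-login.php' => ['status' => 200, 'headers' => [], 'body' => '<form id="loginform">'],
    '/xmlrpc.php' => ['status' => 405, 'headers' => [], 'body' => 'XML-RPC server accepts POST requests only.'],
    '/wp-json/wp/v2/users' => ['status' => 200, 'headers' => [], 'body' => '[{"id":1,"slug":"admin"}]'],
    '/readme.html' => ['status' => 200, 'headers' => [], 'body' => '<h1>WordPress</h1>'],
    '/license.txt' => ['status' => 404, 'headers' => [], 'body' => ''],
    '/feed/' => ['status' => 200, 'headers' => [], 'body' => '<generator>https://wordpress.org/?v=6.4.2</generator>'],
];

// Stand-in for the WordPress.org plugin directory lookup (assumed values).
$latestPluginVersions = ['example-plugin' => '1.3.1'];

function analyse(array $r, array $latest): array
{
    $findings = [];
    $add = function (string $severity, string $msg) use (&$findings): void {
        $findings[] = ['severity' => $severity, 'message' => $msg];
    };
    $home = $r['/']['body'] ?? '';

    // 1. Login page reachable with no CAPTCHA script in the markup (severity assumed: warning).
    $login = $r['/wp-login.php'] ?? null;
    if ($login && $login['status'] === 200 && !preg_match('/recaptcha|hcaptcha|turnstile/i', $login['body'])) {
        $add('warning', 'wp-login.php is reachable and no CAPTCHA script was detected');
    }
    // 2. XML-RPC: core answers a plain GET with 405 and a "POST requests only" message when enabled.
    $xmlrpc = $r['/xmlrpc.php'] ?? null;
    if ($xmlrpc && ($xmlrpc['status'] === 405 || str_contains($xmlrpc['body'], 'XML-RPC server accepts POST'))) {
        $add('critical', 'xmlrpc.php is enabled');
    }
    // 3. REST user enumeration: a 200 JSON array carrying user slugs.
    $users = $r['/wp-json/wp/v2/users'] ?? null;
    if ($users && $users['status'] === 200) {
        $decoded = json_decode($users['body'], true);
        if (is_array($decoded) && isset($decoded[0]['slug'])) {
            $add('critical', 'REST API exposes usernames (/wp-json/wp/v2/users)');
        }
    }
    // 4. Version exposure via the generator meta tag or the RSS generator element.
    $feed = $r['/feed/']['body'] ?? '';
    if (preg_match('/name="generator" content="WordPress ([\d.]+)"/', $home, $m)
        || preg_match('/wordpress\.org\/\?v=([\d.]+)/', $feed, $m)) {
        $add('warning', "WordPress version {$m[1]} is exposed");
    }
    // 5. Default files that confirm WordPress is installed.
    foreach (['/readme.html', '/license.txt'] as $path) {
        if (($r[$path]['status'] ?? 0) === 200 && stripos($r[$path]['body'], 'WordPress') !== false) {
            $add('warning', "$path is publicly readable");
        }
    }
    // 6. PHP debug output leaking into the page source.
    if (preg_match('/\b(Warning|Notice|Deprecated|Fatal error): .+ on line \d+/', $home)) {
        $add('critical', 'PHP debug output is visible in the page source');
    }
    // 7. Security headers missing from the home page response.
    $headers = $r['/']['headers'] ?? [];
    foreach (['content-security-policy', 'x-frame-options'] as $h) {
        if (!isset($headers[$h])) {
            $add('warning', "Missing header: $h");
        }
    }
    // 8. Plugin versions read from asset URLs, compared with the directory's latest release.
    if (preg_match_all('#/wp-content/plugins/([\w-]+)/[^"\s]*\?ver=([\d.]+)#', $home, $mm, PREG_SET_ORDER)) {
        foreach ($mm as [, $slug, $ver]) {
            if (isset($latest[$slug]) && version_compare($ver, $latest[$slug], '<')) {
                $add('warning', "Plugin $slug $ver is outdated (latest {$latest[$slug]})");
            }
        }
    }
    return $findings;
}

// Grade as the FAQ describes: A clean, B warnings only, C/D one or two criticals, F three or more.
function grade(array $findings): string
{
    $critical = count(array_filter($findings, fn($f) => $f['severity'] === 'critical'));
    $warnings = count($findings) - $critical;
    if ($critical >= 3) return 'F';
    if ($critical === 2) return 'D';
    if ($critical === 1) return 'C';
    return $warnings > 0 ? 'B' : 'A';
}

$findings = analyse($responses, $latestPluginVersions);
foreach ($findings as $f) {
    printf("[%s] %s\n", strtoupper($f['severity']), $f['message']);
}
echo 'Grade: ' . grade($findings) . "\n";
```

Run with `php scan-demo.php`. The sample site has two critical findings (XML-RPC enabled, usernames exposed) plus several warnings, so it grades D; swapping the sample responses for ones captured from your own site shows which of the eight checks would trip.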

Who Is This Tool For?

WordPress site owners who want to see what their site looks like to an attacker. Freelance developers auditing a client's WordPress installation before taking it on. Security-conscious business owners who've heard about WordPress hacks but don't know where to start. The scan is non-invasive and only checks publicly visible information.

Frequently Asked Questions

Yes. The scanner only checks publicly visible information by making standard HTTP requests to your site, the same as any web browser or search engine would. It does not attempt to log in, exploit vulnerabilities, or modify anything. Think of it as checking what the front door looks like from the pavement.

XML-RPC (xmlrpc.php) is a legacy WordPress endpoint that allows external applications to communicate with your site. The problem: attackers use it to try thousands of username/password combinations in a single request, bypassing most login attempt limiters. If you do not use Jetpack or the official WordPress mobile app, you almost certainly do not need it. Block it at the server level or with a security plugin.

The WordPress REST API at /wp-json/wp/v2/users can expose your admin usernames to anyone. Once an attacker has a valid username, they only need to guess the password. That cuts their work in half. Restrict this endpoint so it requires authentication, either with a small code snippet in your theme's functions.php or through a security plugin.

Not necessarily. A login page with CAPTCHA protection, rate limiting, or two-factor authentication is well defended. The scanner flags unprotected login pages because a bare wp-login.php with no defences is an open invitation for brute force bots. If you have protection in place, the scanner will detect CAPTCHA scripts and mark it as passed.

Yes. When your WordPress version is visible in the HTML source or RSS feed, attackers can look up known vulnerabilities for that exact version. Removing the version tag from your <meta name="generator"> output and RSS feed is a quick win. Add remove_action('wp_head', 'wp_generator') to your theme or use a security plugin that handles it.

A means no critical issues or warnings were found. B means minor warnings only. C means one critical issue exists. D means two critical issues. F means three or more critical issues were detected. The grade is based on what the scanner can see from outside your site, so internal-only protections (like a firewall plugin) may not be visible.

Fix critical items first: disable XML-RPC if you do not need it, restrict user enumeration, and address any PHP debug output. Then handle warnings: block readme.html, remove version exposure, and add missing security headers. Each finding includes a specific recommendation. For a managed solution, 365i WordPress hosting handles most of these at the server level.
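The snippet below is an added hardening example for a theme's functions.php (or a small mu-plugin), not 365i code: it uses standard WordPress hooks to address the critical items and warnings listed in the answers above. It assumes the site does not rely on XML-RPC (no Jetpack or mobile-app publishing), and that PHP debug settings and static-file blocking are handled in wp-config.php and the web server config respectively, since functions.php cannot reach those.

```php
<?php
// Added hardening example for functions.php or an mu-plugin (not 365i code).
// Assumes the site does not need XML-RPC and that a theme or mu-plugin loads this file.

// 1. Critical: disable XML-RPC so it cannot be used for bulk credential guessing.
add_filter('xmlrpc_enabled', '__return_false');

// 2. Critical: hide the REST users routes from anonymous visitors (stops enumeration).
//    Logged-in users keep access so the block editor and profile screens still work.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 3. Critical: PHP debug output cannot be switched off here. In wp-config.php set
//    define('WP_DEBUG', false); define('WP_DEBUG_DISPLAY', false);
//    and keep WP_DEBUG_LOG if you still want errors written to a log file.

// 4. Warning: remove the version tag from <head> and from the RSS feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 5. Warning: add the missing security headers on every front-end response.
add_action('send_headers', function (): void {
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    // frame-ancestors is a safe first CSP directive; a fuller policy must be tested
    // against your theme and plugins before restricting script-src or style-src.
    header("Content-Security-Policy: frame-ancestors 'self'");
});

// 6. Warning: readme.html and license.txt are static files served before WordPress
//    loads, so deny them in the Apache or nginx configuration rather than in PHP.
```

After adding this, re-run the scanner: the XML-RPC, user enumeration, version exposure and header checks should move to passed, while the login-page check still depends on a CAPTCHA, rate-limiting or two-factor plugin.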

Secure WordPress Hosting from 365i

Every 365i WordPress hosting plan includes brute force protection, malware scanning, and automatic updates. All included, no plugins needed.