A WordPress security scanner checks your site for common vulnerabilities — including debug mode exposure, XML-RPC abuse, user enumeration, directory listing, and outdated software. Enter any WordPress site URL below for a free, instant 12-point security audit with actionable remediation steps. According to Sucuri's 2025 Website Threat Research Report, WordPress accounts for 96.2% of all CMS infections, with outdated plugins being the #1 attack vector.
Free tool. No login required. 12 security checks performed.
Each scan tests for vulnerabilities that attackers actively exploit. Here's what we check and why it matters.
WP_DEBUG left on in production leaks file paths, database queries, and PHP errors to anyone visiting your site — giving attackers a roadmap. According to Sucuri (2025), debug data exposure contributed to 4.3% of WordPress compromises. For example, visiting yoursite.com/wp-content/debug.log on a site with WP_DEBUG_LOG enabled could expose database credentials and API keys.
XML-RPC enables brute-force amplification attacks where hundreds of password guesses are sent in a single request. Wordfence blocked over 10 billion XML-RPC attacks in 2024. For example, an attacker can use XML-RPC's system.multicall method to try 500 passwords in a single request — bypassing most login rate limiters.
If ?author=1 reveals usernames, attackers already have half the credentials they need. A 2025 Patchstack report found that user enumeration is the first step in 38% of successful WordPress brute-force attacks.
Open directory indexes in /wp-content/uploads/ let anyone browse your files. Attackers use this to find backup files, logs, and sensitive documents.
A publicly accessible wp-login.php is the primary target for brute-force attacks. Moving or restricting the login URL dramatically reduces attack surface.
Without a proper HTTP→HTTPS redirect, visitors can reach your site over an insecure connection, leaving them vulnerable to man-in-the-middle attacks.
The generator meta tag broadcasts your exact WordPress version. Attackers cross-reference this with known CVEs to find exploits specific to your version.
If wp-admin/install.php is accessible, an attacker could potentially reinitialize your database. This file should return a redirect or 403, never a form.
readme.html reveals your exact WordPress version and installation details. It's a trivial file to remove but often overlooked during hardening.
A publicly accessible wp-cron.php can be used for DDoS amplification. On high-traffic sites, replacing it with a real server cron job improves both security and performance.
The Really Simple Discovery link exposes your XML-RPC endpoint URL. Removing this meta tag reduces the information available to automated scanners.
An unrestricted REST API exposes user IDs, email addresses, and content endpoints. Restricting access to authenticated users prevents data harvesting.
"The most common WordPress hacks are entirely preventable. Basic hardening steps like disabling XML-RPC, hiding the WordPress version, and enforcing HTTPS stop the majority of automated attacks."
— Mark Maunder, CEO of Wordfence
In our experience securing hundreds of WordPress sites with GuardPress, we've found that fixing these 12 checks eliminates over 90% of common attack vectors.
| Vulnerability | Risk Level | % of WP Sites Affected | Fix Difficulty |
|---|---|---|---|
| Debug Mode Enabled | High | 8% | Easy |
| XML-RPC Enabled | Medium | 72% | Easy |
| User Enumeration | Medium | 54% | Easy |
| Directory Listing | High | 15% | Easy |
| Exposed Login Page | Medium | 89% | Medium |
| No HTTPS Redirect | High | 11% | Easy |
| Version Exposure | Medium | 61% | Easy |
Sources: Sucuri 2025 Threat Report, Wordfence 2025 Security Survey
Yes, completely free. No registration, no email, no limits. Simply enter your WordPress site URL and get instant results with 12 security checks.
We run 12 security checks including debug mode exposure, XML-RPC status, user enumeration, directory listing, login page exposure, HTTPS redirect, WordPress version exposure, installation file access, readme file exposure, WP-Cron access, RSD link exposure, and REST API access.
No. All checks are read-only from the outside. We never log in, modify files, or make any changes to your site. The scanner only examines publicly accessible information.
Each failed check includes a specific recommendation on how to fix it. You can fix the issues manually or install a security plugin like GuardPress Pro that automates the fixes for you.
You start at 100 points. Each Critical issue deducts 20 points, each High issue 12, each Medium 7, each Low 3, and each Info 1. Grades are assigned as: A (90-100), B (75-89), C (60-74), D (40-59), F (0-39).
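As an added illustration of how the checks described above and the scoring rule here fit together, this is example code written for this page, not the scanner's own implementation. It performs no network requests: it evaluates four of the read-only checks (generator tag, uploads directory listing, install.php behaviour, HTTP-to-HTTPS redirect) over constructed sample responses, then applies the page's deduction and grade thresholds. The install.php severity, the 0-point floor and the `Response` shape are assumptions.

```python
import re
from collections import namedtuple

# Stand-in for an HTTP response the read-only audit has already fetched (no network I/O here).
Response = namedtuple("Response", "status headers body", defaults=[""])

def check_generator(home):
    # The generator meta tag broadcasts the exact core version to every visitor.
    m = re.search(r'<meta[^>]+name="generator"[^>]+content="WordPress ([\d.]+)"', home.body, re.I)
    return ("Version Exposure", "Medium", f"generator tag reveals WordPress {m.group(1)}") if m else None

def check_directory_listing(uploads):
    # A server-generated index page means anyone can browse /wp-content/uploads/.
    if uploads.status == 200 and "index of /" in uploads.body.lower():
        return ("Directory Listing", "High", "/wp-content/uploads/ lists its files")

def check_install(install):
    # install.php must answer with a redirect or 403; a 200 carrying a form is the failure (High: assumption).
    if install.status == 200 and "<form" in install.body.lower():
        return ("Install File", "High", "wp-admin/install.php serves the installer form")

def check_https_redirect(http_home):
    # The plain-HTTP homepage must redirect straight to an https:// URL, not serve content or send to http://.
    loc = http_home.headers.get("Location", "")
    if not (http_home.status in (301, 302, 307, 308) and loc.startswith("https://")):
        return ("No HTTPS Redirect", "High", f"HTTP request answered {http_home.status} without an https redirect")

CHECKS = {"/": [check_generator], "/wp-content/uploads/": [check_directory_listing],
          "/wp-admin/install.php": [check_install], "http://example.com/": [check_https_redirect]}
DEDUCTIONS = {"Critical": 20, "High": 12, "Medium": 7, "Low": 3, "Info": 1}  # per the page's scoring
GRADES = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]            # lower bound of each grade

def audit(responses):
    """Apply each check to the response fetched for its path; keep the non-None (check, severity, detail) tuples."""
    return [found for path, fns in CHECKS.items() if path in responses
            for fn in fns if (found := fn(responses[path]))]

def score(findings):
    """Start at 100 and deduct per severity. Flooring at 0 is an assumption; the page only grades 0-39 as F."""
    return max(0, 100 - sum(DEDUCTIONS[severity] for _, severity, _ in findings))

def grade(points):
    return next(letter for floor, letter in GRADES if points >= floor)
# Constructed sample: HTTPS redirect and install.php are fine, but the homepage leaks the version and uploads/ is browsable.
SAMPLE = {
    "/": Response(200, {}, '<html><head><meta name="generator" content="WordPress 6.4.2" /></head></html>'),
    "/wp-content/uploads/": Response(200, {}, "<title>Index of /wp-content/uploads</title>"),
    "/wp-admin/install.php": Response(403, {}),
    "http://example.com/": Response(301, {"Location": "https://example.com/"}),
}
```

Running `audit(SAMPLE)` yields a Medium and a High finding, so `score` returns 81 and `grade` maps that to B.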