SecuChecker: Free WordPress Security Audit (Headers, SSL, Version Disclosure, Exposures)

by People Are Geek
May 27, 2026
in Security Tools, Server Tools

Free WordPress security audit

Scan any public WordPress site for the security gaps that account for the majority of real-world incidents: missing HTTP security headers, weak TLS settings, version disclosure, accessible xmlrpc.php, exposed readme.html, open wp-includes directory listing, public user enumeration, and missing HSTS preload. The result is a posture score from 0 to 100, a per-finding severity, and a prioritised fix list you can hand to your developer or hosting provider. The scan runs from the PeopleAreGeek server so CORS does not block the probes; nothing is logged.

Probes are non-intrusive: HEAD or GET requests, no login attempts, no fuzzing. The full scan takes 8-20 seconds depending on the target.

What SecuChecker scans on a WordPress site

Most WordPress incidents in 2026 still come from a small set of easy-to-fix gaps: a missing Content Security Policy, an HSTS header that is not advertised, a default xmlrpc.php endpoint that lets attackers brute-force credentials, a public readme.html that announces the exact WordPress version, a wide-open wp-includes directory listing that exposes plugin and core code, or a public REST endpoint at /wp-json/wp/v2/users that enumerates author logins. SecuChecker probes all of those signals in a single pass and returns a posture score so you can prioritise the fixes that actually move the needle on attack surface.

The scan touches eighteen indicators when run in full depth and twelve in quick mode. The HTTP layer reads response headers and parses HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, the server software and the cache configuration. The TLS layer checks certificate validity, days to expiry and the subject alternative names. The WordPress layer looks at the generator meta tag, the readme file, the directory listings, the REST API users endpoint and the XML-RPC endpoint. Each check returns a pass / warn / fail verdict with the exact line that triggered the decision, the severity (high, medium, low, info) and a one-line remediation. The whole flow is non-intrusive: no login attempts, no fuzzing, no automated exploitation, only public read probes that any anonymous user could send manually.

How the WordPress security checker works

  1. Validate the URL and resolve the hostname for TLS probing.
  2. Fetch the homepage through the PeopleAreGeek server and read all response headers.
  3. Parse security headers and score each one according to the OWASP secure-headers best practice 2026.
  4. Probe the TLS endpoint on port 443, read the certificate metadata (issuer, validity, SAN) and compute days remaining.
  5. Probe WordPress-specific paths: /readme.html, /wp-login.php, /xmlrpc.php, /wp-includes/, /wp-content/uploads/, /?author=1, /wp-json/wp/v2/users. Capture the HTTP status, the response length and the key headers for each.
  6. Read the home HTML for the generator meta tag (often discloses the exact WordPress version) and for visible plugin signatures.
  7. Score and rank findings by severity and produce a single posture score from 0 to 100.
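The scoring stage of the flow above, as an added example that is not SecuChecker's own code: it takes already-fetched response headers, homepage HTML and per-path status codes, applies pass / warn / fail verdicts (including the HSTS directive check the FAQ describes) and returns a 0 to 100 posture score. The per-control point weights and the sample responses are constructed for illustration and are assumptions, not the tool's real weighting.

```python
import re
# Added example, not SecuChecker's code. Points per control are assumed (5-15 each, summing to 100).
HEADER_CONTROLS = {"strict-transport-security": (15, "high"), "content-security-policy": (15, "high"),
                   "x-frame-options": (10, "medium"), "x-content-type-options": (5, "low"),
                   "referrer-policy": (5, "low"), "permissions-policy": (5, "low")}
# WordPress paths that should not answer HTTP 200 to an anonymous GET.
PATH_CONTROLS = {"/readme.html": (5, "medium"), "/xmlrpc.php": (15, "high"),
                 "/wp-includes/": (5, "medium"), "/wp-json/wp/v2/users": (10, "high")}
GENERATOR_RE = re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress ([\d.]+)', re.I)
POINTS_FOR = {"pass": 1.0, "warn": 0.5, "fail": 0.0}  # share of a control's points per verdict

def check_hsts(value):
    """Verdict for Strict-Transport-Security: max-age of at least one year, includeSubDomains, preload."""
    if value is None:
        return "fail", "header missing"
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < 31536000:
        return "warn", "max-age shorter than one year"
    if "includesubdomains" not in value.lower() or "preload" not in value.lower():
        return "warn", "missing includeSubDomains or preload"
    return "pass", "ok"

def audit(headers, html, path_status):
    """Score already-fetched responses; returns (score 0-100, findings). Does no network I/O."""
    headers = {k.lower(): v for k, v in headers.items()}
    findings, score = [], 0.0
    for name, (points, sev) in HEADER_CONTROLS.items():
        if name == "strict-transport-security":
            verdict, detail = check_hsts(headers.get(name))
        else:
            verdict, detail = ("pass", "present") if name in headers else ("fail", "header missing")
        score += points * POINTS_FOR[verdict]
        findings.append((name, verdict, "info" if verdict == "pass" else sev, detail))
    for path, (points, sev) in PATH_CONTROLS.items():
        status = path_status.get(path)
        verdict = "fail" if status == 200 else "pass"
        score += points * POINTS_FOR[verdict]
        findings.append((path, verdict, "info" if verdict == "pass" else sev, f"HTTP {status}"))
    m = GENERATOR_RE.search(html)  # version disclosure control, 10 points
    verdict = "fail" if m else "pass"
    score += 10 * POINTS_FOR[verdict]
    findings.append(("generator meta tag", verdict, "medium" if m else "info",
                     f"WordPress {m.group(1)} disclosed" if m else "not disclosed"))
    return int(score), findings

# Constructed sample responses (not a real site): short HSTS, no CSP, version and readme exposed.
SAMPLE_HEADERS = {"Server": "nginx", "Strict-Transport-Security": "max-age=300",
                  "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 6.5.2" /></head></html>'
SAMPLE_STATUS = {"/readme.html": 200, "/xmlrpc.php": 405, "/wp-includes/": 403, "/wp-json/wp/v2/users": 200}
```

Calling `audit(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_STATUS)` on the constructed sample yields a score of 42, which falls in the page's "below 60" band.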

Common use cases for SecuChecker

  • Pre-launch hardening. Before a new WordPress site goes public, run the scan to catch missing headers and exposed default files.
  • Monthly security review. Re-scan after every WordPress core update, plugin install or hosting migration. Configuration drift is the source of half the regressions.
  • Vendor due diligence. Auditing a freelance developer or a WordPress agency? Scan their portfolio sites to verify the security claims in the proposal.
  • Compliance evidence. Many lightweight compliance frameworks (GDPR security, ISO baseline) ask for documented security checks. The downloadable report fits that bill for the WordPress part of the stack.
  • Incident triage. After a suspected compromise, the scan tells you whether the easy attack vectors are still open. Closing them is often the first containment step.
  • Lead magnet for agencies. WordPress freelancers and small agencies use the public scan as a conversation starter before pitching a full security audit or a managed-hosting plan.

Limitations and ethical scanning notes

SecuChecker is a non-intrusive black-box scanner. It does not log in, does not POST forms, does not attempt to find SQL injection or remote code execution, and does not perform any action that could be interpreted as an attack. It reads public endpoints and compares the responses with a checklist of well-known WordPress posture indicators. A clean SecuChecker report is a great starting point but not a substitute for a full audit: vulnerabilities inside plugin code, weak passwords, role escalation paths and runtime malware are out of scope. For a deeper assessment, including authenticated plugin review and code-level findings, a full WordPress security audit with PDF report is available for €49 (see the upsell card in the Summary tab).

Scan only sites you own or have permission to scan. Running automated probes against third-party sites can be interpreted as a hostile act by some hosting providers. SecuChecker rate-limits its probes per session to stay below any reasonable detection threshold, but the responsibility for ethical use remains with you. The PeopleAreGeek server is the originating IP for every probe and is logged by major CDNs accordingly.

Frequently asked questions

What does the posture score mean?

It is a weighted sum out of 100 where each control carries 5-15 points. A score of 85 or above indicates a hardened baseline; 60-85 means several controls are missing but no critical exposure; below 60 means the site has several high-severity gaps that an opportunistic attacker can detect from outside.

Is the scan safe to run on a production site?

Yes. The probes are HEAD or GET requests on public URLs at a sane rate. There is no POST, no form submission, no brute force and no fuzzing. Most WAFs do not flag the traffic at all because it is identical to a regular search-engine crawl.

Why does the scan flag my exposed WordPress version?

A visible version number narrows down the relevant CVE list for an attacker. The fix is to remove the generator meta tag through a plugin or a small theme tweak, and to delete or restrict the readme.html file at the document root.

Should I disable xmlrpc.php?

If you do not use the Jetpack mobile app, the WordPress mobile apps, or remote publishing, yes. xmlrpc.php is the legacy remote-access endpoint historically abused for credential brute-forcing and pingback amplification. Block it at the web server level or via a security plugin.

Why is HSTS recommended?

HSTS tells the browser to refuse plain HTTP for the domain for a set duration. It defends against downgrade attacks and stolen-cookie attacks on insecure networks. Add it with a long max-age, the includeSubDomains directive, and the preload flag once you are confident the site will stay HTTPS.

Does a clean scan mean my site is secure?

No. A clean scan means the easy gaps are closed. Plugin vulnerabilities, weak passwords, social-engineering paths and supply-chain attacks are out of scope. For a deeper assessment, an authenticated audit is the right next step.

People Are Geek
I'm Stephane, a network and systems engineer with over 15 years of hands-on experience on production infrastructure, virtualization (ESXi, Proxmox), networking, and self-hosting. Earlier in my career I built and ran a Linux resource site that became a well-known reference for sysadmins. Today I focus on cybersecurity, and I also work as a technical trainer, teaching networking and security to people who do it for a living. Everything on People Are Geek comes from real-world practice, not theory. I build every tool on this site myself, and I write about what I've actually deployed, broken, and fixed. If it's here, I've used it.