Cyber Audit Suite for WordPress: All-in-One Security Scanner (2026)

by People Are Geek
June 14, 2026
in Security Tools
Cyber audit suite for WordPress: 10 parallel security checks, unified posture score, prioritised action plan

Paste a WordPress URL. Hit the button. About 20 seconds later you know where the site really stands. Ten checks fire at once: security headers, the TLS and certificate situation, DNS health, whether the WP version is leaking, xmlrpc, REST user enumeration, the old ?author=N trick, a stray readme.html, robots.txt. Each one gets a score. The findings come back sorted by how badly they actually bite, and the action plan tells you what to touch first, so you’re not staring at a wall of red wondering where to even start.
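As an added illustration of what four of those checks actually look at (this is example code written for this page, not the suite's own code), here is a stand-alone Python version that runs over captured responses. The expected-header list, the `Response` shape and the constructed sample site are assumptions; the WordPress behaviours it keys on (the `generator` meta tag and the fixed 405 reply from `xmlrpc.php`) are stock WordPress.

```python
import re
from dataclasses import dataclass

# Security headers the Transport bucket expects on every HTML response
# (constructed list for this example; the header names themselves are real).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Stock WordPress themes emit <meta name="generator" content="WordPress x.y.z" />
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.IGNORECASE
)


@dataclass(frozen=True)
class Response:
    """Constructed stand-in for one captured HTTP response; nothing here touches the network."""
    status: int
    headers: dict       # header names lower-cased
    body: str = ""


def check_headers(home):
    """Name every expected security header the home page response lacks."""
    present = {name.lower() for name in home.headers}
    return [h for h in EXPECTED_HEADERS if h not in present]


def check_version_disclosure(home):
    """Return the WordPress version leaked by the generator meta tag, or None."""
    match = GENERATOR_RE.search(home.body)
    return match.group(1) if match else None


def check_xmlrpc(xmlrpc):
    """An enabled xmlrpc.php answers GET with 405 and a fixed sentence;
    a 403 or 404 means it is blocked or removed."""
    return xmlrpc.status == 405 and "XML-RPC server accepts POST requests only" in xmlrpc.body


def check_readme(readme):
    """readme.html is a stock file that has no business being served from production."""
    return readme.status == 200 and "WordPress" in readme.body


def audit(pages):
    """Run the passive checks over captured responses keyed by path and return
    (check, severity, detail) findings, highest severity first."""
    findings = []
    for header in check_headers(pages["/"]):
        sev = "high" if header in ("strict-transport-security", "content-security-policy") else "medium"
        findings.append(("security_headers", sev, f"missing {header}"))
    version = check_version_disclosure(pages["/"])
    if version:
        findings.append(("version_disclosure", "medium", f"generator meta tag exposes WordPress {version}"))
    if "/xmlrpc.php" in pages and check_xmlrpc(pages["/xmlrpc.php"]):
        findings.append(("xmlrpc", "high", "xmlrpc.php accepts requests"))
    if "/readme.html" in pages and check_readme(pages["/readme.html"]):
        findings.append(("readme_html", "low", "stock readme.html is reachable"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[1]])   # sort is stable, so check order is kept


# Constructed sample: a site with partial headers, a leaked version and xmlrpc on.
SAMPLE_SITE = {
    "/": Response(200,
                  {"content-type": "text/html", "x-content-type-options": "nosniff",
                   "x-frame-options": "SAMEORIGIN"},
                  '<html><head><meta name="generator" content="WordPress 6.5.2" /></head>'
                  '<body></body></html>'),
    "/xmlrpc.php": Response(405, {"content-type": "text/plain"},
                            "XML-RPC server accepts POST requests only."),
    "/readme.html": Response(404, {}, "Not Found"),
}

if __name__ == "__main__":
    for check, severity, detail in audit(SAMPLE_SITE):
        print(f"[{severity:6}] {check}: {detail}")
```

Point it at responses you captured from your own site and the output is the same shape the Findings tab gives you: three highs (two headers, xmlrpc), two mediums (Referrer-Policy, version leak), no readme finding because that one returned 404.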


What the suite actually measures

This used to be five tabs. SecuChecker for the WP exposure stuff. The HTTP Headers Checker. The SSL Certificate Checker, the TLS Version Selector, a DNS Lookup. Then I’d copy the bits I cared about into a doc, by hand, every single time. It got old fast. So I wired the same checks behind one button and let it spit out a single posture score. The exposure tests follow the OWASP Top 10 for Web Applications 2025, and the transport-layer scoring tracks the Mozilla SSL Configuration Generator baseline. None of the thresholds are something I made up on a quiet afternoon.

The free run does the ten things a WP-hunting bot pokes at the second it finds you. Between them they cover maybe 90 percent of the misconfigs that actually get sites owned these days. The last 10 percent? A scanner just can’t reach it on its own. Authenticated plugin bugs, custom theme code somebody has to actually read, business-logic holes, real WAF tuning. For that you need a human with an account and a few hours to kill. That’s what the paid tier is for.

How the score is calculated

Every check lands on a 0-to-100 score with thresholds I picked on purpose. Then the lot folds into five buckets: Transport (TLS, certificate, headers), Exposure (version disclosure, readme files, xmlrpc, user enumeration), Network (DNS health, redirect chains, CDN presence), Surface (REST API hygiene, robots.txt, sitemap) and Hygiene (auto-update signals, plugin freshness fingerprints). The big number up top is just the average of those five. Nothing clever. Clear 85 and you’re “hardened”. Anywhere from 60 to 85 reads “needs improvement”. Drop under 60 and you’re flat-out “exposed”. The math behind every deduction sits on the Findings tab, so you can go fix things without re-running the whole scan just to remember what hurt you.
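To make the arithmetic concrete, here is an added Python example (written for this page, not the suite's own scoring code) that folds per-check deductions into the five buckets and the headline number. The ten check keys, the deduction weights and the sample findings are constructed; the bucket names and the 85/60 thresholds are the page's, and counting exactly 85 as "hardened" is an assumption.

```python
from dataclasses import dataclass
from statistics import mean

# Which check feeds which bucket. The five bucket names are the page's; the ten
# check keys are a constructed split of the checks the page lists.
CHECK_CATEGORY = {
    "security_headers": "Transport",
    "tls_certificate": "Transport",
    "version_disclosure": "Exposure",
    "readme_html": "Exposure",
    "xmlrpc": "Exposure",
    "user_enumeration": "Exposure",
    "dns_health": "Network",
    "rest_api": "Surface",
    "robots_txt": "Surface",
    "auto_update": "Hygiene",
}


@dataclass(frozen=True)
class Finding:
    check: str       # key of CHECK_CATEGORY that raised it
    title: str
    deduction: int   # points taken off that check's 100 (constructed weights)


def check_scores(findings):
    """Each check starts at 100 and loses its findings' deductions, floored at 0.
    Checks that raised nothing keep 100, so every key is always present."""
    scores = {check: 100 for check in CHECK_CATEGORY}
    for f in findings:
        scores[f.check] = max(0, scores[f.check] - f.deduction)
    return scores


def category_scores(scores):
    """Mean of the checks in each bucket, in the page's bucket order."""
    buckets = {}
    for check, score in scores.items():
        buckets.setdefault(CHECK_CATEGORY[check], []).append(score)
    return {cat: mean(vals) for cat, vals in buckets.items()}


def overall_score(categories):
    """The headline number: a plain average of the five bucket scores."""
    return mean(categories.values())


def posture_label(score):
    """Thresholds from the page; counting exactly 85 as hardened is an assumption."""
    if score >= 85:
        return "hardened"
    if score >= 60:
        return "needs improvement"
    return "exposed"


def deduction_trail(findings):
    """What the Findings tab would list: check, bucket, title, points lost."""
    return [(f.check, CHECK_CATEGORY[f.check], f.title, -f.deduction) for f in findings]


# Constructed findings for a site that loads fast and looks fine but lands amber.
SAMPLE_FINDINGS = [
    Finding("security_headers", "Strict-Transport-Security header missing", 20),
    Finding("security_headers", "Content-Security-Policy header missing", 25),
    Finding("tls_certificate", "TLS 1.0 still negotiable", 30),
    Finding("version_disclosure", "WordPress version in generator meta tag", 30),
    Finding("readme_html", "Stock readme.html reachable", 15),
    Finding("xmlrpc", "xmlrpc.php accepts requests", 30),
    Finding("dns_health", "No CAA record published", 10),
    Finding("rest_api", "REST users endpoint lists accounts unauthenticated", 35),
]

if __name__ == "__main__":
    per_check = check_scores(SAMPLE_FINDINGS)
    per_bucket = category_scores(per_check)
    headline = overall_score(per_bucket)
    for cat, val in per_bucket.items():
        print(f"{cat:10} {val:6.2f}")
    print(f"overall    {headline:6.2f}  -> {posture_label(headline)}")
    for check, cat, title, delta in deduction_trail(SAMPLE_FINDINGS):
        print(f"  {delta:+4d}  [{cat}/{check}] {title}")
```

Notice how the plain average behaves: Network and Hygiene sit at 90 and 100 and pull the headline up to 83.25, so a site can read "needs improvement" while Transport, the bucket a visitor's browser actually feels, is down at 62.5. That is exactly why the per-bucket numbers matter more than the big one.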

Why a single score per category

Honestly? Because nobody above you reads a 12-bullet finding list. Your boss skims it, nods, moves on. But five category scores and one headline number? That fits in a Slack message. It fits on a board-deck slide, or in the little box on a security questionnaire that asks “what’s your posture?” and expects a number. The gory detail is still one click away on the Findings tab, for whoever’s actually doing the fixing.

The action plan: priority over completeness

This is the bit I actually care about. The Action plan tab doesn’t just sort by severity. It weighs impact against effort, which is the part that matters. A missing CSP header you can drop in with one nginx line jumps ahead of a “medium” plugin upgrade that wants a staging copy, a regression pass, then half an hour of downtime nobody scheduled. Most scanners do the opposite. They hand you a flat list sorted by CVE score and wander off, and now you’re the one deciding what to fix on a Tuesday afternoon. Maybe that works for you. I’d rather just hand you the order you’d have landed on anyway.
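Here is the impact-against-effort idea as an added, runnable Python example (mine, not the suite's ranking code). The impact and effort scales, the sample findings and their effort ratings are constructed; the nginx directives in the fix column are real directives with placeholder policy values. It prints the flat severity order beside the plan order so the difference is visible.

```python
from dataclasses import dataclass

# Constructed scales. Impact follows severity; effort is what the fix costs in
# practice, from one config line to a staged upgrade with scheduled downtime.
IMPACT = {"high": 3, "medium": 2, "low": 1}
EFFORT = {"trivial": 1, "moderate": 2, "heavy": 4}


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str   # key of IMPACT
    effort: str     # key of EFFORT
    fix: str        # the concrete change the plan recommends


def priority(f):
    """Impact per unit of effort, the number the action plan sorts on."""
    return IMPACT[f.severity] / EFFORT[f.effort]


def by_severity(findings):
    """A flat severity sort, the order most scanners hand you."""
    return sorted(findings, key=lambda f: (-IMPACT[f.severity], f.title))


def action_plan(findings):
    """Highest impact-per-effort first; ties go to the bigger impact, then title."""
    return sorted(findings, key=lambda f: (-priority(f), -IMPACT[f.severity], f.title))


# Constructed findings; policy values in the fix strings are placeholders.
SAMPLE_FINDINGS = [
    Finding("Outdated plugin with a published fix", "medium", "heavy",
            "upgrade on staging, run the regression pass, schedule the downtime"),
    Finding("Content-Security-Policy header missing", "high", "trivial",
            'add_header Content-Security-Policy "default-src \'self\'" always;'),
    Finding("TLS 1.0 still negotiable", "high", "moderate",
            "ssl_protocols TLSv1.2 TLSv1.3; then retest the clients that matter"),
    Finding("xmlrpc.php accepts requests", "medium", "moderate",
            "deny it at the web server unless Jetpack or the mobile app needs it"),
    Finding("Strict-Transport-Security header missing", "medium", "trivial",
            'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'),
    Finding("Stock readme.html reachable", "low", "trivial",
            "delete the file or deny it at the web server"),
]

if __name__ == "__main__":
    print("severity-only order:")
    for f in by_severity(SAMPLE_FINDINGS):
        print(f"  [{f.severity:6}] {f.title}")
    print("action plan (impact / effort):")
    for n, f in enumerate(action_plan(SAMPLE_FINDINGS), 1):
        print(f"  {n}. {priority(f):.2f}  {f.title}\n       fix: {f.fix}")
```

In the sample the medium plugin upgrade sits third on the severity-only list and dead last on the plan, because four units of effort for two of impact is the worst trade on the board; the two one-line headers move to the top.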

The €49 manual audit

Free scan lighting up with more than three high-severity findings? Or you’re running something that genuinely can’t afford a bad day, a shop, a health site, anything B2B SaaS where downtime gets noticed? That’s when I’d sit down with it properly. The paid audit is five hours of my time with hands on the keyboard. I read the code of every active plugin and theme. I run an authenticated black-box test (I’ll ask for a read-only admin account), tune your CSP and security headers by hand, and if a plugin has a CVE the vendor’s dragging their feet on, I’ll backport the fix myself. Then you get a one-page summary your stakeholders can actually sign off on. €49, flat, paid once. No subscription nonsense. Email contact@peoplearegeek.com with your scan URL and roughly when you need it.

Privacy and data handling

The whole thing runs from your browser. The URL you type only ever hits my own probe endpoints, the DNS lookup, the header fetch, the handshake that checks TLS. Never some third party I don’t control. Your scan history lives in your browser’s localStorage, so clear it and it’s gone. There’s no copy anywhere else. No account, no email grab on the free tier either. The €49 audit obviously needs your email, sure, but I delete whatever you send me 30 days after the audit’s handed over. I’d rather not be sitting on your details, honestly.

When to run the suite (and when not to)

There are three moments where I actually reach for this.
  • Pre-launch: before you flip DNS to production, point it at the staging URL. You’ll catch the stuff somebody swore they’d set and then didn’t: the HSTS header, the CSP, the version still sitting in the meta tag for anyone to read.
  • Quarterly health check: I run one on a quiet Monday every quarter, because sites drift. A new plugin quietly bolts on a header that breaks your CSP. A theme update flips open an exposure you’d already closed. Nobody notices until it suddenly matters.
  • After something feels off: spam crawling into comments, odd outbound traffic at 3am, a login you don’t recognise. Before you go spelunking through logs, this hands you a cold, honest baseline of where the site sits right now.

Let me be straight about what it won’t do, because I’d hate for you to get burned trusting it too far. It doesn’t read plugin code hunting for vulnerable patterns. That’s Patchstack or WPScan. Runtime-injected malware? It won’t catch that, you want Wordfence file integrity. And anything behind a login is just out of reach, because that genuinely needs a real account plus Burp Suite in your own hands. So treat it as the cheap, fast first look that tells you whether the expensive stuff is even worth booking. Most sites I throw at it reach “Hardened” in one afternoon of clearing the amber findings. The deep dive, if you even need it, can wait.

Integrating the suite into your workflow

The JSON on the Raw data tab is there so you can just grab it and go. Drop it into a ticket comment. Or a wiki page, or that security questionnaire HR forwarded you for the third time. Stamp it with the scan date and the URL, done. Next quarter’s scan then reads like a clean diff against this one. And if you’re babysitting five or more WordPress sites, the Scan history tab is the one I’d basically live in. Sort by score and you see at a glance which property needs you this quarter, and which one can keep coasting for now.

Frequently asked questions

How long does a scan take?

Usually 8 to 25 seconds. The target decides which end you land on, not me. Behind Cloudflare, or speaking HTTP/2? You’re often done in under 12. Stick it on tired shared hosting and it can crawl all the way to 25, and it’s almost always the cert handshake and DNS resolution dragging their feet. The actual checks are quick.

Can I scan a site I do not own?

Yeah, you can. It only ever touches what any random visitor already sees: HTTP responses, DNS records, the public TLS handshake. Nothing it reads is hidden behind a password. It’s the exact same surface every bot scanner on the internet pokes at all day anyway. I don’t bypass auth, and the URL doesn’t stick around past your browser session.

Does the scan trigger Wordfence or Sucuri alerts?

Across 200-plus sites I’ve run it against, it hasn’t tripped a commercial WAF once. Each probe is a single clean HTTP request with nothing attack-shaped behind it. If something does light up, that’s just my backend knocking, and it comes from a fixed IP range I’m happy to send you. Drop that into Wordfence Live Traffic as allowed and you won’t get a fright the next time around.

What is the difference with SecuChecker?

SecuChecker is the WordPress-specific bit: its 18 exposure checks. This suite runs every one of those, then bolts on the transport layer (TLS, certificate, headers) and the network layer (DNS health, redirect chain), and rolls the whole lot into one score across all three. So SecuChecker isn’t a competitor here. It’s one of the modules feeding the suite.

Why is my Lighthouse score green but the cyber score amber?

Because they’re measuring two completely different things. Lighthouse cares about speed and a handful of best practices. This suite cares about how exposed you are, full stop. A site can load in 1.2 seconds and earn a lovely green Lighthouse badge while it’s still quietly broadcasting its WordPress version and leaving xmlrpc.php wide open. No HSTS either. That’s exactly what tips the cyber score to amber. They’re not arguing with each other. They’re just looking at different things.

Where is my scan history stored?

All of it lives in your browser’s localStorage, under the key cyberAuditSuite.history. I keep the last 30 scans and quietly drop the oldest as fresh ones land. Clear your browser data and it’s wiped. There’s no copy sitting on my server to fall back on, and that’s rather the point.

Sources & further reading

  • OWASP, Web Security Testing Guide
  • OWASP, Top Ten

Related tools and follow-up

  • SecuChecker (WP exposure module)
  • SecurityWatch (continuous monitoring)
  • HTTP Headers Checker
  • SSL Certificate Checker
  • TLS Version Selector + nginx config
  • CSP Header Builder
  • Guide: WordPress Security Audit in 10 Steps

I'm Stephane, a network and systems engineer with over 15 years of hands-on experience on production infrastructure, virtualization (ESXi, Proxmox), networking, and self-hosting. Earlier in my career I built and ran a Linux resource site that became a well-known reference for sysadmins. Today I focus on cybersecurity, and I also work as a technical trainer, teaching networking and security to people who do it for a living. Everything on People Are Geek comes from real-world practice, not theory. I build every tool on this site myself, and I write about what I've actually deployed, broken, and fixed. If it's here, I've used it.
