Cyber audit suite for WordPress: 10 parallel security checks, unified posture score, prioritised action plan
Enter a WordPress URL and get a complete cyber audit in 20 seconds: HTTP security headers, TLS/SSL configuration, certificate expiry, DNS health, WordPress version disclosure, xmlrpc exposure, REST API user enumeration, ?author=N leak, public readme files, robots.txt hygiene. Each check is scored, the findings are grouped by severity, and the action plan tells you exactly what to fix first.
What the suite actually measures
The Cyber Audit Suite consolidates the work normally spread across five separate tools: SecuChecker (WP exposure audit), HTTP Headers Checker, SSL Certificate Checker, TLS Version Selector and DNS Lookup. Running the same checks from a single button gives you a unified posture score and removes the friction of stitching results together by hand. The methodology follows the OWASP Top 10 for Web Applications 2025 and the Mozilla SSL Configuration Generator baseline for the transport layer.
The free tier covers the ten checks that any WP-targeting bot will probe on first contact. Combined, they catch about 90 percent of the misconfigurations that lead to a compromise in 2026. The remaining 10 percent (authenticated plugin vulnerabilities, custom theme code review, business-logic flaws, advanced WAF tuning) require a manual deep-dive audit by an engineer — which is what the optional paid tier provides.
How the score is calculated
Each of the five categories produces a score from 0 to 100, built from its checks with explicit thresholds, and the global posture is the arithmetic mean of the five: Transport (TLS, certificate, headers), Exposure (version disclosure, readme files, xmlrpc, user enumeration), Network (DNS health, redirect chains, CDN presence), Surface (REST API hygiene, robots.txt, sitemap), Hygiene (auto-update signals, plugin freshness fingerprints). A score above 85 puts the site in the “hardened” bracket; 60 to 85 is “needs improvement”; below 60 is “exposed”. Because the global number is an unweighted mean, one badly exposed category can be masked by four clean ones, so read the category scores before the headline figure. The detailed findings tab explains each deduction so you can act on it without re-running the audit.
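The checks and the scoring above, worked through in code. This is an added example, not the suite's own implementation: it models only the Transport and Exposure categories (the real suite has five), the deduction weights, the HSTS minimum age and the probe result names are assumptions, and the HTTP response and probe outcomes are constructed for the example.

```python
import re
import statistics

# Points deducted from the Transport score when a header is missing or unusable.
# Assumed weights for the example, not the suite's real rubric.
HEADER_DEDUCTIONS = {
    "strict-transport-security": 30,
    "content-security-policy": 30,
    "x-content-type-options": 15,
    "x-frame-options": 15,
    "referrer-policy": 10,
}

# Points deducted from the Exposure score per WordPress finding (assumed weights).
EXPOSURE_DEDUCTIONS = {
    "version_disclosure": 20,
    "readme_public": 15,
    "xmlrpc_enabled": 25,
    "rest_user_enumeration": 25,
    "author_redirect_leak": 15,
}

# <meta name="generator" content="WordPress x.y"> and core assets tagged ?ver=x.y.z
GENERATOR_META = re.compile(r'<meta\s[^>]*name=["\']generator["\'][^>]*content=["\']WordPress', re.I)
CORE_VER_QUERY = re.compile(r'/wp-includes/[^"\']+\?ver=\d+\.\d+(?:\.\d+)?')
HSTS_MIN_AGE = 15552000  # 180 days (assumed threshold); shorter policies count as absent


def check_headers(headers):
    """Return the names of security headers that are missing or too weak to count."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = {name for name in HEADER_DEDUCTIONS if name not in h}
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < HSTS_MIN_AGE):
        missing.add("strict-transport-security")
    return missing


def check_exposure(home_html, probes):
    """Evaluate the WordPress exposure checks from the home page and the probe results.

    probes holds the outcome of the secondary requests the suite would make:
    GET /readme.html, GET /xmlrpc.php, GET /wp-json/wp/v2/users and GET /?author=1.
    """
    return {
        "version_disclosure": bool(GENERATOR_META.search(home_html) or CORE_VER_QUERY.search(home_html)),
        "readme_public": probes["readme_status"] == 200,
        # an enabled xmlrpc.php answers GET with 405 and this exact sentence
        "xmlrpc_enabled": probes["xmlrpc_status"] in (200, 405)
        and "XML-RPC server accepts POST requests only" in probes["xmlrpc_body"],
        # a 200 with user objects (each carries a "slug") means logins are enumerable
        "rest_user_enumeration": probes["rest_users_status"] == 200 and '"slug"' in probes["rest_users_body"],
        # /?author=1 redirecting to /author/<login>/ leaks the first user's login name
        "author_redirect_leak": bool(re.search(r"/author/[^/]+/?$", probes["author_location"] or "")),
    }


def category_score(deductions, flagged):
    """100 minus the deduction for every flagged item, floored at 0."""
    return max(0, 100 - sum(deductions[item] for item in flagged))


def posture(category_scores):
    """Arithmetic mean of the category scores and the bracket the page defines."""
    mean = round(statistics.fmean(category_scores.values()), 1)
    if mean > 85:
        bracket = "hardened"
    elif mean >= 60:
        bracket = "needs improvement"
    else:
        bracket = "exposed"
    return mean, bracket


# CONSTRUCTED sample: HSTS and nosniff set; CSP, X-Frame-Options and Referrer-Policy absent;
# version disclosed; readme.html and xmlrpc.php reachable; REST user listing blocked.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_HOME = """<html><head>
<meta name="generator" content="WordPress 6.5.2" />
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.5.2" />
</head><body></body></html>"""
SAMPLE_PROBES = {
    "readme_status": 200,
    "xmlrpc_status": 405,
    "xmlrpc_body": "XML-RPC server accepts POST requests only.",
    "rest_users_status": 401,
    "rest_users_body": '{"code":"rest_forbidden"}',
    "author_location": "https://example.test/author/admin/",
}


def audit(headers=SAMPLE_HEADERS, home_html=SAMPLE_HOME, probes=SAMPLE_PROBES):
    """Run the two modelled categories and aggregate them the way the page describes."""
    missing = check_headers(headers)
    flagged = {name for name, hit in check_exposure(home_html, probes).items() if hit}
    scores = {
        "transport": category_score(HEADER_DEDUCTIONS, missing),
        "exposure": category_score(EXPOSURE_DEDUCTIONS, flagged),
    }
    mean, bracket = posture(scores)
    return {"missing_headers": sorted(missing), "findings": sorted(flagged),
            "scores": scores, "posture": mean, "bracket": bracket}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

On the constructed sample the Transport score is 45 and the Exposure score 25, so the mean of 35 lands in the “exposed” bracket; note that a REST users endpoint is only counted as enumerable when it returns user objects, not merely a 200.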
Why a single score per category
Stakeholder communication. A 12-bullet finding list scrolls past most non-technical readers. Five category scores plus one global number is what makes it into a Slack post, a board deck slide, or a security questionnaire reply. The detailed breakdown remains one click away on the Findings tab.
The action plan: priority over completeness
The Action plan tab orders the findings by impact divided by effort, not by severity alone. A “critical” missing CSP header that takes one nginx add_header line ranks above a “medium” plugin upgrade that requires staging, a regression test and 30 minutes of downtime (with the caveat that a policy which does not break WordPress's inline scripts usually needs a Content-Security-Policy-Report-Only pass before it is enforced). This priority ordering is the practical opposite of most automated scanners, which dump everything as a flat list sorted by CVE score and leave the planning to you.
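The impact-over-effort ordering, as an added example rather than the suite's own ranking code. The severity weights, the effort estimates, the finding names and the suggested nginx fixes are all assumptions constructed for the example; the comparison function shows where the ordering diverges from a plain severity sort.

```python
from dataclasses import dataclass

# Severity weights are an assumption for this example, not the suite's scoring table.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    effort_minutes: int  # remediation time including staging, tests and downtime
    fix: str

    @property
    def priority(self) -> float:
        """Impact per minute of effort; the larger, the earlier it goes in the plan."""
        return SEVERITY_WEIGHT[self.severity] / self.effort_minutes


def action_plan(findings):
    """Order by impact/effort, ties broken by raw severity, then by name for stable output."""
    return sorted(findings, key=lambda f: (-f.priority, -SEVERITY_WEIGHT[f.severity], f.check))


def by_severity(findings):
    """The flat severity-sorted list most scanners produce, kept here for comparison."""
    return sorted(findings, key=lambda f: (-SEVERITY_WEIGHT[f.severity], f.check))


# CONSTRUCTED findings and effort estimates; the add_header lines are illustrative nginx fixes.
SAMPLE_FINDINGS = [
    Finding("plugin_outdated", "medium", 30, "upgrade on staging, regression test, deploy"),
    Finding("csp_missing", "critical", 1, "add_header Content-Security-Policy \"default-src 'self'\" always;"),
    Finding("xmlrpc_enabled", "high", 2, "return 403 for /xmlrpc.php at the web server"),
    Finding("readme_public", "low", 1, "delete readme.html after each core update"),
    Finding("hsts_missing", "high", 1, "add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;"),
]


def plan_names(findings=SAMPLE_FINDINGS):
    """Check names in action-plan order, for quick comparison with by_severity()."""
    return [f.check for f in action_plan(findings)]


if __name__ == "__main__":
    for f in action_plan(SAMPLE_FINDINGS):
        print(f"{f.priority:6.2f}  {f.severity:8}  {f.check:16}  {f.fix}")
```

With these numbers the one-minute readme deletion (low severity) is scheduled before the 30-minute plugin upgrade (medium severity), which is exactly the swap a severity-only list never makes.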
The €49 manual audit
For sites where the free scan flags more than three high-severity findings, or for sites in regulated industries (e-commerce, healthcare, B2B SaaS), the paid manual audit adds five hours of focused engineering time from a security specialist: code review of every active plugin and theme, authenticated black-box test (we ask for a read-only admin account), custom CSP and security header tuning, plugin CVE backporting if vendor patches lag, and a one-page summary signed off for your stakeholders. €49 fixed, one-time, no subscription. Email contact@peoplearegeek.com with the URL of your scan and a target date.
Privacy and data handling
The Cyber Audit Suite's interface runs in your browser: the URL you enter is sent only to our backend probe endpoints (DNS lookup, header fetch, TLS handshake), never to a third-party service. Scan history is stored in your browser’s localStorage; clearing it removes every record. No account, no email collection on the free tier. The €49 manual audit necessarily involves email contact, but the contact details we receive are deleted 30 days after the audit is delivered.
When to run the suite (and when not to)
The suite is built for three concrete moments in a WordPress site’s lifecycle. Pre-launch: before flipping DNS to production, run the suite against the staging URL to catch the configuration items that nobody remembered to set (HSTS, CSP, version meta removal). Quarterly health check: schedule a Monday-morning scan every quarter to detect drift; a new plugin can quietly add inline scripts that your CSP blocks, a theme update can re-enable an exposure you previously fixed. After any incident: when something looks off (spam in comments, unusual outbound traffic, an unfamiliar admin login), the suite gives you a fast, objective baseline of the current posture before you dive into log analysis.
The suite is not a replacement for a few things. It does not scan plugin code for vulnerable patterns (use Patchstack or WPScan), it does not detect runtime malware injections (use Wordfence file integrity), and it does not test authenticated workflows (you need a real account and Burp Suite for that). Think of the suite as the cheap fast first pass that tells you whether the deeper investments are even worth scheduling — most sites get to “Hardened” within an afternoon of fixing the suite’s amber findings, and the deeper investigation can wait.
Integrating the suite into your workflow
The JSON output (Raw data tab) is designed to drop into a ticket comment, a wiki page, or a security questionnaire reply. Copy the JSON, paste into your tracker, attach the date of the scan, and tag it with the URL. Subsequent quarterly scans show up as a clear diff. For teams running 5+ WordPress properties, the Scan history tab gives you a one-glance comparison across sites — sort by score to know which property needs attention first this quarter, which can wait.
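Drift detection over two quarterly scans, covering both the quarterly check described above and the JSON diff workflow. This is an added example, not the suite's Raw data exporter: the two scan records are constructed, and their field names (url, scanned_at, scores, checks with pass/warn/fail statuses) are an assumed shape, not the suite's documented schema.

```python
import json
import statistics

# Two CONSTRUCTED scan records for the same site, one quarter apart.
Q1 = json.loads("""{
  "url": "https://example.test",
  "scanned_at": "2026-01-05T09:00:00Z",
  "scores": {"transport": 85, "exposure": 100, "network": 90, "surface": 80, "hygiene": 70},
  "checks": {"hsts": "pass", "csp": "pass", "version_disclosure": "pass", "xmlrpc": "pass",
             "rest_user_enum": "pass", "readme": "pass", "robots": "warn"}
}""")
Q2 = json.loads("""{
  "url": "https://example.test",
  "scanned_at": "2026-04-06T09:00:00Z",
  "scores": {"transport": 70, "exposure": 75, "network": 90, "surface": 90, "hygiene": 70},
  "checks": {"hsts": "pass", "csp": "fail", "version_disclosure": "pass", "xmlrpc": "fail",
             "rest_user_enum": "pass", "readme": "pass", "robots": "pass"}
}""")

# Higher rank is worse; a check that disappears from a scan is treated as worst of all.
STATUS_RANK = {"pass": 0, "warn": 1, "fail": 2, "missing": 3}


def posture(scan):
    """Global posture as the page defines it: arithmetic mean of the category scores."""
    return round(statistics.fmean(scan["scores"].values()), 1)


def diff_scans(old, new):
    """Drift between two scans of one URL: check regressions, improvements and score deltas."""
    if old["url"] != new["url"]:
        raise ValueError("scans are for different URLs")
    regressions, improvements = {}, {}
    for check in sorted(set(old["checks"]) | set(new["checks"])):
        before = old["checks"].get(check, "missing")
        after = new["checks"].get(check, "missing")
        if before == after:
            continue
        worse = STATUS_RANK.get(after, 3) > STATUS_RANK.get(before, 3)
        (regressions if worse else improvements)[check] = (before, after)
    deltas = {cat: new["scores"][cat] - old["scores"][cat]
              for cat in old["scores"] if cat in new["scores"]}
    return {"regressions": regressions, "improvements": improvements,
            "score_deltas": deltas, "posture_delta": round(posture(new) - posture(old), 1)}


def report(old, new):
    """Render the diff as plain lines that paste cleanly into a ticket comment."""
    d = diff_scans(old, new)
    lines = [f"{new['url']}: {old['scanned_at'][:10]} -> {new['scanned_at'][:10]}, "
             f"posture {d['posture_delta']:+}"]
    lines += [f"REGRESSION {c}: {b} -> {a}" for c, (b, a) in d["regressions"].items()]
    lines += [f"improved   {c}: {b} -> {a}" for c, (b, a) in d["improvements"].items()]
    lines += [f"{cat} {delta:+}" for cat, delta in d["score_deltas"].items() if delta]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(Q1, Q2))
```

The headline number only moves from 85.0 to 79.0 here, while the check-level diff shows two regressions (CSP and xmlrpc) hidden behind an improved robots.txt and a better Surface score; diff the checks, not just the posture.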
Frequently asked questions
How long does a scan take?
Between 8 and 25 seconds, depending on the target site’s response time. Sites behind Cloudflare or with HTTP/2 typically finish in under 12 seconds. Sites on slow shared hosting can take up to 25 seconds, mostly for the certificate handshake and DNS resolution.
Can I scan a site I do not own?
Technically, yes: the scan is non-intrusive and uses only information any visitor can obtain (HTTP responses, DNS records, TLS handshake), the same data every bot scanner sees. We do not bypass any authentication, and the scanned URL is kept only in your browser’s localStorage, never on our servers. Whether you should scan a site you do not own is a policy question rather than a technical one: get the owner’s permission first, because even lightweight probing of a third party’s site is still unauthorised under most acceptable-use policies.
Does the scan trigger Wordfence or Sucuri alerts?
In our testing across 200+ sites, the scan did not trigger commercial WAFs, because each probe issues a single legitimate HTTP request with no attack signature. If you do see an alert, the source IP belongs to our backend (a fixed range we can share on request); add that range to your Wordfence allowlist so the scan is not mistaken for reconnaissance.
What is the difference with SecuChecker?
SecuChecker runs the 18 WordPress-specific exposure checks. The Cyber Audit Suite includes all of those plus the transport layer (TLS, certificate, headers) and the network layer (DNS health, redirect chain), and consolidates the scoring across the three layers. Think of SecuChecker as one of the modules feeding into the Suite.
Why is my Lighthouse score green but the cyber score amber?
Lighthouse measures performance and basic best practices. The Cyber Audit Suite measures security posture, which is a different axis. A site can load in 1.2 seconds (Lighthouse green) while exposing the WordPress version, having an open xmlrpc.php and lacking HSTS (Cyber amber). The two scores complement each other.
Where is my scan history stored?
In your browser’s localStorage under the key cyberAuditSuite.history. The last 30 scans are kept, oldest are dropped. Clearing your browser data removes all history. We do not store anything on the server.