36-Point External Audit · No Plugin Required

Catch WordPress vulnerabilities
before attackers do

A 36-point external audit for WordPress sites — no plugin, no login, no server access. Get your results in seconds.

No plugin to installRead-only & non-invasiveResults in seconds

Important: Domain verification is required to view full results, protect website owners, and prevent unauthorized security scans.

36

Security Checks

4

Scan Categories

<3s

Average Scan

24/7

Uptime Monitoring

How It Works

From a URL to a fix list in three steps

A complete external audit with nothing to install — no plugin, no credentials, no waiting.

1

Paste a URL

Drop in any WordPress site. Nothing to install, no login, and no server access — ever.

2

We audit it

36 checks run in parallel across core, infrastructure, DNS, and reputation. Findings stream in live.

3

Get your grade

A clear security score, every issue ranked by severity, and step-by-step fixes you can act on today.

Lightning Fast

Full 36-scanner analysis completes in seconds using parallel HTTP checks.

Fully External

No plugins, agents, or credentials needed. Scan any WordPress site you can reach.

Actionable Results

Every finding includes severity rating, detailed explanation, and step-by-step fix.

See It In Action

Everything you need in one security dashboard

Run a scan and get a clear security score, findings grouped by severity, and continuous monitoring for every site you manage.

WPSentry scan report with a security score, severity breakdown, and detailed findings

By the numbers

External security scanning at scale

12.1M+

Sites Scanned

1.4M+

Vulnerabilities Found

99.9%

Uptime Tracked

50K+

CVEs Checked

What We Check

36 checks. Four angles. Zero install.

Every audit covers WordPress core, infrastructure, DNS security, and reputation — entirely from the outside, without ever touching your server.

WordPress Security

21 checks

WordPress Version & CVEs

Detects exposed WP version and matches against known CVE databases

XML-RPC Endpoint

Checks if xmlrpc.php is accessible for brute-force attacks

User Enumeration (REST)

Tests if the REST API exposes user data publicly

Author Enumeration

Checks if author archives reveal usernames

Directory Listing

Scans for open directory indexes on sensitive paths

Debug Log Exposure

Checks if debug.log is publicly accessible

Readme Exposure

Detects if readme.html reveals WordPress version info

Plugin Detection

Identifies installed plugins and known vulnerabilities

Sensitive Files

Scans for .git repos, backup archives, SQL dumps, and config files

Login & Admin Hardening

Login exposure, rate limiting, CAPTCHA, 2FA, and open registration

Upload PHP Execution

Detects if the uploads directory allows PHP code execution

REST API Exposure

Checks settings, media, comments, and _embed metadata leaks

WP-Cron Exposure

Detects publicly accessible wp-cron.php for DoS risk

Database Prefix

Checks if default wp_ table prefix is exposed in API responses

Upload Malware Scan

Probes for common web shells and backdoors in uploads

File Editor Exposure

Detects if the plugin/theme file editor is accessible without DISALLOW_FILE_EDIT

Source Map Exposure

Checks for publicly accessible .map files that reveal unminified source code

.htaccess Exposure

Detects if .htaccess configuration is publicly readable

License.txt Exposure

Checks if license.txt confirms WordPress installation

wp-config-sample.php Exposure

Detects if the sample config file is publicly accessible

CMS Fingerprint

Identifies WordPress deployment type: Classic, Bedrock, Headless, or Multisite

Infrastructure & Headers

12 checks

Security Headers

Validates CSP, X-Frame-Options, HSTS, and more

SSL/TLS Analysis

Validates certificate, protocol version, and expiry date

CSP Analysis

Deep analysis of Content Security Policy for unsafe directives

Robots.txt Analysis

Analyzes robots.txt for sensitive path disclosures

PHP Version

Detects exposed PHP version via server headers

Cookie Security

Checks Secure, HttpOnly, and SameSite cookie flags

WAF Detection

Identifies Web Application Firewall protection

Security.txt

Checks for RFC 9116 security.txt for responsible disclosure

Email Exposure

Detects public email addresses and mailto links in page source

PCI-DSS Compliance

Verifies HTTPS, TLS 1.2+, payment tokenization, secure cookies, and CSP on checkout pages

Mixed Content

Detects HTTP resources loaded on HTTPS pages that break security

Cookie Consent & GDPR

Checks for tracking cookies set without consent and missing cookie banners

DNS & Domain

2 checks

DNS & Domain Security

SPF, DKIM, DMARC, DNSSEC, and domain expiry

Theme Detection

Active theme, version, and child theme usage

Reputation & Blocklists

1 check

Blocklist & Malware

Google Safe Browsing and DNS-based blocklist checks

More Than a Scanner

Audit once, or watch every site continuously

Scheduled monitoring, score-drop alerts, client-ready PDF reports, a REST API, and team access — the parts a one-off scan can't give you.

Real-Time Streaming

Live results as each scanner completes via SSE-powered progress updates.

Uptime Monitoring

24/7 site monitoring with response time tracking and instant downtime alerts.

Bulk Scanning

Scan up to 20 sites at once. Perfect for agencies managing multiple sites.

PDF & JSON Reports

Professional security reports in PDF or JSON format with scores and recommendations for clients.

Side-by-Side Compare

Compare two sites head-to-head with score diffs and unique issues.

Scan History

Track security changes over time with per-domain score trend charts.

REST API

Integrate scans into your workflow. Create and manage API keys with tracking.

Share & Email

Share results via unique links or email reports to clients and teams.

Vulnerability DB

Cross-references plugins against known CVE databases for real-time alerts.

One-Click Fix Guides

Copy-paste code snippets for Nginx, Apache, .htaccess, and wp-config.php. Not vague advice — real fixes.

Plugin Risk Score

Rates each plugin by popularity, freshness, CVEs, rating, and compatibility — one composite risk metric.

Security Changelog

Timeline showing exactly what changed between scans — new issues, resolved findings, plugin updates.

PCI-DSS Compliance

Automatic ecommerce detection with 8 PCI-DSS checks — HTTPS, TLS, tokenization, CSP, and more.

Agency Workspace

Team collaboration with roles, shared scans, and a multi-site portfolio dashboard for agencies.

Scheduled Scans

Automated daily, weekly, or monthly rescans with email alerts when security scores drop.

Your Security Hub

A Personal Dashboard for Every User

Create a free account and get your own security dashboard. Track scans, monitor sites, and unlock more features as you grow.

Simple flat pricing · Cancel anytime · No fees per site

Free
$0
  • 5 scans per day
  • All 36 security checks
  • 3 monitored sites
  • 7-day scan history
Get Started Free
Pro
$9/mo
  • Everything in Free, plus:
  • 50 scans per day
  • 25 monitored sites
  • 90-day scan history
  • Bulk scanning (up to 5 sites)
  • 5 scheduled scans
  • Security monitoring (defacement, blocklist, SSL change)
  • Site comparison
  • PDF & JSON export
  • Shareable report links
  • 10 email reports/day
  • API access (100 calls/day)
Upgrade to Pro
Enterprise
$24/mo
  • Everything in Pro, plus:
  • Unlimited scans per day
  • Unlimited monitored sites
  • Unlimited scan history
  • Bulk scanning (up to 20 sites)
  • Unlimited scheduled scans
  • Unlimited email reports
  • API access (1,000 calls/day)
  • 10 team members
  • Portfolio dashboard
Upgrade to Enterprise
Agency
$49/mo
  • Everything in Enterprise, plus:
  • Bulk scanning (up to 50 sites)
  • API access (5,000 calls/day)
  • 25 team members
  • White-label client reports
Upgrade to Agency

Every plan includes comprehensive security analysis with detailed findings, severity ratings, and actionable remediation steps.

Comparison

See How We Stack Up

FeatureWPSentryWPScan
No installation required
Real-time streaming results
36 security scanners
Bulk scanning (20 sites)
Side-by-side comparison
Uptime monitoring & alerts
DNS & email auth checks
CSP analysis
Blocklist & malware checks
WP core CVE matching
PDF & JSON reports
Email reports
REST API access
Scan history & trends
Plugin vulnerability check
SSL/TLS analysis
WAF detection
Cookie security audit
Plugin risk scoring
Security score changelog
PCI-DSS compliance checks
Agency team workspace
White-label client reports
Scheduled recurring scans
Free tier available
Mixed content detection
GDPR / cookie consent audit
CMS deployment fingerprinting
Abandoned plugin detection

Sucuri and Wordfence also offer active protection features (WAF, brute force blocking, malware cleanup) that require server side plugin installation. WPSentry focuses on external security auditing, with no installation needed.

Testimonials

Trusted by Security Teams Worldwide

Join thousands of developers and security professionals who rely on our scanner to keep their WordPress sites safe.

M
Marcus Reid
CTO

We switched from manual audits to automated scans. Catches misconfigurations we'd miss every time.

Founder note

Why I built WPSentry

M

Every WordPress security tool I tried started the same way. Install our plugin, on the very site I was trying to protect. More code, more attack surface, one more thing that could break.

And even then, they buried the one thing I actually wanted to know. How safe is this site, really? Instead I got alarmist scores and upgrade popups.

I wanted an honest answer from the outside, the way an attacker sees a site. A real score, findings in plain words, and the exact fix. Nothing to install. No fear selling. That is WPSentry.

Martin

Founder, WPSentry

Grade your WordPress site now

Free to start, no credit card. Run your first external audit in seconds and see exactly where your site stands — and what to fix first.

View Plans