WordPress security guides

Security Guides

Understand what your scan found

Every finding explained in plain English — what it is, why it matters, and exactly how to fix it. No security degree required.

Fix guides

PHP Version Exposed

HIGH

Your server is broadcasting which version of PHP it runs. Learn how to hide it in a few steps.

Server Version in HTTP Headers

INFO

Your web server is announcing its software and version number. Learn how to suppress it.

WordPress Version in Page Source

MEDIUM

Your WordPress version is visible in every page's HTML. Learn how to remove it with one line of code.

Sensitive Files Publicly Accessible

HIGH

WordPress ships with files that reveal your site version. Learn how to block public access in minutes.

XML-RPC Enabled

HIGH

XML-RPC lets attackers run thousands of login attempts at once. Learn how to disable it in two steps.

Login Page Exposed

INFO

Your WordPress login page is publicly accessible. Learn how to protect it from brute-force attacks.

User Enumeration

MEDIUM

WordPress is exposing your admin usernames via its REST API. Block it with one code snippet.

Directory Listing Enabled

HIGH

Anyone can browse your WordPress uploads folder. One line in .htaccess closes this immediately.

Missing HTTP Security Headers

MEDIUM

Your server isn't sending the HTTP headers that tell browsers how to protect your visitors. Learn which headers to add and how.

HTTP to HTTPS Redirect Missing

HIGH

Visitors who type your address without 'https://' load the site over plain HTTP. Learn how to force every visitor onto the encrypted version.

Cookies Missing Security Flags

MEDIUM

Cookies without Secure, HttpOnly, or SameSite flags can be stolen over plain HTTP, read by JavaScript, or used in CSRF attacks. Learn how to set them correctly.

Vulnerable Plugins Detected

CRITICAL

One or more WordPress plugins have known security vulnerabilities. Learn how to find and update them.

WordPress Security Checklist

A complete checklist of all 11 security checks — with links to each fix guide. Work through it to see where your site stands.

Diagnosis & help

Is My WordPress Site Hacked?

Diagnosis

How to tell if your WordPress site has been hacked — the warning signs, what to check, and exactly what to do next. No technical knowledge required.

My WordPress Site Was Flagged by Google — What Now?

Diagnosis

Your WordPress site is showing a Google malware warning or security flag. Here's what it means, how to check if it's real, and exactly how to get it removed.

How Often Should You Scan Your WordPress Site?

Diagnosis

The honest answer to how often you should run a WordPress security scan — and why the timing matters more than most site owners realise.

WordPress Security Myths: What Actually Matters

Diagnosis

The most common WordPress security myths, debunked. What actually protects your site — and what's just noise that gives you false confidence.

Why Does My WordPress Site Keep Getting Hacked?

Diagnosis

Cleaned up your WordPress site and got hit again? You missed something. The five places backdoors hide, the forensic checklist, and when to rebuild.

How to Harden WordPress: The Complete Checklist

Diagnosis

An end-to-end checklist for hardening WordPress — what an automated scan catches, what it misses, what your host needs to handle. Built for site owners.

How to Detect a WordPress Backdoor

Diagnosis

Find WordPress backdoors yourself — what they look like, where they hide, and the file + database checks that uncover them, with honest time estimates.

How to Find WordPress Malware After You've Cleaned It Up

Diagnosis

Cleaned up a hacked WordPress site but worried something survived? The verification checklist — what to check, where sleepers hide, when to call it clean.

How to Detect WordPress Database Malware

Diagnosis

File scanners miss WordPress database malware. The SQL queries that find malicious entries in wp_options, wp_postmeta, wp_posts and wp_users — safely.
