What this scan does
We fetch the URL you provide and inspect signals visible
from the public internet — response headers, the homepage
HTML, cookie attributes, whether XML-RPC and the REST API
are reachable. The grade summarises 16 checks across four
categories.
The checks mirror the posture checklist the installed
plugin uses. You get the public half here; installing the
plugin adds the rest (brute-force defence, two-factor
enrolment, integrity verification, scheduled scans).
What it doesn't do
This scan does not log into the site, does not crawl pages
beyond the homepage and two well-known WordPress probes,
and does not change anything. It is read-only by design.
It is not a malware scan. If you suspect the site is
already compromised, install the plugin — it inspects file
contents, restores tampered core, plugin, and theme files
to canonical upstream content, and removes injections
without touching legitimate functionality.
Your privacy
We don't retain the URL you submit beyond what is needed
to return the grade. We don't sell or share user data.
Logs record an anonymised peer IP and the target host for
abuse review only. Read the privacy policy for full
details.