The WordPress Security Scanner checks any WordPress website for common security issues and gives you a clear report of what it finds.

What this tool checks
The scanner looks at several areas of your WordPress website:
- Exposed login page — Whether your WordPress login page is accessible at the standard address, which makes it easier for automated attacks to find.
- XML-RPC — Whether the XML-RPC file is accessible. This is an older feature that is commonly exploited by attackers to attempt brute-force logins.
- Directory listing — Whether your server reveals the contents of folders when someone visits them directly. This can expose file names and structure to anyone.
- Security headers — Whether your website sends the recommended security headers that protect visitors from common web attacks.
- WordPress version — Whether your WordPress version number is visible in your page source. Revealing this information helps attackers know which vulnerabilities to try.
- User enumeration — Whether it is possible to discover WordPress usernames through the author archive pages.
How to use it
- Go to web60.ie/tools/security-scanner.
- Enter the address of any WordPress website.
- Click Scan Site.
- Wait for the scan to complete. This usually takes 10 to 30 seconds.
- Review the results. Each check is shown with a pass or fail status.
Understanding the results
Each finding is displayed as a card showing what was checked and whether it passed or needs attention.
- Green (pass) — This area looks good. No action needed.
- Red (fail) — Something was found that could be improved.
Common findings and what they mean
| Finding | What it means | What to do |
|---|---|---|
| Login page exposed | Your wp-login.php page is at the default URL | Consider renaming your login URL or adding extra protection |
| XML-RPC enabled | The XML-RPC file is publicly accessible | Block access to xmlrpc.php if you do not need it |
| Directory listing enabled | Folder contents are visible to visitors | Disable directory listing in your server configuration |
| Missing security headers | Your site does not send recommended security headers | Add security headers via your server configuration or a plugin |
| WordPress version visible | Your version number is shown in the page source | Remove the version number using a plugin or a small code change |
| User enumeration possible | WordPress usernames can be discovered | Block author archive scanning in your server configuration |
How Web60 handles security
Web60 sites have all of these protections enabled automatically. XML-RPC is blocked, security headers are configured, directory listing is disabled, and the WordPress version is hidden — all without you needing to do anything.
If you would like to fix these issues on a self-hosted WordPress site, our .htaccess generator can create the rules for you automatically.
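
The server-configuration fixes from the findings table, written out as an `.htaccess` file for a self-hosted site. This is an added example, not output from the Web60 generator; it assumes Apache 2.4 with mod_headers and mod_rewrite loaded and `AllowOverride` permitting these directives, and the particular headers and values are an assumption because the page does not name them.

```apache
# Added example (not generated by Web60). Place these rules ABOVE the
# "# BEGIN WordPress" block so they are evaluated before WordPress's own rewrites.

# Directory listing: do not auto-generate an index for folders
# that have no index file.
Options -Indexes

# XML-RPC: refuse every request to xmlrpc.php.
# Leave this out if a plugin or app on your site still depends on XML-RPC.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Security headers (assumed baseline set; adjust to your site).
<IfModule mod_headers.c>
    # Stop browsers guessing content types.
    Header always set X-Content-Type-Options "nosniff"
    # Only allow the site to be framed by itself.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Limit how much of the URL is sent to other sites.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Enable only once every page is served over HTTPS:
    # Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>

# User enumeration: reject front-end requests such as /?author=1, which
# WordPress would otherwise redirect to /author/<username>/.
# Requests under wp-admin are excluded because the post list uses the
# same query parameter to filter by author.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !/wp-admin/ [NC]
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ - [F,L]
</IfModule>

# Not handled here: the version number in the page source and the login
# URL. Per the table above, those need a plugin or a code change.
```

After saving, re-run the scan and confirm that the XML-RPC, directory listing, security headers and user enumeration checks now pass, and that logging in and editing posts still work.
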
Need help?
If your scan results are concerning or you are not sure what to do next, visit our support page.
Frequently asked questions
Does the scanner access anything private on my website?
No. The scanner only checks publicly visible information — the same things any visitor or search engine can see. It never logs in, uploads files, or modifies anything.
The scanner found issues. Is my website in danger?
Not necessarily. The scanner flags things that could be improved, but many sites operate safely with some of these findings. Think of them as recommendations rather than emergencies. If you are concerned, contact your hosting provider.
Can I scan a website I do not own?
Yes. The scanner only looks at publicly available information, so scanning any website is similar to visiting it in your browser.
Last updated: 25 March 2026
