Free WordPress Security Scanner
Check your WordPress site for common security issues — read-only, no login required.
This scanner performs read-only checks on publicly accessible data only. Do not scan sites you do not own.
WordPress Security: What You Need to Know
WordPress powers over 40% of all websites, which makes it a prime target for automated attacks. Most WordPress security issues stem from a handful of common misconfigurations that are easy to fix once you know what to look for. Our scanner checks the eight most critical ones.
Understanding Each Security Check
SSL Certificate
Encrypts all traffic between visitors and your site. Without SSL, login credentials and form data are transmitted in plain text. Google Chrome displays a “Not Secure” warning for sites without SSL.
HTTPS Enforcement
Having SSL installed is not enough — your site must redirect all HTTP requests to HTTPS. Without this, visitors can still access the insecure version, and search engines may index both versions as duplicate content.
Login Page Protection
The default WordPress login URL (/wp-login.php) is targeted by brute-force bots within minutes of a new site going live. Renaming or restricting access to the login page dramatically reduces automated attacks.
XML-RPC
XML-RPC is a legacy remote access protocol. While it enables some mobile apps and integrations, it is frequently exploited for brute-force amplification attacks and DDoS. Most modern WordPress setups should disable it entirely.
Version Exposure
WordPress adds a generator meta tag revealing its exact version. Attackers use this to target known vulnerabilities for that specific version. Removing this tag is a simple hardening step that denies attackers easy reconnaissance.
Security Headers
HTTP security headers (X-Frame-Options, X-Content-Type-Options, Content-Security-Policy) instruct browsers to enforce security policies. They protect against clickjacking, MIME-type sniffing, and cross-site scripting (XSS) attacks.
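As an added example (not part of this page or the scanner's own code), the following shows how the HTTPS-enforcement, version-exposure and security-header checks described above can be evaluated against a captured response; the sample status, headers and HTML are constructed, and the generator-tag pattern assumes WordPress's usual name-then-content attribute order.

```python
"""Read-only evaluation of captured HTTP responses against the HTTPS-redirect,
version-exposure and security-header checks explained above. Added example,
not the scanner's own code; all sample responses below are constructed."""
import re
from typing import Dict, List, Optional

# Headers the page lists; compared case-insensitively (HTTP header names are).
REQUIRED_HEADERS = ("x-frame-options", "x-content-type-options", "content-security-policy")

# The generator tag WordPress emits, e.g. <meta name="generator" content="WordPress 6.x" />
# (assumes name= precedes content=, which is how WordPress writes it).
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress[^"\']*["\']', re.I)


def https_enforced(http_status: int, location: Optional[str]) -> bool:
    """A plain-HTTP request must be redirected to an https:// URL."""
    if http_status not in (301, 302, 307, 308) or not location:
        return False
    return location.lower().startswith("https://")


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Names of the listed security headers absent from the response."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


def version_exposed(html: str) -> bool:
    """True if the generator meta tag reveals the WordPress version."""
    return GENERATOR_RE.search(html) is not None


def evaluate(http_status: int, location: Optional[str],
             headers: Dict[str, str], html: str) -> Dict[str, object]:
    """Combine the checks into one findings dict; True / non-empty means an issue."""
    return {
        "https_not_enforced": not https_enforced(http_status, location),
        "missing_headers": missing_security_headers(headers),
        "version_exposed": version_exposed(html),
    }


# Constructed sample: redirects to HTTPS, sets two of three headers, leaks version.
SAMPLE_STATUS, SAMPLE_LOCATION = 301, "https://example.com/"
SAMPLE_HEADERS = {"Server": "nginx", "X-Frame-Options": "SAMEORIGIN",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 6.0" /></head></html>'

if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_STATUS, SAMPLE_LOCATION, SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{name}: {result}")
```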
How to Fix Common WordPress Security Issues
Most WordPress security hardening can be done through your .htaccess file or a security plugin. For Web60-hosted WordPress sites, all eight checks are handled automatically — login URLs are protected, XML-RPC is blocked, security headers are set, and SSL is auto-renewed.
If you are self-hosting, start with the critical issues (red severity) first: SSL, HTTPS enforcement, and login protection. These three alone block the vast majority of automated attacks.