WordPress Security Checker
Check any WordPress site for common security issues: exposed files, outdated version signals, login page exposure, XML-RPC, and user enumeration.
How to Use WordPress Security Checker
1. Enter your WordPress site URL.
2. The scanner requests a fixed set of public WordPress paths and inspects the responses for common security misconfigurations and exposed endpoints.
3. Review each finding with its severity level and recommended fix.
4. Apply the recommended hardening steps to reduce your attack surface.
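The checks the tool describes (version signal, exposed readme.html and license.txt, wp-config backups, XML-RPC, REST user enumeration, login page, HTTPS and security headers) are all plain unauthenticated GET requests whose responses are matched against known WordPress defaults. The following Python is an added illustration of that logic, not the tool's own code. The fetch function is injected and the "sites" are constructed in-memory responses, so it runs offline; the response signatures (the generator meta tag, the `XML-RPC server accepts POST requests only.` body, the `slug` field in the users endpoint) are real WordPress defaults, while the severity labels and the backup filename list are assumptions chosen for the example.

```python
"""Offline model of an unauthenticated WordPress misconfiguration scan.
Added example: fetch is injected so the logic runs against constructed responses."""
import json
import re
from typing import Callable, NamedTuple
from urllib.parse import urljoin


class Response(NamedTuple):
    status: int
    headers: dict   # header names lowercased
    body: str


Fetcher = Callable[[str], Response]

# Emitted in <head> by WordPress unless wp_generator is removed from wp_head.
GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([\d.]+)"', re.I)
# Assumed header set for the example; a real checker may grade more of them.
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")
# Assumed backup names; editors and admins leave these behind routinely.
CONFIG_BACKUPS = ("wp-config.php.bak", "wp-config.php~", "wp-config.php.old", "wp-config.php.save")


def scan(base_url: str, fetch: Fetcher) -> list[dict]:
    base_url = base_url.rstrip("/") + "/"      # urljoin needs the trailing slash
    findings: list[dict] = []

    def add(check: str, severity: str, detail: str) -> None:
        findings.append({"check": check, "severity": severity, "detail": detail})

    home = fetch(base_url)
    if not base_url.startswith("https://"):
        add("https", "high", "site served over plain HTTP")
    if (m := GENERATOR_RE.search(home.body)):
        add("version", "low", f"generator meta tag exposes WordPress {m.group(1)}")
    if (missing := [h for h in SECURITY_HEADERS if h not in home.headers]):
        add("headers", "low", "missing security headers: " + ", ".join(missing))

    for path in ("readme.html", "license.txt"):
        if fetch(urljoin(base_url, path)).status == 200:
            add("exposed-file", "low", f"/{path} is publicly readable")

    for path in CONFIG_BACKUPS:
        r = fetch(urljoin(base_url, path))
        # A leaked backup is served as text, so the DB_ constants are visible.
        if r.status == 200 and "DB_PASSWORD" in r.body:
            add("wp-config-backup", "critical", f"/{path} leaks database credentials")

    # GET on an enabled xmlrpc.php answers 405 with a fixed body; no login is attempted.
    r = fetch(urljoin(base_url, "xmlrpc.php"))
    if r.status == 405 or "XML-RPC server accepts POST requests only" in r.body:
        add("xmlrpc", "medium", "xmlrpc.php is enabled")

    r = fetch(urljoin(base_url, "wp-json/wp/v2/users"))
    if r.status == 200:
        try:
            users = [u["slug"] for u in json.loads(r.body) if isinstance(u, dict) and "slug" in u]
        except ValueError:
            users = []
        if users:
            add("user-enum", "medium", "REST API lists users: " + ", ".join(users))

    if fetch(urljoin(base_url, "wp-login.php")).status == 200:
        add("login-exposed", "info", "wp-login.php reachable without IP restriction")
    return findings


# Constructed responses for a deliberately misconfigured site (not a real host).
WEAK_BASE = "http://blog.example/"
WEAK_SITE = {
    WEAK_BASE: Response(200, {"content-type": "text/html"},
                        '<html><head><meta name="generator" content="WordPress 6.4.2" /></head></html>'),
    WEAK_BASE + "readme.html": Response(200, {}, "<h1>WordPress</h1>"),
    WEAK_BASE + "wp-config.php.bak": Response(200, {}, "<?php define('DB_PASSWORD', 'hunter2');"),
    WEAK_BASE + "xmlrpc.php": Response(405, {}, "XML-RPC server accepts POST requests only."),
    WEAK_BASE + "wp-json/wp/v2/users": Response(200, {}, json.dumps([{"id": 1, "slug": "admin"},
                                                                      {"id": 2, "slug": "editor"}])),
    WEAK_BASE + "wp-login.php": Response(200, {}, '<form id="loginform">'),
}

# Constructed responses for the same site after hardening.
HARD_BASE = "https://blog.example/"
HARD_SITE = {
    HARD_BASE: Response(200, {h: "set" for h in SECURITY_HEADERS}, "<html><head></head></html>"),
    HARD_BASE + "xmlrpc.php": Response(403, {}, "Forbidden"),
    HARD_BASE + "wp-json/wp/v2/users": Response(401, {}, '{"code":"rest_user_cannot_view"}'),
    HARD_BASE + "wp-login.php": Response(403, {}, "Forbidden"),
}


def make_fetch(site: dict) -> Fetcher:
    return lambda url: site.get(url, Response(404, {}, "Not Found"))


def scan_weak_site() -> list[dict]:
    return scan(WEAK_BASE, make_fetch(WEAK_SITE))


def scan_hardened_site() -> list[dict]:
    return scan(HARD_BASE, make_fetch(HARD_SITE))


if __name__ == "__main__":
    for f in scan_weak_site():
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
    print("hardened site findings:", scan_hardened_site())
```

Swapping `make_fetch` for a function built on `urllib.request` turns this into a live scanner; every request it would make is a GET to a well-known path, which is what "the same requests any browser would make" means in practice.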
Frequently Asked Questions
What does this WordPress security checker test?
It checks for 12 common WordPress security issues, including: exposed version information, accessible readme.html and license.txt, an enabled XML-RPC endpoint, login page protection, REST API user enumeration, wp-cron exposure, install script access, wp-config backups left in the web root, HTTPS, and missing security headers.
Is it safe to scan my own WordPress site?
Yes. This tool only makes standard HTTP requests to publicly accessible pages, the same requests any web browser or search engine crawler would make. No authentication, brute force attempts, or exploit payloads are used. Scan only sites you own or are authorized to test.
Why is XML-RPC a security risk?
XML-RPC is a legacy remote procedure call API in WordPress (xmlrpc.php). Its system.multicall method lets a single HTTP request bundle many authenticated calls, so an attacker can try hundreds of passwords per request and sidestep rate limiting that counts requests to wp-login.php. Its pingback.ping method has also been abused to make WordPress sites send traffic to third-party targets in reflection DDoS attacks. Disable it unless a plugin or client you rely on needs it.
What is user enumeration and why is it a risk?
The WordPress REST API endpoint /wp-json/wp/v2/users publicly lists the user slug (normally the login name) and display name of every user who has published content. Attackers can collect valid usernames, including administrators who have posted, and use them in targeted brute force or credential stuffing attacks. Blocking this endpoint removes one enumeration vector; note that /?author=1 redirects to the author archive URL and leaks the same username, so block that as well.
How do I hide my WordPress version?
Add `remove_action("wp_head", "wp_generator");` to your theme's functions.php (or a mu-plugin, so it survives theme changes). Also delete readme.html and license.txt from your WordPress root directory, or deny them at the web server, since core updates restore both files. Hiding the version only makes fingerprinting harder; keeping core, plugins, and themes updated is what actually closes known vulnerabilities. Use a security plugin like Wordfence, iThemes Security, or Solid Security for automated hardening.
Why is my login page flagged as an issue?
The wp-login.php page needs to exist for admin access but is a common target for brute force attacks. The recommendation is to add rate limiting (most security plugins do this), enable two-factor authentication, and where practical restrict wp-login.php and wp-admin to an IP allowlist.
Does this tool check for vulnerable plugins or themes?
No. Unauthenticated fingerprinting of plugin and theme versions is incomplete, and a reliable inventory requires authenticated access to your WordPress admin dashboard or WP-CLI. Use WPScan, Patchstack, or Wordfence for plugin vulnerability scanning. This tool focuses on publicly visible security misconfigurations.