Vulnerability Assessment
Published: 2025.09.01
Updated: 2026.03.20
As of v1.5.29
Vulnerability Assessment checks a WordPress site's configuration and installed versions against known security risks and summarizes the result as a single security score.
Why Vulnerability Assessment Matters
WordPress sites consist of three layers: core, plugins, and themes. New vulnerabilities are disclosed across all three continually, and the fix is almost always shipped as a version update, so an outdated component is an exposed one.
- 30–50 WordPress core vulnerabilities are reported per year
- Dozens of popular plugin vulnerabilities are discovered monthly
- Sites running outdated versions are targets of automated attacks
Vulnerability Assessment provides a unified view of missed major updates, dangerous settings, and unnecessary files.
Diagnostic Categories (7 Categories, 20 Items)
1. WordPress Core (3 items)
| Check Item | CWE Reference | Description |
|---|---|---|
| Core Version | CWE-1104 | Version comparison with latest release |
| Database Table Prefix | CWE-200 | Use of default wp_ prefix |
| Debug Mode | CWE-209 | WP_DEBUG enabled state |
2. Authentication & Login (4 items)
| Check Item | CWE Reference | Description |
|---|---|---|
| Default Admin Username | CWE-798 | Existence of an "admin" account |
| Weak Password Policy | CWE-521 | Password strength settings |
| User Enumeration | CWE-200 | Whether author accounts can be enumerated (for example via ?author=N redirects or the REST API users endpoint) |
| Login Attempt Limiting | CWE-307 | Whether brute-force protection (rate limiting of failed logins) is enabled |
3. File System (3 items)
| Check Item | CWE Reference | Description |
|---|---|---|
| File Permissions | CWE-732 | Permissions on wp-config.php and other files |
| Directory Listing | CWE-548 | Whether directory listing is enabled |
| Unnecessary Files | CWE-538 | Presence of readme.html, license.txt, etc. |
4. Database (2 items)
| Check Item | CWE Reference | Description |
|---|---|---|
| Database Connection Encryption | CWE-319 | MySQL SSL/TLS connection settings |
| Database User Privileges | CWE-250 | Excessive privilege assignment |
5. Communication Security (3 items)
| Check Item | CWE Reference | Description |
|---|---|---|
| SSL/TLS Certificate | CWE-295 | Certificate validity and expiration |
| HTTPS Enforcement | CWE-319 | Whether plain-HTTP access is still accepted instead of being redirected to HTTPS |
| Mixed Content | CWE-319 | HTTP resources within HTTPS pages |
6. Plugins & Themes (3 items)
| Check Item | CWE Reference | Description |
|---|---|---|
| Plugin Versions | CWE-1104 | Versions with known vulnerabilities |
| Theme Versions | CWE-1104 | Theme update status |
| Inactive Plugins | CWE-1104 | Plugins that are deactivated but still installed (their files remain on disk and still need updating) |
7. PHP Environment (2 items)
| Check Item | CWE Reference | Description |
|---|---|---|
| PHP Version | CWE-1104 | Use of end-of-life PHP versions |
| Dangerous PHP Functions | CWE-78 | Whether exec, system, shell_exec, passthru and similar functions are callable (not listed in disable_functions) |
Score Calculation
Scores are calculated by deducting from a perfect 100 points. Each item is weighted according to its risk level.
| Risk Level | Deduction | Color |
|---|---|---|
| Critical | -15 to -20 points | 🔴 Red |
| High | -8 to -12 points | 🟠 Orange |
| Medium | -4 to -6 points | 🟡 Yellow |
| Low | -1 to -3 points | 🟢 Green |
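The following is an added example, not SentinelSecurity's own code, showing how a handful of the configuration checks from the tables above (debug mode, table prefix, database user, database TLS, HTTPS enforcement for the admin area) can be run against a wp-config.php and then scored with the deduction model just described. The item names and CWE numbers follow the tables; the exact per-level weights, the two sample config files, and the helper names are assumptions chosen for illustration.

```python
# Added example (not SentinelSecurity code): a minimal static checker for
# wp-config.php that emits findings in the style of the categories above and
# scores them with the deduction model from the Score Calculation table.
# Weights, item names, helper names and both sample configs are assumptions.
import re
from dataclasses import dataclass

# Constructed sample: a careless development config (not from any real site).
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'secret' );
define( 'DB_HOST', 'db.internal:3306' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
define( 'FORCE_SSL_ADMIN', false );
"""

# Constructed sample: the same file after remediation.
HARDENED_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_app' );
define( 'DB_PASSWORD', 'long-random-secret' );
define( 'DB_HOST', 'db.internal:3306' );
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL );
$table_prefix = 'k9x_';
define( 'WP_DEBUG', false );
define( 'FORCE_SSL_ADMIN', true );
"""

# Assumed per-level deductions, chosen inside the ranges of the score table.
DEDUCTION = {"critical": 20, "high": 10, "medium": 5, "low": 2}
RISK_ORDER = ["critical", "high", "medium", "low"]


@dataclass
class Finding:
    item: str
    cwe: str
    risk: str
    detail: str


DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_defines(src: str) -> dict:
    """Map constant name -> raw PHP literal for every define() in the file."""
    return {m.group(1): m.group(2).strip() for m in DEFINE_RE.finditer(src)}


def php_truthy(literal: str) -> bool:
    """PHP truthiness of the literals seen in wp-config.php.
    Trap: define('WP_DEBUG', 'false') is a non-empty string, which PHP treats as TRUE."""
    lit = literal.strip().lower()
    return lit not in ("false", "0", "''", '""', "null")


def check_config(src: str) -> list:
    d = parse_defines(src)
    findings = []
    if php_truthy(d.get("WP_DEBUG", "false")):
        # WP_DEBUG_DISPLAY defaults to true, so errors reach visitors unless it is
        # explicitly turned off; that is the CWE-209 case that earns the top weight.
        shown = php_truthy(d.get("WP_DEBUG_DISPLAY", "true"))
        findings.append(Finding("Debug Mode", "CWE-209", "critical" if shown else "high",
                                "WP_DEBUG is on" + (" and errors are rendered to visitors" if shown else " (logging only)")))
    m = PREFIX_RE.search(src)
    if m and m.group(1) == "wp_":
        findings.append(Finding("Database Table Prefix", "CWE-200", "medium",
                                "default wp_ prefix makes table names guessable"))
    if d.get("DB_USER", "").strip("'\"") == "root":
        findings.append(Finding("Database User Privileges", "CWE-250", "high",
                                "WordPress connects as the MySQL root account"))
    host = d.get("DB_HOST", "'localhost'").strip("'\"")
    # A localhost connection normally uses the Unix socket; TLS only matters over TCP.
    if host.split(":")[0] != "localhost" and "MYSQL_CLIENT_FLAGS" not in d:
        findings.append(Finding("Database Connection Encryption", "CWE-319", "medium",
                                "remote DB_HOST without MYSQL_CLIENT_FLAGS = MYSQLI_CLIENT_SSL"))
    if not php_truthy(d.get("FORCE_SSL_ADMIN", "false")):
        findings.append(Finding("HTTPS Enforcement", "CWE-319", "high",
                                "FORCE_SSL_ADMIN is not set, so wp-login.php and wp-admin accept plain HTTP"))
    return findings


def score(findings: list) -> int:
    """Deduct from 100 per finding by risk level; never go below 0."""
    return max(0, 100 - sum(DEDUCTION[f.risk] for f in findings))


def remediation_order(findings: list) -> list:
    """Item names sorted critical -> low, i.e. the order to fix them in."""
    return [f.item for f in sorted(findings, key=lambda f: RISK_ORDER.index(f.risk))]


if __name__ == "__main__":
    found = check_config(SAMPLE_WP_CONFIG)
    for f in found:
        print(f"[{f.risk:8}] {f.item} ({f.cwe}): {f.detail}")
    print("score:", score(found), "fix order:", remediation_order(found))
    print("hardened score:", score(check_config(HARDENED_WP_CONFIG)))
```

Two details are worth noting when writing checks like this. First, PHP truthiness: a config that sets `WP_DEBUG` to the string `'false'` still has debugging on, which is why the checker evaluates the literal rather than looking for the word "false". Second, a database TLS finding only makes sense when the connection actually crosses the network; a `localhost` host usually means a Unix socket, so the check skips it rather than producing a noisy false positive.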
Running the Assessment
- Navigate to SentinelSecurity → Vulnerability Assessment
- Click the Run Assessment button
- Results for each category are displayed in accordion format
Each check item displays:
- Status Icon: ✅ Safe / ⚠️ Warning / ❌ Critical
- Summary: Description of the detected state
- Impact: Potential damage if this risk is exploited
- Remediation: Specific steps to fix the issue
Priority-Based Remediation
You do not need to fix everything at once. Address issues in the following priority order:
- 🔴 Critical: Fix immediately (core updates, disable debug mode)
- 🟠 High: Within one week (plugin updates, password changes)
- 🟡 Medium: Within one month (change table prefix, remove unnecessary files)
- 🟢 Low: At next scheduled maintenance
Regular Assessment Recommendations
We recommend re-running the assessment at the following times:
- After WordPress core updates
- After adding or updating plugins and themes
- After server environment changes
- Monthly routine checks