Vulnerability Assessment

Detects PHP 7.4 and earlier, plus any current version with a known CVE — your top patching priority.

Compares your core version against published security releases. Flags anything that no longer receives fixes.

Finds outdated jQuery shipped by your theme — the source of many DOM-XSS issues.

Detects database versions (MySQL ≤ 5.7, MariaDB ≤ 10.3) that no longer receive security patches.

Confirms that database credentials are not world-readable on the server.

Detects .htaccess files that an attacker could rewrite to redirect or backdoor the site.

Flags tables named backup, tmp, old — common signs of a forgotten or malicious dump.

Warns if an account with username “admin” still exists — half the brute-force battle won.

Highlights when more than five users hold full admin rights — a sign of privilege sprawl.

Tests whether ?author=1 or the REST API will hand over your usernames to anyone.

Confirms debug output is off in production — error messages are gold for attackers.

Disables editing PHP files from inside the dashboard, where one stolen cookie = full code execution.

Detects the default “wp_” prefix, which makes generic SQL-injection payloads effective.

Verifies that all 8 secrets in wp-config.php are present and sufficiently random.

Confirms admin sessions are always served over HTTPS — never plain HTTP.

Detects XML-RPC, the legacy interface that today is mostly used for amplified brute-force.

Deactivated code is still on disk — and still exploitable. We flag them for deletion.

Lists every plugin behind its latest release, with link to the changelog.

Same idea for themes — including the parent theme behind your child theme.

Warns when more than three unused themes are installed — every one of them is attack surface.