AuditCore
WordPress · 11 WP-specific tests · 43% of the web

Security audit for WordPress sites

WordPress runs 43% of the web — and is the #1 target. Generic security scanners miss the WordPress-specific issues that actually get exploited. AuditCore pairs 11 WP-specific tests with 47 generic security scanners, full SEO and AI-readiness — all in one report.

Built for WordPress's actual threat model

Generic web vulnerability scanners are blind to most real WordPress attacks. They look for SQL injection in URL parameters and miss the things that actually get production WP sites compromised: exposed wp-config.php backups, user enumeration via the REST API, brute-force amplification through XML-RPC, and outdated plugin versions revealed via asset URL ?ver= parameters.

AuditCore's app-type detector recognizes WordPress on the first crawl pass and switches on a dedicated 11-test WordPress suite. Combined with our regular 47 web scanners, you get coverage for both the generic OWASP Top 10 attacks and the specific patterns that target WP — fingerprinting, plugin enumeration, theme version disclosure, debug log exposure.

And unlike WPScan or other WP-only tools, the report goes well beyond security. SEO audit covers the typical WordPress SEO gaps (slow TTFB, render-blocking plugin assets, duplicate canonical tags from misconfigured Yoast/RankMath). AI-readiness audit checks if your WP site is visible to ChatGPT, Claude and Perplexity — most WordPress sites still aren't.

The problems we see

From hundreds of audits — the pain points that come up over and over.

wp-config.php backups exposed at /wp-config.php.bak

Common after migration or restore. Attackers automate fetching these backup suffixes (.bak/.old/.swp/.save/~) — a single hit leaks the DB password and AUTH keys. Generic scanners don't probe these paths.

User enumeration via /wp-json/wp/v2/users

REST API exposes usernames by default. Combined with default /wp-login.php, this gives attackers half of every credential — they only need passwords.

XML-RPC enabled — DDoS amplifier + brute-force speedup

system.multicall lets attackers test 1000 password combinations per request. Most sites don't need XML-RPC enabled in 2026 (Jetpack uses REST API now).

Outdated plugins detected via asset ?ver=

WordPress appends version strings to plugin/theme assets — easy to fingerprint. Older plugin versions map directly to public CVEs in WPScan's database.

Yoast / RankMath SEO duplicate canonical conflicts

Both plugins set canonical tags. If both are active or one is misconfigured, Google sees conflicting signals — your duplicate-content issues are self-inflicted.

Render-blocking plugin assets in <head>

A typical WordPress site loads 30+ render-blocking scripts/styles before first paint. Core Web Vitals tank, Google ranks you lower, and AI agents that don't run JS see less of your content.
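The defender-side counterpart to the XML-RPC, REST user enumeration and ?ver= findings above, written as an added example (not AuditCore's or WordPress core's code): a must-use plugin that closes those three exposures with standard WordPress filters. The file location and plugin name are assumptions; the filter and function names are real core hooks.

```php
<?php
/**
 * Plugin Name: Example WP Hardening (mu-plugin)
 * Added example: save as wp-content/mu-plugins/wp-hardening.php so it loads
 * before regular plugins. Hypothetical name; not AuditCore code.
 */

// 1. XML-RPC. Returning false here makes wp_xmlrpc_server::login() reject
//    every authenticated method, which is what password testing through
//    system.multicall relies on. (Jetpack uses the REST API now, so most
//    sites lose nothing.)
add_filter( 'xmlrpc_enabled', '__return_false' );

// Unauthenticated methods are not gated by that filter, so remove the two
// that matter explicitly: multicall (brute-force amplifier) and pingback.ping
// (the DDoS reflector). This keeps xmlrpc.php answering but harmless.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'], $methods['pingback.ping'] );
    return $methods;
} );

// 2. REST user enumeration. Hide /wp/v2/users (list and single user) from
//    anonymous callers only. Logged-in editors, Gutenberg and author pickers
//    still see the routes, so nothing in wp-admin breaks.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. Version disclosure. Strip ?ver= from every enqueued style/script and
//    drop the <meta name="generator"> tag. Priority PHP_INT_MAX so this runs
//    after plugins have appended their own version strings. Cache busting
//    then has to come from hashed filenames or a CDN purge instead.
$strip_ver = function ( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
};
add_filter( 'style_loader_src',  $strip_ver, PHP_INT_MAX );
add_filter( 'script_loader_src', $strip_ver, PHP_INT_MAX );
remove_action( 'wp_head', 'wp_generator' );
```

The exposed wp-config.php.bak case is a deployment and web-server issue rather than a PHP one: delete stray copies and deny requests for *.bak, *.old, *.swp, *.save and *~ at the nginx/Apache level, since PHP never runs for those files.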

How AuditCore helps

Every solution below maps to a specific scanner or feature in our pipeline.

11 WordPress-specific tests (WP scanner)

Version detection (4 vectors), user enumeration (3 vectors), XML-RPC, REST API access, wp-config backups, debug log exposure, directory listing, default admin paths, plugin/theme detection. See blog post for the full checklist.

Plugin version fingerprinting + CVE matching

We map detected plugin versions to known CVEs and rate severity. Outdated WooCommerce, Elementor, RankMath — all major sources of historical exploits.

47 generic security scanners on top

OWASP ZAP, Nuclei (8000+ templates incl. WP-specific), Nikto, sqlmap. Catches the non-WP-specific issues like SQLi in custom plugins, weak JWT handling in headless WP.

SEO Auditor — 60+ checks tailored for WP

Detects double-canonical conflicts, render-blocking plugin assets, slow TTFB from PHP plugin overhead, missing schema (since most WP sites still use plain HTML for product/article markup).

AI-Readiness for the WordPress era

Tests whether your WP site is visible to AI agents — most still serve via JS-heavy themes that AI bots can't read. Critical for content-driven WP sites that depend on discovery.

Free Trial covers the homepage

Run the full audit on a single page (your homepage) for free. Then decide if you need Starter ($29 / 25 pages), Growth ($99 / 100 pages), or Business ($299 / 500 pages).

Real scenarios

Scenario 1 — Independent WP developer maintaining 12 client sites

Each client signs off on annual security checks but has different threat models — a real estate agency, two restaurants, a yoga studio, a construction firm. You can't afford WPScan Pro for all 12 ($199/year × 12 = $2,388) AND can't run them all manually.

AuditCore Starter ($29 once per site) gives you 25-page rescans forever. After the initial $29 × 12 = $348 spend, you rescan all 12 monthly for $0. The PDF report has a per-finding fix prompt formatted for Cursor / Claude / Codeium so you can apply fixes 5x faster than reading raw scanner output.

Scenario 2 — WooCommerce store with anti-bot pricing breaking AI shopping

Your store ranks well on Google but you're not appearing in ChatGPT shopping results. You suspect Cloudflare's bot rules are interfering but don't know how to verify. The AI-Readiness Scanner makes 8 separate HTTP requests as GPTBot, ClaudeBot, PerplexityBot, etc., and checks bot-vs-browser price diffs (a unique AuditCore test).

Result: 3 of 8 AI bots get a 403 from your origin (Cloudflare Managed Challenge). Browsers see $89, ClaudeBot sees no price (HTML body is the challenge page). The fix: Cloudflare dashboard > Bots > toggle 'Block AI Bots' off, plus an AI-friendly robots.txt rule. Re-scan confirms the fix in 60 seconds.

Scenario 3 — Agency selling annual security retainer to SMB clients

You package 'WordPress care + security' for $99/month per client. Hard to justify the price tag when clients ask 'what do I get?'. Adding a quarterly AuditCore-branded PDF report makes the value tangible.

The Business tier ($299) lets you white-label the PDF — your logo, your company name. Clients see a professional 30-page audit branded with your name. They renew because the report is the most concrete thing they receive all year. Your cost: $299 × 4 quarters / N clients = pennies per audit.

Recommended tier

Starter ($29) for individual WP sites · Business ($299) for agencies

Single WordPress site? Starter at $29 (25 pages, unlimited rescans) covers the standard case. Running 5+ client sites or want white-label PDF reports? Business at $299 gives you the full pentest stack plus rebrandable reports — pay once per client site, rescan forever.

FAQ

Frequently asked questions

Is this a replacement for WPScan?

WPScan is the gold standard for WP plugin/theme CVE matching and we build on its database. AuditCore replaces it for most users because we cover the same ground PLUS 47 generic scanners, SEO, AI-readiness, and a one-time pricing model instead of an annual subscription. Power users may still want WPScan for the deepest plugin database — we recommend running both.

Will AuditCore break my WordPress site?

No. We use safe scan profiles — no destructive payloads, no aggressive brute force. sqlmap runs with --batch and --technique=BEU (no time-based blind that can hang your DB). ZAP active scanner runs in lightweight mode. Nuclei templates are filtered to non-destructive ones. You can rescan during business hours without issues.

What if I'm using WordPress as a headless CMS with Next.js / React frontend?

Even better — we test both layers. The frontend gets the standard 47-scanner audit; the WordPress backend gets the 11-test WP suite via the REST API endpoint (typically /wp-json). We catch headless-specific issues like over-permissive CORS on /wp-json and exposed user data via /wp-json/wp/v2/users.

Do I need to install a plugin?

No. AuditCore is fully external — we test what an attacker can see from outside. No plugins, no FTP, no database access required. This is by design — we test the same surface attackers do.

Can I scan WordPress.com hosted sites?

Yes, but coverage is limited because WordPress.com locks down many endpoints by default — XML-RPC is disabled, REST API is rate-limited, plugins/themes you didn't install can't be enumerated. The audit is faster but less actionable. Self-hosted WP gets the full 11-test suite.

How often should I rescan a WordPress site?

After every plugin/theme/core update (which is roughly weekly for active sites). With unlimited rescans, you can also schedule monthly or weekly automated scans on the Growth and Business tiers — we email diff alerts when new findings appear.

Do you check if my plugins are pirated / nulled?

We don't have a 'nulled plugin detector' specifically, but Trivy scans every JS asset for known signatures of malware-injected nulled plugins — a common entry vector. If found, severity is critical.

Is the report something I can give to my client?

Yes. The PDF is written to be readable by non-technical stakeholders: severity-ranked findings, clear descriptions, and per-finding fix prompts. The Business tier ($299) lets you white-label it with your logo and company name, useful for agencies and freelancers.

Run a free audit. See what we find.

Free Trial gives you a complete audit on your homepage — full security stack, SEO, AI-readiness. No credit card.