AuditCore
WordPress security · 11 critical checks

WordPress is 43% of the web. It's also the #1 target.

Generic security scanners miss WP-specific issues. We test 11 vectors used in real attacks — user enumeration, XML-RPC abuse, exposed wp-config backups, vulnerable plugins. Get your free WP security report in under 3 minutes.

No DNS setup · Email results · Includes plugin/theme detection

Real example from our scanner

What a typical WordPress site looks like

$ AuditCore WordPress Scanner — bloomswing.eu
✓ App type detected: ecommerce (95%) — WordPress + WooCommerce
[Findings]
✗ HIGH Username enumeration possible — 1 user(s) leaked
✗ HIGH XML-RPC enabled (brute-force + DDoS vector)
○ LOW WordPress version 3.7.1 exposed (from 2013!)
○ LOW 6 plugins exposed in source
○ LOW Theme 'oneproduct' exposed
○ LOW readme.html confirms WordPress fingerprint
○ LOW /wp-admin at default path
○ LOW REST API broadly accessible
→ 8 issues found in 6 seconds. Generic scanners miss these.

11 critical WordPress checks

Outdated WordPress core

HIGH

Detects the WordPress version via 4 vectors (meta generator, /readme.html, ?ver= in asset URLs, /feed/) and matches it against a known CVE list. WordPress < 6.0 has dozens of unpatched issues.

Username enumeration (3 vectors)

HIGH

Tests ?author=N redirects, /wp-json/wp/v2/users REST API, and /wp-login.php error oracle. Most scanners check 1 vector — we check all 3 for accuracy.

XML-RPC enabled

HIGH

xmlrpc.php enables brute-force amplification (1000+ password attempts in a single HTTP request via system.multicall) and is a pingback DDoS vector. It is often unused in modern stacks.

wp-config.php backup files

CRITICAL

Tests for wp-config.php copies with .bak, .old, .swp, .save and ~ suffixes. If one is found, the attacker reads the DB password in plaintext: game over in 30 seconds. CRITICAL severity.

Debug log exposed

HIGH

/wp-content/debug.log is often left enabled in production, exposing PHP errors, stack traces and possibly DB queries containing sensitive data.
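The fix for this finding lives in wp-config.php. The fragment below is an added example, not AuditCore's code or a WordPress default: it shows the weak development settings that typically cause the exposure next to the production values that close it (and the core auto-update constant from the checklist). The log path in the last comment is a hypothetical example.

```php
<?php
// wp-config.php, production values (added example, not AuditCore's code).
//
// Weak setting, as commonly found on a dev install promoted to production:
//   define( 'WP_DEBUG', true );
//   define( 'WP_DEBUG_LOG', true );   // writes wp-content/debug.log, fetchable over HTTP
//
// Hardened setting:
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );        // no debug.log under the web root
define( 'WP_DEBUG_DISPLAY', false );    // errors are never rendered into the HTML response
@ini_set( 'display_errors', '0' );      // belt and braces for notices raised before WP loads

// If logging is genuinely needed, WP_DEBUG_LOG accepts a file path (WordPress 5.1+);
// point it outside the document root so the web server cannot serve it:
// define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' ); // hypothetical path

// Core auto-updates for minor AND major releases (the default is minor only).
define( 'WP_AUTO_UPDATE_CORE', true );
```

Changing the constants stops new writes but does not delete a debug.log that already exists; remove the file (and check the uploads directory for old copies) after deploying the change, then confirm the scanner no longer reports it.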

Plugins & themes detection

Recon

Extracts installed plugins and themes from asset URLs in the page source, with version detection via ?ver= patterns, and matches them against a CVE database.

Default admin paths

MEDIUM

/wp-admin and /wp-login.php at their default locations are discoverable by every bot. With no rate limiting by default, brute-forcing is trivial.

Directory listing in wp-content

MEDIUM

If Options Indexes is enabled, attackers see all files in /wp-content/uploads/, /plugins/, /includes/. We check all 3.

WordPress Security Checklist 2026

The 11-point checklist every production WP site should pass. Use it as a self-audit or run our automated scan.

1. WordPress core auto-updates enabled [Must]
2. wp-config.php has no backup files (.bak, .old, .swp) [Critical]
3. XML-RPC disabled (or whitelisted) [Must]
4. Default /wp-admin path moved or 2FA-protected [Must]
5. Login error message uniform ("Invalid login.") [Should]
6. /wp-json/wp/v2/users requires auth [Must]
7. ?author=N enumeration blocked in .htaccess [Should]
8. Directory listing disabled (Options -Indexes) [Must]
9. Debug log not exposed (WP_DEBUG_LOG=false in prod) [Must]
10. All plugins auto-updated [Critical]
11. readme.html removed from production [Should]
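Checklist items 3, 5, 6 and 7 (the XML-RPC and username-enumeration findings described above) can all be closed from PHP without touching the web server. The must-use plugin below is an added example written for this page; it is not AuditCore's code and not part of WordPress. It relies only on core hooks (xmlrpc_enabled, xmlrpc_methods, wp_headers, rest_endpoints, login_errors, template_redirect); the file name harden.php is an assumption. Items 2 and 8 are web-server configuration (file cleanup and Options -Indexes) and are out of reach for a plugin, and item 7 is done here in PHP rather than .htaccess so it also works on nginx.

```php
<?php
/**
 * Plugin Name: Self-audit hardening (added example, not AuditCore's code)
 * Description: Closes checklist items 3, 5, 6 and 7. Save as
 *              wp-content/mu-plugins/harden.php; mu-plugins need no activation.
 */

defined( 'ABSPATH' ) || exit;

/* Item 3: XML-RPC disabled. xmlrpc_enabled only gates calls that log in, so
 * the unauthenticated pingback.ping method is removed separately, together
 * with the X-Pingback header that advertises it. */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

/* Item 6: /wp-json/wp/v2/users requires auth. Unregistering the two user
 * routes for anonymous requests makes both the list and the per-id lookup
 * answer rest_no_route (404); logged-in editors keep the endpoint. */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

/* Item 5: uniform login error. wp-login.php normally says whether the
 * username or the password was wrong; one fixed string removes that oracle. */
add_filter( 'login_errors', function () {
    return 'Invalid login.';
} );

/* Item 7: block ?author=N enumeration. WordPress canonicalises ?author=N to
 * /author/<login>/ in redirect_canonical at template_redirect priority 10,
 * which is the leak; answering 404 at priority 1 runs before it. */
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() || ! isset( $_GET['author'] ) ) {
        return;
    }
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
    $template = get_404_template();
    if ( $template ) {
        include $template;
    }
    exit;
}, 1 );
```

After deploying, re-check the three enumeration vectors yourself: /?author=1 should return 404 rather than a redirect to /author/<login>/, an unauthenticated GET on /wp-json/wp/v2/users should return rest_no_route, and a wrong username and a wrong password on wp-login.php should produce the identical "Invalid login." message. Note that a plugin-level XML-RPC block still lets xmlrpc.php be requested, so the scanner may keep reporting the file as present; the finding that matters (system.multicall authentication and pingback.ping) is closed.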

Audit your WordPress site now

Free trial scans your homepage. Starter ($29) audits up to 25 pages with full WP-specific checks.