Every Free WordPress Security Tool Inside WP Vanguard
By WP Vanguard Team
Most WordPress security tools charge a monthly subscription before you can do anything useful. WP Vanguard takes a different approach: the tools you need to stay informed about your site's security and health are free. You pay only when you need something that costs us real compute -- a deep SSH scan or a malware cleanup.
This post walks through every free feature in WP Vanguard, what it does, and how it helps you catch problems before they become emergencies. Whether you run a single blog or manage a hundred client sites, every feature described here is included with every account at no cost.
Surface Vulnerability Scanner
The scanner is where most people start with WP Vanguard. Enter any WordPress URL at wpvanguard.com and get a security report in under two minutes. No login required. No plugin to install. No server access needed.
The surface scan checks your site from the outside -- the same perspective an attacker would have -- and reports on:
- Outdated WordPress core, plugins, and themes matched against 38,000+ CVEs from Wordfence Intelligence, Patchstack, WPScan, and the National Vulnerability Database
- Security misconfigurations like exposed debug logs, directory listing, XML-RPC enabled, wp-config backups accessible
- Suspicious scripts and injections including crypto miners, SEO spam, and malicious redirects
- SSL and security headers covering HSTS, Content Security Policy, X-Frame-Options, and certificate validity
- Blacklist status checked against Google Safe Browsing and other blocklists
Every finding comes with a severity rating and a clear explanation of what it means and what to do about it. The report is shareable, downloadable, and stored in your account if you are logged in.
Why This Matters
WordPress powers over 40% of the web. That makes it the most targeted CMS on the planet. Outdated plugins with known CVEs are the single most common entry point for attackers. A surface scan tells you in seconds whether your site has any publicly known vulnerabilities -- the same ones automated scanners and botnets are already probing for.
Running a scan after every plugin update, theme change, or WordPress core update is the simplest habit that catches the most common security problems.
Uptime Monitoring
Your site going down is the most urgent problem you can have. Every minute offline is lost visitors, lost revenue, and lost trust. The problem is that most site owners find out their site is down the same way their visitors do -- they try to visit it and get an error.
WP Vanguard checks your site every 5 minutes, 24 hours a day, 7 days a week. When your site fails a check, you get an email within minutes. When it comes back up, you get a recovery notification with the total downtime duration.
Your dashboard shows:
- 45-day uptime history as a colour-coded bar chart (green for up, red for down)
- Availability percentages for the last 24 hours, 7 days, and 30 days
- Average response time across all checks
- Recent check log with timestamps and response codes
Why This Matters
Server crashes, failed plugin updates, hosting provider outages, and misconfigured deployments all cause downtime. Without monitoring, you find out when a customer emails you or when you happen to check the site yourself. Five-minute checks mean you know within minutes, not hours. That is the difference between a quick fix and an all-day outage you did not notice until the afternoon.
SSL Certificate Expiry Monitoring
When an SSL certificate expires, every visitor sees a browser warning: "Your connection is not private." Chrome, Firefox, and Safari all show it. Most visitors leave immediately. The traffic impact is instant and severe.
SSL certificates expire on a fixed schedule -- every 90 days for Let's Encrypt, annually for most paid certificates. Auto-renewal can fail silently. Hosting provider renewal emails get buried in spam. The result is that SSL expiry is one of the most common causes of preventable site downtime.
WP Vanguard checks your SSL certificate daily and alerts you at three points:
- 30 days before expiry -- first warning, plenty of time
- 14 days before expiry -- second warning, time to act
- 7 days before expiry -- urgent alert
Why This Matters
A 30-day warning gives you weeks of lead time for something that takes 10 minutes to fix. Without monitoring, you find out when the certificate has already expired and visitors are already seeing warnings. The goal is that you never reach that point.
Domain Name Expiry Monitoring
An expired domain is worse than an expired SSL certificate. When a domain expires, your site goes completely offline. If you do not renew quickly, the domain enters a redemption period and eventually becomes available for anyone to register. Domain squatters actively watch for expiring domains with established traffic and backlinks. Losing a domain you have built over years is painful and sometimes impossible to reverse.
Domain renewals happen once a year, making them easy to forget. Auto-renewal relies on a payment method staying current. Registrar notification emails end up in spam.
WP Vanguard performs a daily WHOIS lookup for each of your sites and alerts you:
- 30 days before expiry -- first warning
- 14 days before expiry -- urgent alert
Why This Matters
You do not think about your domain 364 days of the year. On the one day that matters, an automated alert is the difference between a routine renewal and a domain recovery nightmare.
Google Blacklist Monitoring
When Google Safe Browsing flags your site, Chrome, Firefox, and Safari all show a full-screen red warning to every visitor. Search traffic drops 50% to 90% within 24 hours. The ranking damage persists even after cleanup and delisting.
Getting blacklisted usually means your site is already compromised -- infected with malware that redirects visitors, injects spam, or serves phishing pages. The malware is often designed to hide from logged-in administrators, so you might not notice it at all until Google flags you.
WP Vanguard checks your site against Google Safe Browsing weekly. If your site is flagged, you get an immediate alert with next steps:
- Run a deep scan to identify the infection
- Request a cleanup to remove the malware
- Submit a review request to Google after cleanup
You can also run an on-demand check any time by clicking "Check now" on the blacklist card in your dashboard.
Why This Matters
The average time between a site getting compromised and the owner finding out is weeks. Blacklist monitoring shortens that to days at most. Catching it early means less SEO damage, fewer affected visitors, and a faster path back to clean.
Performance Score Tracking
Site speed is a Google ranking factor. PageSpeed Insights gives you the same score Google uses as part of its ranking signals. A site scoring 85 today might drop to 60 after a few plugin updates and a new widget -- and you might not notice until search rankings start slipping.
Every Monday, WP Vanguard fetches a PageSpeed Insights mobile score for each of your sites. Mobile matters most because Google uses mobile-first indexing.
Score ranges follow Google's thresholds:
- 90-100: Good (green)
- 50-89: Needs improvement (orange)
- 0-49: Poor (red)
You can also trigger an on-demand check after making performance changes -- new caching, image optimization, theme switch -- to see the immediate impact.
Why This Matters
Performance tracking is not a diagnostic tool. It is an early warning system. A sudden score drop tells you something changed. Without tracking, performance degradation is invisible until you lose rankings.
Vulnerability Alerts
When a new CVE is published for a plugin version installed on one of your sites, WP Vanguard sends you an email immediately -- not when you run your next scan, but when the vulnerability is disclosed.
This works because the surface scan detects your installed plugin and theme versions. WP Vanguard's vulnerability database syncs daily with Wordfence Intelligence, Patchstack, WPScan, and the NVD. When a new CVE matches a version running on your site, the alert fires automatically.
Why This Matters
The window between public vulnerability disclosure and mass exploitation is shrinking. For critical unauthenticated vulnerabilities, automated exploitation can begin within hours. Getting an alert the day a CVE drops instead of whenever you happen to run your next scan gives you the head start you need to update before attackers arrive.
Weekly Digest Email
Every Monday morning, WP Vanguard sends a single summary email covering all your sites:
- Sites with open security issues from their last scan
- Uptime incidents in the past week
- SSL or domain certificates approaching expiry
- Blacklist status changes
- Performance score changes
One email, every site, once a week.
Why This Matters
Individual alerts are essential for urgent problems. But the weekly digest gives you the big picture. It is the email you scan over coffee on Monday morning to confirm everything is running cleanly -- or to catch the one site that needs attention before the week gets busy.
Scheduled Scanning
Set any site to scan automatically on a weekly or monthly schedule. The scan runs at the scheduled time, results are stored in your dashboard, and you get an email if new issues are found.
This is useful for sites where you want continuous security coverage without remembering to manually trigger scans. Set the schedule once and it runs indefinitely.
Why This Matters
Security is not a one-time check. Plugins get updated, new vulnerabilities are disclosed, configurations change. Scheduled scanning ensures your sites are checked regularly without relying on you to remember.
Health Score
Every scan produces a health score from 0 to 100 based on the findings. The score weighs critical issues heavily, high issues moderately, and medium issues lightly. A score of 100 means no issues were found. Lower scores indicate problems that need attention, with the most severe findings pulling the score down the fastest.
The health score appears on your dashboard next to every site, giving you an instant visual indicator of which sites are healthy and which need work.
Why This Matters
When you manage multiple sites, you need a way to triage. The health score tells you at a glance which site to look at first. A site at 95 probably just needs a plugin update. A site at 40 needs immediate investigation.
PDF Reports with AI Explanations
After a deep scan, WP Vanguard generates a downloadable PDF report. Each finding includes an AI-generated explanation of what the issue means, why it matters, and specific steps to fix it -- written in plain language, not security jargon.
The PDF is designed to be shared with clients, stakeholders, or anyone who needs to understand the security status of a site without interpreting raw scan output.
Why This Matters
Security findings are useless if the person responsible for the site does not understand them. AI-generated explanations bridge the gap between technical scan output and actionable information. For agencies, the PDF report is the deliverable you hand to a client.
For Agencies and Developers
Everything above scales to portfolios. When you manage 20, 50, or 200 WordPress sites, the value of WP Vanguard shifts from "I know my site is secure" to "I can see the security status of every site I manage in one place."
Dashboard view. Every site card shows health score, uptime percentage, SSL status, and performance score side by side. You can scan your entire portfolio in a single view and immediately see which sites have problems. Red stands out. Green means clear.
Email alerts at scale. When a client's site goes down at 2am, you get the email. When an SSL certificate is 7 days from expiry, you know before the client does. Proactive resolution instead of reactive firefighting.
Weekly digest for portfolio management. One email summarizing the status of every site. The Monday morning check that tells you what needs attention this week.
Partner API. For agencies and hosting providers who want to integrate scanning and monitoring into their own workflows, the Partner API supports surface scans, deep scans, bulk scanning, and webhook notifications via REST endpoints. Build monitoring dashboards, automate client reporting, or trigger scans from your deployment pipeline.
What Is Free vs. What Costs Money
The line is simple: monitoring and scanning are free. Intensive per-site work costs money.
| Feature | Cost |
|---|---|
| Surface vulnerability scan | Free |
| Uptime monitoring (every 5 min) | Free |
| SSL certificate expiry alerts | Free |
| Domain name expiry alerts | Free |
| Google blacklist monitoring | Free |
| Performance score tracking | Free |
| Vulnerability alerts | Free |
| Weekly digest email | Free |
| Scheduled scanning | Free |
| Health score dashboard | Free |
| Deep SSH scan (20 checks) | $1 per scan |
| Malware cleanup + hardening | $49 per site (first cleanup free) |
| PDF report with AI explanations | Included with deep scan |
No subscriptions. No monthly fees. No feature gates on the free tier. Pay only when you need deep scanning or cleanup.
Getting Started
If you already have a WP Vanguard account, every feature described here is already active. Check your dashboard to see monitoring data, health scores, and alerts.
If you have not tried WP Vanguard yet, start with a free scan. Enter your URL at wpvanguard.com and get results in under two minutes. Create an account to add your site and monitoring starts automatically -- no configuration, no plugin install.
Every feature works without installing anything on your WordPress site. Uptime, SSL, domain, blacklist, and performance checks all run externally from our servers. Deep scans and cleanups are the only features that require SSH access.
Scan your site free | View pricing | Partner API for agencies | Documentation
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.