Free Surface Scanner

Free Surface Scanner

No Account Required

The free surface scanner is available on the WP Vanguard homepage. Enter any WordPress site URL and get results in about 30 seconds. No login, no payment, no strings attached.

What It Checks

The surface scanner examines your site from the outside, just like a visitor or search engine would. It checks:

Known Vulnerabilities (CVEs)

  • Detected plugin, theme, and core versions are matched against 38,000+ known CVEs
  • Vulnerability data sourced from four databases: Wordfence Intelligence, Patchstack, WPScan, and WPVulnerability.net
  • Updated daily to cover the latest disclosures

WordPress Detection

  • Confirms the site is running WordPress
  • Identifies the WordPress version from meta tags and source code
  • Flags outdated versions with known vulnerabilities

Security Headers

  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Strict-Transport-Security (HSTS)

SSL/TLS Configuration

  • Valid certificate
  • Proper HTTPS redirect
  • Mixed content issues

Exposed Files

  • Debug log files (debug.log)
  • Database backup files
  • wp-config.php backup copies
  • Directory listing enabled

Blacklist and Reputation

  • Checks your domain against 11 blacklist services:
    • 7 DNS-based blacklists (Spamhaus, SURBL, URIBL, Barracuda, and more)
    • URLhaus and OpenPhish threat feeds
    • Google Safe Browsing
    • VirusTotal
  • Each service shows a per-service pass/fail status in your report

Suspicious Content

  • Hidden iframes or redirects in page source
  • Known malware script patterns
  • SEO spam injections
  • Cryptocurrency mining scripts

What the Results Mean

Each finding is categorized by severity:

  • Critical: Your site is actively compromised or has a high-risk exposure. Take action immediately.
  • Warning: A security weakness that could be exploited. Should be addressed soon.
  • Info: A recommendation to improve your security posture. Not urgent but good practice.

Limitations

The surface scanner only sees what's publicly accessible. It cannot:

  • Examine files on your server
  • Check plugin or theme code for backdoors
  • Detect malware hidden in the database
  • Verify WordPress core file integrity

For that level of analysis, you need a deep server scan which connects via SSH.

Sites Behind a WAF

If your site is protected by a Web Application Firewall (Cloudflare, Sucuri, Wordfence Cloud, etc.) and that WAF blocks automated requests by default, the surface scanner will identify the WAF vendor in the report instead of falsely flagging the site as "Not WordPress." See Understanding Your Results for how to allowlist our scanner or get full coverage via a deep scan.

Shareable Reports

Each surface scan generates a unique URL you can share with clients, colleagues, or your hosting provider. The report page shows all findings in a clean, readable format.

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free