Free Surface Scanner
No Account Required
The free surface scanner is available on the WP Vanguard homepage. Enter any WordPress site URL and get results in about 30 seconds. No login, no payment, no strings attached.
What It Checks
The surface scanner examines your site from the outside, just like a visitor or search engine would. It checks:
Known Vulnerabilities (CVEs)
- Detected plugin, theme, and core versions are matched against 38,000+ known CVEs
- Vulnerability data sourced from four databases: Wordfence Intelligence, Patchstack, WPScan, and WPVulnerability.net
- Updated daily to cover the latest disclosures
WordPress Detection
- Confirms the site is running WordPress
- Identifies the WordPress version from meta tags and source code
- Flags outdated versions with known vulnerabilities
Security Headers
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security (HSTS)
SSL/TLS Configuration
- Valid certificate
- Proper HTTPS redirect
- Mixed content issues
Exposed Files
- Debug log files (debug.log)
- Database backup files
- wp-config.php backup copies
- Directory listing enabled
Blacklist and Reputation
- Checks your domain against 11 blacklist services:
- 7 DNS-based blacklists (Spamhaus, SURBL, URIBL, Barracuda, and more)
- URLhaus and OpenPhish threat feeds
- Google Safe Browsing
- VirusTotal
- Each service shows a per-service pass/fail status in your report
Suspicious Content
- Hidden iframes or redirects in page source
- Known malware script patterns
- SEO spam injections
- Cryptocurrency mining scripts
What the Results Mean
Each finding is categorized by severity:
- Critical: Your site is actively compromised or has a high-risk exposure. Take action immediately.
- Warning: A security weakness that could be exploited. Should be addressed soon.
- Info: A recommendation to improve your security posture. Not urgent but good practice.
Limitations
The surface scanner only sees what's publicly accessible. It cannot:
- Examine files on your server
- Check plugin or theme code for backdoors
- Detect malware hidden in the database
- Verify WordPress core file integrity
For that level of analysis, you need a deep server scan which connects via SSH.
Sites Behind a WAF
If your site is protected by a Web Application Firewall (Cloudflare, Sucuri, Wordfence Cloud, etc.) and that WAF blocks automated requests by default, the surface scanner will identify the WAF vendor in the report instead of falsely flagging the site as "Not WordPress." See Understanding Your Results for how to allowlist our scanner or get full coverage via a deep scan.
Shareable Reports
Each surface scan generates a unique URL you can share with clients, colleagues, or your hosting provider. The report page shows all findings in a clean, readable format.
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site Free