Understanding Your Results
Reading Your Scan Report
After a scan completes, you'll see a report with all findings organized by severity. Here's how to interpret the results.
Severity Levels
Critical Active malware, backdoors, or serious vulnerabilities that require immediate attention. Your site may already be compromised. Examples:
- Malware found in core files
- Webshell detected in uploads directory
- Unauthorized administrator accounts
- Known exploit scripts
Warning Security weaknesses that could be exploited but aren't actively being used (as far as the scan can determine). Address these soon. Examples:
- Outdated WordPress version with known vulnerabilities
- Modified core files that don't match official checksums
- Weak file permissions
- Missing security headers
Info Recommendations to improve your overall security posture. Not urgent but worth addressing when you have time. Examples:
- Security headers that could be added
- Directory listing enabled
- Debug mode left on in production
- File editor enabled in wp-admin
AI Security Assessment
Deep scan reports include an AI-powered security assessment at the top of your report. This provides:
- A summary of your site's overall security posture
- Prioritized action items based on risk and urgency
- Context on how findings relate to each other
Finding Details
Each finding includes:
- Title: A short description of what was found
- Severity: Critical, high, medium, or low
- File path: The exact location on your server (for deep scans)
- AI explanation: What this finding means in plain language, written by AI to be clear and actionable
- Risk: Why this matters and what could happen if left unaddressed
- Recommendation: Specific steps to fix the issue, tailored to your site
Common Findings
"Modified core file": A WordPress core file doesn't match the official version. This could be a hack or a misguided manual edit. Either way, the file should be restored to the original.
"PHP file in uploads": Executable PHP files found in wp-content/uploads/. Legitimate uploads (images, PDFs) are not PHP files. This almost always indicates a backdoor.
"Obfuscated code detected": Code that has been deliberately scrambled to hide its purpose (base64 encoding, eval statements, variable variable chains). Legitimate plugins rarely need this.
"Unknown admin user": An administrator account that wasn't created by you. Attackers create these to maintain access after the initial compromise.
When the Scanner Reports a WAF Block
Some sites sit behind a Web Application Firewall (Cloudflare, Sucuri, Wordfence Cloud, etc.) that blocks automated requests by default. When that happens, the surface scanner now tells you which WAF is in the way instead of falsely reporting "Not a WordPress site." The message looks like:
Site is behind Cloudflare and blocking automated scans. Add
wpvanguard.comto your WAF allowlist or run a deep scan via SSH for full coverage.
What to do:
- Easiest fix: Allowlist our scanner in your WAF dashboard. For Cloudflare that's a WAF Custom Rule allowing the
WP-Vanguard-ScannerUser-Agent. For Sucuri, add our scanning IPs to the whitelist under Firewall Settings. - No WAF access: Run a deep scan instead. Deep scans connect via SSH and bypass the WAF entirely because they read files directly from your server.
- You don't want to allowlist anything: That's fine too. The WAF is doing its job. Just know that the surface scan can only report partial results in this configuration.
A WAF block is not a security finding against your site. It's the opposite: your WAF is working. We surface it as information so you can decide what level of scan coverage you want.
Next Steps
- All clear: No critical or warning findings. Your site looks clean.
- Warnings only: Review each warning and address what you can. Consider a deep scan if you only ran a surface scan.
- Critical findings: Your site needs attention. You can request a cleanup and our team will handle it.
Shareable Reports
Surface scan results are available at a permanent URL (/scan/report/yourdomain.com) that you can share with anyone. No login required to view.
PDF Reports
Every deep scan report can be downloaded as a PDF. The PDF includes all findings, severity levels, AI explanations, and recommendations in a format you can share with clients, hosting providers, or your team.
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site Free