Everything you need to know about WP Vanguard scans, pricing, and security monitoring.
Yes. The surface scan is completely free with no signup required. You can scan any WordPress site instantly. We offer paid deep scans ($1) and expert cleanup ($49) for sites that need more thorough analysis.
The free surface scan checks: known vulnerabilities (CVEs) in your WordPress version, plugins, and themes; security headers and SSL configuration; exposed sensitive files (wp-config.php, .env, debug logs); and suspicious third-party JavaScript.
No. The free surface scan only makes HTTP requests to your site — the same way a web browser would. For the deep scan ($1), we connect via SSH to check files on your server directly.
We score based on the severity of issues found: critical issues subtract 25 points, high issues subtract 10, medium issues subtract 3, and low issues subtract 1. The score maps to grades: A (90+), B (75-89), C (55-74), D (35-54), F (below 35).
If your scan reveals critical issues, we recommend a deep scan ($1) for comprehensive analysis or expert cleanup ($49), where our security engineers manually remove malware and harden your site within 24 hours. The first cleanup is free for new customers.
We sync daily with four sources — Wordfence Intelligence, Patchstack, WPScan, and WPVulnerability.net — covering 38,000+ known vulnerabilities across WordPress core, plugins, and themes.
Uptime monitoring checks your site every 5 minutes and sends an email alert the moment it goes down — and again when it recovers. You get a 45-day uptime history with response times. It is completely free for all registered accounts, at no extra charge.
Once you add a site and run your first scan, you can set it to rescan automatically — daily, weekly, or monthly. The scan runs in the background and emails you if new issues are found. Scheduled scans are included free with every account.
Every Monday morning we send a summary email covering your site's current health score, any open issues, uptime status over the past week, and your next scheduled scan date. You can disable it at any time from your profile notification settings.
Yes. Every blog post has a newsletter signup form at the bottom. Enter your email to receive our weekly WordPress security tips, vulnerability alerts, and plugin update roundups. No account needed. Unsubscribe any time with a single click.
We only store the URL you submit and the scan results. We do not access your WordPress admin, database, or server files during a surface scan. For deep scans, SSH credentials are encrypted at rest and never stored in plain text. All connections use HTTPS encryption.
The surface scan only makes standard HTTP requests, similar to how a search engine crawls your site. It does not attempt to exploit any vulnerabilities or access restricted areas.