Yes. The surface scan is completely free with no signup required. You can scan any WordPress site instantly. We offer paid deep scans ($1) and expert cleanup ($49) for sites that need more thorough analysis.
The free surface scan checks: known vulnerabilities (CVEs) in your WordPress version, plugins, and themes; security headers and SSL configuration; exposed sensitive files (wp-config.php, .env, debug logs); and suspicious third-party JavaScript.
No. The free surface scan only makes HTTP requests to your site — the same way a web browser would. For the deep scan ($1), we connect via SSH to check files on your server directly.
We score based on the severity of issues found: critical issues subtract 25 points, high issues subtract 10, medium issues subtract 3, and low issues subtract 1. The score maps to grades: A (90+), B (75-89), C (55-74), D (35-54), F (below 35).
If your scan reveals critical issues, we recommend a deep scan ($1) for comprehensive analysis or expert cleanup ($49) where our security engineers manually remove malware and harden your site within 24 hours.
We sync with the Wordfence Intelligence database daily. This covers 36,000+ known vulnerabilities across WordPress core, plugins, and themes.
We only store the URL you submit and the scan results. We do not access your WordPress admin, database, or server files during a surface scan. All connections use HTTPS encryption.
The surface scan only makes standard HTTP requests, similar to how a search engine crawls your site. It does not attempt to exploit any vulnerabilities or access restricted areas.