🚀 SecureCheap is live — Start free →
Security
WordPress Security

WordPress Security

SecureCheap integrates with cPanel, Plesk, and direct URL detection to find and continuously monitor every WordPress install you operate.

Detection methods

MethodHow
cPanel APIReads wp-config.php paths from all hosting accounts
Plesk APIReads domain document roots for WP installs
HTTP fingerprintDetects WP generator tag, /wp-login.php, /wp-json/
Manual addYou can add any URL manually

What we check

Plugin & theme CVEs

We compare your installed plugin and theme versions against the WPScan Vulnerability Database (updated hourly). Findings include:

  • Plugin name and vulnerable version
  • CVE ID and CVSS score
  • Whether the issue is patched in a newer version
  • Link to the fix / upgrade path

Core WordPress version

We check if your WP core is:

  • Up to date
  • EOL (no longer receiving security patches)
  • Affected by known core CVEs

Hardening checks

CheckRisk if failing
wp-config.php not web-accessibleCritical
xmlrpc.php exposedHigh
Directory listing disabledHigh
File editing disabled in adminMedium
Default admin username changedMedium
Login URL not default (/wp-login.php)Low
Limit Login Attempts pluginLow
wp-cron public accessLow
PHP error display offMedium

Malware detection

We fetch and scan publicly accessible PHP files for:

  • Known malware signatures (md5 + content patterns)
  • Base64-encoded payloads
  • eval() + base64_decode() combinations
  • Hidden iframe injections
  • Obfuscated JavaScript
  • Remote file inclusion patterns
⚠️

Malware scanning via HTTP can only detect front-end accessible files. For full server-side scanning, install the agent and enable deep scan mode.

WordPress scan report

Each report includes:

  1. Executive summary — score, critical count, high count
  2. Plugin table — all plugins, version, status (OK / Vulnerable / Outdated)
  3. Hardening checklist — pass/fail for each check
  4. AI remediation steps — plain-language fix instructions
  5. Export — PDF or CSV