WordPress Security
SecureCheap integrates with cPanel, Plesk, and direct URL detection to find and continuously monitor every WordPress install you operate.
Detection methods
| Method | How |
|---|---|
| cPanel API | Reads wp-config.php paths from all hosting accounts |
| Plesk API | Reads domain document roots for WP installs |
| HTTP fingerprint | Detects WP generator tag, /wp-login.php, /wp-json/ |
| Manual add | You can add any URL manually |
What we check
Plugin & theme CVEs
We compare your installed plugin and theme versions against the WPScan Vulnerability Database (updated hourly). Findings include:
- Plugin name and vulnerable version
- CVE ID and CVSS score
- Whether the issue is patched in a newer version
- Link to the fix / upgrade path
Core WordPress version
We check if your WP core is:
- Up to date
- EOL (no longer receiving security patches)
- Affected by known core CVEs
Hardening checks
| Check | Risk if failing |
|---|---|
wp-config.php not web-accessible | Critical |
xmlrpc.php exposed | High |
| Directory listing disabled | High |
| File editing disabled in admin | Medium |
| Default admin username changed | Medium |
Login URL not default (/wp-login.php) | Low |
| Limit Login Attempts plugin | Low |
| wp-cron public access | Low |
| PHP error display off | Medium |
Malware detection
We fetch and scan publicly accessible PHP files for:
- Known malware signatures (md5 + content patterns)
- Base64-encoded payloads
eval()+base64_decode()combinations- Hidden iframe injections
- Obfuscated JavaScript
- Remote file inclusion patterns
⚠️
Malware scanning via HTTP can only detect front-end accessible files. For full server-side scanning, install the agent and enable deep scan mode.
WordPress scan report
Each report includes:
- Executive summary — score, critical count, high count
- Plugin table — all plugins, version, status (OK / Vulnerable / Outdated)
- Hardening checklist — pass/fail for each check
- AI remediation steps — plain-language fix instructions
- Export — PDF or CSV