WordPress sites
WordPress is an application you host, so security depends on your web server configuration, CDN, and the plugins and themes you install. A default WordPress setup does not send HSTS, CSP, or most browser security headers; those live at the Apache or nginx layer, or at a CDN in front. Without a live check, it's easy to ship a theme update while the public URL still misses the headers browsers enforce.
Paste the URL visitors load, often your homepage on your apex or www host behind caching. Scorifya checks HTTPS posture and redirects, security headers (HSTS, CSP, X-Frame-Options, and more), passive SPF/DMARC/MX signals for your hostname, and cookie hints when responses carry Set-Cookie. It does not log into your dashboard or scan for malware. Results arrive in under 30 seconds.
This page is written for people searching for a WordPress security check: it uses the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like. Paste your URL above for a live score on your site.
Example A, common gaps after a theme or CDN change
HTTPS works for many visitors, but first hops and browser protections still leak points until headers and redirects line up everywhere.
Strict-Transport-Security missing
Without HSTS, browsers may still allow accidental HTTP before the policy is cached, especially on first visits and from legacy bookmarks.
Content-Security-Policy absent
No CSP means browsers rely on defaults; XSS blast radius stays higher until you stage a policy (often report-only first).
Anti-framing header not detected
Clickjacking protections help when your pages can be embedded elsewhere, especially if you use marketing iframes or partner embeds.
Example B, tighter public edge posture
Redirects and TLS look consistent; headers cover the main browser-side risks even if email DNS still has room to mature.
DMARC policy not at enforcement
SPF may exist while DMARC stays at 'none'. That is fine during rollout, but only an enforcing policy locks down spoofed mail using your domain.
Verbose Server banner
Fingerprinting hints rarely flip the score alone but add hygiene noise teams remove during hardening passes.
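To make the findings in Example A and Example B concrete, here is an added, stand-alone checker that is not Scorifya's own code: it evaluates a response's headers the way the snapshots above describe (HSTS presence and max-age, enforcing versus report-only CSP, anti-framing, version banners, cookie flags). The three header sets are constructed for this illustration, not captured from any real host; SIX_MONTHS is an assumed floor for a settled HSTS max-age.

```python
"""Offline header posture check in the spirit of Examples A and B.

Added example, not Scorifya's own code. The three header sets below are
constructed for this illustration, not captured from any real host.
"""
import re

SIX_MONTHS = 180 * 24 * 3600  # assumed floor for HSTS max-age once rollout is done

# Example A style: default WordPress on Apache, nothing added at the edge.
EXAMPLE_A = {
    "Server": "Apache/2.4.57 (Ubuntu)",
    "X-Powered-By": "PHP/8.1.2",
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "wordpress_test_cookie=WP%20Cookie%20check; path=/",
}

# Rollout stage: short HSTS while validating coverage, CSP still report-only.
STAGING = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
}

# Example B style: headers set at the CDN or nginx layer, banner trimmed.
EXAMPLE_B = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "wordpress_test_cookie=WP%20Cookie%20check; path=/; Secure; HttpOnly; SameSite=Lax",
}


def check_headers(headers):
    """Return a list of finding strings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # HSTS comes from the web server or CDN; WordPress core never sends it.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < SIX_MONTHS:
            findings.append("Strict-Transport-Security max-age is short or unreadable")

    # CSP: an enforcing header, a report-only header (rollout stage), or neither.
    csp = h.get("content-security-policy", "")
    if not csp:
        if "content-security-policy-report-only" in h:
            findings.append("Content-Security-Policy only in report-only mode")
        else:
            findings.append("Content-Security-Policy absent")

    # Anti-framing: X-Frame-Options or an enforcing CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("Anti-framing header not detected")

    # Hygiene: version numbers in Server / X-Powered-By are fingerprinting hints.
    for name in ("Server", "X-Powered-By"):
        value = h.get(name.lower())
        if value and re.search(r"\d+\.\d+", value):
            findings.append(f"Verbose {name} banner: {value}")

    # Cookie hints: attributes after the first ';' should include Secure and HttpOnly.
    cookie = h.get("set-cookie")
    if cookie:
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            findings.append("Set-Cookie missing " + " and ".join(missing))

    return findings


if __name__ == "__main__":
    for label, sample in (("Example A", EXAMPLE_A), ("Staging", STAGING), ("Example B", EXAMPLE_B)):
        print(f"{label}: {check_headers(sample) or ['no header findings']}")
```

Run it as-is to see the Example A set produce the three header gaps plus banner and cookie hints, the staging set produce the rollout-stage notes, and the Example B set produce nothing. Swap in the headers from your own response (curl -I on the public URL) to approximate the live check offline.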
Set HSTS at your web server or CDN layer
WordPress itself does not send Strict-Transport-Security. Add the header in your Apache .htaccess, nginx server block, or at a CDN like Cloudflare. Start with a shorter max-age while validating coverage, then grow it once every subdomain serves HTTPS cleanly.
Roll out CSP in stages alongside your plugins
WordPress sites load scripts from themes, plugins, and admin embeds. Start with Content-Security-Policy-Report-Only, watch reports to catalog real script sources, then tighten script-src and related directives to match what's actually needed.
Force HTTPS consistently across apex and www
Ensure HTTP answers with a permanent redirect to HTTPS on every hostname visitors use. Scorifya penalizes downgrade-friendly entrypoints. Check both apex and www.
Publish DMARC aligned with how you send mail
As you send marketing or transactional mail from your brand domain, SPF, DKIM, and a progressive DMARC policy protect recipients and your reputation. Many WordPress sites omit DMARC even while actively sending newsletters.
Re-scan after each edge change
Caching layers, CDN rules, and plugin-injected headers shift often. Use a fresh paste of the same URL to catch regressions early, especially after plugin updates.
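Two of the steps above, forcing HTTPS on every hostname and moving DMARC toward enforcement, can be verified offline against captured data. The following added example is not Scorifya's own code: it checks that each plain-HTTP entrypoint (apex and www) answers with a permanent redirect straight to HTTPS, and classifies a _dmarc TXT record as rollout, partial, or enforcing. The redirect chains and DMARC records are constructed for this illustration, and the finding wording is my own.

```python
"""Offline checks for two hardening steps: consistent HTTP-to-HTTPS
redirects on apex and www, and DMARC enforcement.

Added example, not Scorifya's own code. The redirect chains and DMARC
records below are constructed for this illustration.
"""
from urllib.parse import urlsplit

# Each chain is the list of (status, Location) hops observed when following
# a plain-HTTP start URL; (200, None) marks the final page. Constructed data.
CONSISTENT_CHAINS = {
    "http://example.com/": [(301, "https://example.com/"), (200, None)],
    "http://www.example.com/": [(301, "https://www.example.com/"), (200, None)],
}
INCONSISTENT_CHAINS = {
    "http://example.com/": [(301, "https://example.com/"), (200, None)],
    # www hops to the apex over plain HTTP first, and with a temporary redirect
    "http://www.example.com/": [(302, "http://example.com/"), (301, "https://example.com/"), (200, None)],
}

# Constructed _dmarc TXT records for the rollout stages described above.
DMARC_ROLLOUT = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"


def redirect_findings(chains):
    """Flag any HTTP entrypoint whose first hop is not a permanent redirect to HTTPS."""
    findings = []
    for start, hops in chains.items():
        status, location = hops[0]
        if status == 200:
            findings.append(f"{start} serves content over plain HTTP")
            continue
        if status not in (301, 308):
            findings.append(f"{start} uses a temporary redirect ({status}); use 301 or 308")
        if urlsplit(location).scheme != "https":
            findings.append(f"{start} first hop stays on HTTP: {location}")
    return findings


def parse_dmarc(txt):
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_finding(txt):
    """Return a finding string, or None when the policy is fully enforcing."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return "DMARC record missing or malformed"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        return "DMARC policy not at enforcement (p=none)"
    if pct < 100:
        return f"DMARC p={policy} applies to only {pct}% of mail"
    return None


if __name__ == "__main__":
    for label, chains in (("consistent", CONSISTENT_CHAINS), ("inconsistent", INCONSISTENT_CHAINS)):
        print(f"redirects ({label}): {redirect_findings(chains) or ['ok']}")
    for record in (DMARC_ROLLOUT, DMARC_PARTIAL, DMARC_ENFORCED):
        print(f"{record!r}: {dmarc_finding(record) or 'enforcing'}")
```

The redirect check deliberately looks only at the first hop: a chain that eventually reaches HTTPS but passes through another plain-HTTP URL is exactly the downgrade-friendly entrypoint the step above warns about. Feed it the hops you observe for each hostname visitors use, and re-run after each CDN or plugin change.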
For weights and penalties behind each category, see How Scorifya works.
WordPress core is actively maintained and patched, but the overall security of a WordPress site depends heavily on the hosting configuration, plugins, themes, and web server setup. WordPress itself does not set HSTS, CSP, X-Frame-Options, or most browser security headers. Those must be added at the Apache/nginx layer or at a CDN in front. A WordPress site can be made highly secure, but it requires configuration beyond what a default install provides.
Not natively. WordPress core does not send a Strict-Transport-Security header. To add HSTS, you need to configure it at your web server (Apache .htaccess or nginx server block) or through a CDN like Cloudflare. Some security plugins can inject it via PHP headers, but the web server layer is more reliable.
Yes, but it requires care. WordPress loads scripts from many sources, core, themes, plugins, and embeds. The most reliable approach is to set CSP at your web server or CDN layer. Start with report-only mode to inventory all script sources before enforcing. Plugins that try to auto-generate CSP often miss sources or break third-party embeds.
The most common findings are: missing HSTS header, no Content-Security-Policy, absent X-Frame-Options, incomplete SPF/DMARC records when the domain sends email, verbose Server/X-Powered-By banners exposing PHP or software versions, and missing Referrer-Policy. These are web server and DNS gaps, not core WordPress vulnerabilities. They're fixable without changing your WordPress installation.
No. Scorifya only requests the public URL you paste and follows redirects. It cannot access authenticated areas or your dashboard.
No. This is a configuration and public-signal scorecard, not malware detection. Use maintenance and file-integrity workflows for that job.
CDNs, DNS providers, redirect rules, and header injectors sit outside your CMS. Any of them can change what we observe on the next fetch.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly, without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.