WordPress sites
WordPress powers a huge share of the web—and attackers routinely probe weak TLS behavior, sloppy redirects, and missing headers. Without a baseline, it is easy to ship themes and plugins while the public URL still exposes fixable gaps.
Paste the URL visitors load—often your homepage on your apex or www host behind caching. Scorifya checks what unauthenticated browsers can see: HTTPS posture and redirects, security headers, passive SPF/DMARC/MX context for your hostname, cookie-related hints when responses carry Set-Cookie, and hygiene signals. It complements updates and hosting choices; it does not log into your dashboard or scan for malware.
This page is written for people searching for WordPress security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — common gaps after a theme or CDN change
HTTPS works for many visitors, but first hops and browser protections still leak points until headers and redirects line up everywhere.
Strict-Transport-Security missing
Without HSTS, browsers may still allow accidental HTTP before policy is cached—especially first visits and legacy bookmarks.
Content-Security-Policy absent
No CSP means browsers rely on defaults; XSS blast radius stays higher until you stage a policy (often report-only first).
Anti-framing header not detected
Clickjacking protections help when your pages can be embedded elsewhere—especially if you use marketing iframes or partner embeds.
Example B — tighter public edge posture
Redirects and TLS look consistent; headers cover the main browser-side risks even if email DNS still has room to mature.
DMARC policy not at enforcement
SPF may exist while DMARC stays on “none”—fine for rollout, but enforcement locks down spoofed mail using your domain.
Verbose Server banner
Fingerprinting hints rarely flip the score alone but add hygiene noise teams remove during hardening passes.
Force HTTPS consistently
Ensure HTTP answers with a permanent redirect to HTTPS on every hostname visitors use. Scorifya penalizes downgrade-friendly entrypoints.
Add HSTS with a deliberate max-age
Start with a shorter max-age if you are validating coverage, then grow it once every subdomain serves HTTPS cleanly.
Roll out CSP in stages
Begin with Content-Security-Policy-Report-Only, watch reports, then tighten script-src and related directives to match real assets.
Publish DMARC aligned with how you send mail
As you send marketing or transactional mail from your brand domain, SPF, DKIM, and a progressive DMARC policy protect recipients and your reputation.
Re-scan after each edge change
Caching layers, redirect rules, and security headers shift often—use a fresh paste of the same URL to catch regressions early.
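As an added example (not Scorifya's own code), the checks described above, applied to constructed sample data in Python: HSTS presence and max-age, CSP enforced versus report-only, an anti-framing header, a verbose Server banner, and whether DMARC is at enforcement. The sample headers, the DMARC record, the one-year HSTS target and the finding strings are assumptions for illustration.

```python
import re

# Constructed sample data, not fetched from any site: the response headers a
# WordPress front page might return and the hostname's DMARC TXT record.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self'",
}
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

def check_hsts(h, min_age=31536000):
    # h: headers with lower-cased names. A max-age below the target is flagged,
    # matching the "start short, then grow" rollout described above.
    value = h.get("strict-transport-security")
    if value is None:
        return "missing"
    m = re.search(r"max-age=(\d+)", value)
    age = int(m.group(1)) if m else 0
    return "ok" if age >= min_age else f"short max-age ({age}s)"

def check_csp(h):
    if "content-security-policy" in h:
        return "enforced"
    return "report-only" if "content-security-policy-report-only" in h else "absent"

def check_framing(h):
    # An enforced frame-ancestors directive or X-Frame-Options both count.
    if "frame-ancestors" in h.get("content-security-policy", "") or "x-frame-options" in h:
        return "ok"
    return "missing"

def check_dmarc(record):
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if tags.get("v") != "DMARC1":
        return "missing"
    policy = tags.get("p", "none")
    return "enforcing" if policy in ("quarantine", "reject") else f"not enforcing (p={policy})"

def run_checks(headers=SAMPLE_HEADERS, dmarc=SAMPLE_DMARC):
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return {
        "hsts": check_hsts(h),
        "csp": check_csp(h),
        "framing": check_framing(h),
        "dmarc": check_dmarc(dmarc),
        "server_banner": "verbose" if re.search(r"\d", h.get("server", "")) else "ok",
    }
```

Re-running `run_checks` with the headers captured after each edge change is the "re-scan after each change" step in script form.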
For weights and penalties behind each category, see How Scorifya works.
No. Scorifya only requests the public URL you paste and follows redirects. It cannot access authenticated areas or your dashboard.
Yes—the score engine and findings are identical. This page adds WordPress-focused context for people searching specifically for that phrase.
No. This is a configuration and public-signal scorecard, not malware detection. Use maintenance and file-integrity workflows for that job.
CDNs, DNS providers, redirect rules, and header injectors sit outside your CMS. Any of them can change what we observe on the next fetch.
No. We do not attempt exploitation or authenticated crawling. The score reflects publicly visible TLS, headers, DNS/email signals, and hygiene.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.