Free WordPress Security Scanner — Audit Your Entire Site in Minutes

ShieldScope runs a deep, read-only security audit across your whole WordPress site and hands you a clear report grouped by severity — without ever slowing your site down.

100% free · Read-only · No account required

You Don't Know Where Your Site Stands — Until Something Breaks

Most WordPress security tools force a choice: install a heavy always-on suite, or send your site’s data to someone else’s servers just to get a checkup. ShieldScope scans inside your own dashboard and gives you a plain answer.

There's no simple way to just check.

You either commit to a full firewall suite or do nothing — there's no lightweight option to see where you stand right now.

Nothing runs where your site already lives.

Many scanners send your site off to external servers to be checked. ShieldScope's 16 checks run inside your own WordPress dashboard — nothing leaves your server except optional, targeted lookups (core-file checksums, and WPScan if you add a key).

Reports read like a CVE feed, not a to-do list.

Vulnerability data is written for security engineers. You need to know what's urgent and what to do about it, in language anyone can follow.

Use ShieldScope as:

A security audit for existing sites

Run a scan any time and get a clear, plain-language read on where your site stands right now.

A pre-launch checklist for new sites

Verify the basics are covered — weak passwords, exposed files, missing headers, outdated core — before you go live.

16 Security Checks. One Scan.

Every findings grouped by severity, in simple language.

Core Health

Outdated WP, debug flags, insecure setup.

Core File Integrity

Checks core files vs official checksums

User Accounts

Default admin, weak or empty passwords, exposed logins.

Files & Folders

Risky permissions, exposed configs, leftover backups.

Plugins

Pending updates, inactive or abandoned plugins.

Themes

Pending updates, extra inactive theme, active theme.

Malicious Code

Malware signatures, hidden backdoors in plugin/theme code.

SSL & HTTPS

Cert expiry, weak encryption, mixed content, HSTS.

Security Headers

Clickjacking, MIME sniffing, referrer & version leaks.

Database Settings

Open registration, URL mismatches, rogue admins.

Injection (SQLi/XSS)

SQL injection, XSS and other code-level attack patterns.

Access Control

Login & brute-force protection, 2FA, endpoint permissions.

Server Config

EOL PHP, exposed .env files, debug logs, info leaks.

SSRF

Code that lets attackers force unauthorised server requests.

Outdated Components

EOL database, WP & software with no security patches.

Vulnerability DB

WPScan lookups (optional) + built-in exploited-plugin list.

How it Works

From install to actionable report in three steps.

1

Install & Activate

Find ShieldScope in your WP admin, click Activate.

2

Start Scan

Runs at 20% CPU, auto-pauses on tab switch.

3

Read Your Report

Findings by severity, each with a fix in simple language.

Findings You Can Actually Act On

Every issue is ranked by severity so you fix what matters first.

Critical
Immediate risk — active exploits or exposed access.
High
Serious weaknesses that should be fixed quickly.
Medium
Hardening gaps worth addressing on your schedule.
Low
Minor improvements to tighten your setup.
Info
Good-to-know notes — no action required.

Security Auditing Without the Weight

ShieldScope isn’t trying to replace your firewall. It’s the fast, read-only audit you run before launch, after changes, or whenever you want a clear picture of where your site stands.

Never slows your site down.

A built-in speed limiter keeps ShieldScope under 20% of your server's capacity, pausing between each step so visitors never notice a scan is running.

Pauses when you look away.

Switch browser tabs and the scan pauses automatically, then resumes exactly where it left off when you return — no stalled scans, no runaway load.

100% read-only, always.

ShieldScope scans, reports, and recommends. It never modifies a file, changes a setting, or touches a user account. Nothing it does can break your site.

Simple, actionable fixes, not jargon.

Every finding comes with a clear description and a specific action to take — written in simple language, not security-engineer jargon.

Severity-ranked so you fix what matters.

Findings are grouped Critical through Info, so you spend your time on real risks first instead of wading through noise.

Your data stays on your server.

Scanning runs locally. The only external calls happen during an active scan — the official WordPress.org checksum API, and WPScan only if you choose to add a key.

Free, with no account required.

Install, activate, scan. No signup, no email wall, no upsell gate blocking the core audit.

“Think of it as a pre-flight checklist for your WordPress site — lightweight enough to run often, thorough enough to trust.”

See It in Action

A quick look at scanning, reporting, and configuring ShieldScope.

Scan dashboard — Start, pause, or resume a scan with a live progress bar and real-time status updates.
Security report — Findings grouped by severity (Critical through Info) with a clear description and a specific action to take for every issue.
Settings page — Adjust scan speed, file size limits, tab-pause behaviour, and optionally add a WPScan API key.

Your Site's Data Never Leaves Your Server

All scanning runs locally, on your own WordPress install. ShieldScope only contacts external services while a scan is actively running, and only two: the official WordPress.org checksum API, to verify your core files, and, if you choose to add a key, WPScan, for live vulnerability lookups. No site content, URLs, or personal data is ever sent, stored externally, or shared with anyone.

Full details on exactly what’s sent and when are in the FAQ below.

Frequently Asked Questions

No. Built-in speed limiter, stays under 20% server capacity, pauses between each piece of work. Adjustable in Settings.

Runs through your browser, so it pauses automatically when you switch away and resumes when you return. Can be turned off in Settings.

No. Completely read-only. Only writes its own scan results and progress.

ShieldScope → Last Report in your WP admin, grouped by severity.

Enables live vulnerability lookups (25/day free tier, cached). Without it, still checks against a built-in exploited-plugins list.

Only during a scan, only two calls: WordPress.org checksum API (version + language code) and, if you add a key, wpscan.com (plugin/theme names + versions).

Typically 5–20 minutes depending on site size. Progress saves if you leave and come back.

A Pro Add-On Is Coming

We’re building a Pro add-on for ShieldScope — scheduled scans, exportable reports, and deeper integrations, installed right alongside the free plugin you already have. Get notified the day it’s ready.

Shieldscope Email Capture

Scan Your WordPress Site in Minutes

Free, read-only, no account required.