Cyber Audit Suite for WordPress

Paste a WordPress URL and fire 10 security checks at once, then read one posture score, sorted findings and an action plan ordered by impact.

This cyber audit suite for WordPress fires ten security checks at one URL in parallel and folds them into a single posture score, so you stop copying results out of five separate tools by hand. It probes the exposure surface (version disclosure, readme files, xmlrpc, REST user enumeration, the old ?author=N redirect), the transport layer (TLS, certificate, the six security headers) and the network layer (DNS health with SPF and DMARC, redirect chain and TTFB). Every check lands on a 0 to 100 score against thresholds drawn from the OWASP Top 10 and the Mozilla SSL baseline, then rolls up into five buckets you can read at a glance. Findings come back sorted by how badly they actually bite, and the action plan weighs impact against effort instead of dumping a flat CVE list on you. Scan history lives in your browser, the raw JSON drops straight into a ticket, and you can point it at any public site, not just your own.

Queries run through the PeopleAreGeek lookup service. We log nothing.

Cyber audit suite for WordPress: 10 parallel security checks, unified posture score, prioritised action plan

Paste a WordPress URL. Hit the button. About 20 seconds later you know where the site really stands. Ten checks fire at once: security headers, the TLS and certificate situation, DNS health, whether the WP version is leaking, xmlrpc, REST user enumeration, the old ?author=N trick, a stray readme.html, robots.txt. Each one gets a score. The findings come back sorted by how badly they actually bite, and the action plan tells you what to touch first, so you are not staring at a wall of red wondering where to even start.

What the cyber audit suite measures

The cyber audit suite for WordPress fires ten checks at one URL in parallel and folds them into a single posture score, so you stop copying results out of five separate tools by hand. It runs the WP exposure tests (version disclosure, readme files, xmlrpc, REST user enumeration, the ?author=N redirect), the transport layer (TLS, certificate, security headers) and the network layer (DNS health, redirect chain). The exposure tests follow the OWASP Top 10 for Web Applications 2025, and the transport scoring tracks the Mozilla SSL Configuration Generator baseline. Between them they cover roughly 90 percent of the misconfigurations that actually get sites owned.

How the score is calculated

Every check lands on a 0 to 100 score with thresholds picked on purpose, then folds into five buckets: Transport, Exposure, Network, Surface and Hygiene. The headline number is the average of those five. Clear 85 and you read "hardened". Anywhere from 60 to 85 reads "needs improvement". Drop under 60 and you are "exposed". The math behind every deduction sits on the Findings tab, so you can go fix things without re-running the whole scan to remember what hurt you. One score per category fits in a Slack message or a board slide, while the gory detail stays one click away for whoever is doing the work.

The action plan: priority over completeness

The Action plan tab does not just sort by severity. It weighs impact against effort. A missing CSP header you can drop in with one nginx line jumps ahead of a medium plugin upgrade that wants a staging copy, a regression pass and scheduled downtime. Most scanners hand you a flat list sorted by CVE score and wander off, leaving you to decide what to fix on a Tuesday afternoon. This one hands you the order you would have landed on anyway.
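The three pieces described above (the header checks in the transport layer, the bucket scoring with its 85 and 60 boundaries, and the impact-against-effort ordering of the action plan) fit together in the following added example. It is not code from the suite or from PeopleAreGeek: it evaluates a constructed set of HTTP response headers, folds the resulting findings into the five buckets, averages them into one headline score and orders the action plan by deduction per unit of effort. The six header names, the deductions, the effort estimates, the treatment of buckets with no findings and the handling of a score of exactly 85 are all assumptions, not the suite's thresholds, and the non-header findings are constructed rather than probed.

```javascript
// Added example, not the PeopleAreGeek suite's own code. Header list, deductions,
// effort estimates and boundary handling are assumptions for illustration.

const BUCKETS = ["Transport", "Exposure", "Network", "Surface", "Hygiene"];

// Assumed set of six headers (the page does not enumerate them). deduction is the
// impact of a miss; effort runs from 1 (one config line) to 3 (needs a staging pass).
const HEADER_RULES = [
  { id: "hsts-missing-or-short", header: "strict-transport-security", deduction: 25, effort: 1,
    ok: (v) => { const m = /max-age=(\d+)/i.exec(v); return !!m && Number(m[1]) >= 15552000; } },
  { id: "csp-missing", header: "content-security-policy", deduction: 25, effort: 3,
    ok: (v) => v.trim() !== "" },
  { id: "nosniff-missing", header: "x-content-type-options", deduction: 15, effort: 1,
    ok: (v) => v.trim().toLowerCase() === "nosniff" },
  { id: "xfo-missing", header: "x-frame-options", deduction: 15, effort: 1,
    ok: (v) => /^(deny|sameorigin)$/i.test(v.trim()) },
  { id: "referrer-policy-missing", header: "referrer-policy", deduction: 10, effort: 1,
    ok: (v) => v.trim() !== "" },
  { id: "permissions-policy-missing", header: "permissions-policy", deduction: 10, effort: 2,
    ok: (v) => v.trim() !== "" },
];

// Header names are case-insensitive, so keys are lower-cased before lookup.
function checkHeaders(rawHeaders) {
  const headers = {};
  for (const [k, v] of Object.entries(rawHeaders)) headers[k.toLowerCase()] = String(v);
  return HEADER_RULES.map((rule) => {
    const value = headers[rule.header];
    const failed = value === undefined || !rule.ok(value);
    return { id: rule.id, bucket: "Transport", deduction: rule.deduction, effort: rule.effort, failed };
  });
}

// Each bucket starts at 100 and loses the deduction of every failed finding,
// floored at 0. A bucket with no findings at all scores 100 here (assumption).
function bucketScores(findings) {
  const scores = {};
  for (const b of BUCKETS) {
    const lost = findings.filter((f) => f.bucket === b && f.failed)
      .reduce((sum, f) => sum + f.deduction, 0);
    scores[b] = Math.max(0, 100 - lost);
  }
  return scores;
}

// Headline number: plain average of the five buckets, as the page states.
function postureScore(scores) {
  return Math.round(BUCKETS.reduce((sum, b) => sum + scores[b], 0) / BUCKETS.length);
}

// 85 and above reads hardened, 60 to 84 needs improvement, under 60 exposed.
// Putting exactly 85 on the hardened side is an assumption.
function postureLabel(score) {
  if (score >= 85) return "hardened";
  if (score >= 60) return "needs improvement";
  return "exposed";
}

// Action plan: failed findings ordered by deduction per unit of effort, so a cheap
// fix with a decent payoff outranks a costly fix with a slightly larger payoff.
// Ties fall back to raw deduction, then to id so the order is stable.
function actionPlan(findings) {
  return findings
    .filter((f) => f.failed)
    .sort((a, b) =>
      (b.deduction / b.effort) - (a.deduction / a.effort) ||
      b.deduction - a.deduction ||
      a.id.localeCompare(b.id))
    .map((f) => f.id);
}

function runAudit(rawHeaders, otherFindings) {
  const findings = [...checkHeaders(rawHeaders), ...otherFindings];
  const scores = bucketScores(findings);
  const score = postureScore(scores);
  return { findings, scores, score, label: postureLabel(score), plan: actionPlan(findings) };
}

// Constructed sample response: HSTS and nosniff present, the other four headers absent.
const SAMPLE_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "Content-Type": "text/html; charset=UTF-8",
};

// Constructed results standing in for checks this example does not perform itself.
const SAMPLE_OTHER_FINDINGS = [
  { id: "wp-version-disclosed", bucket: "Exposure", deduction: 40, effort: 1, failed: true },
  { id: "xmlrpc-enabled", bucket: "Exposure", deduction: 30, effort: 2, failed: true },
  { id: "readme-html-present", bucket: "Exposure", deduction: 20, effort: 1, failed: false },
  { id: "spf-missing", bucket: "Network", deduction: 20, effort: 2, failed: false },
  { id: "dmarc-missing", bucket: "Network", deduction: 30, effort: 2, failed: true },
];

const SAMPLE_RESULT = runAudit(SAMPLE_HEADERS, SAMPLE_OTHER_FINDINGS);
console.log(JSON.stringify(SAMPLE_RESULT.scores), SAMPLE_RESULT.score, SAMPLE_RESULT.label);
console.log(SAMPLE_RESULT.plan.join(" > "));
```

On the sample input the Transport bucket lands on 40, Exposure on 30, Network on 70 and the two untouched buckets on 100, which averages to 68 and reads "needs improvement". The ordering is the point of the example: sorted by deduction alone, the missing CSP would sit fourth, but with an effort of 3 it drops below the one-line X-Frame-Options and Referrer-Policy fixes, which is the reordering the action plan paragraph describes.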

Privacy and when to run it

The whole thing runs from your browser. The URL you type only ever hits the probe endpoints, the DNS lookup, the header fetch, the handshake that checks TLS. Your scan history lives in your browser localStorage, so clear it and it is gone. Reach for it before you flip DNS to production, on a quiet quarterly health check, or after something feels off (spam in comments, odd outbound traffic, a login you do not recognise). It will not read plugin code, catch runtime-injected malware, or test anything behind a login. Treat it as the fast first look that tells you whether the expensive deep dive is even worth booking.

Frequently asked questions

How long does a scan take?

Usually 8 to 25 seconds. The target decides which end you land on, not me. Behind Cloudflare, or speaking HTTP/2? You are often done in under 12. Stick it on tired shared hosting and it can crawl all the way to 25, and it is almost always the cert handshake and DNS resolution dragging their feet. The actual checks are quick.

Can I scan a site I do not own?

Yeah, you can. It only ever touches what any random visitor already sees: HTTP responses, DNS records, the public TLS handshake. Nothing it reads is hidden behind a password. It is the exact same surface every bot scanner on the internet pokes at all day anyway. I do not bypass auth, and the URL does not stick around past your browser session.

Does the scan trigger Wordfence or Sucuri alerts?

Across 200-plus sites I have run it against, it has not tripped a commercial WAF once. Each probe is a single clean HTTP request with nothing attack-shaped behind it. If something does light up, that is just my backend knocking, and it comes from a fixed IP range I am happy to send you. Drop that into Wordfence Live Traffic as allowed and you will not get a fright the next time around.

What is the difference between this and SecuChecker?

SecuChecker is the WordPress-specific bit, its 18 exposure checks. This suite runs every one of those, then bolts on the transport layer (TLS, certificate, headers) and the network layer (DNS health, redirect chain), and rolls the whole lot into one score across all three. So SecuChecker is not a competitor here. It is one of the modules feeding the suite.

Where is my scan history stored?

All of it lives in your browser localStorage, under the key cyberAuditSuite.history. I keep the last 30 scans and quietly drop the oldest as fresh ones land. Clear your browser data and it is wiped. There is no copy sitting on my server to fall back on, and that is rather the point.