Misconfiguration & Vulnerability Scanner
Run a first-pass public scan for common website hardening gaps like missing security headers, exposed WordPress XML-RPC and obvious file-leak mistakes before they turn into cleanup or incident work.
This tool is meant for quick public checks on a live domain where you want to spot obvious misconfigurations without logging into the server or CMS.
It does not replace a real audit or authenticated review, but it surfaces common issues that often show up in inherited WordPress and VPS setups.
Run the scan
Enter a public domain. The scanner checks homepage headers and a small set of common public exposure paths.
What this check does
- Checks the homepage for common hardening headers like HSTS and Content Security Policy.
- Looks for public WordPress XML-RPC and REST API exposure.
- Checks a short list of obvious file-leak mistakes such as public `.git` or `.env` files.
- Uses public requests only and does not authenticate into the target system.
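The header part of a check like this, as an added example (not the scanner's own code): it grades an already captured set of homepage response headers for HSTS and Content Security Policy. The function name, the 180-day threshold and the sample headers are assumptions constructed for illustration.

```python
import re

# Assumption: treat an HSTS lifetime under 180 days as weak.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

def audit_headers(headers):
    """Return (check, status, detail) findings for one homepage response."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts", "missing", "header not sent"))
    else:
        m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', hsts, re.I)
        if m is None:
            findings.append(("hsts", "invalid", "no max-age directive"))
        elif int(m.group(1)) == 0:
            findings.append(("hsts", "disabled", "max-age=0 clears the policy"))
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(("hsts", "weak", "max-age=" + m.group(1)))
        else:
            findings.append(("hsts", "ok", "max-age=" + m.group(1)))

    # A Report-Only policy logs violations but does not block anything,
    # so it is reported separately from an enforcing policy.
    if h.get("content-security-policy"):
        findings.append(("csp", "ok", "enforcing policy present"))
    elif h.get("content-security-policy-report-only"):
        findings.append(("csp", "report-only", "violations logged, not blocked"))
    else:
        findings.append(("csp", "missing", "header not sent"))
    return findings

# Constructed sample headers, not taken from any real site.
SAMPLE_WEAK = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}
SAMPLE_OK = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
}

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_headers(sample))
```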
Important limits
- It only checks a small public set of obvious exposures and missing headers.
- It does not authenticate into the CMS, server or hosting panel.
- A visible `/wp-json` endpoint is not automatically a breach; context still matters.
- For real incident handling or full hardening work, a proper audit is still the right next step.
Need the webhook path fixed properly?
If this public scan is already surfacing weak headers or exposed files, the safer path is to review the server, deployment setup and CMS hardening properly before the next incident turns a small oversight into downtime or cleanup work.
