Cloudflare-Native · Infrastructure-First · No Plugin Required

Operational security standards for WordPress infrastructure

WPSecuritas is not a plugin. It analyzes your WordPress installation from the outside — auditing your Cloudflare edge configuration, email authentication stack, and WordPress exposure surface exactly the way an attacker would. No agent. No footprint inside WordPress.

Free external scan · No account required · No installation

Security should live outside WordPress.

Traditional WordPress security tools install plugins that sit inside your installation — adding weight, consuming resources, and creating new attack surface to defend. They cannot see your Cloudflare configuration. They do not understand your email authentication posture. They live inside the perimeter they are supposed to protect.

WPSecuritas operates entirely at the infrastructure level. We connect to nothing inside your WordPress installation. Our scanner is externally observable by design — if we can see a misconfiguration, so can an attacker.

The plugin model

  • Lives inside WordPress
  • Adds attack surface
  • Can't audit Cloudflare
  • Ignores email authentication
  • Fear-based marketing
  • Requires ongoing maintenance

WPSecuritas

  • No footprint in WordPress
  • Reduces attack surface
  • Cloudflare-native analysis
  • Full email auth stack
  • Operational standards
  • Nothing to install or update

Analysis Coverage

Three pillars of operational security

01

Edge & Cloudflare

Your Cloudflare configuration is your first line of defense. Most security audits never reach this layer. We verify the proxy is active, HSTS is properly configured, security headers are set, and your Content Security Policy is present and not undermined by unsafe directives.

  • Cloudflare proxy and WAF status
  • HSTS with includeSubDomains and preload
  • Referrer-Policy, X-Frame-Options, X-Content-Type-Options
  • Permissions-Policy, COOP, CORP
  • Content-Security-Policy analysis
  • TLS reachability
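
The header checks listed above can be expressed as a small audit function. This is an added example, not WPSecuritas code: the function name, the finding labels and the one-year `max-age` floor are assumptions, and the sample headers are constructed.

```javascript
// Added example. Finding labels are hypothetical, not WPSecuritas output.
const REQUIRED = ["referrer-policy", "x-frame-options", "x-content-type-options",
  "permissions-policy", "cross-origin-opener-policy", "cross-origin-resource-policy"];
const ONE_YEAR = 31536000; // assumed max-age floor (what hstspreload.org asks for)

function auditEdgeHeaders(rawHeaders) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  // HSTS: ';'-separated, case-insensitive directives.
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("hsts-missing");
  } else {
    const d = hsts.toLowerCase().split(";").map((s) => s.trim());
    const maxAge = d.find((s) => s.startsWith("max-age="));
    const age = maxAge ? parseInt(maxAge.slice(8).replace(/"/g, ""), 10) : NaN;
    if (!(age >= ONE_YEAR)) findings.push("hsts-max-age-too-short");
    if (!d.includes("includesubdomains")) findings.push("hsts-no-includesubdomains");
    if (!d.includes("preload")) findings.push("hsts-no-preload");
  }
  for (const name of REQUIRED) if (!h[name]) findings.push(`missing-${name}`);
  // CSP: flag source expressions that undermine script/style restrictions.
  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("csp-missing");
  } else {
    for (const directive of csp.split(";")) {
      const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
      if (!/^(default-src|script-src|style-src)/.test(name)) continue;
      // Browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
      const strict = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      for (const bad of ["'unsafe-inline'", "'unsafe-eval'", "*"]) {
        if (bad === "'unsafe-inline'" && strict) continue;
        if (sources.includes(bad)) findings.push(`csp-${name}-${bad.replace(/'/g, "")}`);
      }
    }
  }
  return findings;
}

// Constructed sample response headers (not from a real site).
const sample = {
  "Strict-Transport-Security": "max-age=300",
  "X-Content-Type-Options": "nosniff",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
};
console.log(auditEdgeHeaders(sample));
```

An empty result means every check in this example passed; it says nothing about the proxy, WAF or TLS items, which need a live request.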

02

WordPress Exposure

WordPress exposes attack surface through predictable paths and default behaviors that most installations never address. We audit your external surface exactly as an attacker would — without credentials, without access, from the open internet.

  • XML-RPC endpoint (brute-force and amplification vector)
  • User enumeration via author archive
  • REST API user list exposure
  • WordPress version disclosure
  • Login page protection status
  • readme.html availability

For Professionals

Built for agencies and WordPress professionals

WPSecuritas exists because the people who build and maintain WordPress professionally — agencies, developers, infrastructure-focused consultants — need tools that match their understanding of the stack. Not fear marketing designed for site owners who don't know what a WAF is.

The intersection of WordPress, Cloudflare, email authentication, and infrastructure is a niche that most security vendors do not occupy. That intersection is what WPSecuritas was built to own.

External and non-invasive

Scans require only a domain name. No credentials, no plugin, no server access. Safe to run against client sites without touching their installation.

Cloudflare-native by design

Built on Cloudflare Workers, D1, and Queues. Not a server-based tool adapted for the edge — designed for it from the ground up.

Standards-based scoring

Findings are graded against operational security standards, not arbitrary severity theater. Each recommendation is specific, actionable, and prioritized.

Shareable reports

Every scan generates a shareable report URL. Use it to demonstrate value to clients, document remediation progress, or audit a site before onboarding.

Service Tiers

Start free. Scale when you're ready.

Free

Available Now

Full external security analysis with no account required. The right starting point for any WordPress professional.

  • Public domain scans
  • Full findings and pass report
  • Edge, WordPress, and email analysis
  • Shareable report URL
  • Severity-graded recommendations

Agency

Coming Soon

Multi-site management, branded reporting, and compliance exports for agencies running WordPress at scale.

  • Everything in Pro
  • Multi-site dashboard
  • Branded client-facing reports
  • Compliance export formats
  • Shared team access
  • Client portal sharing
  • Volume scanning priority

Platform Roadmap

What's being built

Continuous monitoring and alerting

Scheduled rescans run automatically against your registered domains. Regressions — a newly exposed endpoint, a lapsed DMARC policy, a header removed during a server migration — surface as alerts before your clients notice them.

PDF report export

Professionally formatted PDF reports with an executive summary, categorized findings, and remediation guidance. Designed to be handed directly to a client or included in a security deliverable without further editing.

Connected Cloudflare mode

Authenticate with a read-only Cloudflare API token and unlock zone-level analysis — WAF rule coverage, bot management configuration, page rule conflicts, and SSL/TLS settings that are invisible to an external scan. The audit goes deeper when you give it permission to look.

Automated remediation and hardening templates

One-click deployment of Cloudflare WAF rule packs, Transform Rules for security headers, and configuration templates validated against WPSecuritas standards. Fix the finding without leaving the platform.

Multi-site agency dashboard

A unified view across all client sites under management — aggregate scores, open findings by severity, scan history, and regression alerts. Built for the agency workflow where one person is responsible for the security posture of dozens of installations.

Branded client reports and compliance exports

White-labeled reports under your agency's branding, and structured compliance exports for clients operating under data protection or contractual security requirements. Demonstrate due diligence with documentation your clients can actually read.

Get in Touch

Interested in Pro or Agency access?

WPSecuritas Pro and Agency are in active development. If you manage WordPress professionally and want early access, want to discuss a specific use case, or have questions about how WPSecuritas fits your workflow — reach out directly.

We work with agencies and professionals. No sales funnel. No automated sequence. A direct conversation.

hello@wpsecuritas.com

Inquiries about Pro access, agency partnerships, and early access requests are all welcome.

Run your first analysis

Free external scan. No account required. Results in under 30 seconds.