Cloudflare-Native · Infrastructure-First · No Plugin Required

Operational security standards for WordPress infrastructure

WPSecuritas is not a plugin. It analyzes your WordPress installation from the outside — auditing your Cloudflare edge configuration, email authentication stack, and WordPress exposure surface exactly the way an attacker would. No agent. No footprint inside WordPress.

Free external scan · No account required · No installation

Security should live outside WordPress.

Traditional WordPress security tools install plugins that sit inside your installation — adding weight, consuming resources, and creating new attack surface to defend. They cannot see your Cloudflare configuration. They do not understand your email authentication posture. They live inside the perimeter they are supposed to protect.

WPSecuritas operates entirely at the infrastructure level. We connect to nothing inside your WordPress installation. Our scanner is externally observable by design — if we can see a misconfiguration, so can an attacker.

The plugin model

  • Lives inside WordPress
  • Adds attack surface
  • Can't audit Cloudflare
  • Ignores email authentication
  • Fear-based marketing
  • Requires ongoing maintenance

WPSecuritas

  • No footprint in WordPress
  • Reduces attack surface
  • Cloudflare-native analysis
  • Full email auth stack
  • Operational standards
  • Nothing to install or update

Analysis Coverage

Three pillars of operational security

01

Edge & Cloudflare

Your Cloudflare configuration is your first line of defense. Most security audits never reach this layer. We verify the proxy is active, HSTS is properly configured, security headers are set and correct, and your Content Security Policy is present and not undermined by unsafe directives.

  • Cloudflare proxy and WAF status
  • HSTS with includeSubDomains and preload
  • Referrer-Policy, X-Frame-Options, X-Content-Type-Options
  • Permissions-Policy, COOP, CORP
  • Content-Security-Policy analysis
  • TLS reachability
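
The header checks listed above can be expressed as a small auditor over a response's headers. This is an added example, not WPSecuritas code: the function name, finding labels, one-year HSTS threshold and sample headers are assumptions constructed for illustration.

```javascript
// Added example (not WPSecuritas code): grade response headers against the edge checks above.
// `h` is a plain object of response headers with lowercase names.
function auditHeaders(h) {
  const findings = [];
  // HSTS directive names are case-insensitive; values may be quoted.
  const hsts = new Map((h["strict-transport-security"] || "").split(";")
    .map(d => d.trim().toLowerCase().split("=")).filter(d => d[0])
    .map(([k, v]) => [k, (v || "").replace(/"/g, "")]));
  if (!hsts.has("max-age")) findings.push("hsts-missing");
  else {
    // Assumed threshold: one year. Written so a non-numeric max-age is also flagged.
    if (!(Number(hsts.get("max-age")) >= 31536000)) findings.push("hsts-short-max-age");
    if (!hsts.has("includesubdomains")) findings.push("hsts-no-includesubdomains");
    if (!hsts.has("preload")) findings.push("hsts-no-preload");
  }
  // CSP: the first occurrence of a directive wins, so reverse before building the Map.
  const csp = new Map((h["content-security-policy"] || "").split(";")
    .map(d => d.trim().toLowerCase().split(/\s+/)).filter(d => d[0])
    .map(([name, ...src]) => [name, src]).reverse());
  if (csp.size === 0) findings.push("csp-missing");
  else {
    const script = csp.get("script-src") || csp.get("default-src"); // fallback rule
    if (!script) findings.push("csp-no-script-restriction");
    else {
      // A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'.
      const strict = script.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
      if (script.includes("'unsafe-inline'") && !strict) findings.push("csp-unsafe-inline");
      if (script.includes("'unsafe-eval'")) findings.push("csp-unsafe-eval");
      if (script.includes("*")) findings.push("csp-wildcard-script");
    }
  }
  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff")
    findings.push("xcto-not-nosniff");
  // Framing is restricted by X-Frame-Options or by CSP frame-ancestors.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (!["DENY", "SAMEORIGIN"].includes(xfo) && !csp.has("frame-ancestors"))
    findings.push("framing-unrestricted");
  for (const name of ["referrer-policy", "permissions-policy",
    "cross-origin-opener-policy", "cross-origin-resource-policy"])
    if (!h[name]) findings.push(name + "-missing");
  return findings;
}
// Constructed sample response: CSP is present but undermined by unsafe directives.
const WEAK = {
  "strict-transport-security": "max-age=86400",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "x-frame-options": "ALLOWALL",
};
console.log(auditHeaders(WEAK));
```
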
02

WordPress Exposure

WordPress exposes attack surface through predictable paths and default behaviors that most installations never address. We audit your external surface exactly as an attacker would — without credentials, without access, from the open internet.

  • XML-RPC endpoint (brute-force and amplification vector)
  • User enumeration via author archive
  • REST API user list exposure
  • WordPress version disclosure
  • Login page protection status
  • readme.html availability

For Professionals

Built for agencies and WordPress professionals

WPSecuritas exists because the people who build and maintain WordPress professionally — agencies, developers, infrastructure-focused consultants — need tools that match their understanding of the stack. Not fear marketing designed for site owners who don't know what a WAF is.

The intersection of WordPress, Cloudflare, email authentication, and infrastructure is a niche that most security vendors do not occupy. That intersection is what WPSecuritas was built to own.

External and non-invasive

Scans require only a domain name. No credentials, no plugin, no server access. Safe to run against client sites without touching their installation.

Cloudflare-native by design

Built on Cloudflare Workers, D1, and Queues. Not a server-based tool adapted for the edge — designed for it from the ground up.

Standards-based scoring

Findings are graded against operational security standards, not arbitrary severity theater. Each recommendation is specific, actionable, and prioritized.

Shareable reports

Every scan generates a shareable report URL. Use it to demonstrate value to clients, document remediation progress, or audit a site before onboarding.

Run your first analysis

Free external scan. No account required. Results in under 30 seconds.