WordPress Security Scanner

Free WordPress Security Scanner

Detect plugin CVEs, exposed xmlrpc.php, user enumeration, version disclosure and 18 more WordPress-specific vulnerabilities in 30 seconds.

Free for up to 3 scans per month. No credit card required.

What we check

Six WordPress-specific vulnerability classes, mapped 1:1 to the passive checks DygDog runs against your site.

WordPress core CVEs

Detected version is checked against the WPScan vulnerability database. Every published CVE for that release is surfaced with CVSS score, fixed_in version, and remediation guidance.

Plugin & theme vulnerabilities

Plugins and themes are enumerated passively from /wp-content/ asset URLs, their versions extracted from readme.txt / style.css, and each cross-checked against WPScan for known CVEs.

xmlrpc.php exposure

Probes /xmlrpc.php — a notorious credential-stuffing amplifier (system.multicall bundles up to 1,000 auth attempts per HTTP request) and pingback DDoS vector.

User enumeration

Tests the /wp-json/wp/v2/users REST endpoint and the /?author=1 redirect trick that leaks valid login usernames to anonymous attackers.

Version disclosure

Detects the WordPress version via meta generator tags, /readme.html, and asset ?ver= query strings — all of which fingerprint the install for targeted CVE attacks.

File exposure

Probes a 28-path panel of credential and config files — .env variants, wp-config.php backups, debug.log, .git metadata, and more — that misconfigured servers commonly leak.
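The six checks above are passive findings; the fix for most of them lives on the WordPress side. The following must-use plugin is an added example written for this page, not DygDog's code or part of WordPress, and closes four of the classes described above (xmlrpc.php exposure, REST and ?author= user enumeration, and version disclosure via the generator tag and ?ver= query strings) using WordPress core hooks that exist in current releases. The plugin name and the choice of redirect target are assumptions; file exposure and outdated plugins are not fixable from PHP and are addressed in the note that follows.

```php
<?php
/**
 * Plugin Name: Passive-Findings Hardening (example)
 * Description: Added example mu-plugin (assumed name); not DygDog's or WordPress's own code.
 *              Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress, never as a directly requested file.
}

/* xmlrpc.php exposure: turn off the XML-RPC API entirely, which removes
 * system.multicall brute-force amplification and pingback abuse. */
add_filter( 'xmlrpc_enabled', '__return_false' );

// WordPress also advertises XML-RPC through an X-Pingback response header; drop it.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

/* User enumeration (REST): hide /wp/v2/users from anonymous requests.
 * Logged-in users keep the endpoint so the block editor's author picker still works. */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

/* User enumeration (?author=N): WordPress's canonical redirect turns ?author=1 into
 * /author/<login>/, leaking the username. Hook before redirect_canonical (priority 10)
 * and send anonymous visitors to the home page instead (home_url() is an assumed choice). */
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

/* Version disclosure: remove the <meta name="generator"> tag from HTML heads and
 * the generator element from RSS/Atom feeds. */
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/* Version disclosure: strip the ?ver= query string that core appends to enqueued
 * assets. Trade-off: this also removes cache busting, so purge caches on upgrade. */
$strip_ver = function ( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
};
add_filter( 'style_loader_src', $strip_ver, 9999 );
add_filter( 'script_loader_src', $strip_ver, 9999 );
```

Two of the classes on this page cannot be fixed from PHP. /readme.html, .env variants, debug.log and .git metadata are static files served by the web server, so they need a deny rule at the nginx or Apache layer (and debug.log should not exist on production at all: set WP_DEBUG_LOG to false). Vulnerable plugin and theme versions are resolved only by updating or removing the component; re-running the scan after the update confirms the readme.txt / style.css version no longer matches a known CVE.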

43% of all websites run WordPress. 11,334 new vulnerabilities were discovered in the WordPress ecosystem in 2025.

Source: Patchstack State of WordPress Security 2026

Earn your security badge

Every completed scan generates an embeddable security score badge. Drop it on your README, status page, or footer. Here's what ours looks like:

Frequently asked questions

Is this scanner safe to run on my WordPress site?

Yes — DygDog is 100% passive. It sends GET and HEAD requests to publicly reachable URLs only. It never POSTs payloads, never attempts authentication, never modifies state, and never tries to exploit anything it finds. The network footprint is identical to a search engine crawler. You can run it on production without risk of triggering security plugins, rate limits, or false-positive intrusion alerts.

Do I need to install a plugin?

No. DygDog scans your site externally over HTTPS — exactly the way an attacker on the public internet would see it. There is no plugin to install, no FTP credentials to share, no admin access required, and no agent to deploy. Enter your domain and the scan completes in about 30 seconds.

What's the difference between DygDog and Wordfence?

Wordfence is a server-side plugin focused on real-time firewall rules and malware scanning from inside your WordPress install. DygDog is an external attack-surface scanner — we see what an unauthenticated attacker sees from the public internet: leaked .env files, exposed xmlrpc.php, vulnerable plugin versions discoverable via asset URLs, and user enumeration via the REST API. The two are complementary: Wordfence locks the doors; DygDog tells you which windows you forgot to close.

Scan your WordPress site in under 30 seconds

No plugin install. No FTP credentials. No admin access. Enter your domain and get a comprehensive WordPress security report immediately.