
Trusti Radar

5.0 (3 ratings)
Extension · Privacy & Security · 10 users

Overview

External security scanner for WordPress sites from your own browser IP.

Trusti Radar is a security scanner built for WordPress professionals. Whether you manage your own site or a portfolio of client websites, Trusti Radar gives you a clear, actionable picture of your WordPress security posture — directly from your browser, with no plugins to install on the target site and no data sent to any external server except the site being scanned. Built for freelancers, agencies, and developers who need real answers fast.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HOW IT WORKS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Add a site by entering its URL. Trusti Radar will ask you to verify that you own or are authorized to scan it, either by uploading a small text file to the server or by adding a DNS TXT record (a one-time step per site). Once verified, you can run a full security scan at any time with a single click.

The scanner runs entirely from your browser. Requests go directly to the target site and to a small number of public security databases. Nothing passes through Trusti Security servers. Your site list, scan results, and settings are stored locally in Chrome and never leave your device.

Every finding comes with a plain-language explanation, technical detail, a recommended fix, and a link to a dedicated guide covering the issue in depth. Results are sorted by severity: Critical, High, Medium, Low, and Informational.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHAT TRUSTI RADAR CHECKS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

◆ VULNERABILITIES IN CORE, PHP, PLUGINS AND THEMES
Trusti Radar detects the exact versions of WordPress core, PHP, all installed plugins, and all installed themes, then queries a public CVE database to check for known security vulnerabilities. Each finding includes the CVE identifier and a direct link to the NVD entry so you can assess severity and find patching guidance.

◆ HTTP SECURITY HEADERS
Checks for the presence and correct configuration of all major security headers:
• Content-Security-Policy — prevents XSS attacks and controls which external resources the browser may load
• Strict-Transport-Security (HSTS) — forces browsers to use HTTPS, preventing SSL stripping
• X-Frame-Options — prevents clickjacking via iframe embedding
• X-Content-Type-Options — prevents MIME-sniffing attacks
• Referrer-Policy — controls how much referrer data is shared with third parties
• Permissions-Policy — restricts browser feature access (camera, microphone, geolocation, etc.)

◆ SSL AND HTTPS
• Confirms the site is served over HTTPS
• Checks that HTTP redirects to HTTPS
• Detects mixed content (HTTP resources on HTTPS pages)
• Verifies HSTS is present with a sufficient max-age value
• Queries certificate transparency logs (crt.sh) to confirm a valid certificate exists
• Checks whether the domain has been submitted to the HSTS preload list

◆ EXPOSED FILES AND SENSITIVE PATHS
One of the most thorough checks in the scanner. Trusti Radar probes over 30 known sensitive locations, including:
• WordPress config backups such as wp-config.php.bak, wp-config.php~, wp-config.old, wp-config.txt, wp-config.php.swp, wp-config.php.save
• Database dumps: database.sql, dump.sql, db.sql, backup.sql
• Environment files: .env, .env.local, .env.production
• Source control artifacts: .git/HEAD, .svn/entries, .hg/hgrc
• Dependency files: composer.json, composer.lock, package.json, package-lock.json, yarn.lock
• Debug and log files: debug.log, error_log, phpinfo.php
• Database tools: phpMyAdmin, Adminer, /pma/, /myadmin/, etc.
• Archive files: backup.zip, site.zip, ...
• WordPress files: readme.html, license.txt, wp-config-sample.php
• AWS credentials file, .DS_Store, Apache server-status and server-info pages
• JavaScript source maps, upgrade directory listing

◆ LOGIN AND BRUTE FORCE SECURITY
• Detects username enumeration via author archive redirects
• Detects username enumeration via the WordPress REST API users endpoint
• Detects whether the lost-password form reveals if a username or email exists
• Detects whether login error messages confirm a username is valid
• Tests a curated list of commonly used weak passwords against the login endpoint
• Checks whether the site filters requests by user-agent

◆ SECRET KEY DETECTION
Scans the homepage HTML and linked JavaScript files for accidentally exposed credentials:
• Stripe live and test secret keys
• AWS Access Key IDs
• Google API keys
• GitHub personal access tokens and OAuth tokens
• Slack tokens
• SendGrid and Mailgun API keys
• PEM private key blocks

◆ WORDPRESS REST API EXPOSURE
• Checks whether the REST API lists registered users without authentication
• Checks whether unpublished draft posts are accessible without authentication
• Detects whether the media library is fully enumerable (exposing private files)
• Checks whether WooCommerce product data is publicly accessible

◆ DNS AND EMAIL SECURITY
• CAA Records — checks whether the domain restricts which Certificate Authorities can issue SSL certificates for it
• DNSSEC — checks whether DNS responses are cryptographically signed
• SPF Record — checks whether the domain can be used for email spoofing
• Reverse IP — detects how many other sites share the same server IP
• Spam Blacklists — checks the server IP against Spamhaus, Barracuda, SORBS, and SpamCop

◆ WORDPRESS-SPECIFIC CHECKS
• Admin URL exposure — checks whether /wp-admin/ is accessible at the default path
• XML-RPC exposure — detects whether xmlrpc.php is accessible (frequently abused for brute force and DDoS)
• WP-Cron exposure — checks whether wp-cron.php can be triggered directly from the web
• Directory listing — checks whether the uploads folder allows public file browsing
• RSS feed — flags feeds that expose author usernames

◆ SERVER AND INFRASTRUCTURE
• Dangerous HTTP methods — detects TRACE, PUT, DELETE, and CONNECT if advertised
• Open registration — detects whether public user registration is enabled
• robots.txt — flags entries that advertise sensitive paths to search engines
• Cloaking detection — compares HTML served to regular visitors versus Googlebot
• Hidden iframes — detects iframes on the homepage that may indicate compromise
• Malicious scripts — detects known malware patterns and suspicious third-party JavaScript

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PRIVACY AND DATA PRACTICES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Trusti Radar is designed around a strict no-collection policy:
• No data is sent to Trusti Security servers — ever
• All scan results, site lists, and settings stay in Chrome's local extension storage on your device
• The extension contains no analytics, telemetry, or crash reporting code
• Uninstalling the extension removes all locally stored data

During a scan, the extension makes direct requests from your browser to four external services only:
1. The target site itself — standard HTTP requests to publicly accessible URLs
2. wpvulnerability.net — queried with plugin/theme slugs and version numbers for CVE data
3. hstspreload.org — queried with the domain name to check preload list status
4. crt.sh — queried with the domain name to verify SSL certificate validity

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
REQUIREMENTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

• Google Chrome
• A WordPress site you own or have explicit permission to scan
• Ability to upload a small text file to the web server for one-time ownership verification (via FTP, file manager, or SSH)

No account required. No API key. No server-side setup.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
AUTHORIZED USE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Trusti Radar is intended for use on websites you own or have explicit written permission to scan. The ownership verification step confirms hosting access but does not replace the need to obtain proper authorization from site owners. Users are solely responsible for ensuring they have the legal right to perform security testing on any site they add. Unauthorized scanning of third-party websites may be illegal in your jurisdiction.
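As an added illustration of the HTTP SECURITY HEADERS and HSTS max-age checks described in the overview, here is a small JavaScript evaluator that runs over a response's headers and reports findings in the same Critical/High/Medium/Low/Informational scale. This is example code written for this page, not the extension's own code; the severity assigned to each finding, the one-year max-age threshold, the function names and the two sample header sets are all assumptions constructed for the example.

```javascript
// Added example (not the extension's code): evaluate a set of HTTP response
// headers the way a header check might. Severities and thresholds are assumed.
'use strict';

// One year in seconds, the value commonly required for HSTS preload
// eligibility; used here as the "sufficient max-age" cut-off (assumption).
const HSTS_MIN_MAX_AGE = 31536000;

// Parse a Strict-Transport-Security value into its directives.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim().toLowerCase();
    if (directive.startsWith('max-age=')) {
      const n = Number.parseInt(directive.slice('max-age='.length).replace(/"/g, ''), 10);
      if (Number.isFinite(n)) out.maxAge = n;
    } else if (directive === 'includesubdomains') {
      out.includeSubDomains = true;
    } else if (directive === 'preload') {
      out.preload = true;
    }
  }
  return out;
}

// Parse a Content-Security-Policy value into a Map of directive -> source tokens.
function cspDirectives(value) {
  const map = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) map.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return map;
}

// headers: plain object of header name -> value; names are matched case-insensitively.
// Returns findings sorted by severity (most severe first).
function evaluateSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const add = (header, severity, message) => findings.push({ header, severity, message });

  if (!('content-security-policy' in h)) {
    add('Content-Security-Policy', 'High', 'header missing; script and resource origins are unrestricted');
  } else {
    const d = cspDirectives(h['content-security-policy']);
    const script = d.get('script-src') || d.get('default-src') || [];
    if (script.includes("'unsafe-inline'")) add('Content-Security-Policy', 'Medium', "script-src allows 'unsafe-inline', which largely defeats the XSS protection");
    if (script.includes('*')) add('Content-Security-Policy', 'Medium', 'script-src allows any origin (*)');
  }

  if (!('strict-transport-security' in h)) {
    add('Strict-Transport-Security', 'High', 'header missing; browsers may be downgraded to plain HTTP');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (hsts.maxAge === null) add('Strict-Transport-Security', 'High', 'max-age directive missing or unparseable');
    else if (hsts.maxAge < HSTS_MIN_MAX_AGE) add('Strict-Transport-Security', 'Medium', `max-age=${hsts.maxAge} is below ${HSTS_MIN_MAX_AGE} (one year)`);
  }

  const xfo = h['x-frame-options'];
  if (!xfo) add('X-Frame-Options', 'Medium', 'header missing; page may be framed (clickjacking)');
  else if (!['deny', 'sameorigin'].includes(xfo.trim().toLowerCase())) add('X-Frame-Options', 'Low', `unexpected value "${xfo}"; use DENY or SAMEORIGIN`);

  const xcto = h['x-content-type-options'];
  if (!xcto || xcto.trim().toLowerCase() !== 'nosniff') add('X-Content-Type-Options', 'Low', 'missing or not "nosniff"; browsers may MIME-sniff responses');

  if (!('referrer-policy' in h)) add('Referrer-Policy', 'Low', 'header missing; full referrer URLs may leak to third parties');
  if (!('permissions-policy' in h)) add('Permissions-Policy', 'Low', 'header missing; browser features such as camera and geolocation are not restricted');

  const order = { Critical: 0, High: 1, Medium: 2, Low: 3, Informational: 4 };
  return findings.sort((a, b) => order[a.severity] - order[b.severity]);
}

// Constructed sample header sets (not captured from any real site).
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=UTF-8',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Frame-Options': 'ALLOWALL',
};
const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=UTF-8',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

console.log('weak site:', evaluateSecurityHeaders(WEAK_HEADERS));
console.log('hardened site:', evaluateSecurityHeaders(HARDENED_HEADERS));
```

In a browser extension the headers would come from a `fetch()` response's `Headers` object (iterate it with `for (const [k, v] of response.headers)` to build the plain object); note that a cross-origin `fetch` only exposes headers the target allows, which is one reason a scanner of this kind needs host permissions for the sites it checks.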

Details

  • Version
    1.0.0
  • Updated
    April 25, 2026
  • Size
    97.0KiB
  • Languages
    English
  • Developer
    Website
    Email
    support@trustiwp.com
  • Non-trader
    This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.

Privacy

The developer has disclosed that it will not collect or use your data. To learn more, see the developer’s privacy policy.

This developer declares that your data is

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes

Support

For help with questions, suggestions, or problems, visit the developer's support site
