Overview
Secure your Wordpress site with WP Spike
WP Spike is a one-click WordPress security scanner that runs right in your Chrome toolbar and grades your site 0 to 100 with an A to F hardening score. Point WP Spike at any site you own or are authorized to test. It first confirms the site is running WordPress, then runs 55 read-only checks for the exact misconfigurations attackers probe first, and gives you a plain-English fix for every finding. WHAT WP SPIKE CHECKS: • Information disclosure: readme.html, license.txt, version-leaking generator tags, wp-config-sample.php, full path disclosure, an exposed .git repository or .env file, and a robots.txt that maps your admin paths. • Leaked config and database backups: wp-config.php.bak / .old / .txt and editor swap files (vim .swp, emacs autosave), plus public SQL dumps (wordpress.sql, /backup/, uploads/dump.sql, backup-db, Duplicator and migration leftovers). • User enumeration: the REST users API (and rest_route and mixed-case bypasses), ?author=1 redirects, core and Yoast author sitemaps, RSS dc:creator, oEmbed, and the WordPress.com public API. Every leaked login is listed in a Discovered Usernames panel with how many endpoints exposed it. • Directory listing: browsable uploads, plugins, includes and mu-plugins folders. • Attack surface: XML-RPC, admin-ajax, the Heartbeat API, async-upload, wp-cron, trackbacks, the login page, open registration, and a reachable install.php. • Security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and leaked server or PHP version tokens. • Access control: default "admin" account, wp-admin authentication, and takeover scripts like emergency.php and searchreplacedb2.php. • Search and OSINT dorking: one click opens the same Google dorks, Wayback Machine and WordPress public-API queries an attacker would run against your domain, so you can see and clean up what is publicly indexed. TRACK YOUR PROGRESS Fix an issue, re-scan, and WP Spike shows the point change since your last scan so you can prove your site is hardening over time. PRIVATE BY DESIGN No account and no server install. Scans are read-only requests sent with credentials omitted. WP Spike never submits your login credentials, and your scan history stays on your device. IMPORTANT: Only scan sites you own or have explicit permission to test. Any unauthorized or illegal use is forbidden.
0 out of 5No ratings
Details
- Version3.5
- UpdatedJuly 9, 2026
- Size166KiB
- LanguagesEnglish
- DeveloperWebsite
Email
yfrimer@gmail.com - Non-traderThis developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes