Tool guide

WordPress Site Check

A safe, read-only health and exposure check for WordPress sites — homepage health, SSL, and common WordPress security signals.

Try the tool

What it does

The WordPress Site Check combines a homepage health check, an SSL check, and a set of WordPress-specific public probes into one report. It confirms whether the site is running WordPress, then looks at safe, publicly visible things that often indicate a security or configuration problem: an exposed version number, a reachable XML-RPC endpoint, a readable readme file, missing security headers, and directory listing.

It is deliberately gentle and read-only — it never logs in, never submits forms, and only makes a small number of normal GET requests, exactly like a visitor would.

How to use it

  1. Enter your WordPress site's address and press Check.
  2. Confirm WordPress was detected, then read the overall verdict.
  3. Review the WordPress signals — treat the security indicators (version exposed, XML-RPC reachable, readme exposed) as a hardening to-do list.

What the results mean

Result What it means
Healthy WordPress detected, the homepage and SSL are fine, and no notable exposure signals were found.
Warning Working, but with things worth hardening — exposed version, reachable XML-RPC, missing security headers, or an SSL expiry coming up.
Critical A serious problem — server/backend error, blank page, maintenance mode, or an invalid SSL certificate.
WordPress not detected The page was checked but no WordPress signals were found. The site may not run WordPress, or it's well hidden behind a cache/CDN.

Errors & warnings explained

Message What it means
Server/backend error, blank page, maintenance Same critical signals as the Homepage Health Checker — the site is failing to render correctly.
SSL invalid / SSL expiring The certificate is invalid (critical) or due to expire soon (warning). See the SSL Expiry Checker guide.
WordPress version exposed Your WordPress version is visible in the HTML or headers, which helps attackers target known vulnerabilities. Hide it.
XML-RPC reachable /xmlrpc.php is accessible — a common target for brute-force and amplification attacks. Disable it if you don't need it.
Readme exposed /readme.html is readable and reveals the WordPress version. Remove or block it.
Missing security headers One or more recommended headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) is absent.
Directory listing enabled A WordPress directory shows its file list instead of blocking access — it can leak structure and files.
Missing title / meta description / H1 A core on-page SEO element is absent.

Good to know

  • Free, no login, no stored URLs. Read-only — no logins, no form submissions, GET requests only.
  • Rate limited to about 3 checks per minute per network (a little tighter, as it makes a few extra requests).
  • It only sees what's publicly visible from outside. The Site Agent plugin (for members) reports problems from inside WordPress that an outside check can't see.

Related guides

Want this watched for you, around the clock?

These tools are one-off checks. A Monitrova account monitors your sites continuously and emails you the moment something breaks.

Try the tool Start monitoring free