You’ve just run your first scan on FunSentry. The results are in — a circular gauge, some colored counters, a list of expandable categories, and terms like “Critical,” “HSTS,” and “CVSS.”
If you’re not sure what to make of it all, you’re in the right place.
This guide walks through every element of the FunSentry report — what each section means, how the scoring works under the hood, and most importantly, which findings to fix first.
Report Layout Overview
Every FunSentry report has four distinct sections, stacked vertically:
- Header bar — Target URL, scan timestamp, and rescan button
- Score gauge + summary counters — Your overall grade at a glance
- Category cards — Expandable groups of related checks
- Individual check details — The specifics of each finding
Let’s break down each one.
Section 1: The Header Bar
At the very top of the report, you’ll see:
- Target URL — The exact URL that was scanned, displayed as a clickable link that opens in a new tab
- Scan timestamp — When the scan was performed (e.g., “Scanned at: 2/18/2025, 3:45:12 PM”)
- Cached data indicator — If you’re viewing a cached result (scanned within the last 5 minutes), a small amber badge labeled “Cached Data” appears. Hover over it for details
- Rescan button — Takes you back to the homepage to initiate a fresh scan
What Does “Cached Data” Mean?
When the same URL is scanned multiple times within 5 minutes, FunSentry serves the previous result instead of re-scanning. This protects both the target site and FunSentry’s servers. The badge simply tells you that you’re looking at a recent — but not brand-new — result. Wait 5 minutes and scan again for fresh data.
Section 2: The Score Gauge and Summary
This is the most visually prominent part of the report — a large circular SVG gauge on the left, and four summary counters on the right.
The Circular Score Gauge
The gauge displays two values:
- Numeric score (0–100) — Your overall security score
- Letter grade (A through F) — A quick assessment
Both the number and the grade are color-coded:
| Grade | Score | Color | Interpretation |
|---|---|---|---|
| A | 90–100 | Green (#22c55e) | Excellent. Your site follows security best practices |
| B | 70–89 | Blue (#3b82f6) | Good. Minor issues worth addressing |
| C | 50–69 | Yellow (#eab308) | Fair. Several security gaps need attention |
| D | 30–49 | Orange (#f97316) | Poor. Significant vulnerabilities detected |
| F | 0–29 | Red (#ef4444) | Critical. Immediate action required |
The colored arc around the gauge fills proportionally — a score of 75 fills 75% of the circle.
The Four Summary Counters
Next to the gauge, four boxes give you an instant tally:
| Counter | Icon | Color | Meaning |
|---|---|---|---|
| Passed | ✓ Checkmark | Green | Checks your site passed — no action needed |
| Warnings | ⚠ Triangle | Yellow | Non-critical issues that should be reviewed |
| Failed | ✗ X mark | Red | Security problems that need fixing |
| Info | ℹ Circle | Blue | Informational observations — not scored |
A healthy report might show something like “18 Passed, 2 Warnings, 1 Failed, 6 Info.” At a glance, you know one thing needs immediate attention.
Section 3: Category Cards
Below the summary, results are grouped into expandable category cards. FunSentry checks 15 modules organized into these categories:
| Category | What It Covers | Weight |
|---|---|---|
| HTTP Security Headers | HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, server/X-Powered-By leakage | 15% |
| Sensitive Files | wp-config backups, .env, .git/config, debug.log, phpinfo.php, SQL dumps | 15% |
| SSL/TLS Check | HTTPS availability, HTTP→HTTPS redirect, certificate validity, mixed content | 12% |
| WordPress Version Detection | Core version comparison against WordPress.org latest release | 10% |
| WordPress Config Check | Debug mode, user enumeration, login/registration page exposure, wp-cron | 10% |
| Plugins & Themes Detection | Installed versions, WordPress.org API comparison, Wordfence vulnerability database lookup | 10% |
| Google Safe Browsing Check | Whether your domain appears on Google’s blocklist | 10% |
| XML-RPC Detection | Whether xmlrpc.php is enabled and responding to method calls | 8% |
| REST API Exposure | User enumeration endpoint, full API directory exposure | 8% |
| Directory Listing | Whether wp-content, uploads, plugins, themes directories are browsable | 7% |
| Malicious Content Detection | Hidden iframes, suspicious JS patterns, external redirects, hidden text | 5% |
| HTTP Response Analysis | TTFB, compression, cookie security flags | Info only |
| Robots.txt Analysis | Sitemap validation, suspicious URLs, full-site disallow | Info only |
| Server Information | IP, geolocation, hosting provider | Info only |
| External Resources | Third-party scripts and iframes inventory | Info only |
How to Read a Category Card
Each card shows three pieces of information at a glance — before you even click to expand it:
Left side:
- Arrow icon (▶ collapsed, ▼ expanded)
- Category name (e.g., “HTTP Security Headers”)
Right side:
- Category score — A number from 0–100, color-coded using the same scale as the overall grade
- Status tallies — Small icons showing how many checks passed (green ✓), warned (yellow ⚠), or failed (red ✗) within that category
Auto-Expand Behavior
Categories that contain at least one failed or warning item are automatically expanded when the report loads. Categories where everything passed are collapsed by default. This means your attention is immediately drawn to the areas that need it.
Section 4: Individual Check Details
Click on a category card to expand it. Inside, you’ll see a list of individual checks. Each check is a single row with these elements:
The Check Row
From left to right:
- Status icon — Colored icon indicating the result:
  - ✓ Green checkmark = Pass
  - ⚠ Yellow triangle = Warning
  - ✗ Red X = Fail
  - ℹ Blue circle = Info
  - ⚠ Gray octagon = Error (check couldn’t complete)
- Check name — What was tested (e.g., “Strict-Transport-Security (HSTS)”)
- Detected value — What FunSentry actually found, shown in monospace font (e.g., the header value, the detected version number, or “Not set”)
- Vulnerability badge (if applicable) — A red badge showing the number of known vulnerabilities (e.g., “2 vuln”)
- Severity badge (for non-pass items) — Color-coded label:
| Severity | Color | Typical Examples |
|---|---|---|
| Critical | Red | Exposed wp-config.php backup, expired SSL certificate, known RCE vulnerability |
| High | Orange | XML-RPC enabled, REST API user enumeration, outdated WordPress with known CVEs |
| Medium | Yellow | Missing CSP header, directory listing enabled, debug mode active |
| Low | Blue | Missing Referrer-Policy, plugin version exposed via ?ver= parameter |
| Info | Gray | Login page accessible, wp-cron accessible (normal behavior) |
- Expand arrow — Click to see the full details
The Detail Panel
Click on any check row to expand its detail panel. This panel can contain up to five elements:
- Description — Plain-language explanation of what this check means and why it matters
- CVE and CVSS badges (for vulnerability findings) — If a plugin or theme has known vulnerabilities:
  - CVE badge — Clickable link to the official CVE record (e.g., “CVE-2024-1234”). Opens in a new tab
  - CVSS badge — The Common Vulnerability Scoring System score (e.g., “CVSS: 7.5”), indicating severity on a 0–10 scale
- Raw value box — A monospace code block showing the exact detected value, useful for developers diagnosing issues
- Recommendation — Specific, actionable steps to fix the issue. This is not generic advice — it’s tailored to the exact finding
- Reference link — An external link (usually to MDN Web Docs, WordPress.org, or a relevant security resource) for further reading
How the Scoring System Works
Understanding the math behind the score helps you know where to focus your efforts.
Step 1: Individual Check Scoring
Each check result contributes a simple value:
| Status | Points |
|---|---|
| Pass | 100 |
| Warning | 50 |
| Fail | 0 |
| Info | Not scored |
| Error | Not scored |
Step 2: Category Score
The category score is the average of all scored items in that category.
Example: A category with 4 checks — 2 Pass, 1 Warning, 1 Fail:
(100 + 100 + 50 + 0) / 4 = 62.5 → rounds to 63
That category would score 63 (grade C).
Step 3: Overall Score (Weighted Average)
The overall score is a weighted average of all category scores. Not all categories carry equal weight — categories that represent higher real-world risk contribute more to your final score.
The weight distribution:
| Category | Weight |
|---|---|
| HTTP Security Headers | 15 |
| Sensitive Files | 15 |
| SSL/TLS | 12 |
| WordPress Version | 10 |
| WordPress Config | 10 |
| Plugins & Themes | 10 |
| Safe Browsing | 10 |
| XML-RPC | 8 |
| REST API | 8 |
| Directory Listing | 7 |
| Malicious Content | 5 |
| HTTP Response Analysis | 0 (info-only) |
| Robots.txt | 0 (info-only) |
| Server Information | 0 (info-only) |
| External Resources | 0 (info-only) |
What this means in practice: A failed sensitive file check (weight 15) impacts your score roughly twice as much as a failed directory listing check (weight 7). And info-only categories don’t affect your score at all — they’re purely informational.
Why Info-Only Categories Don’t Count
Four categories carry zero weight: HTTP Response Analysis, Robots.txt Analysis, Server Information, and External Resources. These provide useful context but don’t represent direct security vulnerabilities. For example, a slow TTFB (time to first byte) is a performance issue, not a security one.
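To make Steps 1 to 3 concrete, here is an added Python implementation of the scoring described above. It is example code written for this guide, not FunSentry’s own code, and it makes three assumptions the guide does not spell out: category scores are rounded before they are weighted, the weights are relative values normalised by their sum (the table’s weights add up to 110, so they are not literal percentages), and a category with no scored checks is skipped rather than counted as zero. Python’s built-in round() is avoided on purpose because it rounds 62.5 down to 62, which would contradict the worked example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Step 1: points per check status. Info and Error items are not scored.
POINTS = {"pass": 100, "warning": 50, "fail": 0}
UNSCORED = {"info", "error"}

# Step 3: category weights, copied from the guide's weight table. They total 110,
# so they are treated as relative weights and normalised by their sum (an
# assumption about how the average is formed, not a documented FunSentry detail).
WEIGHTS = {
    "HTTP Security Headers": 15, "Sensitive Files": 15, "SSL/TLS": 12,
    "WordPress Version": 10, "WordPress Config": 10, "Plugins & Themes": 10,
    "Safe Browsing": 10, "XML-RPC": 8, "REST API": 8, "Directory Listing": 7,
    "Malicious Content": 5, "HTTP Response Analysis": 0, "Robots.txt": 0,
    "Server Information": 0, "External Resources": 0,
}


def round_half_up(value):
    # Python's round() uses banker's rounding (round(62.5) == 62); the guide's
    # worked example needs 62.5 -> 63, so round half up explicitly.
    return int(Decimal(str(value)).quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def category_score(statuses):
    """Step 2: average of the scored checks in one category.

    Returns None when the category has no scored checks (all Info/Error),
    so the caller can skip it instead of dividing by zero.
    """
    scored = []
    for status in statuses:
        if status in UNSCORED:
            continue
        if status not in POINTS:
            raise ValueError(f"unknown check status: {status!r}")
        scored.append(POINTS[status])
    if not scored:
        return None
    return round_half_up(sum(scored) / len(scored))


def overall_score(category_scores, weights=WEIGHTS):
    """Step 3: weighted average of the (already rounded) category scores.

    Info-only categories (weight 0) and categories without a score are skipped,
    which is why the divisor is the sum of the weights actually used.
    """
    weighted_total = 0
    weight_sum = 0
    for name, score in category_scores.items():
        weight = weights.get(name, 0)
        if score is None or weight == 0:
            continue
        weighted_total += score * weight
        weight_sum += weight
    if weight_sum == 0:
        return None
    return round_half_up(weighted_total / weight_sum)


def grade(score):
    """Letter grade bands from the score gauge table."""
    if score >= 90:
        return "A"
    if score >= 70:
        return "B"
    if score >= 50:
        return "C"
    if score >= 30:
        return "D"
    return "F"


def score_report(report):
    """report maps category name -> list of check statuses; returns what the gauge shows."""
    per_category = {name: category_score(statuses) for name, statuses in report.items()}
    total = overall_score(per_category)
    return {"categories": per_category, "score": total,
            "grade": None if total is None else grade(total)}


# Constructed sample report (not real scan output): every weighted category passes
# except headers, which uses the guide's 2 pass / 1 warning / 1 fail example.
SAMPLE_REPORT = {
    "HTTP Security Headers": ["pass", "pass", "warning", "fail"],
    "Sensitive Files": ["pass"] * 6, "SSL/TLS": ["pass"] * 4,
    "WordPress Version": ["pass"], "WordPress Config": ["pass"] * 4,
    "Plugins & Themes": ["pass", "pass"], "Safe Browsing": ["pass"],
    "XML-RPC": ["pass"], "REST API": ["pass", "pass"],
    "Directory Listing": ["pass"] * 4, "Malicious Content": ["pass"] * 4,
    "Server Information": ["info", "info"],          # info-only: no score, no weight
    "HTTP Response Analysis": ["info", "error"],     # errors are unscored too
}

if __name__ == "__main__":
    result = score_report(SAMPLE_REPORT)
    for name, score in result["categories"].items():
        print(f"{name:25s} {'n/a' if score is None else score}")
    print("Overall:", result["score"], result["grade"])
```

Running it reproduces the guide’s numbers: the headers category averages 62.5 and is reported as 63 (grade C), and the FAQ case of SSL/TLS at 100 (weight 12) against headers at 50 (weight 15) comes out at 72, pulled well below the midpoint by the heavier category. The sample report as a whole lands at 95 (A), which shows how little a single weak category moves the overall score when everything else passes.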
How to Prioritize Fixes
When your report shows multiple issues, here’s how to triage them effectively.
Priority 1: Critical Severity (Fix Immediately)
These findings represent active, exploitable risks. Someone could be abusing them right now.
Common critical findings:
- Exposed wp-config.php backup — Your database credentials are publicly readable. Delete the backup file immediately
- Exposed .env file — API keys, secrets, and passwords are publicly accessible
- Expired SSL certificate — Browsers are warning visitors that your site is unsafe
- Known RCE (Remote Code Execution) vulnerability in a plugin — Attackers can execute arbitrary code on your server
Action: Stop everything else and fix these today.
Priority 2: High Severity (Fix This Week)
These are significant security gaps that could be exploited with moderate effort.
Common high findings:
- XML-RPC enabled — Can be used for brute force attacks and DDoS amplification. Learn how to disable it
- REST API user enumeration — Attackers can discover valid usernames
- Outdated WordPress core with known vulnerabilities — Update from Dashboard → Updates
- Directory listing enabled — Exposes your file structure to anyone
Action: Schedule fixes within the current week.
Priority 3: Medium Severity (Fix This Month)
These are security hardening measures. They reduce your attack surface but aren’t immediately exploitable on their own.
Common medium findings:
- Missing Content-Security-Policy (CSP) — Increases XSS risk
- Missing X-Frame-Options — Enables clickjacking attacks
- Missing X-Content-Type-Options — Allows MIME-type sniffing
- Debug mode active — PHP errors may leak internal paths
Action: Add to your monthly maintenance schedule.
Priority 4: Low Severity (Fix When Convenient)
These are best-practice recommendations that improve your overall security posture.
Common low findings:
- Missing Permissions-Policy header — Controls browser feature access
- Missing Referrer-Policy header — Controls referrer information leakage
- Plugin version exposed via ?ver= parameter — Minor information disclosure
Action: Address during your next maintenance window.
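The medium and low priority lists above are mostly header checks. As an added example (not FunSentry’s code), the Python function below evaluates a response’s header set the way the HTTP Security Headers rows are described in this guide: a pass, warning or fail status, the detected value (or “Not set”), a severity label and a concrete fix. Severities are taken from the guide’s severity table where it gives one; the HSTS severity, the one-year max-age threshold, the warning on 'unsafe-inline' and the two sample header sets are assumptions constructed for the example.

```python
import re

# Severities follow the guide's table where it gives one (missing CSP, X-Frame-Options
# or X-Content-Type-Options = Medium; missing Referrer-Policy or Permissions-Policy = Low).
# HSTS severity, the one-year threshold and the 'unsafe-inline' warning are assumptions.
HSTS_MIN_MAX_AGE = 31536000  # one year in seconds (assumed threshold)


def get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_security_headers(headers):
    """Return one report-style row per check: status, detected value, severity, fix."""
    rows = []

    def add(check, status, value, severity=None, recommendation=None):
        rows.append({"check": check, "status": status, "severity": severity,
                     "value": "Not set" if value is None else value,
                     "recommendation": recommendation})

    hsts = get_header(headers, "Strict-Transport-Security")
    match = re.search(r"max-age=(\d+)", hsts or "", re.IGNORECASE)
    max_age = int(match.group(1)) if match else 0
    if hsts is None:
        add("Strict-Transport-Security (HSTS)", "fail", hsts, "Medium",
            "Send HSTS over HTTPS with a max-age of at least one year")
    elif max_age < HSTS_MIN_MAX_AGE:
        add("Strict-Transport-Security (HSTS)", "warning", hsts, "Low",
            f"Raise max-age to at least {HSTS_MIN_MAX_AGE}")
    else:
        add("Strict-Transport-Security (HSTS)", "pass", hsts)

    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        add("Content-Security-Policy", "fail", csp, "Medium",
            "Add a CSP; start from a restrictive default-src and widen only as needed")
    elif "'unsafe-inline'" in csp:
        add("Content-Security-Policy", "warning", csp, "Low",
            "Replace 'unsafe-inline' with nonces or hashes")
    else:
        add("Content-Security-Policy", "pass", csp)

    # Clickjacking: X-Frame-Options or the CSP frame-ancestors directive, either one counts.
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        add("X-Frame-Options", "pass", xfo)
    elif csp is not None and "frame-ancestors" in csp.lower():
        add("X-Frame-Options", "pass", "Not set (covered by CSP frame-ancestors)")
    else:
        add("X-Frame-Options", "fail", xfo, "Medium",
            "Send X-Frame-Options: SAMEORIGIN or a CSP frame-ancestors directive")

    xcto = get_header(headers, "X-Content-Type-Options")
    if xcto is None:
        add("X-Content-Type-Options", "fail", xcto, "Medium", "Send X-Content-Type-Options: nosniff")
    elif xcto.strip().lower() != "nosniff":
        add("X-Content-Type-Options", "warning", xcto, "Low", "The only meaningful value is nosniff")
    else:
        add("X-Content-Type-Options", "pass", xcto)

    for name in ("Referrer-Policy", "Permissions-Policy"):
        value = get_header(headers, name)
        if value is None:
            add(name, "warning", value, "Low", f"Add a {name} header")
        else:
            add(name, "pass", value)

    # Server / X-Powered-By leakage: version strings are an information disclosure.
    powered, server = get_header(headers, "X-Powered-By"), get_header(headers, "Server")
    if powered is not None:
        add("Server information leakage", "warning", f"X-Powered-By: {powered}", "Low",
            "Remove X-Powered-By (for PHP: expose_php = Off)")
    elif server is not None and re.search(r"\d", server):
        add("Server information leakage", "warning", f"Server: {server}", "Low",
            "Strip the version from the Server header")
    else:
        add("Server information leakage", "pass", server)
    return rows


def summary(rows):
    """The passed / warnings / failed tallies shown on a category card."""
    counts = {"pass": 0, "warning": 0, "fail": 0}
    for row in rows:
        counts[row["status"]] += 1
    return counts


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Server": "Apache/2.4.57 (Ubuntu)", "X-Powered-By": "PHP/8.1.2",
                "Content-Type": "text/html; charset=UTF-8"}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```

Calling evaluate_security_headers(WEAK_HEADERS) yields four failures (HSTS, CSP, X-Frame-Options, X-Content-Type-Options) and three warnings (the two low-priority headers plus the X-Powered-By leak), which is the “low score, mostly headers” pattern; HARDENED_HEADERS passes all seven checks even though it sends no X-Frame-Options, because the CSP frame-ancestors directive covers the same risk and a scanner that only looks for the legacy header would flag it unnecessarily.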
Info Items: Read, Don’t Panic
Items marked as Info are observations, not problems. They don’t affect your score.
Examples:
- “Login page accessible at /wp-login.php” — This is normal. Every WordPress site has a login page
- “wp-cron.php accessible” — Standard WordPress behavior
- “Server IP: 123.45.67.89” — Informational for your reference
- “Hosting provider: Cloudflare” — Detected from server information
No action needed — but they provide useful context about your site’s footprint.
Special Report Elements
Vulnerability Badges on Plugins and Themes
When FunSentry detects a plugin or theme with known vulnerabilities, the check row displays additional elements:
- A red vulnerability badge showing the count (e.g., “2 vuln”)
- Inside the detail panel, clickable CVE badges linking to the official CVE database
- A CVSS score badge showing the severity rating
For example, if Contact Form 7 version 5.8.1 has two known vulnerabilities, you’d see:
✗ Plugin: contact-form-7 v5.8.1 → v5.9.8 available [2 vuln] High
Expanding it would show:
- CVE-2024-XXXX (clickable)
- CVSS: 7.5
- Recommendation to update to version 5.9.8
Where does the vulnerability data come from? FunSentry cross-references your detected plugin and theme versions against the Wordfence Intelligence vulnerability database, which contains over 33,000 records. This is the same database used by many professional WordPress security tools.
Version Comparison Details
For WordPress core, plugins, and themes, FunSentry shows the detected version compared to the latest available version from the WordPress.org API:
v5.8.1 → v5.9.8 available
This comparison is always live — FunSentry queries the WordPress.org API during every scan to ensure it’s comparing against the actual latest release, not a hardcoded value.
Common Report Patterns (and What They Mean)
Pattern: High Score, But With Warnings
Score: 85 (B) — 20 Passed, 4 Warnings, 0 Failed
This is a well-maintained site with some hardening gaps. The warnings are typically missing security headers like CSP, Permissions-Policy, or Referrer-Policy. These are easy to add and would push your score into the A range.
Pattern: Low Score, Mostly Headers
Score: 55 (C) — 12 Passed, 2 Warnings, 8 Failed
If most of your failures are in the “HTTP Security Headers” category, your site isn’t necessarily in danger — but your server isn’t configured with modern security headers. Many shared hosting environments don’t set these by default. A security plugin like “HTTP Headers” or server-level configuration can fix all of them at once.
Pattern: Critical Failures in Sensitive Files
Score: 40 (D) — 15 Passed, 1 Warning, 6 Failed
If you see red in the “Sensitive Files” category — especially wp-config backups, .env files, or .git directories — this is an emergency. These files contain credentials and should never be publicly accessible. Fix these before anything else.
Pattern: Plugin Vulnerabilities Driving the Score Down
Score: 60 (C) — 16 Passed, 3 Warnings, 3 Failed
If your failures are concentrated in “Plugins & Themes Detection” with vulnerability badges, the fix is straightforward: update the affected plugins. Check Dashboard → Updates in WordPress, or use a plugin management tool.
Frequently Asked Questions
Why is my score different from other security scanners?
Each scanner uses different criteria, weights, and detection methods. FunSentry’s weights are designed around real-world impact — exposed database credentials matter far more than a missing low-priority header. Your score on FunSentry, Sucuri SiteCheck, or WPScan may differ, and that’s expected.
Can I get a score of 100?
Yes, but it requires passing every scored check across all weighted categories. Most well-maintained sites score in the 80–95 range. A perfect 100 is achievable with proper header configuration, up-to-date software, and no exposed files.
Why do some categories show “100” but my overall score isn’t 100?
Because the overall score is a weighted average. If your SSL/TLS category scores 100 (weight 12) but your headers category scores 50 (weight 15), the headers drag your average down more because they carry higher weight.
What does it mean when a check shows “Error”?
An error means FunSentry couldn’t complete that specific check — usually due to a timeout or network issue. Error items are displayed with a gray icon and don’t affect your score. They’re treated the same as info items for scoring purposes.
How often should I run a scan?
We recommend at least once a month, and after any significant change to your site (new plugin installs, theme changes, hosting migrations, or WordPress core updates). Plugin vulnerabilities are disclosed regularly, so monthly scans help catch newly discovered issues.
Can I share my report with someone?
Yes. Every report has a unique URL (e.g., www.funsentry.com/report/a1b2c3d4) that you can share with your developer, hosting provider, or security consultant. Note that reports are temporary — they’re stored in server memory and are automatically purged after a short time.
Take Action
Now that you understand every element of your FunSentry report:
- Scan your site if you haven’t already
- Address critical and high items first — use the recommendations in each finding
- Work through medium and low items during your regular maintenance schedule
- Rescan after making changes to verify your fixes worked
- Read our related guides:
  - How to Use FunSentry to Scan Your WordPress Website
  - What Is XML-RPC and Why You Should Disable It
  - wp-config.php Security Settings: 15 Essential Best Practices
A security report is only useful if you act on it. Start with the red items, work your way down, and scan again. Your score will climb.
FunSentry is a free WordPress security scanner. No account required. No data stored. Start your scan →
