How to Use FunSentry to Scan Your WordPress Site — Free Security Scanner

What FunSentry Scans (and What It Doesn’t)

Before we dive in, it’s important to understand FunSentry’s approach.

What It Does

FunSentry performs passive security scanning — it only accesses publicly available information. Think of it as checking all the doors and windows of your house from the outside, without ever entering.

Specifically, it checks 15 security modules across these categories:

Category                | What’s Checked
------------------------|-----------------------------------------------------------------------------------------------
HTTP Security Headers   | HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, server information leakage
WordPress Core Version  | Whether your WordPress version is current, compared against the latest release from WordPress.org
XML-RPC                 | Whether the XML-RPC endpoint is enabled and accepting method calls
REST API Exposure       | Whether the user enumeration endpoint is publicly accessible
Directory Listing       | Whether sensitive directories (wp-content, uploads, plugins, themes) are browsable
Sensitive Files         | Whether files like wp-config backups, .env, .git/config, debug.log, or phpinfo.php are exposed
SSL/TLS                 | HTTPS availability, HTTP-to-HTTPS redirect, certificate validity, and mixed content
WordPress Configuration | Debug mode detection, user enumeration, login page exposure, registration page status
Plugins & Themes        | Detected plugins and themes with version comparison against WordPress.org, plus known vulnerability lookup via the Wordfence Intelligence database
Malicious Content       | Hidden iframes, suspicious JavaScript patterns, external redirects, hidden text
Safe Browsing           | Whether your domain appears on Google’s Safe Browsing blocklist
Server Information      | IP address, geolocation, and hosting provider identification
External Resources      | Inventory of third-party scripts and iframes loaded on your site
HTTP Response Analysis  | Time to first byte (TTFB), compression status, cookie security flags
Robots.txt Analysis     | Sitemap validation, suspicious external URLs, full-site disallow rules

What It Doesn’t Do

FunSentry is not a penetration testing tool. It will not:

  • Attempt to log in to your site
  • Upload any files
  • Exploit any vulnerabilities
  • Modify anything on your server
  • Access private or authenticated content

This makes it safe to run against any WordPress site, including production: every request is an unauthenticated read of a public URL, the same kind a visitor or a crawler sends, so nothing on the server is changed.


Step 1: Enter Your URL

Go to www.funsentry.com and you’ll see a clean, centered input field.

Enter the full URL of the WordPress site you want to scan. For example:

https://www.example.com

A few things to know:

  • Protocol is optional — If you type example.com, FunSentry automatically adds https://
  • Trailing slashes don’t matter — example.com/ and example.com are treated identically
  • Query strings are removed — example.com/?ref=123 becomes example.com
  • One scan at a time — You can scan one URL per request

Then click the green “Start Scan” button.

What If I See a Redirect Warning?

If the URL you entered redirects to a different domain (for example, example.com redirects to www.example.com), FunSentry will display a notice showing:

example.com
↓ 301/302
www.example.com

This is FunSentry telling you that the final destination is a different URL. Simply click the suggested URL or copy-paste it to scan the actual site.
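To make the input rules and the redirect notice concrete, here is an added example. It is my code, not FunSentry’s (the article does not show FunSentry’s implementation): it normalizes a typed URL the way the bullets above describe, follows the redirect chain with a hop cap, and builds the notice when the final host differs from the one entered. The fetch function and its responses are constructed for the example; the hop cap of 5, lower-casing the host and dropping a default port are my assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_HOPS = 5   # assumed cap; the article does not say how many hops are followed

Fetch = Callable[[str], Tuple[int, Dict[str, str]]]


def normalize_target(raw: str) -> str:
    """Apply the input rules above: add https:// when no scheme is given,
    drop the query string and fragment, strip a trailing slash. Lower-casing
    the host and dropping a default port are assumptions for this example."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {raw!r}")
    host = parts.hostname.lower()
    if parts.port and parts.port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path.rstrip("/"), "", ""))


def follow_redirects(url: str, fetch: Fetch, max_hops: int = MAX_HOPS):
    """Follow 3xx Location headers before scanning. fetch(url) returns
    (status, headers). Returns (final_url, hops), each hop being
    (status, next_url). Raises on a loop or an over-long chain."""
    start, hops = url, []   # type: str, List[Tuple[int, str]]
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # Location may be relative
            hops.append((status, url))
            continue
        return url, hops
    raise RuntimeError(f"more than {max_hops} redirects starting at {start}")


def redirect_notice(entered: str, final: str, hops) -> Optional[str]:
    """Text of the notice shown when the final host differs from the one the
    user typed; None when the scan can proceed on the entered URL."""
    if urlsplit(entered).hostname == urlsplit(final).hostname:
        return None
    lines = [urlsplit(entered).hostname]
    for status, nxt in hops:
        lines += [f"↓ {status}", urlsplit(nxt).hostname]
    return "\n".join(lines)


def prepare_scan(raw: str, fetch: Fetch) -> dict:
    entered = normalize_target(raw)
    final, hops = follow_redirects(entered, fetch)
    final = normalize_target(final)
    return {"entered": entered, "final": final,
            "notice": redirect_notice(entered, final, hops)}


# Constructed responses for the example (no network access; not real sites).
SAMPLE_RESPONSES = {
    "https://example.com": (301, {"Location": "https://www.example.com/"}),
    "https://www.example.com/": (200, {}),
    "https://www.example.com": (200, {}),
}


def sample_fetch(url: str):
    return SAMPLE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    result = prepare_scan("example.com/?ref=123", sample_fetch)
    print(result["entered"], "->", result["final"])
    print(result["notice"] or "no redirect notice")
```

The hop cap matters more than it looks: a misconfigured site that bounces between http and https forever would otherwise hang the scan before a single module runs.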

Rate Limits

To protect both FunSentry’s servers and the sites being scanned, there are fair-use limits:

  • 3 scans per minute per IP address
  • 1 scan per 5 minutes for the same URL

If you’ve recently scanned a URL, FunSentry will serve the cached result instead — which is instant.


Step 2: Watch the Real-Time Progress

Once the scan starts, you’ll see a live progress tracker directly below the input field. This shows:

  • The target URL being scanned
  • A progress bar showing overall completion percentage
  • A module-by-module checklist — each module lights up with a checkmark as it completes

All 15 modules run simultaneously, so the entire scan typically completes in 15–30 seconds. The progress updates in real-time via Server-Sent Events (SSE), so there’s no need to refresh.

Once all modules finish, you’ll be automatically redirected to the full report page.


Step 3: Read Your Scan Report

This is where the real value is. The report page has four key sections.

3.1 — Security Score and Grade

At the top of the report, you’ll see a large circular gauge displaying your overall security score (0–100) and a letter grade (A through F).

Grade | Score Range | What It Means
------|-------------|--------------------------------------------------------
A     | 90–100      | Excellent — your site follows security best practices
B     | 70–89       | Good — minor issues that should be addressed
C     | 50–69       | Fair — several security gaps need attention
D     | 30–49       | Poor — significant vulnerabilities detected
F     | 0–29        | Critical — immediate action required

The score is calculated using a weighted formula — not all checks are equal. For example, exposed sensitive files (like wp-config.php backups) carry more weight than a missing Referrer-Policy header.
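The article describes the formula only as weighted. The example below is an added illustration of what such a formula looks like, not FunSentry’s actual scoring code: it assigns assumed weights per severity (10, 6, 3 and 1 for critical through low, with a warning forfeiting half of a check’s weight), excludes Info findings exactly as the page says, and maps the result onto the grade bands from the table above. The sample findings are constructed.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    check: str
    status: str     # "pass", "warning", "fail" or "info"
    severity: str   # "critical", "high", "medium", "low" or "info"


# Assumed weights: the article says the formula is weighted but does not publish it.
WEIGHTS = {"critical": 10, "high": 6, "medium": 3, "low": 1, "info": 0}
LOST_SHARE = {"fail": 1.0, "warning": 0.5, "pass": 0.0}   # assumed: a warning forfeits half
GRADE_FLOORS = [(90, "A"), (70, "B"), (50, "C"), (30, "D"), (0, "F")]   # bands from the table above


def grade_for(score: int) -> str:
    for floor, letter in GRADE_FLOORS:
        if score >= floor:
            return letter
    return "F"


def summary_counters(findings: Iterable[Finding]) -> dict:
    """The four counters next to the gauge; Info is counted but never scored."""
    names = {"pass": "passed", "warning": "warnings", "fail": "failed", "info": "info"}
    counts = {"passed": 0, "warnings": 0, "failed": 0, "info": 0}
    for f in findings:
        counts[names[f.status]] += 1
    return counts


def security_score(findings: Iterable[Finding]) -> int:
    """Share of achievable weight that was kept, as an integer 0..100.
    Info findings are excluded; a failed check forfeits its whole weight,
    a warning half of it, a pass nothing."""
    scored = [f for f in findings if f.status != "info"]
    achievable = sum(WEIGHTS[f.severity] for f in scored)
    if achievable == 0:
        return 100   # nothing scorable was measured (assumed convention)
    lost = sum(WEIGHTS[f.severity] * LOST_SHARE[f.status] for f in scored)
    return round(100 * (achievable - lost) / achievable)


def report(findings: Iterable[Finding]) -> dict:
    findings = list(findings)
    score = security_score(findings)
    return {"score": score, "grade": grade_for(score), **summary_counters(findings)}


# Constructed sample report, not a scan of a real site.
SAMPLE_FINDINGS = [
    Finding("Strict-Transport-Security", "pass", "high"),
    Finding("Content-Security-Policy", "fail", "medium"),
    Finding("X-Frame-Options", "fail", "medium"),
    Finding("wp-config.php backup exposed", "pass", "critical"),
    Finding("debug.log exposed", "fail", "high"),
    Finding("XML-RPC enabled", "fail", "high"),
    Finding("Permissions-Policy", "fail", "low"),
    Finding("Referrer-Policy", "warning", "low"),
    Finding("Login page accessible", "info", "info"),
]

if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

With these weights, one exposed wp-config backup on an otherwise clean site costs more points than a missing Referrer-Policy and a missing Permissions-Policy together, which is the behaviour the paragraph above describes.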

3.2 — Summary Counters

Next to the score gauge, you’ll see four counters:

  • Passed (green) — Checks that your site passed successfully
  • Warnings (yellow) — Non-critical issues worth reviewing
  • Failed (red) — Security problems that need fixing
  • Info (blue) — Informational findings (not factored into the score)

This gives you an instant snapshot: “12 passed, 3 warnings, 5 failed, 4 info.”

3.3 — Category Breakdown

Below the summary, results are grouped into expandable category cards. Each card shows:

  • Category name — e.g., “HTTP Security Headers”
  • Category score — Individual score for that category
  • Pass/fail count — Quick tally for that category

Click a category to expand it and see each individual check.

3.4 — Individual Check Details

Within each category, every check shows:

  • Status icon — Green checkmark (pass), yellow triangle (warning), red X (failed), or blue “i” (info)
  • Check name — What was tested
  • Detected value — What FunSentry found (e.g., the actual header value, the detected plugin version)
  • Severity badge — Critical, High, Medium, Low, or Info

Click on any individual check to expand its detail panel, which includes:

  • Description — What this check means and why it matters
  • Recommendation — Specific steps to fix the issue
  • Reference link — Link to relevant documentation (e.g., MDN Web Docs for security headers)

Understanding Specific Findings

Let’s walk through the most common findings and what to do about them.

Missing Security Headers

If you see failed checks under “HTTP Security Headers,” it means your server isn’t sending certain protective HTTP headers. The most common missing headers:

  • Strict-Transport-Security (HSTS) — Forces browsers to use HTTPS. Fix: Add the header in your server configuration or via a security plugin; send it only on HTTPS responses, and start with a short max-age before raising it to a year so a mistake does not lock visitors out.
  • Content-Security-Policy (CSP) — Prevents XSS attacks. Fix: Start with a report-only policy and gradually tighten it.
  • X-Frame-Options — Prevents clickjacking. Fix: Set to SAMEORIGIN or DENY.
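As an added example (my code, not FunSentry’s), the following evaluates the headers in this category against a constructed response head. It builds in two judgement calls a practitioner would want that a plain presence check misses: an HSTS max-age far below a year is a warning rather than a pass, and a policy that exists only as Content-Security-Policy-Report-Only is not an enforced CSP. Conversely, an enforced CSP with frame-ancestors is accepted in place of X-Frame-Options. The one-year threshold and the severity labels are my assumptions.

```python
import re
from typing import Dict, List, Tuple

ONE_YEAR = 31536000   # assumed threshold for an HSTS max-age worth a pass
Result = Tuple[str, str, str, str]   # (check, status, severity, detail)


def parse_head(raw: str) -> Dict[str, str]:
    """Parse a raw response head (status line plus headers) into a dict keyed
    by lower-cased name. Repeated headers are joined with ', ', which is fine
    for the headers examined here (Set-Cookie would need a list)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_hsts(h: Dict[str, str]) -> Result:
    v = h.get("strict-transport-security")
    if v is None:
        return ("Strict-Transport-Security", "fail", "high", "header missing")
    m = re.search(r"max-age=(\d+)", v, re.I)
    age = int(m.group(1)) if m else 0
    if age < ONE_YEAR:
        return ("Strict-Transport-Security", "warning", "medium", f"max-age={age} is below one year")
    return ("Strict-Transport-Security", "pass", "high", v)


def check_csp(h: Dict[str, str]) -> Result:
    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if enforced is None and report_only is None:
        return ("Content-Security-Policy", "fail", "medium", "header missing")
    if enforced is None:
        return ("Content-Security-Policy", "warning", "medium", "report-only policy is not enforced")
    if re.search(r"script-src[^;]*'unsafe-inline'", enforced):
        return ("Content-Security-Policy", "warning", "medium", "script-src allows 'unsafe-inline'")
    return ("Content-Security-Policy", "pass", "medium", enforced)


def check_framing(h: Dict[str, str]) -> Result:
    # An enforced CSP frame-ancestors directive supersedes X-Frame-Options.
    if "frame-ancestors" in h.get("content-security-policy", ""):
        return ("X-Frame-Options", "pass", "medium", "covered by CSP frame-ancestors")
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("X-Frame-Options", "pass", "medium", xfo)
    if xfo:
        return ("X-Frame-Options", "warning", "medium", f"unsupported value {xfo!r} (ALLOW-FROM is obsolete)")
    return ("X-Frame-Options", "fail", "medium", "header missing")


def check_present(h: Dict[str, str], name: str, expected: str = "", severity: str = "low") -> Result:
    v = h.get(name.lower())
    if v is None:
        return (name, "fail", severity, "header missing")
    if expected and v.lower() != expected:
        return (name, "warning", severity, f"unexpected value {v!r}")
    return (name, "pass", severity, v)


def check_server_leak(h: Dict[str, str]) -> Result:
    # A bare product name is tolerable; a version number is what attackers fingerprint.
    leaks = [f"{n}: {h[n]}" for n in ("server", "x-powered-by") if n in h and re.search(r"\d", h[n])]
    if leaks:
        return ("Server information leakage", "warning", "low", "; ".join(leaks))
    return ("Server information leakage", "pass", "low", "no version strings advertised")


def analyse_headers(raw: str) -> List[Result]:
    h = parse_head(raw)
    return [check_hsts(h), check_csp(h), check_framing(h),
            check_present(h, "X-Content-Type-Options", "nosniff"),
            check_present(h, "Referrer-Policy"),
            check_present(h, "Permissions-Policy"),
            check_server_leak(h)]


# Constructed response head for the example (not captured from a real site).
SAMPLE_HEAD = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    for check, status, severity, detail in analyse_headers(SAMPLE_HEAD):
        print(f"{status:8} {severity:8} {check}: {detail}")
```

Run it against the final response after redirects, not the first hop: a 301 from http:// to https:// usually carries no security headers at all, and judging that response would fail every check.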

Outdated WordPress Version

FunSentry compares the WordPress version it detects with the latest release published by WordPress.org’s API (never a hardcoded value) and fails this check when your version is behind.

Fix: Update WordPress immediately from Dashboard → Updates.

Exposed XML-RPC

If the XML-RPC endpoint responds to method calls, it can be abused for credential brute-forcing (system.multicall lets an attacker pack hundreds of login attempts into a single request, sidestepping per-request limits on wp-login.php) and for pingback-based DDoS reflection, where pingback.ping makes your server send requests to a victim chosen by the attacker.

Fix: Disable it via .htaccess, a security plugin, or a code snippet. See our XML-RPC deep dive for detailed instructions.
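The exchange behind this check, as an added example that is not FunSentry’s own module: the scanner POSTs a system.listMethods call, a discovery method that needs no credentials and changes nothing, reads the method list back with the standard library’s XML-RPC parser, and calls out pingback.ping and system.multicall because those two are what the abuses above rely on. The responses are constructed; the fault text mirrors WordPress’s own message for a disabled endpoint, and the status/severity labels are my assumptions.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# The discovery call a scanner sends: lists the endpoint's methods, needs no
# credentials and changes nothing on the server.
LIST_METHODS_REQUEST = xmlrpc.client.dumps((), methodname="system.listMethods")

# Methods worth calling out when the endpoint advertises them.
RISKY_METHODS = {
    "pingback.ping": "makes the site fetch attacker-chosen URLs (pingback DDoS reflection)",
    "system.multicall": "packs many wp.getUsersBlogs login attempts into one POST (password guessing)",
}


def assess_xmlrpc(get_status: int, post_status: int, post_body: str) -> dict:
    """Classify xmlrpc.php from the status of a plain GET and from a POST of
    LIST_METHODS_REQUEST. Returns a finding dict; nothing here mutates state."""
    finding = {"status": "pass", "severity": "high", "methods": [], "risks": [], "detail": ""}
    if get_status == 404 and post_status == 404:
        finding["detail"] = "xmlrpc.php not found"
        return finding
    if post_status in (403, 405):
        finding["detail"] = f"POST refused with HTTP {post_status}: blocked at the web server"
        return finding
    try:
        (methods,), _ = xmlrpc.client.loads(post_body)
    except xmlrpc.client.Fault as fault:
        # A fault is still a live XML-RPC server; it only refused this call.
        finding.update(status="warning",
                       detail=f"endpoint is live but answered fault {fault.faultCode}: {fault.faultString}")
        return finding
    except (ExpatError, xmlrpc.client.ResponseError, ValueError):
        finding.update(status="info", detail="POST answered, but the body is not an XML-RPC response")
        return finding
    if not isinstance(methods, list):
        finding.update(status="info", detail="unexpected XML-RPC payload shape")
        return finding
    finding.update(status="fail", methods=sorted(methods),
                   risks=[f"{m}: {why}" for m, why in RISKY_METHODS.items() if m in methods],
                   detail=f"endpoint accepts method calls ({len(methods)} methods listed)")
    return finding


# Constructed responses (not captured from a real site). The first is what an
# open WordPress endpoint returns for system.listMethods, trimmed to four names.
SAMPLE_LIST_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

SAMPLE_FAULT_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."), methodresponse=True)

if __name__ == "__main__":
    print(LIST_METHODS_REQUEST)
    for label, args in {"open": (200, 200, SAMPLE_LIST_RESPONSE),
                        "blocked": (403, 403, "Forbidden"),
                        "fault": (200, 200, SAMPLE_FAULT_RESPONSE)}.items():
        print(label, assess_xmlrpc(*args))
```

Note the middle case: a plugin that disables XML-RPC through WordPress’s filter still leaves xmlrpc.php answering with a fault, so a check that only looks at the HTTP status code would wrongly report it as open. Blocking the file at the web server is the only outcome that reads as a clean pass here.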

Plugin or Theme Vulnerabilities

This is one of FunSentry’s most powerful features. When it detects a plugin or theme on your site, it:

  1. Identifies the installed version from HTML source code and readme.txt files
  2. Queries the WordPress.org API for the latest available version
  3. Checks the Wordfence Intelligence vulnerability database (33,000+ records) for any known CVEs affecting your version

If a vulnerability is found, the report shows:

  • The vulnerability title
  • CVSS severity score
  • The version range affected
  • The patched version to update to

Fix: Update the affected plugin or theme immediately. If no patch is available, consider deactivating it and finding an alternative.
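An added example, my code rather than FunSentry’s, of steps 1 and 3 above: it pulls plugin and theme slugs and versions out of enqueued asset URLs and a readme.txt Stable tag, then compares the result with a “latest” value and with an affected-version range. The HTML fragment, the readme, the latest versions and the vulnerability record are all constructed; the record is a placeholder with no real advisory behind it, and its field names are my assumption rather than the Wordfence feed’s schema. One caveat the code builds in: a ?ver= value that merely equals the WordPress core version is WordPress’s default for assets that set no version of their own, so it is not trusted as the plugin’s version.

```python
import re
from typing import Dict, List, Optional, Tuple

ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([a-z0-9_-]+)/[^\s\"'?]*\?ver=([\w.-]+)", re.I)
GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([\d.]+)"', re.I)
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([\w.-]+)", re.I | re.M)
Component = Tuple[str, str]   # (kind, slug), e.g. ("plugins", "example-plugin")


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric comparison key, so '5.7.10' sorts after '5.7.2' and 1.2.0
    equals 1.2. Pre-release suffixes such as '-beta1' are ignored (an
    assumption for this example)."""
    m = re.match(r"[\d.]+", v)
    parts = [int(p) for p in m.group(0).split(".") if p] if m else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def detect_core_version(html: str) -> Optional[str]:
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def detect_components(html: str) -> Dict[Component, Optional[str]]:
    """Map (kind, slug) -> version from enqueued asset URLs. A ?ver= that only
    echoes the core version is recorded as unknown rather than trusted."""
    core = detect_core_version(html)
    found: Dict[Component, Optional[str]] = {}
    for kind, slug, ver in ASSET_RE.findall(html):
        key = (kind.lower(), slug.lower())
        version = None if ver == core else ver
        found[key] = found.get(key) or version
    return found


def version_from_readme(readme: str) -> Optional[str]:
    m = STABLE_TAG_RE.search(readme)
    return m.group(1) if m and m.group(1).lower() != "trunk" else None


def resolve_version(html_version: Optional[str], readme_version: Optional[str]) -> Optional[str]:
    """readme.txt's Stable tag is authoritative; the asset hint is the fallback."""
    return readme_version or html_version


def assess_component(slug: str, version: Optional[str], latest: Optional[str], vulns: List[dict]) -> dict:
    """Compare the detected version with the newest release and with records of
    the (assumed) shape {slug, title, cvss, from, to, patched}; the affected
    range is inclusive at both ends."""
    result = {"slug": slug, "version": version, "latest": latest, "outdated": None, "vulnerabilities": []}
    if version is None:
        return result   # nothing to compare; the slug alone is an info item
    if latest:
        result["outdated"] = version_key(version) < version_key(latest)
    for v in vulns:
        if v["slug"] == slug and version_key(v["from"]) <= version_key(version) <= version_key(v["to"]):
            result["vulnerabilities"].append(v)
    return result


# Constructed page fragment, readme, release list and record (not from a real
# site, WordPress.org or the Wordfence feed).
SAMPLE_HTML = """<meta name="generator" content="WordPress 6.4.2" />
<link rel='stylesheet' href='https://www.example.com/wp-content/plugins/example-plugin/css/front.css?ver=1.4.0' />
<script src='https://www.example.com/wp-content/plugins/another-plugin/js/app.js?ver=6.4.2'></script>
<link rel='stylesheet' href='https://www.example.com/wp-content/themes/example-theme/style.css?ver=2.0' />"""
SAMPLE_README = "=== Example Plugin ===\nRequires at least: 6.0\nStable tag: 1.4.0\n"
SAMPLE_LATEST = {"example-plugin": "1.5.0", "another-plugin": "3.2.1", "example-theme": "2.0"}
SAMPLE_VULNS = [{"slug": "example-plugin", "title": "Hypothetical vulnerability (constructed test record)",
                 "cvss": 7.5, "from": "0", "to": "1.4.0", "patched": "1.4.1"}]

if __name__ == "__main__":
    for (kind, slug), html_version in detect_components(SAMPLE_HTML).items():
        readme_version = version_from_readme(SAMPLE_README) if slug == "example-plugin" else None
        version = resolve_version(html_version, readme_version)
        print(kind, assess_component(slug, version, SAMPLE_LATEST.get(slug), SAMPLE_VULNS))
```

The numeric version key is not a nicety: comparing “5.7.10” with “5.7.2” as strings says the older one is newer, which turns a vulnerable install into a false pass.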

Sensitive File Exposure

FunSentry checks for files that should never be publicly accessible:

  • wp-config.php.bak or wp-config.php~ — Database credentials in plain text
  • .env — Environment variables (API keys, secrets)
  • .git/config — Source code repository information
  • debug.log — PHP error logs with internal paths and stack traces

If any of these show up as “failed,” treat it as an emergency. These files can give an attacker direct access to your database or hosting account.

Fix: Delete or restrict access to these files immediately. See our wp-config.php security guide for hardening recommendations.
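Added example, not FunSentry’s implementation: a classifier for these paths that treats an HTTP 200 as exposure only when the body actually looks like the file in question (a DB_PASSWORD define, a [core] section, a PHP Notice line) and is not byte-identical to the site’s catch-all “not found” page. That second test matters because many WordPress hosts answer every unknown path with a 200, and a status-only check would mark all of them as leaks. The signatures, severities and sample responses are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Tuple

WP_CONFIG_SIG = re.compile(r"define\(\s*['\"]DB_(NAME|USER|PASSWORD)['\"]")

# Path -> (content signature, severity). Signatures and severities are assumptions
# for this example; a 200 alone never counts as exposure.
SENSITIVE_FILES = {
    "/wp-config.php.bak":    (WP_CONFIG_SIG, "critical"),
    "/wp-config.php~":       (WP_CONFIG_SIG, "critical"),
    "/.env":                 (re.compile(r"^[A-Z][A-Z0-9_]*=", re.M), "critical"),
    "/.git/config":          (re.compile(r"^\[core\]", re.M), "high"),
    "/wp-content/debug.log": (re.compile(r"PHP (Notice|Warning|Deprecated|Fatal error):"), "high"),
    "/phpinfo.php":          (re.compile(r"<title>PHP \d|phpinfo\(\)", re.I), "high"),
}


def fingerprint(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8", "replace")).hexdigest()


def classify(path: str, status: int, body: str, baseline_fp: str) -> dict:
    """Decide whether a sensitive path is really exposed. baseline_fp is the
    fingerprint of the site's answer to a random path that cannot exist, so a
    byte-identical 200 is a soft 404, not a leak."""
    signature, severity = SENSITIVE_FILES[path]
    finding = {"check": path, "severity": severity, "status": "pass", "detail": f"HTTP {status}"}
    if status != 200:
        return finding
    if fingerprint(body) == baseline_fp:
        finding["detail"] = "HTTP 200 identical to the soft-404 page"
        return finding
    if signature.search(body):
        finding.update(status="fail", detail="HTTP 200 with content matching the real file")
        return finding
    finding.update(status="warning", severity="low",
                   detail="HTTP 200 but content does not look like the file; verify manually")
    return finding


def scan_sensitive_files(responses: Dict[str, Tuple[int, str]], baseline_body: str) -> Dict[str, dict]:
    """responses maps path -> (status, body); baseline_body is the response to
    a random non-existent path fetched first."""
    fp = fingerprint(baseline_body)
    return {path: classify(path, *responses[path], fp) for path in SENSITIVE_FILES if path in responses}


# Constructed responses for the example (no real site was queried).
SOFT_404 = "<html><body><h1>Page not found</h1></body></html>"
SAMPLE_RESPONSES = {
    "/wp-config.php.bak": (200, "<?php\ndefine('DB_NAME', 'wp_prod');\ndefine('DB_PASSWORD', 'hunter2');\n"),
    "/wp-config.php~": (404, SOFT_404),
    "/.env": (200, SOFT_404),
    "/.git/config": (403, "Forbidden"),
    "/wp-content/debug.log": (200, "[12-Jan-2024 10:00:00 UTC] PHP Notice:  Undefined index: id in "
                                   "/var/www/html/wp-content/plugins/example-plugin/example.php on line 42\n"),
    "/phpinfo.php": (200, "<html><body>Nothing here</body></html>"),
}

if __name__ == "__main__":
    for path, finding in scan_sensitive_files(SAMPLE_RESPONSES, SOFT_404).items():
        print(f"{finding['status']:8} {finding['severity']:8} {path}: {finding['detail']}")
```

The “warning” outcome is deliberate: a 200 whose body matches neither the file nor the soft-404 page is usually a themed error page, but it is cheap to look at by hand, and it is the one case an automated verdict should not decide alone.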


What Happens to Your Scan Data?

Transparency matters. Here’s how FunSentry handles scan data:

  • No account required — You don’t need to sign up or log in
  • Results are cached for 5 minutes — If someone else scans the same URL within that window, the cached result is served. After 5 minutes, the data is deleted from memory
  • No database storage — Scan results are held in server memory only. There is no persistent database
  • Scan jobs are cleaned up after 10 minutes — All data associated with a scan is automatically purged
  • Reports are not indexed — The /report/[id] pages have noindex meta tags, so Google won’t index your scan results

Tips for Getting the Most Out of FunSentry

Scan Regularly

WordPress, plugins, and themes receive updates frequently. A site that scores an “A” today might drop to a “C” next month if a critical plugin vulnerability is disclosed. We recommend scanning at least once a month.

Scan After Every Major Change

Installed a new plugin? Switched themes? Migrated hosts? Run a scan to catch any new exposures.

Share the Report URL

Every scan generates a unique report URL like www.funsentry.com/report/a1b2c3d4. You can share this link with your developer, hosting provider, or security consultant to discuss specific findings. Note that the report is only available for a limited time while the scan data is in memory.

Don’t Panic About Info Items

Items marked as “Info” (blue) are purely informational — they don’t affect your security score. For example, “Login page accessible” is info-level because having a login page is normal. It’s only flagged so you’re aware of it.

Focus on Critical and High Severity First

If your report has multiple failed checks, prioritize by severity:

  1. Critical — Fix immediately (e.g., exposed wp-config.php backup, expired SSL certificate)
  2. High — Fix this week (e.g., XML-RPC enabled, outdated WordPress version with known vulnerabilities)
  3. Medium — Fix this month (e.g., missing CSP header, directory listing enabled)
  4. Low — Fix when convenient (e.g., missing Permissions-Policy header)

Frequently Asked Questions

Is FunSentry safe to use on my live site?

Yes. FunSentry only reads publicly available information. It never attempts logins, file uploads, or any kind of exploitation. Its requests are the same plain, unauthenticated GETs a browser or crawler would send, only aimed at a fixed list of well-known URLs.

Will my hosting provider flag the scan as an attack?

Unlikely. FunSentry sends a small number of standard HTTP requests (fewer than 50) with a clearly identified User-Agent (FunSentry-Scanner/1.0). It’s far less aggressive than a typical search engine crawler.

Can I scan a site I don’t own?

Technically, yes — FunSentry only accesses public information. However, we ask that you only scan sites you own or have permission to test. This is stated in our terms of use.

Why does my score differ from other security scanners?

Every scanner uses different criteria, weights, and detection methods. FunSentry’s scoring emphasizes real-world impact — a publicly exposed database credential file counts far more than a missing low-priority header.

The scan shows “cached result.” What does that mean?

If the same URL was scanned within the last 5 minutes, FunSentry shows the cached result instead of running a new scan. This protects both the target site and FunSentry’s servers. Wait a few minutes and scan again for fresh results.

My site isn’t WordPress. Can I still use FunSentry?

FunSentry is designed specifically for WordPress. The SSL/TLS, HTTP headers, and some general checks will still work, but WordPress-specific modules (version detection, plugin scanning, XML-RPC) won’t return meaningful results for non-WordPress sites.


What’s Next?

Now that you know how to use FunSentry, take action:

  1. Scan your site now — it takes 30 seconds
  2. Fix critical and high issues first — use the recommendations in your report
  3. Bookmark FunSentry — come back monthly for a security checkup
  4. Read our other guides:

Your WordPress site’s security is an ongoing process, not a one-time task. FunSentry is here to make that process easier, faster, and free.


FunSentry is a free, open-source WordPress security scanner. No account required. No data stored. Start your first scan →