Free · no sign-up

Check a WordPress site

An outdated WordPress and abandoned plugins are the top cause of client-site hacks. Pingvera fingerprints the site from the outside in one click — core version, plugins, signs of defacement — plus availability, SSL and domain expiry. No sign-up.

We check availability, SSL and domain expiry. Results are cached for 10 minutes.

What's visible from the outside

Without logging into the admin panel, the check fingerprints the site: the WordPress core version (often exposed via meta tags, static asset paths or the REST API), plugins and themes by characteristic files and headers, and signs of defacement — unexpected content, a redirect to a foreign domain, or forbidden material on the page.

Why an outside view isn't enough

An external fingerprint is what a random visitor or an automated scanner sees. It won't show a broken WP-Cron (scheduled tasks — publishing, updates — silently stop running), plugin versions that are vulnerable but not yet exploited, modified core files — a clear sign of compromise that looks identical to normal operation from the outside — or a bloated autoloaded options table quietly slowing down every page load. For visibility from the inside, Pingvera has a WordPress plugin that reports these problems directly from the server.

Why an outdated WordPress is the #1 cause of hacked client sites

Most WordPress compromises aren't zero-days — they're known, already-patched vulnerabilities in a core version or plugin nobody updated. The moment a fix ships, the vulnerability itself becomes public, and automated bots start scanning the whole web for sites still running the unpatched version within days. A site left one or two versions behind isn't waiting for a determined attacker; it's waiting for a scanner to find it, which usually takes less time than the gap between two scheduled maintenance visits.

Plugins are the bigger risk in practice: there are far more of them than there are core versions, many are abandoned by their authors and never patched at all, and a single outdated plugin can expose the whole site even when core and every other plugin are current.

FAQ

Can you check a site that isn't publicly reachable?

No — the external check only works for sites reachable from the public internet, the same way a regular visitor or search bot would reach it. For sites behind a VPN or in a closed network, only monitoring from the inside via the plugin can help.

The check shows an up-to-date core version — is the site safe?

Not necessarily: an up-to-date core doesn't protect against vulnerable plugins, weak passwords, or a backdoor left from an earlier breach. The external check only covers the outer layer — version, theme/plugin fingerprint, obvious defacement. A full picture, including core files and WP-Cron, requires monitoring from the inside.

Does the check need admin access or a login?

No — the free check only looks at what a public visitor sees: HTTP responses, page markup, exposed asset paths. It needs no credentials and no access to the server. Seeing what's inside — cron, the plugin vulnerability database, core file integrity — is exactly what the WordPress plugin adds.

Do I need to sign up?

No. A one-off check is free and requires no sign-up. Sign-up is only needed if you want continuous monitoring with an alert before your customer notices a problem.

How often can I check?

The result for each site is cached for 10 minutes so we don't add extra load to the site being checked. For continuous monitoring with checks every minute, put the site under ongoing monitoring in Pingvera.

← Home · Blog · Privacy Policy · https://pingvera.com