New — built for WordPress owners

Find out what's wrong with your WordPress site.
In 60 seconds.

Paste your URL. We'll check 30+ things attackers look for first — leaked database backups, exposed config files, brute-force-friendly login pages, slow pages, accessibility complaints waiting to happen. Plain-English report you can act on yourself or hand to your developer.

Free preview — top 3 issues plus your Health Score. No signup, no install.

What we look for

Leaked database credentials

Why it matters: If your `wp-config.php.bak` or `.git` folder is publicly readable, any visitor can read your database password and download your entire site.

What we check: wp-config.php.bak, wp-config.php.swp, .git/HEAD, .env, debug.log, error_log, SQL backups in /uploads/.

WordPress version exposure

Why it matters: Attackers match your WordPress version against known CVEs. Hiding the version cuts targeted attacks dramatically.

What we check: readme.html, meta generator tag, RSS feed <generator>, license.txt, CSS/JS ver= query strings.
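For owners auditing their own site, here is an added example (not GateTest's own code) that scans a saved copy of a homepage and RSS feed for three of the disclosure points listed above. The sample HTML and feed, the plugin path and the version numbers are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample input, not taken from a real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-includes/css/style.min.css?ver=6.4.2" />
<script src="/wp-content/plugins/example-plugin/app.js?ver=1.9.0"></script>
</head><body></body></html>"""
SAMPLE_RSS = ("<rss><channel><generator>https://wordpress.org/?v=6.4.2"
              "</generator></channel></rss>")


class _TagScan(HTMLParser):
    """Collects generator meta tags and ver= query strings on CSS/JS assets."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (source, detail, version)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.search(r"\d+(?:\.\d+)+", a.get("content", ""))
            self.findings.append(("meta-generator", a.get("content", ""), m.group(0) if m else None))
        url = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        ver = parse_qs(urlparse(url).query).get("ver") if url else None
        if ver:
            self.findings.append(("asset-ver", urlparse(url).path, ver[0]))


def find_version_disclosures(html, rss=""):
    """Return every place the saved page or feed states a version number."""
    scan = _TagScan()
    scan.feed(html)
    findings = list(scan.findings)
    m = re.search(r"<generator>\s*([^<]+?)\s*</generator>", rss, re.I)
    if m:
        v = re.search(r"\d+(?:\.\d+)+", m.group(1))
        findings.append(("rss-generator", m.group(1), v.group(0) if v else None))
    return findings


def sources_still_leaking(findings, version, fixed=("meta-generator",)):
    """Sources that still reveal `version` once the `fixed` sources are removed."""
    return sorted({src for src, _, v in findings if v == version and src not in fixed})
```

On the sample, removing only the meta generator tag leaves the same version readable from the stylesheet's ver= string and the feed, so each source needs its own fix.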

XML-RPC weapon turret

Why it matters: 99% of sites don't use xmlrpc.php — but if it's enabled, attackers use it as a DDoS reflector against other sites, or to brute-force your password 1000x faster.

What we check: Whether /xmlrpc.php is reachable, whether pingback.ping is enabled (the DDoS hook).

Brute-force-friendly admin

Why it matters: If /wp-admin and /wp-login.php have no rate limit, attackers try millions of credentials per day. With a weak admin password, a break-in is now a question of when, not if.

What we check: Whether the login page is reachable from the open internet, whether there's a WAF in front, whether usernames are enumerable.

Security headers missing

Why it matters: Modern browsers protect against XSS and clickjacking — but only if your site asks them to. Most WordPress sites don't.

What we check: Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Permissions-Policy.

Accessibility / ADA compliance

Why it matters: WCAG complaints can become $5K-$100K legal exposure. Every month brings new ADA-compliance lawsuits against e-commerce sites.

What we check: Missing alt text, contrast ratios, keyboard navigability, heading hierarchy, ARIA landmarks.

Performance / Core Web Vitals

Why it matters: Google ranks slow sites lower. A page that loads in 5 seconds instead of 2 measurably loses traffic and ad revenue.

What we check: Largest Contentful Paint, Cumulative Layout Shift, Time to First Byte, render-blocking assets.

Broken links + dead images

Why it matters: Broken images crater conversion rates. Broken outbound links damage SEO authority.

What we check: Every link (anchor href) and image source on your homepage and 10 deepest-linked pages.

Honest pricing

Pay per scan, not per month. Most owners run a scan after every plugin update or once a quarter — that's how the pricing was designed.

Free Preview

$0

no signup

  • Top 3 most urgent issues
  • Plain-language summary
  • Best for: deciding whether to dig deeper

Health Check

$19

one-shot

  • Full scan — all 30+ checks
  • Plain-language report you can share
  • Step-by-step fix instructions
  • Best for: post-plugin-update, quarterly checkups

Continuous

$19

per month

  • Weekly scan on schedule
  • Email alerts on new CVEs affecting your stack
  • Side-by-side diff when something changes
  • Best for: production sites with real revenue

Per-scan payment via Stripe. One-time payment, no subscription.

What we DON'T do

Three things we tell you up front — because nothing kills trust faster than discovering hidden limitations after you've paid.

Ready when you are.

Scan my WordPress site

Built on the GateTest engine — the same 94-module QA gate developers use on their codebases.