Today we are publicly launching WP Vanguard, a WordPress security scanner built by our team at Wbcom Designs. It checks your site for vulnerabilities, malware, and misconfigurations without installing any plugin on your server.
No plugin. No performance impact. No code on your server. Just paste your URL and get a security grade in seconds.
We built this because after cleaning up hacked WordPress sites for over a decade, we kept seeing the same problem, site owners had no easy way to know if their site was compromised until it was too late.
The Problem We Set Out to Solve
WordPress powers over 40% of the web, but the security tools available to site owners are either too complex, too expensive, or too invasive. Most scanners require a plugin that eats server resources, adds its own attack surface, and shows cryptic results that non-technical users cannot act on.
The threat landscape has made this worse. Over 11,000 new vulnerabilities were discovered in the WordPress ecosystem in 2025, a 42% increase year-over-year. High-severity flaws more than doubled. The median time from a vulnerability being disclosed to mass exploitation has shrunk to just 5 hours.
And here is the part that concerns us most, 46% of WordPress vulnerabilities never even get patched. Keeping everything updated is not enough anymore. You need to actually know what is on your server.
How WP Vanguard Works
Free Surface Scan, No Signup Required
Go to wpvanguard.com, paste your WordPress site URL, and get instant results. The surface scan checks for known vulnerabilities across our database of 38,000+ CVEs sourced from four intelligence feeds, Wordfence Intelligence, Patchstack, WPScan, and WPVulnerability.net. It also checks security headers, exposed files, suspicious scripts, and blacklist status across 11 services including Google Safe Browsing and VirusTotal.
You get a security grade from A to F and a clear breakdown of every finding. No account needed.
20-Step Deep Scan via SSH
The surface scan catches what is visible from the outside. But some threats hide deeper. The deep scan connects via SSH and checks 20 security areas that no external scanner can detect, malware signatures, WordPress core file integrity, hidden backdoors, database injections, rogue administrator accounts, fake plugins that look legitimate but contain malicious code, and suspicious scheduled tasks.
Every single finding comes with an AI-powered explanation. Not just a CVE number and severity label. We tell you what was found, why it matters, and the exact steps to fix it, in plain language that anyone can understand and act on.
What a Real Scan Looks Like
Here is a deep scan from a compromised WordPress site. The scanner detected 603 PHP files modified in just 7 days, a clear indicator of mass malware infection. The AI classified it as high severity and provided step-by-step remediation guidance that a non-developer could follow.
It also flagged that the WordPress REST API was exposing usernames, something that makes brute force attacks trivially easy. Most site owners have no idea this is happening on their site right now.
Every step of the scan is logged transparently, so you can see exactly what was checked and what was found.
PDF Reports and Email Alerts
Every deep scan generates a professional PDF report with the AI analysis, remediation steps, and an executive summary. Hand it to your developer, your hosting provider, or your client. You also get email notifications when scans complete, especially when critical issues are found.
What Makes This Different
- Completely external, No plugin means zero performance impact on your site and zero additional attack surface on your server
- AI-powered explanations, Every finding is explained in plain language with specific fix instructions, not just CVE numbers and severity labels
- Comprehensive coverage, 38,000+ CVEs from four intelligence sources, 11-service blacklist monitoring, 20-step server-level deep scanning
- Actionable results, You know exactly what is wrong and exactly how to fix it, whether you are a developer or a business owner
- Built by people who clean hacked sites, Over 15 years of WordPress development and security experience at Wbcom Designs
For Agencies and Hosting Providers
If you manage client WordPress sites, whether you are an agency, a freelancer, or a hosting company, WP Vanguard includes a full Partner API. Run surface scans, deep scans, and bulk scans across up to 100 sites at once. Set up webhooks for automated notifications. Generate white-label PDF reports with your own branding.
Self-serve registration is live with a free tier to evaluate the platform immediately. The dashboard comes pre-loaded with demo data so you can see exactly what the experience looks like before connecting your own sites. Register here.
We built the Partner API because agencies kept asking for it. They wanted to offer WordPress security monitoring to their clients but did not have the tools to do it at scale. Now they do.
Built in the Open
WP Vanguard has a public roadmap organized into Now, Next, Later, and Shipped. A full changelog tracking every version. And documentation covering everything from getting started to the Partner API reference.
This is not a finished product. It is a product we are committed to building in the open, with real feedback from real users shaping every decision.
Try It
For site owners: Visit wpvanguard.com and scan your WordPress site. Takes 30 seconds. No signup required, just paste your URL.
For agencies and hosting providers: Check the pricing page or go directly to partner registration.
Documentation: wpvanguard.com/docs | Partner API: wpvanguard.com/docs/partner-api
WP Vanguard is built and maintained by our team at Wbcom Designs. If you have questions or feedback, reach out via X/Twitter or open an issue on GitHub.