Complete Security Platform

Every security service your website needs, in one platform

From one-click vulnerability scans to real-time WordPress event monitoring — Pentesterr covers every layer of your web security posture. No stitching together multiple tools. No switching between dashboards.

Service 01

WordPress Security Scanning

The most targeted CMS on the internet deserves the deepest scan.

WordPress powers 43% of all websites — and that dominance makes it the #1 target for automated attacks. A single outdated plugin can expose your entire site to remote code execution, data theft, or full compromise. Pentesterr's WordPress security engine gives you complete visibility into every vulnerability in your WordPress stack.

Plugin & Theme CVE Detection

Every installed plugin and theme is matched against 20,000+ known CVEs in real time. You are alerted the moment a vulnerability is published for software you are running.

WordPress Core Version Checks

Detect outdated WordPress core versions and receive immediate notification when security patches are available. Running an unpatched core is the single most common cause of WordPress compromise.

Admin Interface Exposure

Identify exposed wp-admin, wp-login.php, and xmlrpc.php endpoints. Exposed admin interfaces are the primary entry point for brute-force and credential-stuffing attacks.

User Enumeration Detection

Detect whether your site leaks WordPress usernames through the REST API or author archive pages — a critical first step in targeted brute-force attacks.

Configuration Security Checks

Audit wp-config.php exposure, debug mode status, directory listing, and other common WordPress misconfigurations that attackers actively probe for.

Brute-Force & Login Monitoring

Track failed login attempts, lockout events, and suspicious authentication patterns via the Security Agent plugin — in real time, not in a daily digest.

Service 02

Automated Penetration Testing

Think like an attacker. Find what they would find — before they do.

Penetration testing is the practice of simulating real-world attacks against your systems to identify exploitable vulnerabilities before malicious actors do. Pentesterr's automated penetration testing engine runs the same checks a skilled security professional would — at a fraction of the cost and in minutes rather than days.

OWASP Top 10 Coverage

Systematic testing against all 10 OWASP 2021 vulnerability categories: injection, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, known vulnerabilities, and insufficient logging.

SQL Injection Testing

Detect SQL injection vulnerabilities in forms, URL parameters, and API endpoints. SQL injection remains the most exploited web vulnerability and can lead to complete database compromise.

Cross-Site Scripting (XSS)

Identify reflected, stored, and DOM-based XSS vulnerabilities that allow attackers to inject malicious scripts into pages viewed by other users.

Authentication & Session Testing

Test for weak password policies, insecure session management, missing account lockout, and authentication bypass vulnerabilities.

Open Port & Service Enumeration

Discover open ports and running services that expand your attack surface. Identify unnecessary exposed services that should be firewalled.

Sensitive Data Exposure

Detect exposed API keys, credentials, backup files, configuration files, and sensitive data in HTTP responses and error messages.

Service 03

Vulnerability Assessment

Know every weakness. Prioritise every fix.

A vulnerability assessment is a systematic review of your web application's security weaknesses. Unlike a penetration test — which attempts to exploit vulnerabilities — a vulnerability assessment catalogues and scores every identified weakness so your team can prioritise remediation effectively. Pentesterr produces compliance-ready vulnerability assessments automatically.

CVE & CVSS Severity Scoring

Every vulnerability is mapped to its CVE identifier and scored using the CVSS v3.1 framework — giving you an objective, industry-standard severity rating for every finding.

CWE Classification

Findings are classified using the Common Weakness Enumeration (CWE) taxonomy, making it easy to identify systemic patterns in your codebase or configuration.

OWASP Framework Mapping

All findings are mapped to the OWASP Top 10 and OWASP Testing Guide categories, providing context for each vulnerability within the broader threat landscape.

Prioritised Remediation Guidance

Every finding includes a plain-English explanation of the vulnerability, its potential impact, and step-by-step remediation instructions — no security expertise required.

Compliance-Ready Reporting

Generate reports mapped to GDPR Article 32, PCI-DSS Requirement 6, HIPAA Security Rule, and ISO 27001 controls — ready for auditors and regulators.

Historical Trend Tracking

Track your security posture over time. See how your vulnerability count and severity distribution change with each scan — and demonstrate continuous improvement.

Service 04

SSL/TLS & Security Header Analysis

Encryption done wrong is no encryption at all.

SSL/TLS misconfiguration is one of the most common and most dangerous security issues on the web. Weak cipher suites, expired certificates, missing HSTS headers, and protocol downgrade vulnerabilities can expose your users' data even when you think you are encrypted. Pentesterr performs a full SSL/TLS and HTTP security header audit on every scan.

Certificate Chain Validation

Verify the full certificate chain from your server certificate to the trusted root CA. Detect self-signed certificates, expired certificates, and hostname mismatches.

Cipher Suite & Protocol Grading

Identify weak cipher suites (RC4, DES, 3DES), deprecated protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1), and missing support for modern secure protocols.

HSTS Enforcement

Check for HTTP Strict Transport Security (HSTS) headers and validate max-age, includeSubDomains, and preload directives to prevent protocol downgrade attacks.

Security Header Audit

Detect missing Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers — each with specific remediation guidance.

Certificate Expiry Monitoring

Receive email alerts 30, 14, and 7 days before your SSL certificate expires. An expired certificate breaks your site for all visitors and destroys user trust.

Mixed Content Detection

Identify pages that load insecure HTTP resources over HTTPS connections — a common misconfiguration that triggers browser security warnings and weakens encryption.

Service 05

24/7 Uptime & Change Monitoring

Know before your customers do.

Downtime costs money, damages reputation, and — in the case of a security incident — can mean your site is actively serving malware to your visitors. Pentesterr monitors your sites every 5 minutes from multiple global locations and alerts you instantly when something goes wrong.

5-Minute Global Uptime Checks

Monitoring runs every 5 minutes from multiple geographic locations. Regional outages and CDN issues are detected and distinguished from full site outages.

Instant Email & Webhook Alerts

Receive email notifications the moment your site goes down — before your customers notice. Webhook support enables integration with Slack, PagerDuty, and other tools.

Defacement & Content Change Detection

Detect unexpected changes to your homepage and key pages. Attackers who compromise a site often deface it or inject malicious content — change monitoring catches this immediately.

New Vulnerability Alerts

When a new CVE is published for software you are running, you are notified immediately — not in a weekly digest. Early notification is the difference between patching and being breached.

SSL Certificate Expiry Alerts

Automated reminders at 30, 14, and 7 days before certificate expiry. Never lose a site to an expired certificate again.

Historical Uptime Reporting

View uptime history, incident timelines, and average response times. Demonstrate SLA compliance to clients and stakeholders with exportable uptime reports.

Service 06

Pentesterr Security Agent

Real-time WordPress event monitoring. Off-site. Tamper-proof.

The Pentesterr Security Agent is a lightweight WordPress plugin that hooks into your site's core events and streams them to your Pentesterr dashboard in real time. Unlike server-side log analysis — which requires SSH access and technical expertise — the Security Agent works on any WordPress site, on any host, with a 60-second setup.

Real-Time Event Streaming

Security-relevant events are streamed to your dashboard as they happen — not batched into a daily report. High-priority events (failed logins, plugin changes, user creation) are sent immediately.

Failed Login & Brute-Force Tracking

Every failed login attempt is logged with username, IP address, timestamp, and geolocation. Identify brute-force attacks in progress and block attackers before they succeed.

Plugin & Theme Change Alerts

Receive instant alerts when a plugin or theme is installed, activated, deactivated, updated, or deleted. Unauthorised plugin changes are a primary indicator of compromise.

File Integrity Monitoring

Detect unexpected changes to WordPress core files, plugin files, and theme files. File modifications are a key indicator of malware injection or backdoor installation.

User & Role Change Monitoring

Log every user creation, deletion, role change, and email change. Attackers who gain access often create hidden admin accounts — the Security Agent catches this immediately.

Tamper-Proof Off-Site Storage

All events are stored on Pentesterr's infrastructure — not in your WordPress database. Even if your site is fully compromised, your audit trail remains intact and unmodified.

Service 07

Malware & Blocklist Detection

Find injected malware before Google blacklists your site.

A compromised website can be used to serve malware to visitors, send spam, or redirect users to phishing pages — often without the site owner's knowledge. Google Safe Browsing and other blocklists flag these sites, destroying search rankings and user trust. Pentesterr scans for malware and monitors blocklists continuously.

Malware Signature Scanning

Scan for known malware signatures, injected JavaScript, hidden iframes, and malicious redirects that attackers commonly use to weaponise compromised websites.

Google Safe Browsing Check

Cross-reference your domain against Google Safe Browsing — the blocklist that triggers Chrome's "Dangerous Site" warning and can devastate your organic search traffic.

30+ Blocklist Monitoring

Monitor your domain against Spamhaus, SURBL, MX Toolbox, and 30+ other global blocklists. Blocklisting affects email deliverability as well as web traffic.

SEO Spam Detection

Detect hidden keyword injection and spam link insertion — a common technique used by attackers to monetise compromised websites while staying under the radar.

Malicious Redirect Detection

Identify server-side and client-side redirects that send visitors to phishing pages, malware distribution sites, or adult content — without the site owner's knowledge.

Reputation Monitoring

Continuous monitoring of your domain's reputation across security databases. Receive instant alerts if your site is flagged, so you can act before the damage compounds.

Service 08

Professional Security Reports

Reports your clients and board will actually read.

Security findings are only valuable if they are communicated clearly. Pentesterr generates professional, branded PDF security reports that translate technical vulnerabilities into business-relevant language — with executive summaries for leadership and detailed technical findings for your development team.

Executive Summary

A one-page overview of your security posture, overall risk rating, critical findings count, and top remediation priorities — designed for non-technical stakeholders.

Technical Findings Detail

Full technical documentation of every vulnerability: description, affected component, CVE reference, CVSS score, proof of concept, and step-by-step remediation instructions.

Compliance Framework Mapping

Findings are mapped to GDPR Article 32, PCI-DSS Requirement 6, HIPAA Security Rule, and ISO 27001 Annex A controls — ready for regulatory submissions and audits.

Severity Distribution Charts

Visual breakdown of findings by severity (Critical, High, Medium, Low, Informational) with trend comparison against previous scans.

Remediation Roadmap

Prioritised list of remediation actions ordered by severity and ease of fix — so your team always knows what to tackle first for maximum risk reduction.

White-Label Ready

Agencies can generate reports under their own branding. Deliver professional security audit reports to clients without revealing the underlying tooling.

All of this — free to start

The free plan includes 1 site, 20 scans per month, the Security Agent plugin, uptime monitoring, and PDF reports. No credit card required.