New - Chrome Extension · Free · No account

External Security Scans.
Straight From Your Browser.

Trusti Radar is an external WordPress security scanner that runs from your own browser IP. No plugin to install on the target site. No account. No data sent to our servers. Add a site, verify ownership once, and run a full scan whenever you need one.

  • Zero data collected
  • No account required
  • Works on every WordPress site you own

Trusti Radar dashboard showing multiple client WordPress sites with their security scores

  • CVE Vulnerability Checks
  • HTTPS & Headers Audit
  • 30+ Sensitive Path Probes
  • Severity-Ranked Findings

Three Steps From Install to First Scan.

Designed for WordPress professionals who need real answers fast. No API keys, no CLI, no server-side setup.

01 · Add Your Site

Enter the URL of any WordPress site you own or have authorisation to scan. Add as many as you need - your whole client portfolio lives in one dashboard.

02 · Verify Ownership

Upload a small verification file to the server, or add a DNS TXT record. One-time step per site. This confirms you have authorisation before any scan runs.

03 · Run the Scan

One click. Requests go directly from your browser to the target site and a small set of public security databases. Results appear in seconds, sorted by severity.

Trusti Radar scan results showing findings sorted by severity with explanations and recommended fixes
  • Critical: Immediate action required
  • High: Fix as soon as possible
  • Medium: Address in the near term
  • Low: Best-practice improvements

One Click. The Full Picture.

Every scan runs more than 50 security checks across ten categories. Every finding includes a plain-language explanation, the technical detail, a recommended fix, and a link to an in-depth guide.

Vulnerabilities in Core, Plugins & Themes

Detects exact versions of WordPress core, PHP, every installed plugin and theme, then cross-checks them against a public CVE database. Each finding links to its NVD entry.

HTTP Security Headers

Verifies Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy - presence and correct configuration.

SSL & HTTPS

Confirms the site is served over HTTPS and that plain HTTP redirects to it, catches mixed content, verifies the HSTS max-age, and checks certificate transparency logs and the HSTS preload list.
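As an added illustration (not Trusti Radar's own code) of what "presence and correct configuration" means for the headers listed above, this Python audit applies a handful of those rules to a constructed set of response headers and ranks the results with the four severity levels used on this page. It assumes the one-year HSTS max-age minimum that hstspreload.org requires for submission.

```python
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
HSTS = "Strict-Transport-Security"
HSTS_MIN_AGE = 31536000  # one year in seconds, the minimum hstspreload.org accepts

@dataclass(frozen=True)
class Finding:
    severity: str  # one of the four levels above
    header: str
    message: str

def _hsts_findings(value):
    # HSTS rules: header present, max-age present and long enough, subdomains covered.
    if value is None:
        return [Finding("High", HSTS, "header missing; plain-HTTP requests are never upgraded")]
    out, m = [], re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        out.append(Finding("High", HSTS, "no max-age directive, so browsers ignore the header"))
    elif int(m.group(1)) < HSTS_MIN_AGE:
        out.append(Finding("Medium", HSTS, f"max-age={m.group(1)} is below the one-year preload minimum"))
    if "includesubdomains" not in value.lower():
        out.append(Finding("Low", HSTS, "includeSubDomains not set"))
    return out

def audit_headers(headers):
    """Findings for a dict of response headers (names case-insensitive), sorted by severity."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = _hsts_findings(h.get("strict-transport-security"))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(Finding("Medium", "Content-Security-Policy", "header missing"))
    elif "'unsafe-inline'" in csp:
        findings.append(Finding("Low", "Content-Security-Policy", "policy allows 'unsafe-inline'"))
    # CSP frame-ancestors supersedes X-Frame-Options; otherwise require DENY or SAMEORIGIN.
    framed_ok = csp is not None and "frame-ancestors" in csp
    if not framed_ok and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(Finding("Medium", "X-Frame-Options", "missing or permissive; page can be framed"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding("Low", "X-Content-Type-Options", "nosniff not set"))
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(Finding("Low", name.title(), "header missing"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])

# Constructed sample (not a real capture): a partially hardened WordPress front page.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL",
                  "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin"}
```

Running `audit_headers(SAMPLE_HEADERS)` on the sample yields three Medium findings (short HSTS max-age, no CSP, permissive X-Frame-Options) followed by two Low ones.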

Exposed Files & Sensitive Paths

Probes 30+ known-sensitive locations: wp-config backups, database dumps, .env files, .git and .svn artifacts, debug logs, phpMyAdmin, archive files, AWS credentials and more.

Login & Brute Force Security

Detects username enumeration via author archives and the REST API, checks if login errors or the lost-password form leak account existence, and tests a curated weak-password list.

Secret Key Detection

Scans homepage HTML and linked JavaScript for accidentally exposed credentials: Stripe keys, AWS Access Key IDs, Google API keys, GitHub tokens, Slack, SendGrid, Mailgun and PEM private keys.

WordPress REST API Exposure

Flags unauthenticated access to the users endpoint, exposed draft posts, a fully enumerable media library, and publicly readable WooCommerce product data.

DNS & Email Security

Checks CAA records, DNSSEC signing and SPF configuration, lists reverse-IP neighbours, and runs blacklist checks against Spamhaus, Barracuda, SORBS and SpamCop.

WordPress-Specific Checks

Default /wp-admin/ exposure, xmlrpc.php availability, direct wp-cron.php triggering, uploads directory listing, and RSS feeds that leak author usernames.

Server & Infrastructure

Dangerous HTTP methods (TRACE, PUT, DELETE, CONNECT), open public registration, robots.txt leaks, cloaking vs. Googlebot, hidden iframes and known malicious script patterns.

Who Uses Trusti Radar.

Agencies

Manage security posture across every client site from one place. Rescan any site in one click before handovers, retainers, or after a major update.

Freelancers

Run a pre-handover audit on every project. Turn security into a deliverable - a sharp report of what's fixed and what's left.

Developers & DevOps

Verify hardening from the outside, confirm headers are deployed, and catch regressions after shipping changes to production.

Your Data Never Leaves Your Browser.

Trusti Radar is designed around a strict no-collection policy. Your site list, scan results, and settings are stored locally in Chrome and never leave your device. Uninstalling the extension removes all locally stored data.

What we don't do

  • No data is sent to Trusti Security servers - ever
  • No analytics, telemetry, or crash reporting
  • No account, no API key, no sign-up
  • No data sold or transferred to third parties

Only four external endpoints

  • Your target site - standard requests to public URLs
  • wpvulnerability.net - plugin/theme slugs and versions for CVE data
  • hstspreload.org - domain name to check preload status
  • crt.sh - domain name to verify SSL certificate validity

Trusti Radar + Trusti Security.

Radar audits your site from the outside - the way an attacker sees it. The Trusti Security plugin protects it from the inside - 2FA, brute force blocking, vulnerability scanning, security headers, and 11 more modules. Use them together for the complete picture.

  • Radar - external audit
  • Security - live protection
  • Site covered inside and out

Trusti Radar FAQ

Yes. Free on the Chrome Web Store, with no account, no API key, and no paid tier. Every security check listed on this page runs on every scan.
Running a security scan against a site you don't own or control may be illegal in your jurisdiction. Ownership verification - uploading a small text file to the server, or adding a DNS TXT record - confirms you have hosting-level access to the site, and is a one-time step per site.
No. Nothing passes through Trusti Security infrastructure. Your site list, scan results, and settings stay in Chrome's local extension storage on your device. Scan requests go directly from your browser to four external endpoints: the target site and three public security data sources (wpvulnerability.net, hstspreload.org, and crt.sh).
The plugin runs inside WordPress and actively protects the site - 2FA, brute force blocking, login masking, scheduled scanning, real-time alerts. Radar runs outside, in your browser, and audits what an attacker would see from the internet. They complement each other: use Radar for audits and reports, and the plugin for continuous protection.
Google Chrome, a WordPress site you own or have explicit written permission to scan, and the ability to upload a small verification file to the web server (via FTP, file manager, or SSH) or add a DNS TXT record.
Yes - that is exactly who Radar is built for. Agencies and freelancers can add every client site to one dashboard, verify ownership once per site, and rerun scans as often as needed. Ownership verification confirms hosting access, but you are still responsible for obtaining proper written authorisation from the site owner.

Scan Your First Site in Under Two Minutes.

Install the extension, verify one site, and run a full external security audit - all before your coffee goes cold.

No account · No data collected · Uninstall any time