Passive · external · read-only

Is the free WordPress security scan safe? Yes.

The PowerSEC Free WordPress Security Snapshot only looks at what is publicly visible. It never logs in, exploits, or changes your site.

What it never does

It does not log in to your site
It does not submit any forms
It does not test passwords or brute-force
It does not exploit vulnerabilities
It does not modify any files
It does not run aggressive directory enumeration

What it does

Reads only publicly visible pages and headers (GET/HEAD requests)
Validates the target and refuses private/internal addresses (SSRF-safe)
Caps requests, response size, and time — it stays light on your server
Summarises findings without storing your page content or any secrets

How the snapshot runs

Each step is a lightweight, read-only check. Nothing is written back to your site.

01 Resolve & validate

Checks the URL and refuses private/internal addresses (SSRF-safe) before any request.

02 HTTPS & headers

Reads transport security and response headers — HSTS, CSP, X-Frame-Options and more.

03 Public signals

Detects WordPress, version exposure, and plugin/theme traces already visible in page assets.

04 Exposure checks

Looks at login/XML-RPC reachability and a tiny fixed allowlist of sensitive files.

05 AI summary

Explains the findings in plain language as an External Exposure Score — no content stored.
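
A sketch of what the "Resolve & validate" step (01) has to get right, as an added example that is not PowerSEC's own code. The port policy, the function names and the sample DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumption: only web ports are scanned

# Constructed DNS answers so the example runs offline (not real scan data).
SAMPLE_DNS = {
    "blog.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
    "meta.example": ["169.254.169.254"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # IP literals resolve to themselves

def system_resolver(host, port):
    """Every address the name resolves to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def validate_target(url, resolver=system_resolver):
    """Return (host, port, ips) when safe to fetch; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    if not parts.hostname:
        raise ValueError("missing host")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if port not in DEFAULT_PORTS.values():
        raise ValueError("port not allowed")
    ips = resolver(parts.hostname, port)
    if not ips:
        raise ValueError("host did not resolve")
    for raw in ips:  # every answer must be public, not just the first
        ip = ipaddress.ip_address(raw.split("%")[0])  # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.1 -> 10.0.0.1
            ip = ip.ipv4_mapped
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"non-public address: {ip}")
    return parts.hostname, port, ips

def is_safe(url, resolver=sample_resolver):
    """Demo helper: True when validate_target accepts the URL."""
    try:
        validate_target(url, resolver)
        return True
    except ValueError:
        return False
```

For the check to hold, the scanner has to connect to the addresses returned here rather than resolving the name a second time, and repeat the validation on every redirect it follows.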

Run a snapshot now — it’s free and safe

An external snapshot is limited by design. For exact plugin versions, malware, file integrity, and backup health, connect the PowerSEC plugin for a full internal scan.
