The Security Score estimates how exposed a WordPress site is to known security risks.
A low score does not mean the site has been hacked.
It indicates how vulnerable the site is to being exploited based on its current configuration and known issues.
The score ranges from 0 to 100.
Each site starts at 100, and points are removed based on the checks below.

Known vulnerabilities: 70 points
PHP & WordPress core: 10 points
Site health & misconfiguration: 10 points
Site Protect (virtual patching): 10 points
Known vulnerabilities are publicly documented security issues in plugins, themes, or WordPress core that can be exploited when vulnerable versions are installed. These issues are actively targeted by automated attacks and represent the main entry point for WordPress compromises.
Severity | Score impact |
Critical | -25 |
High | -15 |
Medium | -8 |
Low | -4 |
Points are removed until the vulnerability pillar reaches −70 (maximum impact).
Vulnerabilities only affect the score when Site Protect is disabled.
When Site Protect is enabled, vulnerabilities are still listed but do not reduce the score.
PHP and WordPress core versions define the security baseline of a site. Outdated or unsupported versions no longer receive security fixes, making known vulnerabilities permanently exploitable.
Supported and up to date: no penalty
End of life: −5 points
Up to date: no penalty
Outdated: −5 points
Maximum penalty for this section: −10 points.
This section covers configuration issues that can increase exposure or weaken security controls. While these issues are rarely exploited on their own, they can amplify the impact of other vulnerabilities.
Site Health Warning | Score impact |
No SSL (HTTPS disabled) | -5 |
WP_DEBUG enabled | -3 |
Inactive plugins present | -1 |
Inactive themes present | -1 |
Indexation issues | 0 |
Maximum penalty for this section: −10 points.
Site Protect blocks known exploit attempts at the server level using virtual patching. This reduces real-world risk by preventing attackers from exploiting known vulnerabilities before updates are applied.
Status | Score impact |
Enabled | No penalty |
Disabled | −10 points |
When Site Protect is enabled, known vulnerabilities do not reduce the security score.
Security score = 100
− PHP & WordPress penalty
− site health penalty
− Site Protect penalty
− vulnerability penalty (only when Site Protect is disabled)
The global score is the average of all site scores in your dashboard.
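The scoring rules above, written out as an added example (not the vendor's own code), to show how the −70 cap and the Site Protect gating interact. Function and parameter names are hypothetical, and the example assumes the "End of life" penalty applies to PHP and the "Outdated" penalty to WordPress core.

```python
# Added example: penalty values are taken from the tables on this page;
# function and parameter names are hypothetical.
SEVERITY_PENALTY = {"critical": 25, "high": 15, "medium": 8, "low": 4}
HEALTH_PENALTY = {
    "no_ssl": 5,
    "wp_debug": 3,
    "inactive_plugins": 1,
    "inactive_themes": 1,
    "indexation": 0,
}
VULN_CAP = 70      # maximum impact of the vulnerability pillar
SECTION_CAP = 10   # maximum penalty for each of the other sections


def site_score(vuln_severities, health_warnings, php_end_of_life,
               wp_core_outdated, site_protect_enabled):
    """Return the 0-100 score for one site."""
    # Assumption: the End of life penalty applies to PHP and the
    # Outdated penalty to WordPress core (5 points each, 10 maximum).
    core = min(SECTION_CAP, 5 * php_end_of_life + 5 * wp_core_outdated)
    # Each warning type is counted once, however often it is reported.
    health = min(SECTION_CAP,
                 sum(HEALTH_PENALTY[w] for w in set(health_warnings)))
    if site_protect_enabled:
        # Vulnerabilities stay listed but are not counted.
        protect, vulns = 0, 0
    else:
        protect = 10
        vulns = min(VULN_CAP,
                    sum(SEVERITY_PENALTY[s] for s in vuln_severities))
    return 100 - core - health - protect - vulns


def global_score(site_scores):
    """Average of all site scores (rounding is not specified on the page)."""
    return sum(site_scores) / len(site_scores)


if __name__ == "__main__":
    # Constructed sample: the same site with Site Protect off, then on.
    vulns = ["critical", "critical", "high", "medium"]  # 73 raw, capped at 70
    unprotected = site_score(vulns, ["wp_debug"], True, False, False)
    protected = site_score(vulns, ["wp_debug"], True, False, True)
    print(unprotected, protected, global_score([unprotected, protected]))
```

The two constructed sites differ only in Site Protect status, yet their scores differ by 80 points, so a high score on a protected site still needs the listed vulnerabilities reviewed and patched.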