What Is the External Attack Surface Scanner?
The External Attack Surface Scanner is a free tool that examines any public website the same way an attacker would — from the outside, without credentials, using only what is visible on the open internet. It runs a series of read-only checks across five security categories and returns a scored report with plain-English explanations of every finding.
The goal is to help website owners, developers, and hosting clients identify exposures before a bad actor does. A clean result gives you confidence. A failing result gives you a prioritized action list.
What the Scanner Checks
WordPress Hardening
If the site runs WordPress, the scanner probes for the misconfigurations attackers target most often. It requests xmlrpc.php (whose system.multicall method lets a single request test many passwords, which is why it is used for brute-force amplification), the debug log at wp-content/debug.log, backup copies of wp-config.php that contain database credentials, exposed .env files, an accessible .git directory, and directory listings on the wp-content and wp-includes folders. It also checks whether usernames can be harvested: the ?author=1 query redirects to /author/<login>/ unless author archives are disabled, and the REST endpoint /wp-json/wp/v2/users lists every user who has published a post.
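The probes above can be evaluated without trusting the HTTP status alone, which matters because many hosts answer unknown paths with a branded "not found" page and status 200. The following is an added example, not the scanner's own code: it classifies constructed (path, status, body) responses with a content signature per probe, and extracts usernames from the author redirect and the REST users endpoint. The paths, signatures and severities are this example's assumptions.

```python
"""Offline evaluation of WordPress exposure probes (added example, not the scanner's code).

Each probe carries a content signature so that a soft 404 (status 200 with an HTML
error page) is not reported as a hit. Paths, signatures and severities are assumptions."""
import json
import re
from typing import Optional

# path -> (severity, statuses that count, regex a genuine hit must match, description)
PROBES = {
    # WordPress answers GET on xmlrpc.php with 405 and a fixed plain-text body.
    "/xmlrpc.php": ("warning", {200, 405},
                    re.compile(r"XML-RPC server accepts POST requests only"),
                    "xmlrpc.php reachable (system.multicall allows brute-force amplification)"),
    # PHP error_log lines look like "[03-Jan-2024 10:00:00 UTC] PHP Warning:  ..."
    "/wp-content/debug.log": ("error", {200},
                    re.compile(r"^\[\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} ", re.M),
                    "debug.log publicly readable"),
    "/wp-config.php.bak": ("critical", {200},
                    re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]"),
                    "backup of wp-config.php exposes database credentials"),
    "/.env": ("critical", {200}, re.compile(r"^[A-Z][A-Z0-9_]*=", re.M), ".env file exposed"),
    "/.git/config": ("critical", {200}, re.compile(r"^\[core\]", re.M), ".git directory exposed"),
    "/wp-content/": ("warning", {200}, re.compile(r"<title>Index of /"), "directory listing on wp-content"),
    "/wp-includes/": ("warning", {200}, re.compile(r"<title>Index of /"), "directory listing on wp-includes"),
}


def classify(path: str, status: int, body: str) -> Optional[dict]:
    """Return a finding if the response for `path` looks like the real target, else None."""
    probe = PROBES.get(path)
    if probe is None:
        return None
    severity, statuses, signature, description = probe
    if status not in statuses or not signature.search(body):
        return None   # wrong status, or a 200 whose body is not the target (soft 404)
    return {"path": path, "severity": severity, "description": description}


AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")


def username_from_author_redirect(status: int, location: str) -> Optional[str]:
    """?author=1 redirects to /author/<nicename>/; the nicename defaults to the login."""
    if status not in (301, 302):
        return None
    m = AUTHOR_SLUG.search(location)
    return m.group(1) if m else None


def usernames_from_rest(body: str) -> list:
    """Parse /wp-json/wp/v2/users; 'slug' is the user nicename (login by default)."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


# Constructed sample responses; not captured from any real site.
SAMPLES = [
    ("/xmlrpc.php", 405, "XML-RPC server accepts POST requests only."),
    ("/.git/config", 200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
    ("/.env", 200, "<html><head><title>Page not found</title></head></html>"),  # soft 404
    ("/wp-content/debug.log", 200,
     "[03-Jan-2024 10:00:00 UTC] PHP Warning:  Undefined index in /home/acme/public_html/x.php on line 7\n"),
    ("/wp-config.php.bak", 403, "Forbidden"),
]


def scan_samples() -> list:
    """Classify every constructed sample and keep only genuine findings."""
    return [f for f in (classify(*s) for s in SAMPLES) if f]


if __name__ == "__main__":
    for finding in scan_samples():
        print(f"{finding['severity']:8} {finding['path']}: {finding['description']}")
```

The soft-404 case is the one to keep in mind when reading any external scan: the `/.env` sample returns 200 but is not reported, whereas the xmlrpc.php sample is reported despite its 405.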
SSL / TLS Strength
The scanner retrieves the site's TLS certificate (still widely called an SSL certificate) and reports the issuer, validity dates, and days remaining before expiry. It checks that the certificate covers the hostname being visited (browsers match the hostname against the certificate's Subject Alternative Names, not just its Common Name) and tests whether the server still accepts the outdated TLS 1.0 and TLS 1.1 protocols. The major browsers dropped both in 2020 and RFC 8996 formally deprecated them in 2021; neither should be enabled on a modern hosting stack. It also verifies that plain HTTP requests are redirected to HTTPS rather than answered in the clear.
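As an added example of the certificate and protocol checks described above (not the scanner's own code), the block below evaluates a certificate in the dictionary form Python's `ssl.SSLSocket.getpeercert()` returns, implements hostname matching including the leftmost-label wildcard rule, and includes a live probe that pins a handshake to a single TLS version. The certificate and the "today" timestamp are constructed; the probe needs network access and is not exercised offline.

```python
"""TLS certificate evaluation and per-version protocol probe (added example).

evaluate_cert() accepts the dict that ssl.SSLSocket.getpeercert() returns, so it can be
fed a real certificate; SAMPLE_CERT below is constructed for demonstration."""
import socket
import ssl
import time


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is only valid as the whole leftmost label and
    never spans a dot: *.example.test covers www.example.test, not a.b.example.test
    or the bare example.test."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".example.test"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the CN only when there are no SANs."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def evaluate_cert(cert: dict, hostname: str, now: float = None) -> dict:
    """Report issuer, days remaining, expiry state and hostname coverage."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])   # "Jun 15 12:00:00 2030 GMT" -> epoch
    days_left = int((not_after - now) // 86400)
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "days_remaining": days_left,
        "expired": days_left < 0,
        "expiring_soon": 0 <= days_left < 14,      # 14-day warning window is an assumption
        "hostname_covered": any(hostname_matches(n, hostname) for n in cert_names(cert)),
    }


def accepts_protocol(host: str, version: ssl.TLSVersion, port: int = 443, timeout: float = 5.0) -> bool:
    """Attempt one handshake pinned to `version`. Verification is disabled on purpose: this
    tests what the server accepts, not whether it is trusted. Requires network access."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for the probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


# Constructed certificate in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
    "notBefore": "Mar 15 12:00:00 2030 GMT",
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"]) - 10 * 86400   # constructed "today"

if __name__ == "__main__":
    print(evaluate_cert(SAMPLE_CERT, "www.example.test", now=SAMPLE_NOW))
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        print(v.name, "accepted:", accepts_protocol("example.test", v))
```

The probe deliberately sets `minimum_version` and `maximum_version` to the same value; without that pin, a client that merely offers TLS 1.0 would negotiate upward and prove nothing about whether the server still accepts the old version.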
cPanel and WHM Port Exposure
cPanel, WHM and Webmail listen on non-standard ports: 2082 and 2083 (cPanel), 2086 and 2087 (WHM), and 2095 and 2096 (Webmail). Ports 2082, 2086 and 2095 are plain HTTP and 2083, 2087 and 2096 are HTTPS, so an open plain-HTTP port is a login page that can accept credentials unencrypted. The scanner tests all six. On a server you administer yourself, none of them should be reachable from the open internet; on shared hosting the cPanel ports are how customers log in, but WHM reachable from anywhere without IP restriction is a critical exposure, because WHM controls the entire server rather than a single account.
Security Headers
HTTP response headers are instructions your web server sends to browsers, and several of them exist specifically to shut down common attack types. The scanner checks for Strict-Transport-Security (HSTS), which tells a browser that has seen it to use HTTPS for every later request to the site (it is only honoured when served over HTTPS); X-Frame-Options, which prevents clickjacking by stopping other sites from framing your pages; X-Content-Type-Options: nosniff, which stops browsers from guessing a content type and executing a file as something it is not; Referrer-Policy, which controls how much of the current URL is sent to other sites; Permissions-Policy, which restricts access to browser features such as camera and microphone; and Content-Security-Policy (CSP), the strongest available defense against cross-site scripting (XSS), whose frame-ancestors directive also supersedes X-Frame-Options in current browsers. Missing headers are flagged with the exact directive needed to add them.
Information Disclosure
Attackers gather information before they attack. The scanner looks for server responses that reveal more than they should — including the X-Powered-By header advertising your PHP version, verbose Server headers exposing software version numbers, WordPress or plugin version numbers embedded in asset URLs, PHP error messages visible in the page source, absolute server file paths leaked by misconfigured plugins, email addresses in the HTML source that can be harvested by spam bots, phpMyAdmin accessible at common paths, and publicly downloadable backup files with common naming patterns.
How Scoring Works
Every scan produces a letter grade from A to F based on a score out of 100. Points are deducted based on the severity of each finding:
- Critical — 25 points (exposed credentials, accessible .git or .env files, public database backups)
- Error — 15 points (expired or expiring SSL, open WHM ports, PHP errors visible to visitors)
- Warning — 5 points (outdated TLS versions, missing HSTS, username enumeration)
- Informational — 1 point (minor disclosure items, non-critical header gaps)
A score of 90 or above earns an A. Scores below 35 receive an F. The grade reflects the overall attack surface, not perfection — an A does not mean the site is unhackable, and an F does not mean it has been compromised.
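As an added example covering the security-header, information-disclosure and scoring sections above (not the scanner's own code), the block below runs passive checks over one constructed HTTP response and then applies the deduction table. The header list and recommended values, the regexes, and the B/C/D cut-offs are this example's assumptions; the per-severity deductions and the A (90 and above) and F (below 35) thresholds are the ones stated on the page.

```python
"""Passive header and disclosure checks plus scoring (added example, not the scanner's code)."""
import re

# header -> (severity when missing, a reasonable starting directive). Assumed values.
EXPECTED_HEADERS = {
    "strict-transport-security": ("warning", "max-age=31536000; includeSubDomains"),
    "content-security-policy":   ("info", "default-src 'self'"),
    "x-frame-options":           ("info", "SAMEORIGIN"),
    "x-content-type-options":    ("info", "nosniff"),
    "referrer-policy":           ("info", "strict-origin-when-cross-origin"),
    "permissions-policy":        ("info", "camera=(), microphone=(), geolocation=()"),
}
DEDUCTIONS = {"critical": 25, "error": 15, "warning": 5, "info": 1}   # from the page

SERVER_VERSION = re.compile(r"[A-Za-z-]+/\d+\.\d+")      # "Apache/2.4.41", "nginx/1.18"
ASSET_VERSION = re.compile(r"\?ver=(\d+(?:\.\d+)+)")     # "...style.min.css?ver=6.4.2"
# PHP's default HTML error format: <b>Warning</b>:  msg in <b>/abs/path.php</b> on line <b>N</b>
PHP_ERROR = re.compile(r"<b>(Warning|Notice|Deprecated|Fatal error|Parse error)</b>:.*?"
                       r" in <b>([^<]+)</b> on line <b>(\d+)</b>", re.S)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def analyse(headers: dict, body: str) -> list:
    """Return findings ({'severity', 'detail'}) for one page response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (severity, recommended) in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append({"severity": severity, "detail": f"missing {name}; add: {name}: {recommended}"})
    if "x-powered-by" in h:
        findings.append({"severity": "info", "detail": f"X-Powered-By advertises {h['x-powered-by']}"})
    if SERVER_VERSION.search(h.get("server", "")):
        findings.append({"severity": "info", "detail": f"Server header exposes a version: {h['server']}"})
    versions = sorted(set(ASSET_VERSION.findall(body)))
    if versions:
        findings.append({"severity": "info", "detail": "version strings in asset URLs: " + ", ".join(versions)})
    for kind, path, line in PHP_ERROR.findall(body):
        findings.append({"severity": "error", "detail": f"PHP {kind} visible; leaks server path {path}:{line}"})
    emails = sorted(set(EMAIL.findall(body)))
    if emails:
        findings.append({"severity": "info", "detail": "email addresses in HTML source: " + ", ".join(emails)})
    return findings


def score(findings: list) -> tuple:
    """Deduct per finding, floor at 0, map to a letter grade."""
    points = max(0, 100 - sum(DEDUCTIONS[f["severity"]] for f in findings))
    if points >= 90:          # page: 90 and above is an A
        grade = "A"
    elif points >= 75:        # assumed
        grade = "B"
    elif points >= 60:        # assumed
        grade = "C"
    elif points >= 35:        # page: below 35 is an F; the D floor is therefore 35
        grade = "D"
    else:
        grade = "F"
    return points, grade


# Constructed sample response; not captured from any real site.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_BODY = """<!doctype html><html><head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body>
<br />
<b>Warning</b>:  Undefined variable $x in <b>/home/acme/public_html/wp-content/plugins/demo/demo.php</b> on line <b>42</b><br />
<p>Contact webmaster@example.test</p>
</body></html>"""


def analyse_sample() -> tuple:
    """Findings for the constructed response and their (points, grade)."""
    findings = analyse(SAMPLE_HEADERS, SAMPLE_BODY)
    return findings, score(findings)


if __name__ == "__main__":
    findings, (points, grade) = analyse_sample()
    for f in findings:
        print(f"{f['severity']:8} {f['detail']}")
    print(f"score {points}/100, grade {grade}")
```

The sample is worth reading against the deduction table: one visible PHP warning costs as much as three missing headers and ten minor disclosures combined, which is why the report leads with it.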
What This Tool Does Not Do
It is important to understand what this scanner cannot and does not attempt to do.
It does not scan files on the server. Malware detection requires access to the server filesystem. This tool operates entirely from the outside and cannot see files that are not publicly accessible via HTTP.
It does not attempt logins or exploit vulnerabilities. All checks are passive and read-only. The scanner fetches URLs and reads responses — it never submits login forms, attempts passwords, injects code, or modifies anything on your server.
It does not check internal cPanel settings. Things like file permissions, cPanel account configurations, Exim mail settings, and firewall rules are internal to the server and not visible from the outside.
It does not scan email accounts. Email account security — passwords, forwarding rules, compromised credentials — requires authenticated access to the mail server and is outside the scope of this tool.
It is not a penetration test. A real penetration test is performed by a qualified security professional with permission to actively attempt to compromise the target. This tool identifies exposures; it does not attempt to exploit them.
Results are a point-in-time snapshot. The scan reflects the state of your site at the moment it runs. Changes to your server, caching layers, or CDN configuration may affect results.
Who Should Use This Tool
This tool is designed for website owners who want a quick external security overview, WordPress administrators who want to verify their hardening checklist, web developers handing off a site to a client, and hosting clients who want to understand what is visible from the public internet. It is also useful for agencies conducting light pre-engagement reconnaissance on a client site before a more thorough review.
If your scan returns critical findings, LightningMine offers managed WordPress hosting and security hardening services. Contact us to discuss your site.
Frequently Asked Questions
Is this scanner safe to run on my website?
Yes. All checks are passive and read-only. The scanner fetches pages and reads responses as a browser or search-engine crawler would; it does not attempt logins, submit forms, inject code, or change anything on your server. It can, however, show up in your logs: requests for .env, .git, backup files and the cPanel ports are exactly what web application firewalls and intrusion-detection rules watch for, so a well-tuned WAF may log or block some of the probes. That is the defence working as intended, not a problem for the site, but if it blocks the scan you will want to allowlist the scanner or read the blocked requests as "protected" rather than "not present".
Do I need to own the website to scan it?
You should only scan websites you own or have explicit permission to test. While all checks are passive, scanning third-party websites without authorization may be prohibited by their terms of service or applicable law. This tool is intended for use on your own sites or sites you manage professionally.
Why does the scan take 15–30 seconds?
The scanner runs all checks server-side, probing multiple URLs and ports sequentially. Port checks in particular require waiting for connection timeouts on ports that are not open, which adds a few seconds per port tested. The spinner text updates as each category completes so you can follow the progress.
My site scored a B but I thought it was secure. What does that mean?
A B grade means the scanner found some warnings or informational notes but no critical or high-severity issues. Common B-grade findings include missing optional security headers like Content-Security-Policy, minor information disclosure via asset version strings, or TLS 1.1 still being enabled alongside TLS 1.2 and 1.3. None of these are emergencies, but addressing them brings you closer to an A.
xmlrpc.php was flagged but I use Jetpack — can I leave it enabled?
Jetpack has historically depended on XML-RPC for its connection to WordPress.com, and although newer releases use the WordPress REST API for more of their features, a blanket block can still break some of them. Treat the change as a test: add the rule, then confirm that Jetpack still reports as connected and that the modules you rely on still work before you keep it. The rule in Apache 2.2 syntax is:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
On Apache 2.4 the Order and Deny directives only work when the compatibility module mod_access_compat is loaded (it usually is on cPanel servers); otherwise they are rejected and the site returns a 500 error, so use the 2.4 form, Require all denied, inside the same Files block.
The scanner says my cPanel port is open — should I be worried?
It depends on whether this is your server or a shared hosting account you rent. If you manage the server (VPS or dedicated), the cPanel and WHM ports should be firewalled and reachable only over a VPN or from allowlisted IPs. If you are on a shared host, cPanel being reachable on 2083 is normal; that is how you access your account. Two things are still worth raising with the provider: WHM (2086 or 2087) answering from the public internet, and the plain-HTTP port 2082 accepting logins rather than redirecting to 2083, since a login sent over it is unencrypted.
My debug.log was flagged as publicly accessible. How do I fix it?
Add the following rule to your .htaccess file to block direct access (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use Require all denied inside the same block instead):
<Files debug.log>
Order Deny,Allow
Deny from all
</Files>
Then set WP_DEBUG and WP_DEBUG_LOG to false in wp-config.php once you have finished debugging, and delete the existing wp-content/debug.log, since it may already contain server paths and error details. If you need logging to stay on, WordPress 5.1 and later accept a file path as the value of WP_DEBUG_LOG, so you can point it at a location outside the web root where no HTTP request can reach it.
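The two answers above each give an Apache 2.2 rule for a single file. The fragment below is an added example, not from the page, that covers the same files and the other WordPress findings in one place using Apache 2.4 syntax. It assumes the stock 2.4 modules mod_authz_core and mod_alias; the file list is a starting point to adjust, not a complete inventory.

```apache
# Added example: .htaccess for Apache 2.4 (Require syntax). Not from the page.

# Directory listings on wp-content, wp-includes and anything else under this docroot.
Options -Indexes

# Deny direct HTTP access to the files the scanner flags. PHP reads wp-config.php from
# disk, not over HTTP, so denying the live file as well as its backups breaks nothing.
# Adjust the extension list before copying: it also blocks legitimate .zip downloads.
<FilesMatch "^(xmlrpc\.php|debug\.log|error_log|\.env|wp-config\.php(\..*)?|.*\.(bak|old|orig|sql|tar\.gz|zip))$">
    Require all denied
</FilesMatch>

# .git and .svn are directories, which <Files> cannot match; answer 404 for anything beneath them.
RedirectMatch 404 "/\.(git|svn)(/|$)"
```

Re-run the scan after saving: a 403 for wp-config.php.bak and a 404 for .git/config are the results you want, and a 500 across the whole site means the rules were not accepted and should be backed out.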
Can I scan non-WordPress sites?
Yes. The SSL/TLS, cPanel port, security header, and information disclosure checks run against any website regardless of platform. Only the WordPress hardening section is WordPress-specific — if WordPress is not detected, those checks are skipped and noted in the results.
The scanner found my email address in the page source. Is that a problem?
Email addresses visible in the HTML source are routinely harvested by spam bots that crawl the web. Whether it is a significant concern depends on how the address is used and how much spam you are already receiving. The recommended fix is to replace raw email addresses in your content with a contact form. JavaScript-based obfuscation, which assembles the address in the browser so it is absent from the raw HTML, is the lighter option, but it only defeats crawlers that do not execute JavaScript.
I got an A on my own site. Does that mean I am completely secure?
An A grade means no significant external attack surface exposures were detected. It does not mean the site is immune to all threats. Security is layered, and this tool covers only the external perimeter: it cannot see vulnerable plugin code, weak passwords, malware already on disk, or the configuration inside cPanel, all of which need the authenticated and server-side checks described above.