
WordPress Security Posture API

GET /api/wp/assess · $0.05 per call · USDC on Base · x402

WordPress security posture check: a PASSIVE hygiene assessment built from public signals. It detects WordPress and flags version disclosure (generator tag, readme.html), xmlrpc.php exposure, REST/author user enumeration, uploads directory listing, default login exposure, missing security headers, and HTTPS. It returns a 0-100 posture score with prioritized remediation. It flags security *practice*, not exploitable vulnerabilities: no version-to-CVE matching, no intrusion. For site owners and authorized auditors.

Parameters

Name    In       Description
url     query    Required. WordPress site URL to assess (homepage)

Example request

curl "https://api.webbersites.com/api/wp/assess?url=https%3A%2F%2Fexample.com"
# first call returns 402 + payment requirements; an x402 client pays and retries automatically

Example response

{
    "url": "https://example.com",
    "is_wordpress": true,
    "posture_score": 71,
    "grade": "C",
    "finding_counts": {
        "medium": 2,
        "low": 3
    },
    "findings": [
        {
            "severity": "medium",
            "area": "xmlrpc",
            "detail": "xmlrpc.php is reachable…",
            "fix": "Disable XML-RPC if unused…"
        }
    ],
    "disclaimer": "Passive hygiene assessment from public signals only."
}

MCP tool: get_wp_assess, available via npx -y webbersites-x402-mcp (local, key stays on your machine) or the remote endpoint https://api.webbersites.com/mcp.
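
One way a client might validate and triage the example response above before acting on it, as an added example (not WebberSites code). Field names come from the example response; the severity labels other than "medium" and "low", the `minScore` threshold, the `unlisted` count and the extra sample finding are assumptions.

```javascript
// Added example, not WebberSites code. Field names come from the example
// response on this page; everything else is an assumption, marked below.

// Assumption: the page only shows "medium" and "low"; other labels are guesses.
const SEVERITY_RANK = new Map([["critical", 0], ["high", 1], ["medium", 2], ["low", 3]]);

// Validate an /api/wp/assess response body and turn it into a fix-first plan.
// minScore is a hypothetical policy threshold chosen by the caller.
function triageAssessment(body, minScore = 80) {
  if (body === null || typeof body !== "object") throw new TypeError("body must be an object");
  if (body.is_wordpress !== true) return { status: "not_wordpress", plan: [], unlisted: 0 };

  const score = body.posture_score;
  if (typeof score !== "number" || !(score >= 0 && score <= 100)) {
    throw new RangeError("posture_score must be a number in 0-100");
  }
  if (!Array.isArray(body.findings)) throw new TypeError("findings must be an array");

  const plan = body.findings.map((f) => {
    for (const key of ["severity", "area", "detail", "fix"]) {
      if (typeof f?.[key] !== "string") throw new TypeError(`finding.${key} must be a string`);
    }
    // Map lookup avoids prototype keys; unknown labels sort first so a new
    // severity is reviewed rather than silently pushed to the bottom.
    const rank = SEVERITY_RANK.get(f.severity.toLowerCase()) ?? -1;
    return { rank, severity: f.severity, area: f.area, fix: f.fix };
  });
  plan.sort((a, b) => a.rank - b.rank);

  // Assumption: finding_counts totals every finding, so a larger total than
  // findings.length means the list in hand is partial (as in the page's sample).
  const reported = Object.values(body.finding_counts ?? {})
    .reduce((sum, n) => sum + (Number.isInteger(n) && n > 0 ? n : 0), 0);

  return {
    status: score >= minScore ? "pass" : "fail",
    plan,
    unlisted: Math.max(0, reported - plan.length),
  };
}

// Constructed sample: the page's example response plus one invented "low" finding.
const SAMPLE = {
  url: "https://example.com", is_wordpress: true, posture_score: 71, grade: "C",
  finding_counts: { medium: 2, low: 3 },
  findings: [
    { severity: "low", area: "headers", detail: "constructed", fix: "constructed" },
    { severity: "medium", area: "xmlrpc", detail: "xmlrpc.php is reachable…", fix: "Disable XML-RPC if unused…" },
  ],
};
```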

How payment works

There is no signup and no API key. Call the endpoint; it replies 402 Payment Required with machine-readable payment requirements. Your client signs a USDC transfer authorization (EIP-3009, gasless) and retries with the X-PAYMENT header — @x402/fetch does this automatically. See the overview for a working snippet.