WordPress Security Posture API
WordPress security posture check — a PASSIVE hygiene assessment from public signals: detects WordPress, flags version disclosure (generator tag, readme.html), xmlrpc.php exposure, REST/author user enumeration, uploads directory listing, default login exposure, missing security headers, and HTTPS. Returns a 0-100 posture score with prioritized remediation. Flags security *practice*, not exploitable vulnerabilities — no version-to-CVE matching, no intrusion. For site owners and authorized auditors.
Parameters
| Name | In | Required | Description |
|---|---|---|---|
| url | query | required | WordPress site URL to assess (homepage) |
Example request
curl "https://api.webbersites.com/api/wp/assess?url=https%3A%2F%2Fexample.com"
# first call returns 402 + payment requirements; an x402 client pays and retries automatically
Example response
{
  "url": "https://example.com",
  "is_wordpress": true,
  "posture_score": 71,
  "grade": "C",
  "finding_counts": {
    "medium": 2,
    "low": 3
  },
  "findings": [
    {
      "severity": "medium",
      "area": "xmlrpc",
      "detail": "xmlrpc.php is reachable…",
      "fix": "Disable XML-RPC if unused…"
    }
  ],
  "disclaimer": "Passive hygiene assessment from public signals only."
}
How payment works
There is no signup and no API key. Call the endpoint; it replies 402 Payment Required with machine-readable payment requirements. Your client signs a USDC transfer authorization (EIP-3009, gasless) and retries with the X-PAYMENT header — @x402/fetch does this automatically. See the overview for a working snippet.
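An added example, not part of this API's own documentation or client code: a JavaScript function that triages a response from the endpoint for a monitoring or CI gate, covering the initial 402 reply, a non-WordPress target, and a scored report. The `minScore` threshold of 80, the severity names other than `medium` and `low`, and the `headers` finding in the sample input are assumptions made for illustration.

```javascript
// Added example: triage a response from /api/wp/assess for a CI or monitoring gate.
// Severity names other than "medium" and "low" are assumptions; unknown ones sort last.
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };

function triageAssessment(status, body, minScore = 80) {
  // The first unpaid call is expected to return 402; that is not a scan result.
  if (status === 402) return { state: "payment_required", pass: false, actions: [] };
  if (status !== 200 || typeof body !== "object" || body === null) {
    return { state: "error", pass: false, actions: [] };
  }
  // A non-WordPress target has no posture to grade; do not fail the gate on it.
  if (body.is_wordpress !== true) return { state: "not_wordpress", pass: true, actions: [] };

  const score = Number(body.posture_score);
  if (!Number.isFinite(score) || score < 0 || score > 100) {
    return { state: "error", pass: false, actions: [] };
  }
  const findings = Array.isArray(body.findings) ? body.findings : [];
  const rank = (f) => SEVERITY_RANK[f.severity] ?? Number.MAX_SAFE_INTEGER;
  // Copy before sorting so the caller's object is not mutated; the sort is stable.
  const actions = [...findings]
    .sort((a, b) => rank(a) - rank(b))
    .map((f) => ({ severity: f.severity, area: f.area, fix: f.fix }));

  // The example response on this page lists fewer findings than finding_counts
  // reports, so surface the gap instead of assuming the array is complete.
  const counted = Object.values(body.finding_counts ?? {}).reduce((n, c) => n + c, 0);
  return {
    state: "assessed",
    pass: score >= minScore,
    score,
    grade: body.grade,
    actions,
    unlistedFindings: Math.max(0, counted - findings.length),
  };
}

// Constructed sample input, modelled on the example response on this page.
const sample = {
  url: "https://example.com", is_wordpress: true, posture_score: 71, grade: "C",
  finding_counts: { medium: 2, low: 3 },
  findings: [
    { severity: "low", area: "headers", detail: "constructed", fix: "constructed" },
    { severity: "medium", area: "xmlrpc", detail: "xmlrpc.php is reachable…", fix: "Disable XML-RPC if unused…" },
  ],
};
console.log(triageAssessment(200, sample));
```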