WP Spike
Secure your Wordpress site with WP Spike
As of July 2026, WP Spike has — users in the Productivity category.
Usersno change0%
—
—
Ratingno change0%
—
— reviews
Reviewsno change0%
—
Version
3.5
Manifest V3
History
1 snapshotsTracking since Jul 10, 2026.
Not enough history yet for this metric — the chart fills in as we collect more snapshots.
View as table
| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| Jul 10, 2026 | — | — | — | 3.5 |
| Now | — | — | — | 3.5 |
Permissions & access
- Permissions
- activeTabtabsstorage
- Host access
- http://*/*, https://*/*
Screenshots
About
WP Spike is a one-click WordPress security scanner that runs right in your Chrome toolbar and grades your site 0 to 100 with an A to F hardening score. Point WP Spike at any site you own or are authorized to test. It first confirms the site is running WordPress, then runs 55 read-only checks for the exact misconfigurations attackers probe first, and gives you a plain-English fix for every finding. WHAT WP SPIKE CHECKS: • Information disclosure: readme.html, license.txt, version-leaking generator tags, wp-config-sample.php, full path disclosure, an exposed .git repository or .env file, and a robots.txt that maps your admin paths. • Leaked config and database backups: wp-config.php.bak / .old / .txt and editor swap files (vim .swp, emacs autosave), plus public SQL dumps (wordpress.sql, /backup/, uploads/dump.sql, backup-db, Duplicator and migration leftovers). • User enumeration: the REST users API (and rest_route and mixed-case bypasses), ?author=1 redirects, core and Yoast author sitemaps, RSS dc:creator, oEmbed, and the WordPress.com public API. Every leaked login is listed in a Discovered Usernames panel with how many endpoints exposed it. • Directory listing: browsable uploads, plugins, includes and mu-plugins folders. • Attack surface: XML-RPC, admin-ajax, the Heartbeat API, async-upload, wp-cron, trackbacks, the login page, open registration, and a reachable install.php. • Security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and leaked server or PHP version tokens. • Access control: default "admin" account, wp-admin authentication, and takeover scripts like emergency.php and searchreplacedb2.php. • Search and OSINT dorking: one click opens the same Google dorks, Wayback Machine and WordPress public-API queries an attacker would run against your domain, so you can see and clean up what is publicly indexed. TRACK YOUR PROGRESS Fix an issue, re-scan, and WP Spike shows the point change since your last scan so you can prove your site is hardening over time. PRIVATE BY DESIGN No account and no server install. Scans are read-only requests sent with credentials omitted. WP Spike never submits your login credentials, and your scan history stays on your device. IMPORTANT: Only scan sites you own or have explicit permission to test. Any unauthorized or illegal use is forbidden.
Technical
- Version
- 3.5
- Manifest
- V3
- Size
- 166KiB
- Min Chrome
- 88
- Languages
- 1
- Featured
- No
Metadata
- ID
- eejdnekgchilofcopnkclndffhicjeci
- Developer ID
- uae6cd3462d00c1513c18aa919c3dd878
- Developer Email
- [email protected]
- Created
- Jul 9, 2026
- Last Updated (Store)
- Jul 9, 2026
- Last Scraped
- Jul 10, 2026
- Website
- https://teamofmonkeys.com/
- Support URL
- —
- Privacy Policy
- https://teamofmonkeys.com/chrome-privacy-policy.html
Data sourced from the Chrome Web Store · last verified Jul 10, 2026.