API & MCP

WP Spike

Secure your Wordpress site with WP Spike

As of July 2026, WP Spike has users in the Productivity category.

Usersno change0%
Ratingno change0%
— reviews
Reviewsno change0%
Version
3.5
Manifest V3

History

1 snapshots

Tracking since Jul 10, 2026.

Not enough history yet for this metric — the chart fills in as we collect more snapshots.
View as table
DateUsersRatingReviewsVersion
Jul 10, 20263.5
Now3.5

Permissions & access

Permissions
activeTabtabsstorage
Host access
http://*/*, https://*/*

Screenshots

WP Spike screenshot 1WP Spike screenshot 2WP Spike screenshot 3WP Spike screenshot 4WP Spike screenshot 5

About

WP Spike is a one-click WordPress security scanner that runs right in your Chrome toolbar and grades your site 0 to 100 with an A to F hardening score.

Point WP Spike at any site you own or are authorized to test. It first confirms the site is running WordPress, then runs 55 read-only checks for the exact misconfigurations attackers probe first, and gives you a plain-English fix for every finding.

WHAT WP SPIKE CHECKS:

• Information disclosure: readme.html, license.txt, version-leaking generator tags, wp-config-sample.php, full path disclosure, an exposed .git repository or .env file, and a robots.txt that maps your admin paths.

• Leaked config and database backups: wp-config.php.bak / .old / .txt and editor swap files (vim .swp, emacs autosave), plus public SQL dumps (wordpress.sql, /backup/, uploads/dump.sql, backup-db, Duplicator and migration leftovers).

• User enumeration: the REST users API (and rest_route and mixed-case bypasses), ?author=1 redirects, core and Yoast author sitemaps, RSS dc:creator, oEmbed, and the WordPress.com public API. Every leaked login is listed in a Discovered Usernames panel with how many endpoints exposed it.

• Directory listing: browsable uploads, plugins, includes and mu-plugins folders.

• Attack surface: XML-RPC, admin-ajax, the Heartbeat API, async-upload, wp-cron, trackbacks, the login page, open registration, and a reachable install.php.

• Security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and leaked server or PHP version tokens.

• Access control: default "admin" account, wp-admin authentication, and takeover scripts like emergency.php and searchreplacedb2.php.

• Search and OSINT dorking: one click opens the same Google dorks, Wayback Machine and WordPress public-API queries an attacker would run against your domain, so you can see and clean up what is publicly indexed.

TRACK YOUR PROGRESS
Fix an issue, re-scan, and WP Spike shows the point change since your last scan so you can prove your site is hardening over time.

PRIVATE BY DESIGN
No account and no server install. Scans are read-only requests sent with credentials omitted. WP Spike never submits your login credentials, and your scan history stays on your device.

IMPORTANT: Only scan sites you own or have explicit permission to test. Any unauthorized or illegal use is forbidden.

Technical

Version
3.5
Manifest
V3
Size
166KiB
Min Chrome
88
Languages
1
Featured
No

Metadata

ID
eejdnekgchilofcopnkclndffhicjeci
Developer ID
uae6cd3462d00c1513c18aa919c3dd878
Developer Email
[email protected]
Created
Jul 9, 2026
Last Updated (Store)
Jul 9, 2026
Last Scraped
Jul 10, 2026
Support URL

Data sourced from the Chrome Web Store · last verified Jul 10, 2026.