E:LAB
Sample report

Preview the result layout first.

This is the card layout a real audit produces. On your own domain, every region unlocks after payment — and the result URL stays stable, so you can forward it to your developer or agency as-is.

example.com
Security score: 47 / 100 (grade D)
  • Critical: 2
  • High: 2
  • Medium: 2
  • Low: 1
  • Info: 4
  • CRITICAL · Exposed assets

    /.env file is publicly accessible

    The production .env returns 200 OK to anonymous requests. Treat every DB password, API key, and session secret in it as already exposed.

    Block dotfiles at the web-server level (e.g. nginx `location ~ /\. { deny all; }`), confirm the file now returns 403 or 404, and rotate every credential it contains immediately.

  • CRITICAL · Code & dependencies

    jQuery 1.7.2 matches 3 known CVEs

    The jQuery on the site dates from 2012. CVE-2012-6708 and CVE-2015-9251 are XSS bugs (fixed in 1.9.0 and 3.0.0); CVE-2019-11358 is prototype pollution in `$.extend` (fixed in 3.4.0). Comment, search, and form inputs are the likely injection points.

    Upgrade to jQuery 3.7+ and re-test. If the old copy is bundled by a WordPress theme, updating core alone won't remove it; update or replace the theme with a current build.

  • HIGH · Headers

    Content-Security-Policy header missing

    Your first line of XSS defense isn't in place: an injected script can load and run from any origin. Frequently flagged in payment-gateway (PG) security reviews.

    Start with a minimal policy (`'self'` plus the CDNs you actually load from), roll it out as `Content-Security-Policy-Report-Only` with a reporting endpoint, then tighten it from the violation reports before switching to enforcement.

  • HIGH · Exposed assets

    /wp-admin reachable without IP restriction

    The WordPress admin login (`/wp-login.php`, `/wp-admin/`) is reachable from the whole internet. It's the top target for brute-force and credential-stuffing bots; one weak or reused password and the whole site is gone.

    Allowlist admin IPs at the web server or firewall, or at minimum enforce 2FA and rate limiting (Wordfence, Limit Login Attempts) immediately.

  • MEDIUM · Email auth

    DMARC policy is p=none

    With p=none, receivers are told to take no action on mail that fails DMARC, so spoofed messages from your domain still get delivered. One phishing message reaching a client costs you trust overnight; the abuse also drags down your sending reputation, and legitimate mail deliverability falls with it.

    First confirm your own senders pass SPF or DKIM with alignment, then move to p=quarantine (optionally ramping with `pct=`), watch the `rua` aggregate reports for legitimate mail failing, and ratchet up to p=reject.

  • MEDIUM · Transport

    TLS certificate expires in 23 days

    Let's Encrypt certificates are valid for 90 days and certbot renews at 30 days remaining, so 23 days left means auto-renewal has stalled. Once expired, browsers show a full-page certificate warning and checkout and signup stop dead.

    Run `certbot renew --dry-run`, check that the certbot renewal timer or cron job is active, or re-enable the auto-renew toggle in your hosting panel.

  • LOW · Headers

    Referrer-Policy header missing

    Without an explicit policy you are relying on the browser default. Current browsers default to strict-origin-when-cross-origin, but older browsers send the full URL to every external link target a visitor clicks, so checkout or admin URLs can end up in third-party logs.

    Add `Referrer-Policy: strict-origin-when-cross-origin` to every response.
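
To show how findings like the ones on this card are derived, here is an added example (my code, not E:LAB's) that applies the same rules to a constructed snapshot of what a crawler would collect for a site. The snapshot field names, the CVE fix-version thresholds and the 30-day certificate warning are my assumptions; the severities and titles follow the sample above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}


@dataclass(frozen=True)
class Finding:
    severity: str
    category: str
    title: str


# First fixed release for each CVE the sample cites; anything older matches.
JQUERY_CVES = {
    "CVE-2012-6708": (1, 9, 0),   # XSS: location.hash passed to $()
    "CVE-2015-9251": (3, 0, 0),   # XSS: cross-domain ajax runs text/javascript
    "CVE-2019-11358": (3, 4, 0),  # prototype pollution in $.extend (not XSS)
}


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def jquery_matches(version: str) -> List[str]:
    """CVE ids whose fix version is newer than the detected jQuery."""
    ver = parse_version(version)
    return [cve for cve, fixed in JQUERY_CVES.items() if ver < fixed]


def dmarc_policy(txt: str) -> Optional[str]:
    """p= tag of a DMARC TXT record (lower-cased), or None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def cert_days_left(not_after: str, now: datetime) -> int:
    exp = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (exp - now).days


def audit(snapshot: Dict, now: datetime) -> List[Finding]:
    """Apply the sample report's rules to one site snapshot, worst first."""
    out = []
    hdrs = {k.lower(): v for k, v in snapshot.get("headers", {}).items()}
    status = snapshot.get("status", {})
    if status.get("/.env") == 200:
        out.append(Finding("CRITICAL", "Exposed assets", "/.env file is publicly accessible"))
    jq = snapshot.get("jquery")
    if jq and jquery_matches(jq):
        n = len(jquery_matches(jq))
        out.append(Finding("CRITICAL", "Code & dependencies", f"jQuery {jq} has {n} known CVEs"))
    if "content-security-policy" not in hdrs:
        out.append(Finding("HIGH", "Headers", "Content-Security-Policy header missing"))
    # A scanner cannot see an IP allowlist directly; a 200 to an anonymous
    # request from outside the site's network is taken as "no restriction".
    if status.get("/wp-admin/") == 200:
        out.append(Finding("HIGH", "Exposed assets", "/wp-admin reachable without IP restriction"))
    if dmarc_policy(snapshot.get("dmarc", "")) == "none":
        out.append(Finding("MEDIUM", "Email auth", "DMARC policy is p=none"))
    days = cert_days_left(snapshot["cert_not_after"], now)
    if days < 30:  # assumed threshold: certbot should already have renewed
        out.append(Finding("MEDIUM", "Transport", f"TLS certificate expires in {days} days"))
    if "referrer-policy" not in hdrs:
        out.append(Finding("LOW", "Headers", "Referrer-Policy header missing"))
    return sorted(out, key=lambda f: SEVERITY_RANK[f.severity])  # stable sort


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed snapshot mirroring the sample card (not real scan data).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "status": {"/.env": 200, "/wp-admin/": 200},
    "jquery": "1.7.2",
    "headers": {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=63072000"},
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "cert_not_after": "2024-06-25T00:00:00Z",
}


def sample_findings() -> List[Finding]:
    return audit(SAMPLE, NOW)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.severity:8} {f.category:20} {f.title}")
    print(severity_counts(sample_findings()))
```

The snapshot stands in for the HTTP probes, DNS lookups and certificate fetch a real scan performs; swap in live data and the rules apply unchanged. The score on the card is not reproduced because the page does not state how it is computed.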

Locked items · unlock to reveal

On your real result page, items below show as category-only previews — titles, details, and fix steps stay masked until you unlock. The $29 payment opens them in-place on the same page.

  • Exposed assets × 2
  • Code & dependencies × 1
  • Headers × 1

If the sample looks right, run it against your domain. From domain verification to result takes under 5 minutes, and the free audit alone reveals the count and category of every risk.

Start audit