Blog
Contact
Sign in
Scan complete
C
77/100
wp.pl
No changes since last scan
1 critical issue needs immediate attention.
16/16
checks
61
passed
finished
Scan timestamps
Created
Jul 18, 2026, 6:08 AM
Started
Jul 18, 2026, 6:08 AM
Finished
Jul 18, 2026, 6:08 AM
Updated
Jul 18, 2026, 6:08 AM
Export PDF
Re-scan
Findings by severity
75 results
1
Critical
5
High
3
Medium
5
Low
61
Pass
Report coverage
98.52%
20 skipped - these limit completeness.
20 skipped
All
95
Critical
1
High
5
Medium
3
Low
5
Pass
61
Skipped
20
Email
96%
Domain Alignment (DMARC)
Learn how it works
Info
3/7 pass
Domain Alignment (DMARC)
DMARC policy is monitoring only
The DMARC policy uses p=none and does not ask receivers to block or quarantine failing mail.
High
Domain Alignment (DMARC)
DMARC subdomain policy is weak
Subdomains are not protected by an enforcement policy.
High
Domain Alignment (DMARC)
DMARC alignment is relaxed
The DMARC record allows relaxed identifier alignment for DKIM or SPF.
Low
Transport Encryption (SMTP TLS)
Learn how it works
Info
4/5 pass
Transport Encryption (SMTP TLS)
Some MX host certificates are self-signed or use an untrusted chain
At least one MX host presents a self-signed certificate or one not issued by a publicly trusted CA. Senders enforcing MTA-STS (RFC 8461) validate the certificate against the WebPKI trust store and will refuse delivery to these hosts.
Medium
Certificate Binding (DANE)
Learn how it works
Info
1/5 pass
Certificate Binding (DANE)
No MX host TLSA zone is protected by DNSSEC
None of the MX hosts have DNSSEC on their TLSA lookup zones. DANE SMTP cannot function without DNSSEC, as sending servers will ignore TLSA records from unsigned zones.
Critical
DNS
100%
DNS Integrity (DNSSEC)
Learn how it works
Info
0/7 pass
DNS Integrity (DNSSEC)
DNSSEC is not enabled
The parent zone does not publish a DS record for this domain.
Medium
CAA and Certificate Issuance Surface
Learn how it works
Info
1/6 pass
CAA and Certificate Issuance Surface
No CAA record is published
The domain does not publish a CAA record, so any publicly trusted certificate authority may issue certificates for it after standard validation.
Low
TLS
100%
TLS Configuration
Learn how it works
Info
5/6 pass
TLS Configuration
Weak elliptic curve accepted for key exchange
The server negotiates an elliptic curve below 256 bits for at least one ECDHE cipher suite. Weak curves reduce the effective security margin of the key exchange well below modern standards.
High
Web
100%
Disclosure Policy (security.txt)
Learn how it works
Info
3/4 pass
Disclosure Policy (security.txt)
Expires is set more than one year in the future
The Expires date is valid and in the future, but RFC 9116 recommends keeping the expiry within one year to avoid the file becoming stale.
Low
HTTP Security Headers
Learn how it works
Info
2/7 pass
HTTP Security Headers
HSTS is not enforced
The site does not send a usable Strict-Transport-Security header, so browsers do not automatically upgrade future requests to HTTPS.
High
HTTP Security Headers
Content-Security-Policy is weak and bypass-prone
The CSP allows inline script execution without a nonce or hash, a wildcard or http:/data: script source, or does not restrict script sources at all. Such policies are commonly reported as bypassable in independent CSP research.
High
HTTP Security Headers
Referrer-Policy allows partial URL disclosure
The Referrer-Policy value allows the origin (and in some cases the full URL on same-origin navigation) to be disclosed to cross-origin destinations.
Low
HTTP Security Headers
Permissions-Policy is missing or ineffective
The site either does not send a Permissions-Policy header, or the header only lists directives with a wildcard allowlist that does not restrict anything.
Medium
HTTP Security Headers
Deprecated security headers are present
The response sends one or more deprecated headers (X-XSS-Protection, Expect-CT, or Public-Key-Pins) that modern browsers ignore or that carry their own operational risk (HPKP).
Low
Feedback