Pulse WP - Demo report

New scan

demo.wordpress.org

…·47s

WordPress6.4.2

PHP7.4.33

ServerApache/2.4.54 (Debian)

ThemeDivi

AuthorElegant Themes

Version4.22.1

Security23

Performance31

Accessibility74

SEO83

CRITIQUE

overall score

Click a vulnerability to show details

Plugin	Version	Latest	Vulnerabilities
Ultimate Member	2.7.0	2.8.3	? 2 vulns▼
Really Simple SSL	7.0.5	9.1.0	? 1 vuln▼
Backup Migration	1.3.7	1.4.2	? 1 vuln▼
WPForms Lite	1.8.1	1.9.2	? 1 vuln▼
WooCommerce	8.3.1	9.8.0	✓ None
Contact Form 7	5.8	5.9.5	✓ None
Yoast SEO	21.7	23.4	✓ None
Elementor	3.18.2	3.24.0	✓ None

NomDivi

AuteurElegant Themes

Installed version4.22.1Outdated → 4.25.0

Child themeNo

Vulnerabilities1 vulnerabilityy

[!]

XML-RPC active

xmlrpc.php accessible - brute-force & DDoS pingback risk

high

[!]

User enumeration

REST API reveals user logins: ["admin"]

medium

[!]

/wp-login.php accessible without IP restriction or rate limiting

medium

[!]

Directory listing enabled

/wp-content/uploads/ exposes the structure of uploaded files

medium

[!]

readme.html exposed

readme.html reveals the exact WordPress version to attackers

low

[!]

license.txt exposed

license.txt confirms WordPress usage and its version

low

[✓]

WP_DEBUG disabled

WP_DEBUG is disabled in production - no sensitive information exposed

[✓]

Public registration

Public registration is disabled

Header	Statut	Valeur / Recommandation	Severity
Strict-Transport-Security	✓ Present	max-age=31536000	OK
X-Content-Type-Options	✓ Present	nosniff	OK
X-XSS-Protection	✓ Present	1; mode=block	OK
Content-Security-Policy	✗ Absent	Define a strict CSP policy to prevent XSS attacks	high
X-Frame-Options	✗ Absent	Ajouter: X-Frame-Options: SAMEORIGIN	medium
Referrer-Policy	✗ Absent	Ajouter: Referrer-Policy: strict-origin-when-cross-origin	low
Permissions-Policy	✗ Absent	Limit browser permissions (camera, microphone, geolocation)	low
Cross-Origin-Embedder-Policy	✗ Absent	Consider: Cross-Origin-Embedder-Policy: require-corp	Info

Cookie security

Cookie	Secure	HttpOnly	SameSite
wordpress_logged_in_abc123	✓ Yes	✓ Yes	lax
wordpress_test_cookie	✗ No	✗ No	✗ Not set
PHPSESSID	✗ No	✓ Yes	✗ Not set

HTTPS✓ Active

Certificate✓ Valid

ExpirationExpires in 18 days6/22/2026

TLS ProtocolTLSv1.2

IssuerLet's Encrypt

Mobile

Poor

Desktop

Needs improvement

LCP

Largest Contentful Paint

BonPassableMauvais

5.2s2.1sField data Poor

FCP

First Contentful Paint

BonPassableMauvais

3.1s1.2sField data Needs improvement

TBT

Total Blocking Time

BonPassableMauvais

1840ms320ms

CLS

Visual Stability

BonPassableMauvais

0.210.05Field data Needs improvement

Speed Index

BonPassableMauvais

6.8s2.8s

INP

Interaction responsiveness

Field data Needs improvement

Optimizations5

−1.2 s
Eliminate render-blocking resources
4 resources detected
−284 KB
Remove unused JavaScript
284 KB unused
−320 KB
Serve properly sized images
Estimated savings: 320 KB
−420 KB
Use next-generation image formats
Estimated savings: 420 KB (WebP/AVIF)
−180 KB
Use video formats for animations
2 GIFs detected

Diagnostics3

DOM size too large
2,847 elements
A large DOM increases memory usage and slows style recalculation. Aim for fewer than 1,500 nodes.
High third-party code impact
6 sources - 3.2 s blocking
Third-party code can significantly impact performance (Google Analytics, Facebook Pixel, etc.).
Excessive JavaScript execution time
4.8 s JS processing
Reduce the time spent parsing, compiling and executing JavaScript.

Response timeFast1840 ms

Compression✓ gzip

Cache-Control✓ public, max-age=3600

Scripts bloquants4 without defer/async

Lazy loading images7 / 14

Dimensions images (CLS)9 / 14 with width+height

Formats modernes

✗ WebP✗ AVIF

Resource hintspreload×2 preconnect×1

Scripts tiers6 scripts externes

Balise titleOKAccueil - Mon Site WordPress (30 chars.)

Meta descriptionToo short(48 chars.)

Balise H1OK (×1)Digital solutions for your business

Balises H24 found

Images sans alt3 / 14

URL canonique✓ Set

Languefr-FR

Indexation✓ Indexable

Viewport✓ Set

Favicon✓ Present

hreflangNot set

robots.txt✓ PresentNo Sitemap directive

Sitemap XMLNot found

HTML validity

3 errors, 7 warnings

L.42The element "div" is not allowed as a child of "ul" in this context.
L.156The attribute "onclick" is not allowed on element "a" at this point.
L.298End tag "p" seen, but there was no open element.

Detected issues16 passeds

Meta description too short or missing
48 characters (recommended: 120–158)
Meta descriptions can appear in search results and influence click-through rate.

criticalUpdate WordPress to 6.8.1

Fixes 2 critical CVEs (SSRF, data exposure). Perform a full backup before updating.

Learn more →

criticalUpdate Ultimate Member to 2.8.3

Fixes CVE-2024-1071, an unauthenticated SQL injection with CVSS 9.8. Risk of complete database compromise.

Learn more →

highMigrate PHP to 8.2 minimum

PHP 7.4 reached end-of-life in December 2022 and no longer receives security patches. PHP 8.2 also offers better performance.

Learn more →

highDisable or secure XML-RPC

Block xmlrpc.php via .htaccess or use a security plugin. If Jetpack is used, whitelist only Automattic IPs.

Learn more →

highConfigure a Content-Security-Policy header

Add a strict CSP header to significantly reduce the XSS attack surface. Start in report-only mode to identify violations.

Learn more →

mediumRestrict access to wp-login.php

Limit login page access to administrator IPs only via .htaccess or a WAF (Cloudflare, etc.).

Learn more →

mediumDisable user enumeration

Add a redirect_canonical filter or use a security plugin to hide logins via the REST API and /?author=N URLs.

Learn more →

mediumOptimize mobile performance (score: 31)

Eliminate 4 render-blocking resources, remove unused JavaScript (284 KB) and convert images to WebP to save ~420 KB.

Learn more →

lowDelete readme.html and license.txt

These files reveal the exact WordPress version to attackers and facilitate targeting. Delete them or block them in .htaccess.

Learn more →

New scan

demo.wordpress.org

…·47s

WordPress6.4.2

PHP7.4.33

ServerApache/2.4.54 (Debian)

ThemeDivi

AuthorElegant Themes

Version4.22.1

Security23

Performance31

Accessibility74

SEO83

CRITIQUE

overall score

Click a vulnerability to show details

Plugin	Version	Latest	Vulnerabilities
Ultimate Member	2.7.0	2.8.3	? 2 vulns▼
Really Simple SSL	7.0.5	9.1.0	? 1 vuln▼
Backup Migration	1.3.7	1.4.2	? 1 vuln▼
WPForms Lite	1.8.1	1.9.2	? 1 vuln▼
WooCommerce	8.3.1	9.8.0	✓ None
Contact Form 7	5.8	5.9.5	✓ None
Yoast SEO	21.7	23.4	✓ None
Elementor	3.18.2	3.24.0	✓ None

NomDivi

AuteurElegant Themes

Installed version4.22.1Outdated → 4.25.0

Child themeNo

Vulnerabilities1 vulnerabilityy

[!]

XML-RPC active

xmlrpc.php accessible - brute-force & DDoS pingback risk

high

[!]

User enumeration

REST API reveals user logins: ["admin"]

medium

[!]

/wp-login.php accessible without IP restriction or rate limiting

medium

[!]

Directory listing enabled

/wp-content/uploads/ exposes the structure of uploaded files

medium

[!]

readme.html exposed

readme.html reveals the exact WordPress version to attackers

low

[!]

license.txt exposed

license.txt confirms WordPress usage and its version

low

[✓]

WP_DEBUG disabled

WP_DEBUG is disabled in production - no sensitive information exposed

[✓]

Public registration

Public registration is disabled

Header	Statut	Valeur / Recommandation	Severity
Strict-Transport-Security	✓ Present	max-age=31536000	OK
X-Content-Type-Options	✓ Present	nosniff	OK
X-XSS-Protection	✓ Present	1; mode=block	OK
Content-Security-Policy	✗ Absent	Define a strict CSP policy to prevent XSS attacks	high
X-Frame-Options	✗ Absent	Ajouter: X-Frame-Options: SAMEORIGIN	medium
Referrer-Policy	✗ Absent	Ajouter: Referrer-Policy: strict-origin-when-cross-origin	low
Permissions-Policy	✗ Absent	Limit browser permissions (camera, microphone, geolocation)	low
Cross-Origin-Embedder-Policy	✗ Absent	Consider: Cross-Origin-Embedder-Policy: require-corp	Info

Cookie security

Cookie	Secure	HttpOnly	SameSite
wordpress_logged_in_abc123	✓ Yes	✓ Yes	lax
wordpress_test_cookie	✗ No	✗ No	✗ Not set
PHPSESSID	✗ No	✓ Yes	✗ Not set

HTTPS✓ Active

Certificate✓ Valid

ExpirationExpires in 18 days6/22/2026

TLS ProtocolTLSv1.2

IssuerLet's Encrypt

Mobile

Poor

Desktop

Needs improvement

LCP

Largest Contentful Paint

BonPassableMauvais

5.2s2.1sField data Poor

FCP

First Contentful Paint

BonPassableMauvais

3.1s1.2sField data Needs improvement

TBT

Total Blocking Time

BonPassableMauvais

1840ms320ms

CLS

Visual Stability

BonPassableMauvais

0.210.05Field data Needs improvement

Speed Index

BonPassableMauvais

6.8s2.8s

INP

Interaction responsiveness

Field data Needs improvement

Optimizations5

−1.2 s
Eliminate render-blocking resources
4 resources detected
−284 KB
Remove unused JavaScript
284 KB unused
−320 KB
Serve properly sized images
Estimated savings: 320 KB
−420 KB
Use next-generation image formats
Estimated savings: 420 KB (WebP/AVIF)
−180 KB
Use video formats for animations
2 GIFs detected

Diagnostics3

DOM size too large
2,847 elements
A large DOM increases memory usage and slows style recalculation. Aim for fewer than 1,500 nodes.
High third-party code impact
6 sources - 3.2 s blocking
Third-party code can significantly impact performance (Google Analytics, Facebook Pixel, etc.).
Excessive JavaScript execution time
4.8 s JS processing
Reduce the time spent parsing, compiling and executing JavaScript.

Response timeFast1840 ms

Compression✓ gzip

Cache-Control✓ public, max-age=3600

Scripts bloquants4 without defer/async

Lazy loading images7 / 14

Dimensions images (CLS)9 / 14 with width+height

Formats modernes

✗ WebP✗ AVIF

Resource hintspreload×2 preconnect×1

Scripts tiers6 scripts externes

Balise titleOKAccueil - Mon Site WordPress (30 chars.)

Meta descriptionToo short(48 chars.)

Balise H1OK (×1)Digital solutions for your business

Balises H24 found

Images sans alt3 / 14

URL canonique✓ Set

Languefr-FR

Indexation✓ Indexable

Viewport✓ Set

Favicon✓ Present

hreflangNot set

robots.txt✓ PresentNo Sitemap directive

Sitemap XMLNot found

HTML validity

3 errors, 7 warnings

L.42The element "div" is not allowed as a child of "ul" in this context.
L.156The attribute "onclick" is not allowed on element "a" at this point.
L.298End tag "p" seen, but there was no open element.

Detected issues16 passeds

Meta description too short or missing
48 characters (recommended: 120–158)
Meta descriptions can appear in search results and influence click-through rate.

criticalUpdate WordPress to 6.8.1

Fixes 2 critical CVEs (SSRF, data exposure). Perform a full backup before updating.

Learn more →

criticalUpdate Ultimate Member to 2.8.3

Fixes CVE-2024-1071, an unauthenticated SQL injection with CVSS 9.8. Risk of complete database compromise.

Learn more →

highMigrate PHP to 8.2 minimum

PHP 7.4 reached end-of-life in December 2022 and no longer receives security patches. PHP 8.2 also offers better performance.

Learn more →

highDisable or secure XML-RPC

Block xmlrpc.php via .htaccess or use a security plugin. If Jetpack is used, whitelist only Automattic IPs.

Learn more →

highConfigure a Content-Security-Policy header

Add a strict CSP header to significantly reduce the XSS attack surface. Start in report-only mode to identify violations.

Learn more →

mediumRestrict access to wp-login.php

Limit login page access to administrator IPs only via .htaccess or a WAF (Cloudflare, etc.).

Learn more →

mediumDisable user enumeration

Add a redirect_canonical filter or use a security plugin to hide logins via the REST API and /?author=N URLs.

Learn more →

mediumOptimize mobile performance (score: 31)

Eliminate 4 render-blocking resources, remove unused JavaScript (284 KB) and convert images to WebP to save ~420 KB.

Learn more →

lowDelete readme.html and license.txt

These files reveal the exact WordPress version to attackers and facilitate targeting. Delete them or block them in .htaccess.

Learn more →