// documentation
WordPress Fix Guide
For each issue detected in your report, find the clear and actionable solution.
Security (18 articles)
Sensitive files exposed on your WordPress site
Files containing your passwords, API keys or database backups are publicly accessible from the internet.
[critical] Vulnerabilities detected in WordPress plugins or themes
One or more plugins or themes installed on your site have security vulnerabilities referenced in CVE databases.
[high] XML-RPC enabled on WordPress
The xmlrpc.php file is publicly accessible and responds to requests. It is an old WordPress API, enabled by default, that most sites do not use.
[high] Missing HSTS header on your WordPress site
The Strict-Transport-Security (HSTS) header is missing from your site. Without it, browsers can be redirected to the HTTP version of your site.
[high] Content Security Policy (CSP) missing on WordPress
No Content-Security-Policy is defined on your site. The browser is therefore allowed to load scripts from any source.
[high] Invalid or expiring SSL certificate
Your SSL/TLS certificate is invalid, self-signed, or expires in less than 30 days. Visitors will see a security warning in their browser.
[high] WordPress out of date - outdated version detected
The installed WordPress version is below the current stable version. Important security patches are not applied.
[high] PHP end-of-life (EOL) on your server
The PHP version detected on your server is no longer actively maintained. It no longer receives security patches.
[medium] WordPress user enumeration
Your administrator login names are accessible via the /wp-json/wp/v2/users URL or by adding ?author=1 to your site address.
[medium] Missing X-Frame-Options header
The X-Frame-Options header is absent. Your site can be embedded in an iframe on any other site.
[medium] Missing X-Content-Type-Options header
The X-Content-Type-Options header is absent. Browsers may then interpret files with a different MIME type than declared.
[medium] WordPress cookies missing Secure, HttpOnly or SameSite flags
WordPress session cookies (PHPSESSID, wordpress_logged_in, etc.) do not all have the recommended security attributes.
[medium] wp-login.php exposed without protection
The WordPress login page (wp-login.php) is accessible from the internet without any additional protection. It is a constant target of automated attacks.
[medium] Directory listing enabled on WordPress
The web server displays the list of files in /wp-content/uploads/ (and potentially other folders). Anyone can browse your files.
[low] Missing Referrer-Policy header
The Referrer-Policy header is absent. When a visitor clicks an external link from your site, the full URL (including paths and parameters) is transmitted to the destination site.
[low] Missing Permissions-Policy header
The Permissions-Policy header is absent. Third-party iframes and embedded scripts can access browser features (camera, microphone, geolocation) without restriction.
[low] WP-Cron publicly accessible
The /?doing_wp_cron=1 endpoint responds publicly. WordPress uses it to schedule tasks (emails, updates), but its triggering by visitors can overload the server.
[low] WordPress readme.html exposed
The readme.html file at the root of your WordPress installation is publicly accessible. It contains the exact installed WordPress version.
Performance (10 articles)
LCP (Largest Contentful Paint) too high on WordPress
Your site's Largest Contentful Paint (LCP) exceeds 2.5 seconds. This is the time before the main visible element of the page is loaded.
[medium] CLS (Cumulative Layout Shift) too high on WordPress
Your site's Cumulative Layout Shift (CLS) is above 0.1. Elements move visually during page loading.
[medium] FCP (First Contentful Paint) too high
The First Contentful Paint (FCP) is too slow. Users see a blank page for too long before the first content appears.
[medium] TBT (Total Blocking Time) too high
The Total Blocking Time (TBT) is too high. Long JavaScript tasks block the main thread and prevent the page from responding to interactions.
[medium] Render-blocking scripts in the WordPress <head>
Script tags without defer or async attributes are present in the <head>. They block page rendering until fully loaded.
[medium] Gzip or Brotli compression disabled on the server
The server does not compress its HTTP responses. HTML, CSS and JavaScript are sent without compression, unnecessarily increasing each request.
[medium] Browser cache misconfigured on WordPress
Cache-Control headers are absent or misconfigured. Browsers do not cache your static files (images, CSS, JS).
[medium] Too many third-party scripts on your WordPress site
A high number of JavaScript scripts from third-party domains was detected. Each third-party script adds an extra network connection and JavaScript to execute.
[low] Images without lazy loading on WordPress
Images outside the visible area (below the fold) are loaded immediately instead of waiting for the user to scroll to them.
[low] Images in JPEG/PNG format - WebP or AVIF recommended
Your site's images use JPEG or PNG formats. WebP and AVIF formats offer much better compression for equivalent quality.
SEO (14 articles)
Missing or poorly optimized title tag on WordPress
The <title> tag of your page is missing, too short (less than 30 characters) or too long (more than 60 characters).
[high] Missing viewport tag
The <meta name="viewport"> tag is missing from your page. Without it, mobile browsers display your site as a scaled-down desktop version.
[medium] Missing or too short meta description
The meta description tag is missing or too short on this page. Google may generate its own description, often less relevant.
[medium] H1 tag missing or duplicated
The page has no H1 tag, or has multiple. A well-structured page must contain exactly one H1 tag describing its main topic.
[medium] Images without alt attribute on WordPress
Some images on your site have no alt attribute. Search engines and screen readers cannot interpret these images.
[medium] Missing canonical URL on WordPress
No <link rel="canonical"> tag is defined on this page. Without it, duplicate URLs (with/without www, with parameters...) can create duplicate content.
[medium] robots.txt missing or misconfigured on WordPress
The robots.txt file is absent, inaccessible or does not contain a Sitemap directive - limiting the control you have over your site's indexing.
[medium] XML sitemap missing or unreferenced
No XML sitemap was found on your site, or it is not referenced in robots.txt. Google must discover your pages on its own, which may delay indexing.
[low] Missing lang attribute on HTML tag
The <html> tag does not have a lang attribute. Browsers, screen readers and search engines do not know the language of the content.
[low] Missing Open Graph tags
Open Graph tags (og:title, og:description, og:image) are missing. When your content is shared on social networks, it displays no visual preview.
[low] Missing Twitter Card
The <meta name="twitter:card"> tag is missing. Shares on X (Twitter) do not display a rich preview.
[low] Missing Schema.org structured data
No structured data (JSON-LD / Schema.org) was detected on your site. Google cannot generate rich snippets for your pages.
[low] Missing favicon on WordPress
No favicon is defined on your site. Browser tabs and bookmarks display a generic icon.
[low] HTML errors detected by W3C validator
The W3C validator detected errors in your page HTML. These errors indicate markup that does not conform to web standards.
Accessibility (5 articles)
Color contrast issues
Text elements on your site have insufficient contrast with their background. This does not meet WCAG 2.1 criteria (minimum 4.5:1 ratio for normal text).
[medium] Missing or incorrectly associated form labels
Form fields on your site do not have a correctly associated <label> tag. Screen reader users do not know what each field corresponds to.
[medium] Missing or incorrect ARIA attributes
Interactive components (menus, modals, tabs) do not have the necessary ARIA attributes to be accessible to assistive technologies.
[medium] Keyboard navigation impossible or dysfunctional
Some interactive elements on your site are not accessible or usable with keyboard only.
[low] Incorrect H1-H6 heading structure
The heading hierarchy (H1, H2, H3...) on your page does not follow logical order. Levels are skipped or duplicated.
Guides (3 articles)
How to interpret your WPPulse report
Your WPPulse report presents four analysis categories: Security, Performance, Accessibility and SEO. Each category receives a score from 0 to 100.
How to prioritize WordPress fixes
Your report may present 20, 30 recommendations or more. Here is a simple method to prioritize them effectively.
Understanding the WPPulse score
WPPulse calculates four scores (0-100) and an overall score. Here is how each score is calculated and what it measures.