Free instant website security audit and email health check (SPF / DKIM / DMARC). WebsiteScanner runs deep scans and delivers plain-English AI reports — exactly what to fix and why it matters.
No account needed · 6 passive checks · Results in ~10 seconds
No account needed · SPF, DKIM, DMARC, MX, Blacklist, BIMI · Results in seconds
We run the same checks a professional penetration tester would — automatically, on demand.
Validates certificate chain, expiry, protocol strength & cipher suites.
Checks CSP, HSTS, X-Frame-Options, X-Content-Type, Referrer-Policy & more.
Scans top 20 ports for exposed databases, admin panels & legacy services.
Tests cross-origin resource sharing for misconfigurations that could expose your data.
Checks CSRF protection, username enumeration, rate limiting & form security.
WordPress, Joomla, Drupal — known vulnerabilities, exposed admin paths, plugin/theme versions.
Finds hidden paths, backup files & admin panels exposed to the public internet.
Verifies SPF / DMARC / DKIM DNS records to prevent spoofing & phishing.
Scans pages for malware, phishing, tech stack & certificate analysis via Cloudflare Radar.
Checks Google's real-time threat database for malware & social engineering warnings.
Checks if your domain appears in known data breaches. Professional+ plans.
Our comprehensive email health check analyses your DNS records and tests your mail server's live SMTP configuration.
Don't just find problems — prove you fixed them. Track, compare, and demonstrate your security improvements.
Up to 12 months of scan history. Compare scores between scans to track improvement.
Visual score tracking shows your security posture improving as you fix findings.
Re-scan after fixes to prove remediation. Show stakeholders measurable progress.
No agents to install, no complex setup. Just results.
No agents, no installs. We work against your public-facing site.
SSL, headers, ports, DNS, email auth, threat intel — all in parallel.
AI writes plain-English guidance with exact steps and severity.
Practical, hand-written articles on email deliverability, web security, and Australian privacy law.
Most Australian small business cookie banners don't meet the OAIC's informed-consent standard. Here is what does, what doesn't, and how to fix it without paying for an enterprise consent platform.
Six HTTP headers stop the most common attacks against your website. Here is what each one does in plain English, and the exact lines to add to nginx, Apache, or your WordPress config.
WordPress runs over 40% of websites and is the most-targeted CMS on the internet. The good news: a clear ten-step hardening checklist closes most attacks, and none of the steps require a developer.
Yes. The free instant scan runs around 15 passive checks — SSL/TLS, security headers, open ports, DNS, email authentication, threat intelligence — against any public domain in roughly 10 seconds. No account or payment required. Paid Starter plans add active vulnerability testing, scheduled scans, and AI-generated remediation reports.
SSL/TLS certificate validity and protocol strength, HTTPS enforcement, HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy), open port exposure, CMS vulnerabilities (WordPress, Joomla, Drupal), directory discovery, email authentication (SPF, DKIM, DMARC, BIMI), DNSSEC, and threat-intelligence feeds (Cloudflare URL Scanner, Google Safe Browsing, HIBP).
We query the live DNS records for SPF, DKIM, DMARC, MX, and BIMI, and run live SMTP tests (port connectivity, server banner, STARTTLS, TLS certificate, open relay, MTA-STS, DANE/TLSA) on Professional and Enterprise plans. Results include an A–F grade and step-by-step fix instructions.
No. WebsiteScanner runs entirely against your public-facing site from our scanner — no agents, no plugins, no DNS changes.
The free passive scan only reads publicly available signals (DNS records, headers, certificate info) — it is read-only and indistinguishable from normal traffic. Active vulnerability tests on paid plans run at a controlled rate well below typical pen-test thresholds.
No. You must verify domain ownership before any active scan can run. The free passive scan is rate-limited and only inspects information already exposed to the public internet.
Two versions — a plain-English report aimed at the business owner (what the issue means and why it matters) and a technical remediation report aimed at a developer (specific config changes, code examples, CVE references, severity ranking).
Join thousands of website owners protecting their sites with WebsiteScanner.