# Understanding vulnerability scanning in WP Toolkit

> WP Toolkit scans your WordPress site, plugins, and themes for known vulnerabilities and gives each site a security risk score, with steps to reduce your risk.

Source: https://www.kualo.com/knowledgebase/wp-toolkit/understanding-vulnerability-scanning-in-wp-toolkit
Updated: 2026-06-11

---

WP Toolkit scans your WordPress installations, plugins, and themes for known vulnerabilities, giving you a clear report and practical steps to reduce your risk.

## What are vulnerabilities?

Imagine your WordPress site as a medieval castle. Vulnerabilities are the hidden cracks in the walls or secret tunnels that invaders could exploit. In WordPress terms, they are weak points in your site's code or configuration that attackers can use to slip in unnoticed, cause damage, and steal data. The most common sources are outdated WordPress core software, plugins, and themes.

## How Kualo's security and WP Toolkit work together

Kualo's shared hosting includes several layers of protection: real-time malware scanning via Imunify360, tools that inspect and block potentially malicious code execution, multiple firewall layers with AI and machine learning capabilities, and systems that automatically patch many known vulnerabilities in WordPress core.

Think of this as a team of elite knights defending your castle around the clock. But no security system is bulletproof. Ultimately, keeping your WordPress site safe means making sure the code it is built on is itself secure. This is where WP Toolkit's vulnerability scanning comes in.

WP Toolkit regularly scans your site, plugins, and themes for known vulnerabilities and provides a comprehensive report with recommendations. It is like having a map that highlights every weak spot in your castle walls - without it, you would have no idea where an attacker might break through.

## How to access vulnerability scanning in WP Toolkit

1. **Log in to cPanel** and open **WordPress Management** (WP Toolkit) from the left-hand navigation.
2. Find the WordPress site you want to review. Each site's card shows a **security risk score** out of 10 - the lower the score, the safer your site.
3. Click **Mitigate vulnerabilities** (or the security score) on the site's card to open the **Security Status** panel.

   ![The Security Status panel in WP Toolkit, showing the security risk score](https://kb-cdn.kualo.com/9a/a4/9aa48e5bc665736927b44b071da17831a25b9fc5.png)

4. Open the **Vulnerable Components** tab to see any vulnerabilities WP Toolkit has found in your WordPress core, plugins, or themes. If the list is empty, your site has no known vulnerabilities - great news.
5. **Review the results.** Each vulnerability is listed with its risk level, type, and the date it was first detected.
6. **Take action.** Each entry shows a suggested action, such as **Update** or **Deactivate**. Read the sections below before you proceed.

## Common vulnerability types

- **Cross-Site Scripting (XSS):** Attackers inject malicious scripts into pages viewed by other users, potentially stealing login credentials or spreading malware.
- **SQL Injection (SQLi):** Malicious SQL queries manipulate your database, allowing attackers to read, modify, or delete data.
- **Remote Code Execution (RCE):** Attackers run arbitrary code on your hosting account remotely, potentially taking full control of your site.
- **Cross-Site Request Forgery (CSRF):** A logged-in user is tricked into performing actions they did not intend, such as making unauthorised changes or transactions.
- **Sensitive information exposure:** Passwords or personal data are unintentionally exposed, leading to identity theft or financial loss.
- **Privilege escalation:** A user gains higher permissions than intended, potentially reaching admin-level access.
- **Arbitrary file upload:** Attackers upload malicious files to your server, which can then be used to compromise your site or steal data.
- **Broken access control:** Users can access resources or perform actions beyond their permitted level, leading to data breaches or site defacement.

## Fixing vulnerabilities by updating your software

Keeping WordPress core, plugins, and themes up to date is the most effective way to close known vulnerabilities. WP Toolkit lets you run updates directly from the vulnerability scan results.

A word of caution before you update: depending on how out of date your code is, an update could be incompatible with your current PHP version or cause a conflict with other installed software.

If a developer manages your site, it is worth checking with them first. If you are handling this yourself, consider enabling [Smart Updates](/knowledgebase/wp-toolkit/using-smart-updates-in-wp-toolkit) before proceeding.

Smart Updates clones your site and runs checks before and after each update, helping to catch problems before they affect your live site. You will need enough free disk space on your account for this to work. If space is tight, you may need to update without Smart Updates or upgrade your hosting plan.

You can also configure Smart Updates to run automatically, and limit them to specific plugins, themes, or minor version updates only.

Alternatively, WP Toolkit can create a [separate staging site](/knowledgebase/wp-toolkit/creating-staging-websites-with-wp-toolkit) where you can test updates in a safe, sandboxed environment before pushing them live.

## What if no update is available?

Sometimes a vulnerable plugin or theme has no update to install. There are usually two reasons for this:

1. **The vulnerability is very recent.** The developer may not yet have released a fix. Check the date listed against the vulnerability - if it is recent, a patch may be on the way. Check back in a few days.
2. **The plugin or theme has been abandoned.** If the vulnerability was detected some time ago and there is still no fix, the developer may have stopped maintaining it or it may have been removed from the WordPress repository. In this case, remove the plugin or theme and find a maintained alternative. If it is your active theme, it may be time to switch.

If updating is not possible, deactivating the plugin or theme is a reasonable temporary measure. Be aware that deactivating a plugin may break functionality on your site, and deactivating a theme will break its appearance and layout entirely. If you no longer need a plugin or theme, remove it completely: a deactivated plugin or theme still leaves its files on the server, and a vulnerability in those files can still be triggered by requesting them directly, so deactivation alone does not remove the risk.
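
The decision rules in this section (update when a fix exists, wait a few days when the finding is very recent, otherwise treat the component as abandoned and remove it, and never rely on deactivation alone) can be written down as a small triage routine. The Python below is an added example and not WP Toolkit's own code or output: the `Finding` fields, the sample findings, the 14-day cut-off for "very recent" and the "recheck" action for WordPress core (which cannot be removed or deactivated) are all assumptions made for the example.

```python
"""Triage a WP Toolkit-style vulnerability list with the rules from this article.

Added example, not WP Toolkit's own code: the finding fields, the sample
findings and the 14-day "recent" cut-off are assumptions (the article
only says "a few days").
"""
from dataclasses import dataclass
from datetime import date

RECENT_DAYS = 14  # assumed cut-off for "the vulnerability is very recent"
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}  # highest risk first in reports


@dataclass(frozen=True)
class Finding:
    component: str        # plugin slug, theme name, or "wordpress" for core
    kind: str             # "core", "plugin" or "theme"
    risk: str             # risk level as shown by the scanner
    vuln_type: str        # e.g. "XSS", "SQLi", "CSRF"
    first_detected: date  # date the scanner first listed it
    update_available: bool
    active: bool          # plugin activated / theme currently in use


def triage(f: Finding, today: date) -> str:
    """Recommend one action for a finding, following the article's rules."""
    if f.update_available:
        # An update is the fix; test it first (Smart Updates or a staging site).
        return "update"
    if f.kind == "core":
        # Assumption: core cannot be removed or deactivated, so wait for a release.
        return "recheck"
    age_days = (today - f.first_detected).days
    if age_days <= RECENT_DAYS:
        # The developer may still ship a patch: deactivate now, check back later.
        return "deactivate-and-recheck"
    # Unfixed for a long time: treat as abandoned and remove it.
    if f.kind == "theme" and f.active:
        return "switch-theme-then-remove"
    # Applies to already-deactivated plugins too: their files remain on disk.
    return "remove"


def triage_report(findings, today):
    """Return (component, risk, action) tuples, highest risk first."""
    ordered = sorted(findings, key=lambda f: (RISK_ORDER.get(f.risk, 99), f.component))
    return [(f.component, f.risk, triage(f, today)) for f in ordered]


# Constructed sample data for the example, not a real scan result.
TODAY = date(2026, 6, 11)
SAMPLE_FINDINGS = [
    Finding("sample-forms", "plugin", "high", "SQLi", date(2026, 5, 1), True, True),
    Finding("sample-gallery", "plugin", "medium", "XSS", date(2026, 6, 8), False, True),
    Finding("sample-slider", "plugin", "high", "RCE", date(2026, 2, 2), False, False),
    Finding("sample-theme", "theme", "low", "CSRF", date(2026, 3, 15), False, True),
    Finding("wordpress", "core", "medium", "XSS", date(2026, 6, 9), False, True),
]

if __name__ == "__main__":
    for component, risk, action in triage_report(SAMPLE_FINDINGS, TODAY):
        print(f"{risk:<6} {component:<16} -> {action}")
```

Note that `sample-slider` is already deactivated and still comes out as "remove": an old, unfixed vulnerability in a plugin that is merely switched off is the case the paragraph above warns about. The report is sorted so high-risk entries are reviewed first, matching the article's advice to prioritise those.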

## Do not ignore these vulnerabilities

Imagine waking up to find your castle overrun. Attackers have slipped through those cracks, and now they have access to everything - sensitive data, your site's content, and potentially the ability to use your site to attack others. Your reputation suffers, your users lose trust, and recovery can be costly and time-consuming. It is not just a broken gate; it is your entire kingdom to rebuild.

Do not ignore vulnerabilities, particularly high-risk ones. Regular scanning and keeping your WordPress installation, plugins, and themes updated are the equivalent of keeping your castle walls solid and your defences ready. WP Toolkit gives you the tools to stay on top of this without it becoming a constant worry.

For more detail on additional security measures available in WP Toolkit, see our guide: [Security measures in WP Toolkit](/knowledgebase/wp-toolkit/security-measures-in-wp-toolkit).


---

_Source: Kualo Knowledgebase — https://www.kualo.com/knowledgebase/wp-toolkit/understanding-vulnerability-scanning-in-wp-toolkit · © Kualo Ltd._
