Guide · 8 min read

What a RecapWP scan checks: a tour of every area

One scan, every area, worst-first. Here is everything RecapWP looks at, and which findings it can fix for you.

Most plugins that watch over a WordPress site specialize. One does security, another does broken links, a third nags about SEO, and you end up running five of them and reconciling five dashboards by hand. RecapWP takes the opposite approach. It runs a single on-demand scan, looks across every area of your site in one pass, and hands you a list sorted worst-first, so the thing most worth your attention sits at the top.

That scan is dozens of deterministic checks. Some findings come with a one-click fix that applies the change for you and records it so you can reverse it later. Others are flagged for you to handle, because the right call depends on context a plugin should not assume. This is a tour of every area, what each one looks for, and where the line falls between a fix and a flag.

Security and hardening

This is the largest area and the one most sites need most. It looks for the exposures attackers fingerprint a site by: XML-RPC left open to the public, the WordPress version on display in your page source, usernames that can be enumerated through author archives, missing HTTP security headers, no limit on failed logins, mixed content over an otherwise secure connection, and browsable folders that list their contents to anyone who asks. Many of these carry a one-click fix, because each is a known configuration change rather than a judgment call. RecapWP is not a firewall and does not watch traffic. It closes the doors that should never have been open.
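To make a few of these checks concrete, here is an added example (not RecapWP's code) that audits one already-fetched response for missing security headers, a WordPress version in the generator tag, mixed content, and a directory listing. The header list, the function name and the sample response are assumptions constructed for illustration.

```python
import re

# Baseline hardening headers: an assumed list for this example, since the
# page does not say which headers RecapWP looks for.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress ([\d.]+)["\']', re.I)
# Sub-resources loaded over plain HTTP; ordinary <a href> links do not count.
MIXED_RE = re.compile(r'<(?:script|img|iframe)\b[^>]*\bsrc=["\'](http://[^"\']+)', re.I)
LISTING_RE = re.compile(r"<title>\s*Index of /", re.I)


def audit_response(url, headers, body):
    """Return sorted finding strings for one already-fetched response."""
    findings = []
    present = {name.lower() for name in headers}
    for name in EXPECTED_HEADERS:
        if name not in present:
            findings.append(f"missing-header:{name}")
    match = GENERATOR_RE.search(body)
    if match:
        findings.append(f"version-disclosed:{match.group(1)}")
    if url.startswith("https://"):  # mixed content only exists on HTTPS pages
        for src in MIXED_RE.findall(body):
            findings.append(f"mixed-content:{src}")
    if LISTING_RE.search(body):
        findings.append("directory-listing")
    return sorted(findings)


# Constructed sample response, not captured from a real site.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 6.0.1" />
</head><body><img src="http://example.test/wp-content/uploads/logo.png">
<a href="http://example.org/">external link</a></body></html>"""

if __name__ == "__main__":
    for finding in audit_response("https://example.test/", SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```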

Platform and updates

Outdated software is the most common way a healthy site quietly drifts into a vulnerable one. This area surfaces the plugin, theme, and WordPress core updates waiting for you, flags a PHP version that has fallen out of date, and points out plugins sitting inactive (code you are still shipping but not using). It is detect-only by design. RecapWP shows you exactly what is behind, but the act of updating stays in your hands, where a backup and a moment of attention belong.

Errors

A PHP fatal error is the kind of problem you usually hear about from a visitor, long after it started. This area captures those fatals from real visitor requests as they happen and groups them by message, so a single recurring failure does not show up as fifty separate alarms. Because it watches live traffic, these surface in real time without your having to run a scan first. When you fix the underlying cause and the error stops reappearing, that silence is the confirmation your fix held.

Performance

Performance here is about the structural waste that piles up inside WordPress rather than any single speed score. The scan flags a missing page cache or persistent object cache, options bloated with oversized autoloaded data that loads on every request, post revisions stacked up by the hundreds, and the emoji and embed scripts WordPress loads whether or not you use them. The emoji and embed item is a one-click fix. The rest are flagged, because adding a cache layer or pruning revisions is a decision about your stack, not a switch a plugin should flip for you.

A scan that only tells you what is wrong has done half the job. The half that matters is the one that closes it.

SEO: caught per page, not in the bulk scan

SEO is the one set of checks that does not live in the scan. Instead of a bulk-scan area, the on-page basics are caught per page by the Frontend Auditor (a Pro capability), which flags them as you browse the live site: a page missing a meta description, an image missing alt text, content thin enough that it likely is not earning its place. Every one of these is detect-only, and that is the point: a plugin should not write your meta descriptions or describe your images for you, and it makes no promise about rankings. It simply shows you the gaps, on the exact page you are looking at, so a human who knows that page can fill them well.

Links

Broken links are the kind of rot that accumulates invisibly. A background crawl (part of the Pro capabilities) is links-only: it finds broken internal and external links, orphan pages that nothing links to, and dead URLs that visitors are still landing on despite the page being gone. For the internal broken links and those dead-but-trafficked URLs, RecapWP offers a "create redirect" fix, so you can send the traffic somewhere useful instead of into a 404. External breaks are flagged, since you do not control the other end.

Content

Old content is not automatically bad content, but content that has quietly aged out of date often is, and it tends to slip out of mind precisely because nobody is looking at it. This area surfaces stale, aging posts so you can decide what to refresh, what to consolidate, and what to retire. It is detect-only, an editorial nudge rather than an action: only you know which of those old posts still deserves to rank and which has had its day.

Users

User hygiene is one of those things that is obvious in hindsight and invisible until someone points it out. The scan flags a default admin username (the one every brute-force list starts with), more administrator accounts than a site that size plausibly needs, and any account whose public display name is identical to its login (which hands an attacker the username for free). All three are detect-only, because removing or renaming a real person's account is a human decision, not one a scan should make on your behalf.

WooCommerce

For stores, a few catalog problems cost real money and are easy to miss in a large product list. This area (a Pro capability that requires WooCommerce active) flags products published with no price, products with no image, and products still listed as published while out of stock. Each is detect-only, because the fix is a merchandising choice: set the price, add the photo, or pull the listing. RecapWP just makes sure none of them sit broken on your storefront without your knowing.

Environment and config

The last area catches the settings that are fine on a staging site and quietly harmful in production. It flags search engines being blocked from the site (the "discourage search engines" box left checked after launch is a classic), debug mode running in production where it can leak detail to visitors, and the built-in file editor left enabled in wp-admin. The "search engines blocked" finding is a one-click fix, since the remedy is unambiguous. The others are surfaced for you to confirm, because debug and the file editor are sometimes on for a reason.
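The three settings above can be read straight from a site's configuration. This added example (not RecapWP's code) assumes the WordPress core names `WP_DEBUG`, `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS` and the `blog_public` option, none of which the page names, and labels each finding with the fix-or-flag handling the page describes; the function names and sample file are constructed.

```python
import re

DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false)\s*\)""", re.I)


def read_bool_constants(wp_config_text):
    """Collect boolean define() calls, ignoring commented-out code."""
    text = re.sub(r"/\*.*?\*/", "", wp_config_text, flags=re.S)  # block comments
    constants = {}
    for line in text.splitlines():
        # Drop line comments. This can truncate string values that contain
        # "//" or "#", which is harmless because only booleans are read.
        code = re.split(r"//|#", line, maxsplit=1)[0]
        for name, value in DEFINE_RE.findall(code):
            constants[name] = value.lower() == "true"
    return constants


def audit_environment(wp_config_text, blog_public):
    """Return (finding, handling) pairs; handling follows the page's split."""
    c = read_bool_constants(wp_config_text)
    findings = []
    # blog_public is "0" when "discourage search engines" is checked.
    if str(blog_public) == "0":
        findings.append(("search-engines-blocked", "one-click fix"))
    if c.get("WP_DEBUG", False):
        findings.append(("debug-mode-on", "flag"))
    # The editor stays available unless one of these constants is true.
    if not (c.get("DISALLOW_FILE_EDIT", False) or c.get("DISALLOW_FILE_MODS", False)):
        findings.append(("file-editor-enabled", "flag"))
    return findings


# Constructed sample wp-config.php: both editor locks are commented out.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
/* define( 'DISALLOW_FILE_MODS', true ); */
"""

if __name__ == "__main__":
    for finding, handling in audit_environment(SAMPLE_WP_CONFIG, blog_public="0"):
        print(f"{finding}: {handling}")
```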

Fix or flag, and why it is always deterministic

The split that runs through every area is the same one: where the remedy is a known, unambiguous configuration change, RecapWP offers a one-click fix and records it. Where the right answer depends on your content, your host, or your business, it flags the finding and leaves the call to you. Nothing about that split is guesswork. Detection and fixing are both fully deterministic, and the same site returns the same findings every time. The optional assistant can explain a finding in plain English if you ask it to, but it never applies a fix. And because every fix is backed by an apply and undo ledger, you can reverse any one of them, or revert everything at once.

Every area, one scan, your list. The fastest way to understand what RecapWP looks at is not to read about it but to point it at your own site: run a scan, read the findings worst-first, and see which doors are open and which posts have gone quietly stale on you.
