Why We Built the WordPress Risk Score (And Why It’s Free)
We got tired of writing the same diagnostic email five times a week. So we built the scan, made it public, and gave away the report. Here's what it actually checks, what it deliberately doesn't, and why "free" doesn't mean "sales-funnel bait" in this case.
The Email We Were Writing Five Times a Week
Most weeks, somebody emails us a screenshot of a broken WordPress site and asks if it’s salvageable. The reply is always the same shape: which version of WordPress, which plugins, what the headers say, whether anything’s leaking from the footprint, what the homepage performance looks like. Twenty minutes of triage, then a reasoned answer.
That email is a useful answer for the one person who got it. It’s a terrible use of time when ten people a week need the same thing. So we built the WordPress Risk Score — the same triage, automated, public, with the report you actually wanted.
What the Score Is
It’s a public-signal scan. You hand it a URL, it grades five categories on a 0–100 scale, and it returns a letter and a one-page verdict. The five categories are the ones that matter for day-one operational risk:
- Update Hygiene. Whether the WordPress core is current, and whether the visible plugin/theme versions are fresh or stale.
- Backup Exposure. Whether anything that looks like a backup file is sitting at a public URL where anyone can grab it.
- Security Headers. The six headers that quietly do most of the heavy lifting against common attacks. Most sites have two.
- Plugin Risk. Cross-checks detected plugins and themes against a curated vulnerability database. Specific CVEs, specific versions.
- Performance. Mobile PageSpeed via Google’s API. Not because PageSpeed is the whole story, but because it’s a reliable proxy for whether the site is built for the device 70% of your visitors actually use.
Each category gets a sub-score, the overall is a weighted blend, and the letter grade is calibrated to mean something. An A is an A. An F is an F.
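To make the scoring mechanics concrete, here is an added example in Python; it is not the Risk Score's own code. It grades a site's response headers against an assumed set of six security headers (the page does not name them, so the set, the value checks, the category weights and the letter bands are all assumptions chosen for illustration), then blends five category sub-scores into one number and a letter. The sample header sets are constructed.

```python
"""Added example, not the Risk Score's own code.

Grades response headers against an assumed set of six security headers,
then blends five category sub-scores into a letter grade. The header set,
the value checks, the weights and the grade bands are assumptions for
illustration; the sample header sets are constructed.
"""
from __future__ import annotations

# Minimum HSTS max-age accepted (180 days); an assumed threshold.
HSTS_MIN_AGE = 180 * 24 * 3600


def _hsts_ok(value: str) -> bool:
    """True when max-age is present and at least HSTS_MIN_AGE seconds."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().lower().partition("=")
        if name == "max-age":
            return arg.isdigit() and int(arg) >= HSTS_MIN_AGE
    return False


# Assumed "six headers" and the value check each must pass to count.
HEADER_CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().lower() in {"deny", "sameorigin"},
    "referrer-policy": lambda v: v.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin",
    },
    "permissions-policy": lambda v: bool(v.strip()),
}

# Assumed category weights; they sum to 1.0.
CATEGORY_WEIGHTS = {
    "update_hygiene": 0.25,
    "backup_exposure": 0.25,
    "security_headers": 0.20,
    "plugin_risk": 0.20,
    "performance": 0.10,
}


def score_headers(headers: dict[str, str]) -> tuple[int, list[str]]:
    """Return (0-100 sub-score, headers that are missing or misconfigured).

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    failed = [
        name for name, check in HEADER_CHECKS.items()
        if name not in lowered or not check(lowered[name])
    ]
    passed = len(HEADER_CHECKS) - len(failed)
    return round(100 * passed / len(HEADER_CHECKS)), failed


def blend(sub_scores: dict[str, int]) -> int:
    """Weighted blend of the five category sub-scores into one 0-100 number."""
    if set(sub_scores) != set(CATEGORY_WEIGHTS):
        raise ValueError("every category needs exactly one sub-score")
    return round(sum(CATEGORY_WEIGHTS[c] * s for c, s in sub_scores.items()))


def letter_grade(score: int) -> str:
    """Assumed bands: A >= 90, B >= 80, C >= 70, D >= 60, else F."""
    for floor, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= floor:
            return grade
    return "F"


def report(headers: dict[str, str], other_scores: dict[str, int]) -> tuple[int, str, list[str]]:
    """Combine a header grade with the other four sub-scores: (overall, letter, gaps)."""
    header_score, gaps = score_headers(headers)
    overall = blend({**other_scores, "security_headers": header_score})
    return overall, letter_grade(overall), gaps


# Constructed samples: the common "two of six" site versus a hardened one.
TYPICAL_SITE = {
    "Server": "nginx",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_SITE = {
    **TYPICAL_SITE,
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    # Constructed sub-scores for the other four categories.
    others = {"update_hygiene": 92, "backup_exposure": 100,
              "plugin_risk": 90, "performance": 50}
    for label, hdrs in (("typical", TYPICAL_SITE), ("hardened", HARDENED_SITE)):
        overall, grade, gaps = report(hdrs, others)
        print(f"{label}: {overall} ({grade}); header gaps: {gaps or 'none'}")
```

The header check is deliberately a value check, not a presence check: a Strict-Transport-Security header with a tiny max-age, or a Content-Security-Policy with no default-src, counts as a gap, which is the difference between "the header exists" and "the header does the work".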
What It Deliberately Isn’t
This is not a penetration test. It does not log in to your site, does not attempt any exploit, does not modify a single byte of the target. Everything it checks is information your site is already broadcasting to the public internet, often in ways the owner doesn’t realize.
It’s also not a complete audit. The scan can’t see your admin user list, can’t tell whether your daily backups have ever been tested, can’t audit the roles your contributors have, can’t read your hosting environment. Those are real things that matter, and the Risk Score doesn’t pretend to cover them. That’s what the human WordPress Audit is for.
Why It’s Free
Three reasons, in order of honesty.
One: it actually is free. No signup wall, no email required to see the grade, no “unlock the full report.” You run the scan, you get the score, you can download the PDF without giving us anything. We chose that on purpose because we hate how every “free tool” on the internet quietly turns into a lead form before you see anything useful.
Two: a small percentage of users are going to want a human review. They’ll hit a B-tier score, decide they want a Parameter operator to walk through the report and dig into the things automation can’t see, and request the WordPress Audit. That’s a real conversion path for us, and we’re upfront about that on the result page. Not hidden. Not gated. Right there next to the PDF download.
Three: putting a public scan out there raises the floor for everyone. The owner of a D-tier site rarely knows they’re at a D until something proves it. The scan proves it in under a minute, with specifics. Some of those owners fix it themselves. Some hire someone else. Some hire us. All three outcomes are better than “the site stays at D until it gets compromised.”
The Calibration We Argued About Most
Letter grades are easy to fake. The temptation is to set the curve so most sites land at C or D, then sell yourself as the fix. We refused to do that. The grading band is calibrated against real production WordPress sites we’ve operated, audited, or rescued. A site running current core, decent headers, no exposed backups, and a healthy plugin slate genuinely earns an A. Most sites don’t, but the ones that do should see the A.
The flip side: the F is a real F. We don’t soften it because the visitor might feel bad about their site. The whole point of an honest grade is that the grade is honest.
What the Score Doesn’t Replace
If your site is actively broken, hacked, or you’ve already got a real incident on your hands, the Risk Score is a triage tool — it’ll tell you what’s visible from outside, but it won’t recover anything. The right move there is the Emergency Diagnostic: a $250 two-hour deep look with root-cause analysis, credited toward any annual Protect plan if you decide to keep working with us.
If your site is fine but you want a real second opinion — someone reading the WordPress admin, the host environment, the role assignments, the SEO, the accessibility — that’s the WordPress Audit. Free, with a Parameter operator review and a follow-up call.
The Risk Score sits one layer above both of those: a fast, public, honest read on what the internet sees when it looks at your site. If the score makes you flinch, that’s useful information. If it doesn’t, that’s also useful. Either way, you walk away with a number and a report you didn’t have an hour ago.
Bottom Line
We built the Risk Score because the same diagnostic email was eating an hour of someone’s week, every week. We made it free because gating the answer behind a sales form is the kind of thing we’d refuse to fall for ourselves. We made it honest because the alternative is a tool that grades on a curve to manufacture leads — and that’s the exact pattern Parameter exists to be the opposite of.
If you’ve never run it, run it on your own site first. The scan takes under a minute. The report is yours either way: parameterllc.com/wordpress-risk-score.
Want WordPress to feel handled?
Self-serve onboarding takes minutes. Parameter takes care of the rest — hosting, ops, and improvements when you need them.