WordPress Security Guide

How to check if my WordPress site is vulnerable?

Check that WordPress core, all plugins, and themes are running the latest versions. Look for exposed sensitive files like wp-config.php, debug.log, and database backups. Verify that directory listing is disabled on /wp-content/uploads/ and /wp-content/plugins/. Test whether XML-RPC is accessible and user enumeration is possible through the REST API. Check for security headers in your HTTP responses. Verify that your login page has brute-force protection. UNPWNED automates all of these checks and more, scanning your WordPress site for known CVEs, exposed files, missing security configurations, and common vulnerabilities in a single comprehensive scan.
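The manual checks above can be scored from HTTP responses you have already captured from your own site. The following is an added example, not UNPWNED's code: the `audit` function, the probe paths (including the `backup.sql` name), the header list and the sample responses are all assumptions constructed for illustration.

```python
import json

# Paths and header names below are assumed examples; the page names none beyond
# wp-config.php, debug.log, database backups, XML-RPC and the REST API.
SENSITIVE = ("/wp-config.php", "/wp-content/debug.log", "/backup.sql")
LISTING_DIRS = ("/wp-content/uploads/", "/wp-content/plugins/")
WANTED_HEADERS = ("strict-transport-security", "content-security-policy",
                  "x-content-type-options", "x-frame-options")

def audit(responses):
    """responses: {path: (status, headers, body)} captured from your own site."""
    findings = []
    missing = (None, {}, "")
    for path in SENSITIVE:
        status, _, body = responses.get(path, missing)
        # A 200 with an HTML body is usually a themed "soft 404", not the file.
        is_html = body.lstrip().lower().startswith(("<!doctype", "<html"))
        if status == 200 and body.strip() and not is_html:
            findings.append(f"exposed file: {path}")
    for path in LISTING_DIRS:
        status, _, body = responses.get(path, missing)
        if status == 200 and "<title>Index of" in body:
            findings.append(f"directory listing enabled: {path}")
    status, _, body = responses.get("/xmlrpc.php", missing)
    # WordPress answers a plain GET to a reachable xmlrpc.php with this 405.
    if status == 405 and "XML-RPC server accepts POST requests only" in body:
        findings.append("xmlrpc.php reachable")
    status, _, body = responses.get("/wp-json/wp/v2/users", missing)
    try:
        users = json.loads(body) if status == 200 else []
    except ValueError:
        users = []
    users = users if isinstance(users, list) else []
    slugs = [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]
    if slugs:
        findings.append(f"REST API lists {len(slugs)} user(s)")
    present = {name.lower() for name in responses.get("/", missing)[1]}
    findings += [f"missing header: {h}" for h in WANTED_HEADERS if h not in present]
    return findings

# Constructed sample responses, not taken from a real site.
SAMPLE = {
    "/": (200, {"X-Content-Type-Options": "nosniff"}, "<html>home</html>"),
    "/wp-content/debug.log": (200, {}, "[07-Apr-2026] PHP Notice: sample"),
    "/backup.sql": (200, {}, "<!DOCTYPE html><title>Page not found</title>"),
    "/wp-content/uploads/": (200, {}, "<title>Index of /wp-content/uploads</title>"),
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/wp-json/wp/v2/users": (200, {}, '[{"id": 1, "slug": "editor1"}]'),
}
```

A path that is absent from the input is treated as not checked, so an empty result only means something for the paths you actually fetched.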


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.