Skip to main content
Vantyris

Vulnerabilities

What a passive security scan can and cannot prove about your site.

Published 2026-04-09 · Last updated 2026-04-09 · Vantyris editorial

If a security scanner says 'WordPress login reachable without rate-limiting', what does it actually know? A passive external scanner reads what's already publicly visible — DNS records, response headers, certificates, HTML, REST endpoints, exposed paths. It cannot see your server-side rate-limiting rules, your Cloudflare bot-protection settings, or whether 2FA prompts appear after the password step. Those controls are usually present but invisible from outside. This article unpacks the boundary, so you can read passive-scan findings without either dismissing them or panicking.

What this means for your business

How to fix

Read passive-scan findings as 'flagged for confirmation'. If you already enforce the relevant server-side control, mark the finding 'Accepted as known risk' with a written reason — the workflow records the decision and auto-expires after 90 days. If you don't enforce the control, fix it.

  1. Identify the confidence band of the finding. Open the finding in the report. The evidence pack header shows confidence: high, medium, or low. Medium-confidence findings always carry a 'Caveats' line explaining the boundary — what the scanner saw versus what it cannot see from outside.
  2. If you already enforce the control, mark as Accepted. Click the finding's status, choose 'Accepted as known risk', and write the reason: 'WAF rules block /wp-login.php after 5 attempts per IP per 60 seconds; Wordfence 2FA enforced on every admin account; Cloudflare bot-protection rule confirmed via test on YYYY-MM-DD.' The workflow auto-expires the suppression after 90 days, so you re-confirm rather than silently forget.
  3. If you don't enforce the control, fix it. Add the missing layer. /wp-login.php: install Wordfence (rate-limit + 2FA), or move the URL with WPS Hide Login, or enable a Cloudflare WAF rule against the path. The remediation entry in the finding card names the specific layered hardening.
  4. Re-run the scan. Vantyris can't re-test the server-side control from outside (the whole point of this article). What re-running does verify: that the public surface — the page being reachable, the lack of visible 2FA hints — hasn't changed. The 'Accepted as known risk' state with the written reason is the audit trail.

Owner: Site owner reviews the finding; whoever runs the server-side controls implements them. · Time: Reading the finding: 2 minutes. Acceptance with reason: 5 minutes. Adding a control if missing: anywhere from 15 minutes to an afternoon.

Common gotchas

How to verify the fix

Read the finding card. Look for the confidence rating and the 'Caveats' line in the evidence pack. If you've enforced the control, the verification is server-side: check the WAF / plugin logs, run a synthetic test, then mark the finding accepted. If you haven't, add the control and re-scan to confirm the finding's public surface still reads consistently.

Common follow-up questions

Why doesn't Vantyris just try ten wrong passwords to test rate-limiting?

Two reasons. Legal: actively testing authentication boundaries on a third-party service crosses into 'unauthorised access' territory under the UK Computer Misuse Act 1990, even with the site owner's consent for the scan itself. Practical: it would generate alerts in your WAF, IDS, and SIEM, and create exactly the kind of false-positive incident-response work that wastes your operations team's afternoon.

Is there a way to do active testing if I want it?

Yes, but not via Vantyris. Active authentication testing is the territory of a penetration test — a human-driven engagement, scoped against a specific application, with written authorisation and a rollback plan. We refer customers to credentialled pen-testing firms when active testing is the right call. Vantyris is the right tool to keep the hygiene-scan baseline current between pen tests, not to replace them.

Are 'medium confidence' findings less important than 'high confidence' ones?

Not necessarily. Confidence is about how certain we are the finding describes reality; severity is about how bad the finding is if real. A medium-confidence Critical (e.g., a CMS version disclosure suggesting an outdated install) is still urgent — you should verify the actual version internally and patch, not dismiss it.

What about findings that are wrong?

Passive scanning has a false-positive rate; we tune downward by preferring medium-confidence over a higher rating when scanners disagree. If you find a finding is wrong, use 'Mark as Ignored with reason' to suppress it for 90 days while we review the rule. Every suppression with a reason flows back to the rule maintainer.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0