Skip to main content
Free Website Scan — No Signup Required

Scan Results

Here is what we found for xcii.my. Review the checks below and take action on anything flagged in red.

77 / 100

Overall Score: 77/100

Your website has a solid foundation but there are several areas that need attention to improve rankings and performance.

25 Passed
3 Warnings
9 Failed

Website Preview

https://xcii.my

Capturing screenshot…

Google SERP Preview

This is how your page may appear in Google search results.

https://xcii.my
xciimy
No meta description provided. Google will auto-generate a snippet from page content.

WordPress Detected

WordPress Version 7.0.1 / 7.0.1 latest

Running the latest version.

Version is publicly visible. Hide it with remove_action('wp_head', 'wp_generator')

Twenty Twenty-Five screenshot
Theme Twenty Twenty-Five

by the WordPress team

v1.5 PHP 7.2+ WP 6.7+ twentytwentyfive

Twenty Twenty-Five emphasizes simplicity and adaptability. It offers flexible design options, supported by a variety of patterns for different page types, such as services and landing pages, making it ideal for building personal blogs, professional portfolios, online magazines, or business websites. Its templates cater to various blog styles, from text-focused to image-heavy layouts. Additionally, it supports international typography and diverse color palettes, ensuring accessibility and customization for users worldwide.

one-column custom-colors custom-menu custom-logo editor-style featured-images full-site-editing block-patterns rtl-language-support sticky-post threaded-comments translation-ready wide-blocks block-styles style-variations accessibility-ready blog portfolio news
Login Page Exposed

wp-login.php is publicly accessible. Consider hiding it with a plugin like WPS Hide Login or restrict by IP.

REST API Users Exposed

Usernames visible via REST API: admin. Disable with disable_rest_api_users or a security plugin.

Endpoint Security 4 Endpoints Exposed
/wp-admin/ Accessible
/xmlrpc.php Accessible
/wp-cron.php Publicly accessible
/?author=1 Enumerates user: admin

XML-RPC enables brute-force and DDoS amplification attacks. Disable with add_filter('xmlrpc_enabled', '__return_false') or block in .htaccess.

Public wp-cron.php can be abused for DDoS. Set define('DISABLE_WP_CRON', true) and use a real server cron job instead.

Author enumeration exposes usernames for brute-force attacks. Block with a security plugin or redirect rule.

File Exposure 2 Files Accessible
/readme.html Reveals WordPress version
/license.txt Confirms WordPress install
/wp-content/debug.log Not accessible
Plugin readme.txt Not accessible
/dup-installer/ Not accessible
Duplicator status log Not accessible
/emergency.php Not accessible
Information Leakage 3 Signals Expose Information
Generator meta tag Exposes WordPress version
RSD link (EditURI) Really Simple Discovery endpoint
WP Core Sitemap Built-in sitemap exposes URL structure

Remove unnecessary head links: remove_action('wp_head', 'rsd_link'), remove_action('wp_head', 'wlwmanifest_link'), remove_action('wp_head', 'wp_oembed_add_discovery_links')

Directory Security All Directories Protected
/wp-content/ Accessible but no listing
/wp-content/uploads/ Forbidden (403)
/wp-content/plugins/ Accessible but no listing
/wp-content/themes/ Accessible but no listing
/wp-includes/ Forbidden (403)
/wp-content/mu-plugins/ Not found (404)

Domain Information

Loading domain information…

CDN & Infrastructure

Server Location CDN Network

Cloudflare edge — 2606:4700:3032::6815:595

Provider Cloudflare

cloudflare

PageSpeed Insights

Powered by Google Lighthouse. Scores are out of 100.

Running Lighthouse audit… This may take up to 60 seconds.

Detailed Analysis

SEO

Search engine optimisation checks

SEO

Page Title

Title: "xciimy" (6 chars). Too short. Aim for 50-60 characters for optimal SERP display.

Recommendation: Write a unique, descriptive <title> tag (50-60 characters) that includes your main keyword.
SEO

Meta Description

No meta description found. Google will auto-generate one, which may not represent your page well.

Recommendation: Write a compelling meta description (140-160 characters) that summarises the page and includes your target keyword.
SEO

H1 Heading

One H1 heading found correct structure.

SEO

Image Alt Attributes

No images found on the page.

SEO

Canonical URL

No canonical tag found. Without it, search engines may index multiple versions of the same page.

Recommendation: Add <link rel="canonical" href="YOUR_PAGE_URL"> pointing to the preferred version of each page.
SEO

Robots Noindex Check

No noindex directive found your page is eligible for Google indexing.

SEO

Schema.org Structured Data

No structured data found. Adding Schema.org markup can improve how your page appears in Google search.

Recommendation: Add JSON-LD structured data (Organization, LocalBusiness, FAQPage, etc.) to help search engines understand your content.
SEO

URL Length

URL is 15 characters. Good — short URLs are easier to share and rank better in search.

SEO

Content Length

34 words detected. Very thin content. Search engines may not consider this page valuable enough to rank.

Recommendation: Add more meaningful text content. Aim for at least 300 words of unique, relevant content that addresses user intent.
SEO

Hreflang Tags

No hreflang tags found. If your site targets multiple languages or regions, add hreflang tags to avoid duplicate content issues across locales.

SEO

Noindex Header Test

No noindex directive in HTTP headers (X-Robots-Tag). The server is not blocking indexing via response headers.

SEO

Robots.txt

robots.txt file found with valid directives. This file controls which parts of your site search engines can crawl.

SEO

Blocked by Robots.txt

This page is NOT blocked by robots.txt. Search engines are free to crawl and index it.

SEO

LLM.txt

No llms.txt file found. Adding one helps AI assistants provide accurate information about your business when users ask.

Recommendation: Create a /llms.txt file in your site root with a structured description of your business, services, and key information. See llmstxt.org for the specification.
SEO

XML Sitemap

XML sitemap found at /sitemap.xml. Also referenced in robots.txt.

SEO

WWW Redirect Consistency

Both www and non-www versions resolve but serve separate content. www.xcii.my does not redirect to xcii.my. This causes duplicate content in search engines.

Recommendation: Configure a 301 redirect so that one version (www or non-www) permanently redirects to the other. Add the rule in your web server config or .htaccess.

Security

Security and safety checks

Security

HTTPS / SSL Certificate

Your site uses HTTPS good for security and Google rankings.

Security

Security Headers

1 of 5 security headers found: Strict-Transport-Security (HSTS).

Recommendation: Add missing security headers: X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Strict-Transport-Security, Content-Security-Policy.
Security

Server Technology Exposure

No server technology or version information is leaked in HTTP headers.

Security

Permissions-Policy

No Permissions-Policy header. Third-party scripts could access browser features like camera, microphone, or geolocation without restriction.

Recommendation: Add a Permissions-Policy header to restrict browser features, e.g.: Permissions-Policy: camera=(), microphone=(), geolocation=()
Security

Referrer-Policy

No Referrer-Policy set. The browser will send the full URL as referrer to third-party sites, potentially leaking private URLs or query strings.

Recommendation: Add Referrer-Policy: strict-origin-when-cross-origin to your server config. This is the recommended balance between privacy and analytics functionality.
Security

Google Safe Browsing

Checking Google Safe Browsing…

Security

VirusTotal Reputation

Checking VirusTotal threat intelligence…

Security

Malware & Suspicious Code

No common malware indicators found in the page source. No hidden iframes, obfuscated scripts, crypto miners, or suspicious redirects detected.

Security

Cookie Security

All cookies have proper security attributes, or no cookies were set on initial load.

Security

Mixed Content

No mixed content detected. All resources load over HTTPS.

Security

JS Library Versions

No outdated JavaScript libraries detected in page source.

Security

Staging / Debug References

No staging, development, or debug references found in page source.

Performance

Speed and delivery checks

Performance

Server Response Time

Your server responded in 0.86s. Excellent response time.

Performance

HTML Page Size

HTML size is 68 KB lightweight and fast to download.

Performance

Gzip / Brotli Compression

Compression is enabled pages are served compressed to reduce transfer size.

Performance

Cache Headers

Caching is active: CF-Cache-Status: DYNAMIC.

Performance

China Firewall Compatibility

Server location: Canada.

Mobile & UX

Mobile-friendliness and user experience

Mobile

Viewport Meta Tag

Viewport meta tag is present your site should render properly on mobile devices.

UX

Favicon

No favicon link tag detected. Your site will show a generic icon in browser tabs and bookmarks.

Recommendation: Add a favicon by placing a favicon.ico in your root directory and adding <link rel="icon"> to your <head>.

Social & Analytics

Social sharing and tracking

Social

Open Graph Tags

No Open Graph tags found. Shared links on social media will show generic previews instead of your custom title, image, and description.

Recommendation: Add og:title, og:description, og:image, and og:url meta tags to your <head>.
Analytics

Analytics Detection

Analytics detected: Google Analytics 4.

Need help fixing these issues?

Our team can optimise your website for speed, SEO, and security. Get a free consultation no obligations.

Website Scan FAQ

Common questions about our free website scanning tool.

Our scanner runs 37+ checks across SEO, security, performance, and WordPress. General checks cover: HTTPS/SSL, server response time, page size, gzip/Brotli compression, title tag, meta description, viewport meta, H1 heading, image alt attributes, Open Graph tags, canonical URL, security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), cookie security (Secure, HttpOnly, SameSite), robots noindex, favicon, Schema.org structured data, server technology exposure, cache headers, mixed content detection, outdated JavaScript libraries, China Firewall compatibility, URL length, content length, hreflang tags, X-Robots-Tag, robots.txt, llms.txt, XML sitemap, analytics, and staging/debug reference detection. For WordPress sites, we run a full deep audit including: version check, theme & plugin detection, WPScan known CVEs, endpoint security (wp-login.php, xmlrpc.php, wp-cron.php, author enumeration), file exposure (readme.html, license.txt, debug.log, error_log, backup files), directory listing, and information leakage (generator tag, RSD, WLW manifest, oEmbed). We also run a full Google PageSpeed Insights audit showing Performance, Accessibility, Best Practices, and SEO scores plus Core Web Vitals (FCP, LCP, TBT, CLS) for both mobile and desktop.
Yes, completely free with no signup required. Enter your URL, hit Scan Now, and get your results in seconds. No email, no credit card, no strings attached.
Most free scanners only check basic SEO or performance. Ours goes deeper — especially for WordPress sites. We probe actual endpoints like xmlrpc.php and wp-cron.php, check for exposed error logs and backup files, detect information leakage signals, and cross-reference your plugins and themes against the WPScan vulnerability database. We also check cookie security attributes, mixed content, and outdated JavaScript libraries that could expose your users to attacks.
The scan provides a reliable snapshot of your website’s fundamentals. It checks the same core metrics that affect Google rankings and user experience. For a deeper audit covering Core Web Vitals, database queries, and server-level issues, contact us for a full audit.
Aim for 80 or above. A score of 80–100 means your fundamentals are solid. Below 50 means there are critical issues hurting your SEO and user experience that should be fixed urgently.
For WordPress sites, we run a dedicated security audit on top of the standard checks. This includes: whether wp-login.php is exposed, if xmlrpc.php is accessible (a common attack vector for brute-force and DDoS amplification), whether wp-cron.php can be triggered publicly, if author enumeration is possible via ?author=1, whether sensitive files like readme.html, license.txt, debug.log, PHP error logs, and backup config files are publicly accessible, directory listing status on core WordPress folders, information leakage signals like generator meta tags and RSD/WLW manifest links, and known security vulnerabilities in your WordPress version, theme, and plugins via the WPScan database.
If the scan finds any of these, fix them immediately: exposed debug.log or error_log files (they can contain passwords and API keys), publicly accessible wp-config.php backups or .env files (contain database credentials), xmlrpc.php accessible (enables brute-force attacks at scale), and known CVEs in your plugins or theme. After that, address author enumeration, wp-cron.php exposure, and information leakage signals.
Absolutely. We specialise in WordPress optimisation, server hardening, and technical SEO. Most fixes can be completed within 48 hours. WhatsApp us with your scan results and we will give you a free quote.
It works for any publicly accessible website — WordPress, Shopify, Wix, custom-built, or any other platform. The URL must start with http:// or https:// and be reachable from our servers. The deep WordPress audit only runs when WordPress is detected.
No. The scan makes a small number of lightweight requests to your website, similar to normal visitors loading your page. For WordPress sites, additional HEAD requests are made to probe specific endpoints — these are read-only and cause no meaningful load.
We recommend scanning after every major update — plugin updates, theme changes, hosting migrations, or content overhauls. A monthly check is a good habit to catch newly disclosed CVEs, configuration drift, and any files that may have been accidentally exposed.

Disclaimer: This scan is provided for informational purposes only and does not constitute professional security advice. XCII Technologies makes no warranties regarding the accuracy, completeness, or reliability of the results. Third-party data sources used in this report include:

  • Domain & WHOIS data — sourced via the IANA RDAP Bootstrap service, with registry and registrar RDAP referral. Providers include MYNIC (.my domains), Google Registry (.app, .dev, .page, .new and other Google TLDs), Verisign, PIR (.org), Identity Digital, Aliyun, CNNIC (.cn domains), and individual registrar RDAP endpoints. Accuracy depends on the respective provider.
  • PageSpeed Insights — performance, accessibility, best practices, and SEO audits are powered by Google PageSpeed Insights and Lighthouse. Results may vary between runs.
  • Google Safe Browsing — threat detection data is provided by Google Safe Browsing. A clean result does not guarantee the site is free from all threats.
  • VirusTotal — domain and IP reputation data is provided by VirusTotal (a Google subsidiary). Results reflect analysis from 70+ security vendors and may include false positives.
  • WPScan Vulnerability Database — WordPress vulnerability data is provided by WPScan. Coverage depends on their database and may not include all known vulnerabilities.
  • WPVulnerability Database — WordPress, PHP, Apache, and nginx vulnerability data is provided by WPVulnerability. This free, community-maintained database may not include all known vulnerabilities.
  • WordPress.org & Envato — plugin and theme metadata is sourced from WordPress.org and Envato/CodeCanyon APIs.
  • Joomla Extensions Directory — Joomla extension metadata is sourced from the Joomla Extensions Directory (JED). Not all extensions may be listed in JED.
  • Server geolocation — IP-based server location data is provided by ip-api.com. Geolocation accuracy may vary.

XCII Technologies is not affiliated with any of the above services and is not responsible for the data they provide. Use this report at your own discretion.