Most exploits aren't sophisticated. They target known, preventable gaps. This page shows you exactly what those gaps are — and what attackers do when they find them first.
The vast majority of Shopify and WordPress store owners are not security experts. They're entrepreneurs, designers, and operators — people focused on their product, their customers, and their growth. Security is something that happens to them, not something they actively manage.
That's the gap we're here to close. Sekura gives any store owner a clear, plain-English picture of exactly what their site looks like to an attacker — without needing to understand HTTP headers, DNS records, or TLS handshakes to act on it.
Every finding comes with a description of the risk in real terms ("an attacker could send your customers a fake refund email from your exact domain") and a specific, prioritised fix. No jargon, no noise, no list of CVE numbers that mean nothing to someone running a store.
The uncomfortable truth: most sites aren't hacked because attackers are clever. They're hacked because the same basic gaps go unfixed. Every finding Sekura surfaces has a documented, real-world exploit behind it.
We build a security product, so we hold ourselves to a high standard. These are the non-negotiable rules every scan follows.
Every check we run is equivalent to what a browser or a monitoring service does. We read public HTTP headers, look up DNS records, check SSL certificates, and inspect publicly available files. We never attempt logins, directory traversal, SQL injection, brute-forcing, or exploitation of any kind.
If our scanner finds a real API key or password in a public JS file, we flag the finding but redact the value before it reaches our database. We store the type of credential found and its approximate location — never the credential itself.
By submitting a domain, users confirm they have authorisation to scan it. Our terms of service are unambiguous on this point. We enforce per-IP rate limits to prevent automated abuse.
We store only what's needed to show you your results and track your score over time: the domain, the findings, timestamps, and your risk score. We don't store the raw HTTP responses or page content from scanned sites.
Our backend runs on a hardened server with a minimal attack surface. Authentication is handled by Supabase using industry-standard JWTs. Passwords are hashed by Supabase with bcrypt — we never see them. Database access is restricted to the API server.
We never re-scan your site without your instruction or an active monitoring subscription. If you're on a free plan and walk away, we don't keep probing your domain in the background.
Every scan runs seven independent modules. Here's exactly what each one does, what it looks for, and how it stays passive.
Reads the HTTP response headers your server sends with every page load.
Queries public DNS to check the email authentication records protecting your domain.
Inspects your certificate and the TLS configuration your server advertises.
Probes predictable paths that are commonly left public by accident.
Reads public JavaScript files and source maps for patterns that look like credentials.
Enumerates subdomains using public DNS and certificate transparency logs.
Identifies the CMS, framework, and server software your store is running.
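As an added illustration of the kind of passive check the DNS module above performs (example code, not Sekura's own): it grades SPF and DMARC TXT records for the spoofed-refund-email risk described earlier, entirely offline on constructed records, so the domain names and record values are made up.

```python
# Constructed sample TXT records keyed by DNS name; a real scanner would obtain these with a passive DNS lookup.
SAMPLE_TXT = {
    "example-store.test": ["v=spf1 include:shops.shopify.com ~all"],
    "_dmarc.example-store.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-store.test"],
    "open.test": ["v=spf1 include:mail.open.test all"],
    "_dmarc.open.test": ["v=DMARC1; p=reject"],
    "unprotected.test": [],
}

def spf_all_qualifier(records):
    """Return the qualifier of the SPF 'all' term ('+', '-', '~', '?'),
    '' if SPF exists but has no 'all' term, or None if there is no SPF record."""
    for r in records:
        if r.lower().startswith("v=spf1"):
            for term in r.split()[1:]:
                qualifier = term[0] if term[0] in "+-~?" else "+"  # RFC 7208: default qualifier is '+'
                if term.lstrip("+-~?").lower() == "all":
                    return qualifier
            return ""
    return None

def dmarc_policy(records):
    """Return the DMARC 'p=' value (lower-cased), or None if no DMARC record is present."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            tags = {k.strip().lower(): v.strip() for k, v in (t.split("=", 1) for t in r.split(";") if "=" in t)}
            return tags.get("p", "none").lower()
    return None

def assess_email_auth(domain, txt):
    """Grade a domain's SPF/DMARC from its TXT records. Returns (severity, plain-English risk) pairs."""
    findings = []
    q = spf_all_qualifier(txt.get(domain, []))
    if q is None:
        findings.append(("high", "No SPF record: receivers cannot tell which servers may send mail as this domain."))
    elif q == "+":
        findings.append(("high", "SPF ends in +all: any server on the internet passes the SPF check."))
    elif q in ("", "?"):
        findings.append(("medium", "SPF never fails unknown senders: spoofed mail is treated as neutral."))
    p = dmarc_policy(txt.get(f"_dmarc.{domain}", []))
    if p is None:
        findings.append(("high", "No DMARC record: mail forged from this exact domain is not rejected."))
    elif p == "none":
        findings.append(("medium", "DMARC policy is p=none: spoofing is reported but still delivered."))
    return findings

if __name__ == "__main__":
    for d in ("example-store.test", "open.test", "unprotected.test"):
        print(d, assess_email_auth(d, SAMPLE_TXT))
```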
Every gap Sekura finds has a documented, predictable outcome. These aren't hypothetical — they're the exact techniques used in real attacks every day.
We passively scanned 282 live Shopify and WordPress/WooCommerce stores in June 2025. Every check was passive — no store owner was contacted, no credentials attempted, no content downloaded. The results are aggregated; no individual store is identifiable.
When you scan a domain, here's the complete picture of what gets stored.
Free scan. Passive only. Results in under 30 seconds.
Scan your site free