Authenticated Scanning

By default, seeshare scans your site as an unauthenticated visitor, but adding credentials unlocks deeper scanning of protected areas like admin panels and server infrastructure. This article covers how to configure WordPress, OpenVAS, and HTTP authentication credentials, and when authenticated scanning is worth setting up.

Beginner

By default, seeshare scans your website as an unauthenticated visitor. Authenticated scanning lets the tools log in and test areas behind authentication — admin panels, dashboards, and protected pages — where many vulnerabilities hide.

WordPress Credentials

If your site runs WordPress, providing credentials enables scanning of WordPress admin areas, deeper plugin and theme vulnerability detection, configuration auditing of WordPress settings, and detection of vulnerabilities in authenticated-only functionality.

To configure, go to Domains, click your domain, find the WordPress Credentials section, enter your WordPress admin URL, username, and password, and click Save.

Create a dedicated scanning user rather than using your primary admin account. Give it the Administrator role for complete coverage and use a strong, unique password. Credentials are stored securely and only used during scans.

OpenVAS Credentials (Professional Tier)

OpenVAS provides host-level vulnerability scanning, and adding credentials enables authenticated vulnerability checks on the server, detection of missing security patches, configuration auditing of server software, and more comprehensive service-level testing.

To configure, go to Domains, click your domain, find the OpenVAS Credentials section (Professional tier only), enter your server credentials, and click Save. Use a read-only or limited-privilege account where possible, and ensure it has access to the services you want tested.

Authentication Config (Password-Protected Sites)

If your site is behind HTTP Basic Auth or a login wall, go to the domain settings, configure the authentication method (Basic Auth, form-based, etc.), and provide the necessary credentials. The scanner will then authenticate before running its tests.

Security of Your Credentials

All credentials are encrypted at rest and only accessed by the scanning engine during active scans. They are never exposed in reports or logs, and you can update or remove them at any time.

When to Use Authenticated Scanning

Unauthenticated scanning is usually sufficient for public-facing marketing sites. Add WordPress credentials for any WordPress site with plugins. Configure authentication for web applications with user accounts to get full coverage. Add OpenVAS credentials on the Professional tier for server and infrastructure assessment. For staging or development environments behind Basic Auth, configure HTTP auth so the scanner can access the site.