
How Scoring Works

Purpose

This article explains, at a high level, how CMSSPM turns scan results into an overall security posture score. The goal is to help you understand what the score represents, why some issues matter more than others, and how certain findings can be handled when a compensating control or accepted mitigation is already in place.

Where to find it

You will see scoring throughout the Overview Dashboard after running a scan. CMSSPM uses scan results from different security areas to produce both section-level scoring and an overall posture score for the site.

This page is only meant to explain the general idea behind that scoring.

What the score is based on

CMSSPM takes the findings from its security checks and weights each one by importance. Not every issue affects the score equally.

A more serious finding will usually move the score more than a minor recommendation. For example, a missing critical protection or a widely exposed weakness should count more heavily than a lower-priority hardening suggestion.

The score is therefore designed to reflect relative security impact, not simply the number of items in a list.

Why weighting is used

Weighting is used because security issues are not all equal. Some problems are more likely to be abused in practice, some have a broader impact if they are exploited, and some sit on more important trust boundaries such as login security, transport security, or email authentication.

CMSSPM uses factors like these to decide how much influence a finding has on the overall score. In other words, the model tries to reflect both likelihood and impact rather than counting how many warnings appear after a scan.

This also means that one important finding may lower the score more than several small ones combined.

How scan results affect the score

In general, findings that pass do not reduce the score. Findings that are still open, unresolved, or flagged for review may reduce it, in proportion to their assigned weight.

Some checks are mainly informational. They still appear in the interface so you can see what was observed, but they carry little or no weight in the main score. This keeps "useful visibility" separate from "actual scoring impact."

The result is a scoring model that aims to stay practical: it shows everything that was found while emphasizing what matters most.

How mitigated findings are handled

In some cases, a finding may still appear during a scan even though the risk is already being addressed in another way. When that happens, an administrator can mark the finding as mitigated.

When a finding is marked as mitigated:

  • it is treated as passing for scoring purposes,
  • the user who applied the mitigation is logged,
  • a note or justification is stored with the finding,
  • the mitigation remains in place until an administrator removes it.

This is useful when a control is provided by another product, an alternate safeguard, an environmental limitation, or a deliberate and documented risk decision.

The purpose of mitigation is not to hide findings. It lets the score better reflect the site's real-world security posture when there is a valid, documented reason that a finding should no longer count against the site. Because a mitigation stays in place until an administrator removes it, it does not expire on its own: if the compensating control is later changed or retired, an administrator should revisit the mitigation so the score does not keep crediting a safeguard that is no longer there.
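As an added illustration of the weighting and mitigation behaviour described above (example code written for this article, not CMSSPM's own implementation), the following Python sketch scores a small set of constructed findings. Severity names, the weight table, the check IDs, the section names and the percentage formula are all assumptions; CMSSPM does not publish its real weights on this page. The example shows informational checks appearing without moving the score, a mitigated finding counted as passing while the user, justification and timestamp are recorded, and a single critical finding costing more points than three low ones together.

```python
"""Illustrative weighted posture score with mitigation handling.

Added example, not CMSSPM's code. Severity weights, status names, check IDs
and the score formula below are assumptions chosen for demonstration.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Assumed weights. Informational checks carry zero weight so they can be
# listed in results without affecting the score.
WEIGHTS = {"critical": 10, "high": 6, "medium": 3, "low": 1, "info": 0}


@dataclass(frozen=True)
class Mitigation:
    user: str        # administrator who applied the mitigation (logged)
    note: str        # justification stored with the finding
    applied_at: str  # ISO-8601 timestamp


@dataclass(frozen=True)
class Finding:
    check_id: str
    section: str
    severity: str
    status: str  # "pass", "fail" or "review"
    mitigation: Optional[Mitigation] = None

    @property
    def weight(self) -> int:
        return WEIGHTS[self.severity]

    def counts_as_pass(self) -> bool:
        # A mitigated finding is scored as passing; "review" stays open.
        return self.status == "pass" or self.mitigation is not None


def posture_score(findings) -> int:
    """Share of total scorable weight that is passing, rounded to 0..100."""
    scorable = [f for f in findings if f.weight > 0]
    total = sum(f.weight for f in scorable)
    if total == 0:
        return 100
    open_weight = sum(f.weight for f in scorable if not f.counts_as_pass())
    return round(100 * (total - open_weight) / total)


def section_scores(findings) -> dict:
    """Same formula per section; a section with only informational checks has no score."""
    out = {}
    for section in sorted({f.section for f in findings}):
        sub = [f for f in findings if f.section == section]
        out[section] = posture_score(sub) if any(f.weight > 0 for f in sub) else None
    return out


def penalty_points(finding: Finding, findings) -> float:
    """Points a single open finding costs against the full set (its weight share)."""
    total = sum(f.weight for f in findings if f.weight > 0)
    return 100 * finding.weight / total if total else 0.0


def mitigate(findings, check_id, user, note, now=None):
    """Return a new list with check_id marked mitigated; a justification is required."""
    if not note.strip():
        raise ValueError("a mitigation needs a written justification")
    if not any(f.check_id == check_id for f in findings):
        raise KeyError(check_id)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    record = Mitigation(user=user, note=note, applied_at=stamp)
    return [replace(f, mitigation=record) if f.check_id == check_id else f for f in findings]


def unmitigate(findings, check_id):
    """Administrator removes the mitigation; the finding counts again."""
    return [replace(f, mitigation=None) if f.check_id == check_id else f for f in findings]


# Constructed sample scan: one critical, one high, two medium, three low, one info.
SAMPLE = [
    Finding("tls_enforced", "transport", "critical", "fail"),
    Finding("login_lockout", "authentication", "high", "fail"),
    Finding("spf_record", "email", "medium", "pass"),
    Finding("dmarc_record", "email", "medium", "fail"),
    Finding("version_hidden", "hardening", "low", "fail"),
    Finding("readme_removed", "hardening", "low", "fail"),
    Finding("file_editor_off", "hardening", "low", "fail"),
    Finding("plugin_inventory", "inventory", "info", "review"),
]

if __name__ == "__main__":
    print("overall:", posture_score(SAMPLE))
    print("sections:", section_scores(SAMPLE))
    lows = [f for f in SAMPLE if f.severity == "low"]
    print("critical costs", penalty_points(SAMPLE[0], SAMPLE), "points;",
          "three lows cost", sum(penalty_points(f, SAMPLE) for f in lows))
    after = mitigate(SAMPLE, "login_lockout", "alice",
                     "Brute-force lockout is enforced by the WAF in front of the site")
    print("after mitigation:", posture_score(after), after[1].mitigation)
```

Running the block shows the critical transport finding alone costing 40 points while all three low hardening findings together cost 12, and the informational inventory check leaving the score untouched. Mitigating the login finding raises the score from 12 to 36 and keeps who did it and why alongside the finding; removing the mitigation returns the score to 12.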

Why the score may differ from other platforms

The scoring approach was influenced in part by the general idea behind systems like SecurityScorecard, where categories and findings are weighted instead of treated equally. That kind of model is useful because it better reflects how real security risk works.

At the same time, CMSSPM has different visibility and a different scope than external rating platforms. It looks at WordPress-specific settings, local configuration choices, and operational details that some outside systems may not see or score the same way.

Because of that, CMSSPM scoring may not match other scoring systems exactly. That does not necessarily mean one score is wrong and the other is right. It usually means the systems are looking at different signals, with different weighting models, for different purposes.

How to interpret your score

The score should be treated as a guide for prioritization, not as a perfect or universal measure of security. It is meant to help you quickly understand where the most meaningful weaknesses are and where improvement work should start.

A lower score means there are more unresolved findings, more heavily weighted findings, or both. A higher score generally means the site has fewer open issues in the areas CMSSPM is able to assess.

The most useful way to use the score is to:

  • identify higher-impact issues,
  • make improvements one section at a time,
  • rescan after changes,
  • use mitigations carefully and document them clearly,
  • watch the score improve as posture improves.

Notes and scope

CMSSPM scoring is intended to be practical, risk-informed, and understandable. It is not meant to be a direct copy of any outside rating system, and it may evolve over time as the plugin expands and new checks are added.
