When a website undergoes a PCI compliance scan through tools like Clover Security, it’s not uncommon to see alarming vulnerability reports. In this case, a WordPress site behind Cloudflare was flagged with multiple security issues—but not all of them required action.
After a detailed review, Freshy identified the real issue, implemented targeted fixes, and clarified which findings were safe to ignore—resulting in a fully compliant PCI scan.
Issue Background
A WordPress website underwent a Clover PCI security scan and returned multiple flagged vulnerabilities. The report included:
- Weak cryptography warnings
- TLS 1.0 and TLS 1.1 reported as enabled
- BEAST attack vulnerability flags
- Dozens of low-severity findings across various ports (e.g., 443, 2053, 2083, 8443)
At first glance, the report appeared critical and required immediate remediation.
However, not all flagged issues in PCI scans are actionable—especially for sites behind services like Cloudflare.
Diagnosis
After reviewing the Clover Security report and environment setup, we identified two key categories of findings:
1. Legitimate issue: outdated TLS versions
The primary cause of the PCI scan failure was:
- TLS 1.0 and TLS 1.1 being reported as enabled
- This triggered:
  - Weak cryptography warnings
  - BEAST vulnerability flags (which rely on TLS 1.0)
These are valid compliance issues and must be resolved.
2. False positives and informational findings
The scan also reported:
- Open ports like 2083, 8443, and 8080
- SSL certificate warnings
- Service discovery flags
These were traced back to:
- Cloudflare edge network behavior
- Hosting-level services outside the application layer
Since the site is proxied through Cloudflare, these findings:
- Do not expose the origin server
- Do not impact the cardholder data environment
- Are considered non-actionable for PCI compliance
Resolution Steps
Step 1: Update Cloudflare SSL/TLS settings
The critical fix was applied at the Cloudflare level:
- Set Minimum TLS Version → TLS 1.2
- Ensure SSL mode is set to Full (Strict)
Raising the minimum version removes TLS 1.0 and 1.1 from what the Cloudflare edge will negotiate, which is the endpoint the scanner tests; Full (Strict) additionally requires a valid certificate on the origin for the Cloudflare-to-origin connection, so modern encryption is enforced on both legs.
Step 2: Re-run the PCI scan
After updating TLS settings:
- A new Clover scan was initiated
- Results were reviewed for remaining issues
Step 3: Validate remaining findings
Post-scan results showed:
- 0 high vulnerabilities
- 0 medium vulnerabilities
- Only low-level informational findings remained
We confirmed that:
- Reported ports (e.g., 2083, 8443) are part of Cloudflare’s infrastructure
- SSL certificate warnings were irrelevant due to Cloudflare-managed certificates
- No exposure existed on the origin WordPress environment
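The two Cloudflare settings from Step 1 can be applied through the Cloudflare zone-settings API, and the Step 3 validation can be done without waiting for a rescan by attempting one handshake per protocol version against the proxied hostname. The script below is an added example written for this case study, not Freshy's or Cloudflare's own tooling. It uses the documented `min_tls_version` and `ssl` zone-settings endpoints; the zone ID, API token and hostname are placeholders you supply, and the `dry_run` default only plans the requests. The `@SECLEVEL=0` cipher string is used for the probe only, so that a failed TLS 1.0/1.1 handshake reflects the server's policy rather than the local OpenSSL build refusing to offer those versions.

```python
import json
import socket
import ssl
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def plan_tls_hardening(zone_id, min_tls="1.2", ssl_mode="strict"):
    """Return the two zone-settings PATCH requests as (url, json_body) tuples.

    "strict" is the API value for the dashboard's "Full (Strict)" SSL mode.
    """
    return [
        (f"{CF_API}/zones/{zone_id}/settings/min_tls_version", {"value": min_tls}),
        (f"{CF_API}/zones/{zone_id}/settings/ssl", {"value": ssl_mode}),
    ]


def apply_tls_hardening(zone_id, api_token, dry_run=True):
    """Send (or, with dry_run, only list) the PATCH requests. Returns (url, body, response)."""
    results = []
    for url, body in plan_tls_hardening(zone_id):
        if dry_run:
            results.append((url, body, None))
            continue
        req = urllib.request.Request(
            url,
            data=json.dumps(body).encode(),
            method="PATCH",
            headers={
                "Authorization": f"Bearer {api_token}",
                "Content-Type": "application/json",
            },
        )
        with urllib.request.urlopen(req, timeout=15) as resp:
            results.append((url, body, json.load(resp)))
    return results


def probe_tls_versions(host, port=443, timeout=5):
    """Try exactly one protocol version per handshake.

    Returns {version_name: True (accepted) | False (rejected) | None (local library
    cannot speak this version at all)}.
    """
    versions = {
        "TLSv1.0": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    outcome = {}
    for name, ver in versions.items():
        ctx = ssl.create_default_context()  # still verifies the certificate chain
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # probe only: let OpenSSL offer legacy versions
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
        except (ValueError, ssl.SSLError):
            outcome[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    outcome[name] = True
        except (ssl.SSLError, OSError):
            outcome[name] = False
    return outcome


def pci_tls_ok(outcome):
    """Legacy TLS (1.0/1.1) must not complete a handshake; 1.2 or 1.3 must."""
    legacy_off = not outcome.get("TLSv1.0") and not outcome.get("TLSv1.1")
    modern_on = bool(outcome.get("TLSv1.2") or outcome.get("TLSv1.3"))
    return legacy_off and modern_on


if __name__ == "__main__":
    import sys

    # Placeholders: replace with the real zone ID, token and proxied hostname.
    for url, body, _ in apply_tls_hardening("ZONE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER"):
        print("would PATCH", url, json.dumps(body))
    if len(sys.argv) > 1:
        result = probe_tls_versions(sys.argv[1])
        print(result, "PCI TLS requirement met:", pci_tls_ok(result))
```

Run it with the hostname as the only argument to probe; a passing site shows `TLSv1.0` and `TLSv1.1` as `False` (or `None`) and at least one of `TLSv1.2`/`TLSv1.3` as `True`. Note that the probe tests the Cloudflare edge, exactly as the scanner does, so it says nothing about whether the origin itself still accepts legacy TLS from direct connections.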
Step 4: Clarify “acknowledgement” vs actual vulnerabilities
A follow-up Clover notification included items that required acknowledgement, not remediation.
These included:
- Directory listing concerns
- Remote access flags
After verification:
- No directory listing was enabled
- No direct remote access services were exposed
- These findings were not applicable to the environment
Final Outcome
- PCI scan returned PASS
- 0 high or medium vulnerabilities
- All remaining findings confirmed as informational
- No additional remediation required
This ensured full compliance while avoiding unnecessary changes that could impact site performance or infrastructure.
Need help passing a PCI scan or fixing WordPress security issues?
Security scans can be confusing—especially when reports mix real vulnerabilities with harmless findings. Our team specializes in diagnosing and resolving WordPress security issues efficiently.
Contact Freshy to get expert help.