CRO breakdown of WPScan's WordPress vulnerability database click-through. Design analysis and conversion insights by Apexure.
What is ConvertScore™? ConvertScore™ is Apexure's proprietary landing page performance metric. We evaluate every page across four dimensions — Copy & Messaging, Layout & Hierarchy, Trust & Social Proof, and CTA & Conversion Path — to produce a single score out of 100.
WPScan provides a continuously updated vulnerability database for WordPress — a product that security-conscious WordPress developers, agencies, and site owners use to check their installations against known vulnerabilities. The visitor is either proactively security-conscious or they’ve just had a scare.
The page needs to work for both: the proactive visitor who wants reassurance, and the reactive visitor who just found out their site might be compromised.
The purple and dark colour system aligns WPScan with the security and developer tool aesthetic — it reads as technical, professional, and specialised. Purple is used extensively in cybersecurity branding because it sits at the intersection of authority (dark tones) and innovation (the creative edge of the spectrum). The dark background also makes code snippets and data visualisations — core to the product’s proof — visually crisp.
The stats bar — showing the number of vulnerabilities in the database, the number of scans run, the number of plugins covered — anchors the product’s scale early. For a security tool, scale matters: a database with 97,000 entries is more comprehensive than one with 10,000. The numbers establish WPScan as the definitive WordPress vulnerability resource, not a niche tool with limited coverage.
The feature grid translates technical capabilities into plain-English outcomes. “Scan for known vulnerabilities” is less persuasive than “Know within seconds if your WordPress installation is at risk.” We rewrote feature descriptions as outcomes wherever possible — developers care about capability, but the conversion decision is emotional (“do I feel protected?”) as well as rational.
The pricing table shows the free tier prominently at the leftmost position — the natural starting point for a developer’s eyes scanning a pricing table. The free tier is listed with full detail of what’s included, not as an afterthought. Visitors who qualify for the free tier can self-select without feeling that the paid tiers are being forced on them.
The code snippet integration examples (showing API usage and CLI commands) serve dual purposes: they prove the product has technical depth, and they signal to developer visitors that the product is built for people like them. A page without code examples feels too marketing-focused for a developer audience; a page with them feels peer-to-peer.
WPScan's integration with WP-CLI, Wordfence, and other established WordPress tools is positioned as a feature, but it functions as a trust signal. Established tool integrations mean that if the visitor already uses one of those tools, they've already indirectly validated WPScan. The page needs to surface that connection explicitly, because the visitor may not make it themselves.
Security tool trust is technical trust, not emotional trust. The signals that matter are: database scale (proving comprehensive coverage), update frequency (proving the database is maintained and current), developer adoption (number of scans run, tools integrated with), and open-source history (WPScan’s background as an open-source project gives it credibility with developer audiences who distrust closed, commercial-only security tools).
"Developer audiences do their own due diligence. They'll check the GitHub repo, read the documentation, and look at the changelogs. The landing page doesn't need to convince a developer — it needs to give them enough to start their own evaluation. Make the free start easy, and let the product do the persuading."
Read more about SaaS landing page trust in our guide to B2B Landing Page Examples.
The "Start Scanning for Free" CTA removes the financial commitment barrier completely. For a product that proves its value through usage, getting the visitor to take one free scan is worth more than any copy on the page. A visitor who has run a scan and seen a vulnerability report is functionally already converted to the paid tier — they just haven't paid yet.
As a click-through page, the visitor’s first conversion point is the free account creation — not a payment or a consultation. This reduces the first-step friction to near zero and moves conversion responsibility to the in-app experience. The page’s job is simply to get a qualified developer to start a free scan. Everything after that is handled by the product.
"For developer SaaS, the landing page is top of a funnel that the product closes. The page's conversion goal isn't a paid subscription — it's a free trial start. Optimise for trial starts, not paid conversions, and let product-led growth do the upgrade work. Many teams confuse these two objectives and over-complicate the free trial CTA as a result."
WPScan uses WordPress as its own platform — a deliberate and trust-building choice. A WordPress security tool built and operated on WordPress demonstrates that the team understands and trusts the platform deeply enough to run their own business on it. This meta-message is not lost on the developer audience.
More than 60% of WPScan’s visitors arrive on mobile. The pricing table uses a tabbed interface on mobile — one plan visible at a time with tab navigation — to prevent the horizontal scroll that breaks pricing comparisons on small screens. The code snippets use a monospaced typeface at a size that’s readable without zooming, and tap targets on copy-to-clipboard buttons are sized for thumbs.
We run speed tests on every page we build because a slow landing page is a leaking bucket. You can spend thousands driving traffic, but every additional second of load time costs conversions. We treat PageSpeed results as a to-do list, not just a score.
Three improvements for the next iteration:
WPScan scores 84 on our ConvertScore framework. The page is technically credible and the free-tier CTA is well-positioned. The gap to 90+ lies in the absence of video proof, the missed opportunity for agency-specific messaging, and the static vulnerability count that could be made dynamic.
Browse our full collection of landing page examples or read our guide to Landing Page Call to Action Tips.
This principle influences visitor behaviour and supports the page's conversion goal.
People trust credible experts. Certifications, awards, media mentions, and expert endorsements boost credibility.
People follow the actions of others. Testimonials, reviews, and client logos build trust and reduce hesitation.
Simpler pages convert better. Reducing visual noise, breaking forms into steps, and clear copy lower mental effort.
Security products are sold on fear of what happens without them, not excitement about the features. The most effective security landing pages lead with a threat — the scale of the problem, the consequences of being hacked, or a recent industry statistic about WordPress vulnerabilities. Once the threat is real for the visitor, the product becomes a relief rather than a purchase. The secondary conversion driver is the free tier — for a developer audience, 'try before you buy' is table stakes.
Developers don't buy tools they haven't used. The free tier is not a marketing concession — it's a mandatory part of the conversion funnel. It converts visitors who are evaluating to users; users convert to paid at dramatically higher rates than cold visitors. WPScan's free plan needs to be displayed prominently and clearly, with a precise description of what's included, so developers can assess whether the free tier meets their needs or whether they'll need to upgrade.
Vulnerability statistics work best when they're current, specific, and attributed to a credible source. '97,000+ WordPress vulnerabilities in the database' is more persuasive than 'thousands of vulnerabilities' because the specificity signals that the data is real and maintained. Statistics should be placed early — in the hero or the first content section — because they establish the scale of the problem that justifies the product's existence.
For developer tools, a free tier plus paid tiers based on usage or features is the standard model that converts best. The free tier handles initial acquisition; the paid tier captures users who hit the free tier's limits. Pricing should be transparent on the landing page — developers will find the pricing page eventually, and hiding it creates friction and suspicion.
We design high-converting landing pages for B2B and B2C brands. Let's talk about yours.
Get a Free Consultation Or browse more examples →
Founder & CEO of Apexure, Waseem worked in London's Financial Industry. He has worked on trading floors in BNP Paribas and Trafigura, developing complex business systems. Waseem loves working with Startups and combines data and design to create improved User Experiences.
Get quality posts covering insights into Conversion Rate Optimisation, Landing Pages and great design
"Security products are unique because the conversion trigger is often negative: the visitor just got hacked, or they read about a vulnerability, or their client asked if their site is secure. When the visitor arrives in a heightened state of concern, the page's job is to be the calm, competent solution. Not alarmist — reassuring. 'We've got this covered' is more converting than 'your site is at risk.'"