WordPress website with same origin issues and other insecurity...

See: https://sritest.io/#report/35a9f09c-fa33-4e0d-bdab-f848ab8988d2
F-F-F-F-X status: https://observatory.mozilla.org/analyze.html?host=www.hospitalaleman.com
Re: https://aw-snap.info/file-viewer/?protocol=secure&tgt=www.hospitalaleman.com&ref_sel=GSP2&ua_sel=ff&fs=1
1 vuln.library detected: http://retire.insecurity.today/#!/scan/8b6630f81acd54c12e7b5546d16e1cc4609d15c0c536579116e7a5294532867c
Check WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress site's front page.

vipers-video-quicktags
gfdd-fancybox

Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled
/wp-content/plugins/ disabled
Directory indexing was tested on the /wp-content/uploads/ and /wp-content/plugins/ directories. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

Warning: Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Secure Cookie Warning: Overview
Cookies served over HTTPS but not flagged as “secure” may be sent over an insecure connection by the browser. Often this may be a simple request for an asset such as a bitmap file but if it’s on the same domain as the cookie is valid for then it will be sent in an insecure fashion. This poses a risk of interception via a man in the middle attack.

Result
It looks like a cookie is being served over HTTPS without the “secure” flag being set (name : value):

qtrans_front_language : es
Unless the cookie needs to be sent over an insecure connection, the “secure” flag should always be set to ensure it can only be sent with an HTTPS request.

polonus (volunteer website security analyst and website error-hunter)
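
A site owner can re-run the header and cookie checks quoted in the post above against captured response headers. This is an added example, not part of the original post or of any of the scanners it links to. The Server, X-Powered-By and qtrans_front_language values are taken from the report; the cookie attributes, the second cookie, the list of disclosing header names and all function names are assumptions made for illustration.

```python
import re

# Constructed sample input: response headers as (name, value) pairs.
# The Path attribute and the session_demo cookie are assumed, not from the report.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.2.15 (CentOS)"),
    ("X-Powered-By", "PHP/5.3.3"),
    ("Set-Cookie", "qtrans_front_language=es; Path=/"),
    ("Set-Cookie", "session_demo=abc123; Path=/; Secure; HttpOnly"),
]

# Headers that commonly reveal the web platform (assumed list, extend as needed).
DISCLOSING = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers, over_https=True):
    """Return a list of (kind, header_or_cookie_name, raw_value) findings."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname in DISCLOSING:
            # A version number is more useful to an observer than a bare product name.
            kind = "version-disclosure" if VERSION_RE.search(value) else "platform-disclosure"
            findings.append((kind, name, value))
        elif lname == "set-cookie" and over_https:
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(("cookie-missing-secure", cookie, value))
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```
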