I didn't start any security scan, or activated any module. Does SecuPress actually do something?

Yes it does.

SecuPress works as soon as it is activated, but unlike WP Rocket, which does its job on its own once activated, SecuPress requires you to scan your site and go through the four simple steps of the securing process at least once.

When SecuPress is activated, very few things are set by default and you can undo them later :

• When a user wants to change his password, SecuPress asks for the current password.
• The anti-spam module directly sends your spam to the trash, blocks shortcodes in comments, and improves the comment blacklist.
• Bad plugin or theme detection is active by default.