[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXflw7PiPEZPeOm94FZ1Rh153b98z6tf1Ba9g-9dpkxs":3,"$flI2xSA65NUjJbQ41eXBpi1funvOjKDbhbedE7phHuTo":274,"$fdD5D9WX9H9UHwIZrO0oRA-xNqEtmod8HS-crxMgZtbA":278},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":36,"analysis":141,"fingerprints":247},"boonrisk-site-security-check-report","BoonRisk – Site Security Check & Report","1.0.2","Boon Band","https:\u002F\u002Fprofiles.wordpress.org\u002Fboonband\u002F","\u003Cp>BoonRisk gives you a \u003Cstrong>clear security and readiness report\u003C\u002Fstrong> for your WordPress site. See exactly what security risks exist, why they matter, and what to do about them — all explained in plain language.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Safe & Read-Only:\u003C\u002Fstrong> This plugin only reads your site configuration. 
It does not scan files, block traffic, or make any changes to your WordPress installation.\u003C\u002Fp>\n\u003Ch4>What You Get\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security Check Report\u003C\u002Fstrong> — See your site’s security status: PHP version, WordPress updates, user settings, HTTPS, and 30+ configuration checks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clear Explanations\u003C\u002Fstrong> — Every finding explains “why this matters” and “what to do about it” in plain language\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Prioritized Risks\u003C\u002Fstrong> — Top risks ranked by impact so you know what to fix first\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Printable Report\u003C\u002Fstrong> — Professional HTML report you can view, print, or share directly from WordPress admin\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>What This Plugin Does NOT Do (100% Safe)\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>No file scanning\u003C\u002Fstrong> — Does not scan your files or look for malware\u003C\u002Fli>\n\u003Cli>\u003Cstrong>No traffic blocking\u003C\u002Fstrong> — Does not act as a firewall or block visitors\u003C\u002Fli>\n\u003Cli>\u003Cstrong>No site changes\u003C\u002Fstrong> — Does not modify settings, files, or database\u003C\u002Fli>\n\u003Cli>\u003Cstrong>No active testing\u003C\u002Fstrong> — Does not simulate attacks or run security scans\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Read-only analysis\u003C\u002Fstrong> — Only reads your configuration, never writes or changes anything\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Who Is It For?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Site owners\u003C\u002Fstrong> — Understand your security risks without technical expertise\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Freelancers & agencies\u003C\u002Fstrong> — Generate client-ready reports in minutes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developers\u003C\u002Fstrong> — Quick baseline check before or after 
deployments\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Teams\u003C\u002Fstrong> — Consistent security reporting across multiple WordPress sites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Free Security Check (No Account Required)\u003C\u002Fh4>\n\u003Cp>Run a complete security and readiness check instantly — 100% local, no data sent anywhere:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Overall Risk Level\u003C\u002Fstrong> — Clear Low\u002FMedium\u002FHigh rating with explanation of what it means\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Top Risks First\u003C\u002Fstrong> — See your biggest security issues ranked by impact\u003C\u002Fli>\n\u003Cli>\u003Cstrong>30+ Configuration Checks\u003C\u002Fstrong> — WordPress updates, PHP version, HTTPS, user permissions, backups, 2FA, debug mode, and more\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Action Plan\u003C\u002Fstrong> — Every issue includes “why it matters” and “how to fix it”\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Professional Report\u003C\u002Fstrong> — Printable HTML report you can view in WordPress admin or share with your team\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>What you’ll learn:\u003C\u002Fstrong> “Is my site at risk?” and “What should I fix first?”\u003C\u002Fp>\n\u003Cp>\u003Cstrong>100% Private:\u003C\u002Fstrong> All checks run on your server. Nothing is sent externally. 
No account or email required.\u003C\u002Fp>\n\u003Ch4>Optional: Web Dashboard\u003C\u002Fh4>\n\u003Cp>Connect the plugin to the \u003Ca href=\"https:\u002F\u002Fboonrisk.com\u002F\" rel=\"nofollow ugc\">BoonRisk web dashboard\u003C\u002Fa> for additional capabilities (optional, requires free account):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fboonrisk.com\u002Fscanner\u002F\" rel=\"nofollow ugc\">Surface Scan\u003C\u002Fa>\u003C\u002Fstrong> — External scan of your site’s public-facing security headers, SSL configuration, and exposed services\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Vulnerability Intelligence\u003C\u002Fstrong> — Known CVEs matched to your installed plugins and themes with severity ratings\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Continuous Monitoring\u003C\u002Fstrong> — Automatic daily checks with alerts when your security posture changes\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Track Over Time\u003C\u002Fstrong> — See how your site security improves (or changes) month over month\u003C\u002Fli>\n\u003Cli>\u003Cstrong>PDF Reports\u003C\u002Fstrong> — Download professional reports to share with clients or management\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Note:\u003C\u002Fstrong> The local security check is fully functional on its own. 
The web dashboard is completely optional.\u003C\u002Fp>\n\u003Cp>Learn more at \u003Ca href=\"https:\u002F\u002Fboonrisk.com\u002F\" rel=\"nofollow ugc\">boonrisk.com\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>How It Works\u003C\u002Fh3>\n\u003Ch4>Local Assessment (Default)\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Install and activate the plugin\u003C\u002Fli>\n\u003Cli>Go to \u003Cstrong>BoonRisk\u003C\u002Fstrong> \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> \u003Cstrong>Local Assessment\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Click \u003Cstrong>Run Assessment Now\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>View your Security Posture Summary and Top Risks\u003C\u002Fli>\n\u003Cli>Click \u003Cstrong>View Full Report\u003C\u002Fstrong> for a printable HTML report\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>All analysis happens on your server. Nothing is sent externally.\u003C\u002Fp>\n\u003Ch4>Web Dashboard (Optional)\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Create a free account at \u003Ca href=\"https:\u002F\u002Fboonrisk.com\u002F\" rel=\"nofollow ugc\">boonrisk.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Go to \u003Cstrong>BoonRisk\u003C\u002Fstrong> \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> \u003Cstrong>Connect (Optional)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Enter your API key\u003C\u002Fli>\n\u003Cli>Send your assessment to the dashboard for vulnerability intelligence, surface scan, and monitoring\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>External API calls only happen when you explicitly request them.\u003C\u002Fp>\n\u003Ch3>Data Usage\u003C\u002Fh3>\n\u003Ch4>Local Assessment\u003C\u002Fh4>\n\u003Cp>In local mode, \u003Cstrong>no data is sent externally\u003C\u002Fstrong>. 
All checks run inside WordPress.\u003C\u002Fp>\n\u003Ch4>Web Dashboard (Optional)\u003C\u002Fh4>\n\u003Cp>When you send data to the dashboard, the following is transmitted:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>PHP and WordPress versions\u003C\u002Fli>\n\u003Cli>Active plugin and theme names\u002Fversions\u003C\u002Fli>\n\u003Cli>Configuration flags (debug mode, file editor status, etc.)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>What you get in return:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Known vulnerability data for your installed plugins and themes\u003C\u002Fli>\n\u003Cli>Surface scan results for public-facing security\u003C\u002Fli>\n\u003Cli>Severity context for identified risks\u003C\u002Fli>\n\u003Cli>Historical trend data and monitoring alerts\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>What is never collected:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>User data or personal information\u003C\u002Fli>\n\u003Cli>Passwords or credentials\u003C\u002Fli>\n\u003Cli>Post\u002Fpage content\u003C\u002Fli>\n\u003Cli>Database contents\u003C\u002Fli>\n\u003Cli>File contents\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Data is sent \u003Cstrong>only when you click\u003C\u002Fstrong> Send to Dashboard or enable automatic daily sync. No personal data is collected.\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>Read our full privacy policy at https:\u002F\u002Fboonrisk.com\u002Fprivacy\u003C\u002Fp>\n","Security posture report for WordPress — 30+ checks, prioritized risks, and a printable report. 
Get a clear picture in minutes.",0,171,"2026-02-16T17:38:00.000Z","6.9.4","5.0","7.4",[18,19,20,21,22],"audit","hardening","security","site-health","vulnerability","https:\u002F\u002Fboonrisk.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fboonrisk-site-security-check-report.1.0.2.zip",100,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"boonband",1,30,94,"2026-05-19T19:15:46.554Z",[37,56,81,97,122],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":25,"num_ratings":47,"last_updated":48,"tested_up_to":14,"requires_at_least":49,"requires_php":50,"tags":51,"homepage":52,"download_link":53,"security_score":54,"vuln_count":32,"unpatched_count":11,"last_vuln_date":55,"fetched_at":27},"wpvulnerability","WPVulnerability","4.3.1","Javier Casares","https:\u002F\u002Fprofiles.wordpress.org\u002Fjaviercasares\u002F","\u003Cp>This plugin integrates with the WPVulnerability API to provide real-time vulnerability assessments for your WordPress core, plugins, themes, PHP version, Apache HTTPD, nginx, MariaDB, MySQL, ImageMagick, curl, memcached, Redis, and SQLite.\u003C\u002Fp>\n\u003Cp>It delivers detailed reports directly within your WordPress dashboard, helping you stay aware of potential security risks. Configure the plugin to send periodic notifications about your site’s security status, ensuring you remain informed without being overwhelmed. Designed for ease of use, it supports proactive security measures without storing or retrieving any personal data from your site.\u003C\u002Fp>\n\u003Ch4>Data reliability\u003C\u002Fh4>\n\u003Cp>The information provided by the information database comes from different sources that have been reviewed by third parties. 
There is no liability of any kind for the information. Act at your own risk.\u003C\u002Fp>\n\u003Ch3>Using the plugin\u003C\u002Fh3>\n\u003Ch4>WP-CLI\u003C\u002Fh4>\n\u003Cp>You can use the following WP-CLI commands to manage and check vulnerabilities:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Core: \u003Ccode>wp wpvulnerability core\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Plugins: \u003Ccode>wp wpvulnerability plugins\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Themes: \u003Ccode>wp wpvulnerability themes\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>PHP: \u003Ccode>wp wpvulnerability php\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Apache HTTPD: \u003Ccode>wp wpvulnerability apache\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>nginx: \u003Ccode>wp wpvulnerability nginx\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>MariaDB: \u003Ccode>wp wpvulnerability mariadb\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>MySQL: \u003Ccode>wp wpvulnerability mysql\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>ImageMagick: \u003Ccode>wp wpvulnerability imagemagick\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>curl: \u003Ccode>wp wpvulnerability curl\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>memcached: \u003Ccode>wp wpvulnerability memcached\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Redis: \u003Ccode>wp wpvulnerability redis\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>SQLite: \u003Ccode>wp wpvulnerability sqlite\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>To configure the plugin you can use:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Hide component: \u003Ccode>wp wpvulnerability config hide \u003Ccomponent> [on|off]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Notification email: \u003Ccode>wp wpvulnerability config email \u003Cemails>\u003C\u002Fcode> (comma-separated)\u003C\u002Fli>\n\u003Cli>Notification period: \u003Ccode>wp wpvulnerability config period \u003Cnever|daily|weekly>\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Log retention: \u003Ccode>wp wpvulnerability config log-retention 
\u003C0|1|7|14|28>\u003C\u002Fcode> (in days)\u003C\u002Fli>\n\u003Cli>Cache duration: \u003Ccode>wp wpvulnerability config cache \u003C1|6|12|24>\u003C\u002Fcode> (in hours)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>All commands support the \u003Ccode>--format\u003C\u002Fcode> option to specify the output format:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>--format=table\u003C\u002Fcode>: Displays the results in a table format (default).\u003C\u002Fli>\n\u003Cli>\u003Ccode>--format=json\u003C\u002Fcode>: Displays the results in JSON format.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Need help?\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>wp wpvulnerability --help\u003C\u002Fcode>: Displays help information for WPVulnerability commands.\u003C\u002Fli>\n\u003Cli>\u003Ccode>wp wpvulnerability [command] --help\u003C\u002Fcode>: Displays help information for a WPVulnerability command.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>REST API\u003C\u002Fh4>\n\u003Cp>The WPVulnerability plugin provides several \u003Cstrong>REST API endpoints\u003C\u002Fstrong> to fetch vulnerability information for different components of your WordPress site.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Core: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fcore\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Plugins: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fplugins\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Themes: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fthemes\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>PHP: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fphp\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Apache HTTPD: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fapache\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>nginx: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fnginx\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>MariaDB: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fmariadb\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>MySQL: 
\u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fmysql\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>ImageMagick: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fimagemagick\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>curl: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fcurl\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>memcached: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fmemcached\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Redis: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fredis\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>SQLite: \u003Ccode>\u002Fwpvulnerability\u002Fv1\u002Fsqlite\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The WPVulnerability REST API uses \u003Cstrong>Application Passwords\u003C\u002Fstrong> for authentication. You need to include a valid Application Password in the Authorization header of your requests.\u003C\u002Fp>\n\u003Cp>Example Request with Authentication\u003C\u002Fp>\n\u003Cpre>\u003Ccode>curl -X GET https:\u002F\u002Fexample.com\u002Fwp-json\u002Fwpvulnerability\u002Fv1\u002Fplugins -u username:application_password\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Replace username with your WordPress \u003Ccode>username\u003C\u002Fcode> and \u003Ccode>application_password\u003C\u002Fcode> with your \u003Ca href=\"https:\u002F\u002Fmake.wordpress.org\u002Fcore\u002F2020\u002F11\u002F05\u002Fapplication-passwords-integration-guide\u002F\" rel=\"nofollow ugc\">Application Password\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Extra Configurations\u003C\u002Fh3>\n\u003Ch4>“From:” mail (since: 3.2.2)\u003C\u002Fh4>\n\u003Cp>If, for some reason, you need the emails sent by the plugin to have a From different from the site administrator, you can change it from the \u003Ccode>wp-config.php\u003C\u002Fcode> by adding a constant:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_MAIL', 'sender@example.com' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>If the constant is active, it will be visible in the configuration 
screen.\u003C\u002Fp>\n\u003Ch4>Force hiding checks (since: 4.1.0)\u003C\u002Fh4>\n\u003Cp>If you want to always hide a specific component, you can define a constant in \u003Ccode>wp-config.php\u003C\u002Fcode>. When set to \u003Ccode>true\u003C\u002Fcode>, the option will be checked automatically in the settings screen and the related analysis will be skipped.\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_HIDE_APACHE', true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Available constants: \u003Ccode>WPVULNERABILITY_HIDE_CORE\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_PLUGINS\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_THEMES\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_PHP\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_APACHE\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_NGINX\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_MARIADB\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_MYSQL\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_IMAGEMAGICK\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_CURL\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_MEMCACHED\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_REDIS\u003C\u002Fcode>, \u003Ccode>WPVULNERABILITY_HIDE_SQLITE\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Ch4>Cache duration (since: 4.1.0)\u003C\u002Fh4>\n\u003Cp>By default, data from the API is cached for 12 hours. To change this, define \u003Ccode>WPVULNERABILITY_CACHE_HOURS\u003C\u002Fcode> in \u003Ccode>wp-config.php\u003C\u002Fcode> with one of \u003Ccode>1\u003C\u002Fcode>, \u003Ccode>6\u003C\u002Fcode>, \u003Ccode>12\u003C\u002Fcode> or \u003Ccode>24\u003C\u002Fcode>. 
This value overrides the setting screen and WP-CLI command.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_CACHE_HOURS', 24 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>Log rotation (since: 4.2.0)\u003C\u002Fh4>\n\u003Cp>WPVulnerability stores the most recent API responses so you can review recent calls from the new log tab. Define \u003Ccode>WPVULNERABILITY_LOG_RETENTION_DAYS\u003C\u002Fcode> in \u003Ccode>wp-config.php\u003C\u002Fcode> to control how many days of entries are preserved. Supported values are \u003Ccode>0\u003C\u002Fcode>, \u003Ccode>1\u003C\u002Fcode>, \u003Ccode>7\u003C\u002Fcode>, \u003Ccode>14\u003C\u002Fcode> or \u003Ccode>28\u003C\u002Fcode>; using \u003Ccode>0\u003C\u002Fcode> disables logging entirely.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_LOG_RETENTION_DAYS', 14 );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>When the constant is present its value is enforced in the settings UI and through WP-CLI, ensuring consistent log rotation across environments.\u003C\u002Fp>\n\u003Ch4>Security configuration (since: 4.3.0)\u003C\u002Fh4>\n\u003Cp>WPVulnerability uses a hybrid detection approach for server software (ImageMagick, Redis, Memcached, SQLite): PHP extensions first (most secure), then shell commands as fallback (most accurate). You can control this behavior using security configuration constants in \u003Ccode>wp-config.php\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Global disable of shell commands:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_DISABLE_SHELL_EXEC', true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Completely disables shell command usage. Falls back to PHP extensions only. 
Use for maximum security when accuracy loss is acceptable.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security mode (standard\u002Fstrict\u002Fdisabled):\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_SECURITY_MODE', 'strict' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cul>\n\u003Cli>\u003Ccode>standard\u003C\u002Fcode> – Hybrid detection: PHP extensions first, shell commands fallback (default, best accuracy)\u003C\u002Fli>\n\u003Cli>\u003Ccode>strict\u003C\u002Fcode> – PHP extensions only, no shell commands (high security, lower accuracy)\u003C\u002Fli>\n\u003Cli>\u003Ccode>disabled\u003C\u002Fcode> – No software detection at all (maximum security)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Component whitelist:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_SHELL_EXEC_WHITELIST', 'imagemagick,redis' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Allows shell commands only for specified components. Available components: \u003Ccode>imagemagick\u003C\u002Fcode>, \u003Ccode>redis\u003C\u002Fcode>, \u003Ccode>memcached\u003C\u002Fcode>, \u003Ccode>sqlite\u003C\u002Fcode>. Use for granular control.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Examples:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Maximum security (no shell commands):\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_SECURITY_MODE', 'strict' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Only allow ImageMagick shell detection:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_SHELL_EXEC_WHITELIST', 'imagemagick' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Complete disable:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'WPVULNERABILITY_DISABLE_SHELL_EXEC', true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>All shell commands are hardcoded and validated – no user input is involved. 
Commands are logged for security auditing.\u003C\u002Fp>\n\u003Ch3>Compatibility\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WordPress: 4.7 – 6.9\u003C\u002Fli>\n\u003Cli>PHP: 5.6 – 8.5\u003C\u002Fli>\n\u003Cli>WP-CLI: 2.3.0 – 2.11.0\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security\u003C\u002Fh3>\n\u003Cp>This plugin adheres to the following security measures and review protocols for each version:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002F\" rel=\"nofollow ugc\">WordPress Plugin Handbook\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fwordpress-org\u002Fplugin-security\u002F\" rel=\"nofollow ugc\">WordPress Plugin Security\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdeveloper.wordpress.org\u002Fapis\u002Fsecurity\u002F\" rel=\"nofollow ugc\">WordPress APIs Security\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWordPress\u002FWordPress-Coding-Standards\" rel=\"nofollow ugc\">WordPress Coding Standards\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fplugin-check\u002F\" rel=\"ugc\">Plugin Check (PCP)\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>This plugin or the WordPress Vulnerability Database API does not collect any information about your site, your identity, the plugins, themes or content the site has.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Vulnerabilities\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>A security vulnerability was found and fixed in version 4.2.2.1. All previous versions (3.3.0 – 4.2.1) are affected. Please update to version 4.2.2.1 or later.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Found a security vulnerability? 
Please report it to us privately at the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fjaviercasares\u002Fwpvulnerability\u002Fsecurity\u002Fadvisories\u002Fnew\" rel=\"nofollow ugc\">WPVulnerability GitHub repository\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Contributors\u003C\u002Fh3>\n\u003Cp>You can contribute to this plugin at the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fjaviercasares\u002Fwpvulnerability\" rel=\"nofollow ugc\">WPVulnerability GitHub repository\u003C\u002Fa>.\u003C\u002Fp>\n","Get WordPress vulnerability alerts from the WPVulnerability Database API.",10000,539168,20,"2026-01-20T15:01:00.000Z","4.7","5.6",[20,21,22],"https:\u002F\u002Fwww.wpvulnerability.com\u002Fplugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpvulnerability.4.3.1.zip",99,"2026-03-18 00:00:00",{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":64,"downloaded":65,"rating":66,"num_ratings":67,"last_updated":68,"tested_up_to":14,"requires_at_least":69,"requires_php":70,"tags":71,"homepage":76,"download_link":77,"security_score":78,"vuln_count":79,"unpatched_count":11,"last_vuln_date":80,"fetched_at":27},"sitelock","SiteLock Security – WP Hardening, Login Security & Malware Scans","5.1.1","SiteLock","https:\u002F\u002Fprofiles.wordpress.org\u002Fsitelocksecurity\u002F","\u003Cblockquote>\n\u003Cp>\u003Cstrong>🌟 Completely redesigned in Version 5.0 — now even stronger with 2FA in 5.1 🌟\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The SiteLock WordPress plugin was recently rebuilt with three goals: make it faster, make it clearer and move the heavy work to the cloud. We built a cloud-first architecture, modernized UI, expanded security controls and stripped out everything that didn’t need to be there. 
Our latest 5.1 release builds on that foundation with Two-Factor Authentication (2FA) to strengthen login security and give you tighter control over access.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>The big changes:\u003C\u002Fstrong>\u003Cbr \u002F>\n  – 🔒 Enhanced WordPress-specific hardening and login security controls\u003Cbr \u002F>\n  – ☁️ Cloud-powered scanning architecture for zero performance impact\u003Cbr \u002F>\n  – 🩺 New Site Health interface that shows you what matters in one view\u003Cbr \u002F>\n  – ⚡ Streamlined controls (fewer clicks to get protected)\u003Cbr \u002F>\n  – ✨ Modern codebase built for the WordPress you’re actually using today\u003Cbr \u002F>\n  – 🔢 Two-Factor Authentication (2FA) now available for stronger login protection\u003C\u002Fp>\n\u003Cp>If you used the old plugin: this is a different tool. If you’re new: you’re starting with the cleanest, fastest version of the plugin.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Your website deserves protection that’s simple, fast and built for WordPress. SiteLock WordPress Security focuses on the everyday controls that matter most and helps you establish a secure baseline in minutes — WordPress-specific hardening, login protection with Two-Factor Authentication (2FA) and a clear Site Health dashboard that keeps you in control without slowing your site down. It’s lightweight, action-first protection that complements your host defenses: essential safeguards run inside WordPress while deeper checks happen securely in the SiteLock cloud. Skip heavy on-server scans and alert fatigue — run on-demand checks when you need extra assurance, so you can ship updates with confidence.\u003C\u002Fp>\n\u003Ch4>Security that grows with you\u003C\u002Fh4>\n\u003Cp>Our goal is straightforward: maintain a strong baseline with minimal overhead while giving you clear visibility and room to grow as your needs evolve.\u003Cbr \u002F>\nAnd because security is never static, this plugin keeps pace. 
Two-Factor Authentication (2FA) is now available to strengthen login security with an extra layer of protection.\u003C\u002Fp>\n\u003Ch4>Commercial plugin\u003C\u002Fh4>\n\u003Cp>This plugin is free but offers additional paid commercial upgrades or support.\u003C\u002Fp>\n\u003Ch3>What’s included\u003C\u002Fh3>\n\u003Ch4>WordPress Hardening: Cut common attack paths in just a few clicks\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable directory listing\u003C\u002Fli>\n\u003Cli>Restrict PHP execution in upload folders\u003C\u002Fli>\n\u003Cli>Limit unsafe script types\u003C\u002Fli>\n\u003Cli>Force strong configuration defaults to close risky gaps\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>All options are toggle-based and reversible — safe to enable, easy to test and lightweight on performance.\u003C\u002Fem>\u003C\u002Fp>\n\u003Ch4>Login Security: Protect what matters most — your access\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Two-Factor Authentication (2FA)\u003C\u002Fstrong>: Add a second layer of verification to protect admin access\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute-force defense\u003C\u002Fstrong>: Blocks repeated failed logins and temporarily locks abusive IPs\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Password policy prompts\u003C\u002Fstrong>: Encourage stronger credentials without breaking workflows\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Session timeouts\u003C\u002Fstrong>: Automatically end idle sessions to prevent account hijacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Activity awareness\u003C\u002Fstrong>: View recent logins and admin changes in the \u003Cstrong>Activity Log\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Site Health & Cloud Checks: Clarity without noise\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Site Health Dashboard\u003C\u002Fstrong>: Surface key signals in one view — WordPress hardening status, last scan timestamp and actionable indicators\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cloud 
Checks\u003C\u002Fstrong>: Connect your free SiteLock account to enable recurring off-server checks (Webpage Scan, SSL Verification, Email Reputation and more)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Scan Now\u003C\u002Fstrong>: Run on-demand checks after updates or changes for instant assurance — no heavy, always-on local scanners\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Activity Log\u003C\u002Fstrong>: Track what’s happening across your WordPress admin. See admin\u002Flogin events at a glance making it easy to spot anomalies early and keep accountability clear\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Why Choose SiteLock WordPress Security?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Lightweight by design\u003C\u002Fstrong>: All high-impact protections, no unnecessary load\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real visibility\u003C\u002Fstrong>: Know your security posture in seconds with Site Health\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cloud-powered assurance\u003C\u002Fstrong>: Checks run off-server, protecting performance\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Flexible setup\u003C\u002Fstrong>: Use standalone or connect a SiteLock account for added layers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Strong login protection\u003C\u002Fstrong>: Two-Factor Authentication (2FA) alongside brute-force defense and session controls\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Trusted heritage\u003C\u002Fstrong>: From the global leader in SMB website security backed by continuous innovation and research\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Aligned to WordPress\u003C\u002Fstrong>: Designed to stay out of your way and keep performance priorities intact\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Who It’s For\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Small businesses & startups\u003C\u002Fli>\n\u003Cli>Portfolio & personal brand sites\u003C\u002Fli>\n\u003Cli>WooCommerce shops & small e-commerce\u003C\u002Fli>\n\u003Cli>Agencies & website maintenance services\u003C\u002Fli>\n\u003Cli>Freelance 
developers & web designers\u003C\u002Fli>\n\u003Cli>Bloggers, creators & publishers\u003C\u002Fli>\n\u003Cli>Community & membership sites\u003C\u002Fli>\n\u003Cli>Nonprofits & educational sites\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>If you manage a WordPress website, SiteLock gives you confidence and control whether you run one site or hundreds.\u003C\u002Fem>\u003C\u002Fp>\n\u003Ch4>Can I Fix an Already-Infected Site with This Plugin?\u003C\u002Fh4>\n\u003Cp>The plugin focuses on prevention, posture and visibility — not full malware removal. It isn’t designed to fully clean up sites that were infected before it was active.\u003Cbr \u002F>\nIf your site is already compromised, act quickly. We recommend:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Restoring from a clean backup if available\u003C\u002Fli>\n\u003Cli>Removing malicious files manually or with professional help\u003C\u002Fli>\n\u003Cli>For urgent assistance, consider \u003Ca href=\"https:\u002F\u002Fwww.sitelock.com\u002Fproducts\u002Ffix-hacked-site\u002F\" rel=\"nofollow ugc\">SiteLock 911 – Emergency Malware Removal\u003C\u002Fa> for rapid cleanup\u003C\u002Fli>\n\u003Cli>For ongoing defense, consider \u003Ca href=\"https:\u002F\u002Fwww.sitelock.com\u002Fpricing\u002F\" rel=\"nofollow ugc\">choosing a comprehensive SiteLock plan\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Don’t Know Where To Start? Try This\u003C\u002Fh4>\n\u003Cp>Here are common first moves teams take with SiteLock. 
Order isn’t enforced — choose what fits your site and workflow:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enable WordPress hardening that matches your hosting and theme setup\u003C\u002Fli>\n\u003Cli>Turn on Login Security controls: brute-force lockouts, session timeouts, and password-hygiene prompts\u003C\u002Fli>\n\u003Cli>Connect a free SiteLock account, then use Scan Now to run an on-demand check after plugin\u002Ftheme updates\u003C\u002Fli>\n\u003Cli>Review the Activity Log after major changes to spot unexpected admin\u002Flogin events quickly\u003Cbr \u002F>\nMake one change at a time, validate and roll back any toggle that conflicts with your stack.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Need Help with Setup or Fixes?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Visit \u003Ca href=\"https:\u002F\u002Fwww.sitelock.com\u002Fhelp-center\u002F?topics=wordpress-plugin\" rel=\"nofollow ugc\">Help Center – WordPress\u003C\u002Fa> for plugin specific help\u003C\u002Fli>\n\u003Cli>For broader topics explore the \u003Ca href=\"https:\u002F\u002Fwww.sitelock.com\u002Fhelp-center\u002F\" rel=\"nofollow ugc\">SiteLock Help Center\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security\u003C\u002Fh4>\n\u003Cp>Protecting our customers and systems is a top priority, and we take security very seriously. If you believe you’ve found a security vulnerability in the SiteLock WordPress plugin, please let us know at vuln-reporting@sitelock.com before sharing any details publicly.\u003C\u002Fp>\n","Free, lightweight WordPress security. 
Harden your site with login protection & 2FA, see Site Health clearly and run on-demand checks—setup in minutes.",1000,50150,68,14,"2026-04-07T18:44:00.000Z","3.8","8.0",[72,73,21,74,75],"login-security","malware-scan","vulnerability-scanner","wordpress-security","https:\u002F\u002Fwww.sitelock.com\u002Fwordpress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsitelock.5.1.1.zip",98,2,"2026-01-25 00:00:00",{"slug":82,"name":83,"version":84,"author":85,"author_profile":86,"description":87,"short_description":88,"active_installs":11,"downloaded":89,"rating":11,"num_ratings":11,"last_updated":90,"tested_up_to":14,"requires_at_least":91,"requires_php":16,"tags":92,"homepage":95,"download_link":96,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"resilience-compliance-manager","Resilience Compliance Manager","1.2.12","bean1352","https:\u002F\u002Fprofiles.wordpress.org\u002Fbean1352\u002F","\u003Cp>If you sell a WordPress plugin or theme to anyone in the EU, the EU Cyber Resilience Act (Regulation 2024\u002F2847) applies to you. It does not matter where you are based or whether your product is free. Agencies distributing custom plugins or themes to EU clients are also in scope.\u003C\u002Fp>\n\u003Cp>From September 11, 2026, you need a documented vulnerability reporting process, the required security documents, and a way to monitor your products for known vulnerabilities. ResilienceWP is built for WordPress developers — plugin developers, theme developers, and agencies — to cover all of that in one place.\u003C\u002Fp>\n\u003Cp>Non-compliance carries fines up to EUR 15 million or 2.5% of global annual turnover. Authorities can also force non-compliant products off the EU market.\u003C\u002Fp>\n\u003Cp>The free plan covers the paperwork side of compliance: checklist, five document templates, and the CRA education guide. 
Paid plans add automated vulnerability scanning, email alerts, the Incident Center for ENISA notification management, and downloadable compliance reports, all directly inside your WordPress admin. Pro plans also include webhook integrations for CI\u002FCD pipelines and external tools — get real-time notifications when scans complete or vulnerabilities are found.\u003C\u002Fp>\n\u003Cp>For pricing, documentation, and more details visit \u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\" rel=\"nofollow ugc\">resiliencewp.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Compliance Checklist (Free)\u003C\u002Fh4>\n\u003Cp>26 actionable items, each mapped to a specific CRA article. Five categories cover everything the regulation requires:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Risk Assessment: documenting threats, attack surfaces, and mitigations\u003C\u002Fli>\n\u003Cli>Secure Development: secure defaults, no known exploitable vulnerabilities at release\u003C\u002Fli>\n\u003Cli>Vulnerability Handling: disclosure policy, coordinated reporting, user notification\u003C\u002Fli>\n\u003Cli>Required Documentation: SBOM, Declaration of Conformity, technical file\u003C\u002Fli>\n\u003Cli>Post-Market Obligations: ongoing monitoring, security updates, end-of-life policy\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Every item has a plain-English explanation of what it means and why it matters. Check items off as you complete them. 
Progress saves automatically.\u003C\u002Fp>\n\u003Ch4>Document Generator (Free)\u003C\u002Fh4>\n\u003Cp>Generate the five documents the CRA requires before you can legally place a product on the EU market:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Vulnerability Disclosure Policy (Article 13(6)): your public process for receiving and handling security reports from researchers\u003C\u002Fli>\n\u003Cli>Incident Response Plan: your internal procedure when a vulnerability is discovered or actively exploited\u003C\u002Fli>\n\u003Cli>EU Declaration of Conformity: the formal self-declaration that your product meets CRA essential requirements\u003C\u002Fli>\n\u003Cli>Software Bill of Materials (SBOM) (Article 13): a structured inventory of your plugin’s components, dependencies, and third-party libraries\u003C\u002Fli>\n\u003Cli>security.txt: the machine-readable contact file security researchers use to reach you, placed at \u002F.well-known\u002Fsecurity.txt\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Fill in your plugin name, contact details, and a few specifics. Download in text or markdown format. No starting from scratch, no lawyer needed for the first draft.\u003C\u002Fp>\n\u003Ch4>CRA Education Centre (Free)\u003C\u002Fh4>\n\u003Cp>An article-by-article breakdown of Regulation (EU) 2024\u002F2847, written for developers rather than legal teams. Understand what each obligation actually requires: what counts as “active exploitation,” what an SBOM needs to contain, what the 24-hour reporting window really means.\u003C\u002Fp>\n\u003Ch4>Vulnerability Scanner (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>Connect your account to ResilienceWP and it monitors your plugins against the WPScan vulnerability database on a regular schedule. Weekly on Basic, daily on Pro.\u003C\u002Fp>\n\u003Cp>You can monitor any plugin by its WordPress.org slug, not just the plugins currently installed on your site. 
If your plugin depends on WooCommerce, ACF, or any other third-party plugin, you can add those slugs directly and track vulnerabilities in your dependencies. Plugins can also be added directly from your installed plugins list.\u003C\u002Fp>\n\u003Cp>The moment a new vulnerability is found, you get an email with the severity rating, CVE ID, affected version range, and fix version if one is available. Back in your WordPress admin, vulnerabilities are grouped by plugin and sorted by date discovered, so you can see at a glance which plugins have open issues and how old they are.\u003C\u002Fp>\n\u003Cp>Each vulnerability card shows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Severity (Critical \u002F High \u002F Medium \u002F Low \u002F Info) with colour coding\u003C\u002Fli>\n\u003Cli>CVE identifier linked directly to the NVD entry\u003C\u002Fli>\n\u003Cli>The fix version (or “no fix available yet”)\u003C\u002Fli>\n\u003Cli>An action hint: whether to update, acknowledge, or open an incident\u003C\u002Fli>\n\u003Cli>A button to report the incident directly to the Incident Center\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Status tracking lets you mark vulnerabilities as Open, Acknowledged, In Progress, Resolved, or False Positive. Export the full vulnerability list as CSV for your compliance records.\u003C\u002Fp>\n\u003Ch4>Incident Center (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>When a vulnerability in your plugin is being actively exploited, the CRA requires you to notify ENISA within 24 hours. 
The Incident Center tracks that deadline from the moment you log first awareness and guides you through the complete regulatory workflow.\u003C\u002Fp>\n\u003Cp>Creating a new incident logs the discovery timestamp and starts all three countdown timers simultaneously:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Early Warning: due within 24 hours of first awareness\u003C\u002Fli>\n\u003Cli>Vulnerability Notification: due within 72 hours, with full technical details\u003C\u002Fli>\n\u003Cli>Final Report: due within 14 days, including root cause and remediation steps\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>The case view shows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Live countdown timers for each notification deadline, turning amber at 6 hours and red when overdue\u003C\u002Fli>\n\u003Cli>A completeness score on your incident report so you know exactly what information is still missing\u003C\u002Fli>\n\u003Cli>A “Where to Submit” section with direct links to ENISA’s reporting portal, the EU CSIRT network directory, and the CVE Programme at MITRE\u003C\u002Fli>\n\u003Cli>A full audit log recording every action taken, every field updated, and every notification submitted\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>On Pro, you can export the full incident case including all notifications and the complete audit log, formatted for submission to regulators or for your compliance archive.\u003C\u002Fp>\n\u003Ch4>Dashboard and Compliance Score\u003C\u002Fh4>\n\u003Cp>The dashboard gives you a live compliance score (0-100) with a transparent breakdown:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>-15 points per open critical vulnerability\u003C\u002Fli>\n\u003Cli>-7 points per open high vulnerability\u003C\u002Fli>\n\u003Cli>-3 points per open medium vulnerability\u003C\u002Fli>\n\u003Cli>-20 points per overdue incident (past the 24-hour ENISA deadline)\u003C\u002Fli>\n\u003Cli>-5 points per active open incident\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It is not a vanity metric. 
It is a working indicator of where you stand against your CRA obligations at any point in time, with the exact deductions shown so you know what to fix first.\u003C\u002Fp>\n\u003Ch4>Compliance Reports and SBOM Export (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>Generate a PDF compliance report for auditors or regulators covering your vulnerability history, resolution timeline, and document status. Export your Software Bill of Materials in standard format, as required by CRA Article 13.\u003C\u002Fp>\n\u003Ch4>Webhook Integrations (Pro)\u003C\u002Fh4>\n\u003Cp>Connect ResilienceWP to your CI\u002FCD pipeline, Slack, or any external tool with webhook callbacks. Configure webhook endpoints in Settings and receive real-time HTTP POST notifications with HMAC-SHA256 signed payloads when:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A scheduled or manual scan completes\u003C\u002Fli>\n\u003Cli>A new vulnerability is found in one of your monitored plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Each webhook delivery is logged with status codes and response data, so you can debug integration issues directly from your WordPress admin. 
Manage up to 5 webhook endpoints per account, toggle them on and off, and filter by event type.\u003C\u002Fp>\n\u003Ch4>Who needs to comply\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Commercial plugin developers: selling to EU customers through any channel (your site, Envato, direct) makes you the manufacturer under the CRA\u003C\u002Fli>\n\u003Cli>WordPress agencies: distributing custom-built plugins to EU clients, even for a single client, counts as placing a product on the market\u003C\u002Fli>\n\u003Cli>Freemium developers: having a free version does not exempt you; any commercial activity tied to the product brings you in scope\u003C\u002Fli>\n\u003Cli>Theme developers: themes with shortcodes, API integrations, or custom post types may qualify as “products with digital elements”\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Key dates\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>10 December 2024: CRA entered into force. Transition period began.\u003C\u002Fli>\n\u003Cli>11 September 2026: Vulnerability and incident reporting obligations apply.\u003C\u002Fli>\n\u003Cli>11 December 2027: Full CRA application. All requirements in effect.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Source Code\u003C\u002Fh4>\n\u003Cp>The admin dashboard is built with React and compiled using Vite. The uncompiled source is included in the plugin ZIP under admin\u002Fsrc\u002F. To rebuild from source:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Install Node.js 20+ and pnpm 10+\u003C\u002Fli>\n\u003Cli>Run \u003Ccode>pnpm install\u003C\u002Fcode> in the plugin directory\u003C\u002Fli>\n\u003Cli>Run \u003Ccode>pnpm build\u003C\u002Fcode> to recompile the admin dashboard\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>External Services\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>ResilienceWP API\u003C\u002Fstrong> (https:\u002F\u002Fapi.resiliencewp.com)\u003Cbr \u002F>\nUsed for API key verification, vulnerability scanning, incident management, and report generation. 
Data sent: API key, WordPress site URL, plugin slugs and versions.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\u002Fterms\" rel=\"nofollow ugc\">Terms of Service\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\u002Fprivacy\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WPScan\u003C\u002Fstrong> (via ResilienceWP API)\u003Cbr \u002F>\nPlugin vulnerability data is sourced from the WPScan database. Plugin slugs are sent through the ResilienceWP API. No personal data is sent from your WordPress installation directly to WPScan.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fterms\" rel=\"nofollow ugc\">WPScan Terms\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fprivacy\" rel=\"nofollow ugc\">WPScan Privacy Policy\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Paddle\u003C\u002Fstrong> (payments)\u003Cbr \u002F>\nSubscription payments are processed by Paddle as merchant of record. Payment data is handled entirely by Paddle and never passes through our servers.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.paddle.com\u002Flegal\u002Fterms\" rel=\"nofollow ugc\">Paddle Terms\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwww.paddle.com\u002Flegal\u002Fprivacy\" rel=\"nofollow ugc\">Paddle Privacy\u003C\u002Fa>\u003C\u002Fp>\n","CRA compliance for WordPress developers. 
Checklist, document generator, vulnerability scanner, and incident reporting for the 2026 EU deadline.",645,"2026-03-11T17:21:00.000Z","6.0",[18,93,94,20,74],"compliance","gdpr","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresilience-compliance-manager.1.2.12.zip",{"slug":98,"name":99,"version":100,"author":101,"author_profile":102,"description":103,"short_description":104,"active_installs":105,"downloaded":106,"rating":107,"num_ratings":108,"last_updated":109,"tested_up_to":110,"requires_at_least":91,"requires_php":111,"tags":112,"homepage":117,"download_link":118,"security_score":119,"vuln_count":120,"unpatched_count":11,"last_vuln_date":121,"fetched_at":27},"aryo-activity-log","Activity Log – Monitor & Record User Changes","2.11.2","Elementor","https:\u002F\u002Fprofiles.wordpress.org\u002Felemntor\u002F","\u003Cp>\u003Cstrong>AN EASY TO USE & FULLY SUPPORTED WORDPRESS ACTIVITY LOG PLUGIN\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Want to monitor and track your WordPress website activity? Find out exactly who does what on your WordPress website with this plugin. Activity Log is like an airplane’s black box that logs every action in the WordPress admin, and lets you see exactly what users are doing on your WordPress website.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>If someone is trying to hack your site\u003C\u002Fli>\n\u003Cli>When a post was published, and who published it\u003C\u002Fli>\n\u003Cli>If a plugin\u002Ftheme was activated\u002Fdeactivated\u003C\u002Fli>\n\u003Cli>Suspicious admin activity\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It’s so essential; you’ll wonder how you ever managed your website without it. The plugin is also lightning fast and works behind the scenes, so it doesn’t affect site and admin performance. For optimal performance, we built the plugin so that it runs on a separate table in the database.\u003C\u002Fp>\n\u003Cp>If you have more than a handful of users, keeping track of who did what is virtually impossible. 
This plugin solves that issue by tracking what actions were initiated by which users, and displaying it in an easy-to-use and easy-to-filter view on the dashboard of your WordPress site.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>New! Introducing Email Logging\u003C\u002Fstrong> – Capture all emails sent from your WordPress site for streamlined debugging and compliance. Gain better visibility into email communication, aiding both troubleshooting and record-keeping. This is particularly beneficial for WooCommerce stores, allowing you to easily track sent emails alongside other critical site events.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Export to CSV\u003C\u002Fstrong> – Export your Activity Log data records to CSV. Developers can easily add support for custom data formats with our new dedicated Export API.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Data Privacy and GDPR Compliance\u003C\u002Fstrong> – We provide the tools to help you adhere to GDPR compliance standards, including Export\u002FErasure of data via the WordPress Privacy Tools.\u003C\u002Fp>\n\u003Ch3>With the Activity Log you can record:\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>WordPress\u003C\u002Fstrong> – Core updates\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Posts\u003C\u002Fstrong> – Created, updated, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Pages\u003C\u002Fstrong> – Created, updated, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Post Type\u003C\u002Fstrong> – Created, updated, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Tags\u003C\u002Fstrong> – Created, updated, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Categories\u003C\u002Fstrong> – Created, updated, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Taxonomies\u003C\u002Fstrong> – Created, updated, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Menus\u003C\u002Fstrong> – Created, updated, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Media\u003C\u002Fstrong> – Created, updated, 
deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comments\u003C\u002Fstrong> – Created, approved, unapproved, trashed, untrashed, spammed, unspammed, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Users\u003C\u002Fstrong> – Login, logout, login failed, update profile, registered, deleted\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Plugins\u003C\u002Fstrong> – Installed, updated, activated, deactivated, changed\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Themes\u003C\u002Fstrong> – Installed, updated, deleted, activated, changed (Editor and Customizer)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Widgets\u003C\u002Fstrong> – Added to sidebar, deleted from sidebar, order widgets\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Setting\u003C\u002Fstrong> – General, writing, reading, discussion, media, permalinks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Options\u003C\u002Fstrong> – Extended custom settings for 3rd party plugins\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Export\u003C\u002Fstrong> – Exported activity log file\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WooCommerce\u003C\u002Fstrong> – Track products, orders, customers, and more\u003C\u002Fli>\n\u003Cli>\u003Cstrong>bbPress\u003C\u002Fstrong> – Forums, topics, replies, taxonomies, and other actions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Emails sent from WordPress site\u003C\u002Fstrong> – Sending successful, sending failed\u003C\u002Fli>\n\u003Cli>There’s more, of course, but you get the point…\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For each event recorded by the activity log, the following details are also logged:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Date and time of occurrence\u003C\u002Fli>\n\u003Cli>User and user role responsible for the change\u003C\u002Fli>\n\u003Cli>Source IP address from which the change originated\u003C\u002Fli>\n\u003Cli>Affected object where the change occurred\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The plugin doesn’t require any kind of setup; it works right out of the box (just another reason people love 
it)!\u003C\u002Fp>\n\u003Ch3>Data Storage and Performance Optimization\u003C\u002Fh3>\n\u003Cp>In order to ensure optimal performance of your website, all events and logs data are stored in a dedicated custom table within your WordPress database. This approach significantly reduces the impact on your website’s performance, ensuring seamless operation even during peak traffic periods.\u003C\u002Fp>\n\u003Ch3>Uninstall Clean-up\u003C\u002Fh3>\n\u003Cp>We understand the importance of maintaining a clean and efficient database environment. That’s why our plugin features an uninstall hook that seamlessly removes all traces of its presence from your website when uninstalling. This meticulous clean-up process ensures that your database remains lean and clutter-free even after our plugin has been removed.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>With our optimized data storage, thorough logging, and meticulous clean-up process, you can trust that our plugin will enhance the functionality and security of your WordPress site without compromising its performance.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch3>What users have to say\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cem>“Its tools, particularly for data privacy and GDPR compliance, make it indispensable for websites operating within European Union boundaries or dealing with EU citizens’ data”\u003C\u002Fem> – \u003Ca href=\"https:\u002F\u002Fblog.hubspot.com\u002Fwebsite\u002F8-best-plugins-tracking-user-activity-wordpress\" rel=\"nofollow ugc\">HubSpot.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cem>“If you’re after a competent WP security audit log plugin with all the basic features you need, Activity Log is it!”\u003C\u002Fem> – \u003Ca href=\"https:\u002F\u002Fwpastra.com\u002Fplugins\u002Fwordpress-activity-log-plugins\u002F\" rel=\"nofollow ugc\">WPAstra.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cem>“Activity Log features a remarkably straightforward dashboard interface, providing administrators with an 
at-a-glance understanding of site interactions”\u003C\u002Fem> – \u003Ca href=\"https:\u002F\u002Fwww.malcare.com\u002Fblog\u002Fwordpress-activity-log\u002F\" rel=\"nofollow ugc\">Malcare.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cem>“Best 10 Free WordPress Plugins of the Month: Keeping tabs on what your users do with their access to the Dashboard”\u003C\u002Fem> – \u003Ca href=\"https:\u002F\u002Fmanagewp.com\u002Fbest-free-wordpress-plugins-july-2014\" rel=\"nofollow ugc\">ManageWP.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cem>“Thanks to this step, we’ve discovered that our site was undergoing a brute force attack”\u003C\u002Fem> – \u003Ca href=\"https:\u002F\u002Fartdriver.com\u002Fblog\u002Fwordpress-site-hacked-solution-time\" rel=\"nofollow ugc\">Artdriver.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cem>“Optimized code – The plugin itself is blazing fast and leaves almost no footprint on the server”\u003C\u002Fem> – \u003Ca href=\"https:\u002F\u002Fwww.freshtechtips.com\u002F2014\u002F01\u002Fbest-audit-trail-plugins-for-wordpress.html\" rel=\"nofollow ugc\">FreshTechTips.com\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cem>“Activity Log lets you track a huge range of activities. Overall, very easy to use and setup”\u003C\u002Fem> – \u003Ca href=\"https:\u002F\u002Fwww.elegantthemes.com\u002Fblog\u002Ftips-tricks\u002F5-best-ways-to-monitor-wordpress-activity-via-the-dashboard\" rel=\"nofollow ugc\">ElegantThemes.com\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Contributions:\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Would you like to contribute to this plugin?\u003C\u002Fstrong> You’re more than welcome to submit your pull requests on the \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fpojome\u002Factivity-log\" rel=\"nofollow ugc\">GitHub repo\u003C\u002Fa>. 
And, if you have any notes about the code, please open a ticket on the issue tracker.\u003C\u002Fp>\n","This top rated Activity Log plugin helps you monitor & log all changes and actions on your WordPress site, so you can remain secure and organized.",200000,4007371,86,74,"2024-11-12T14:55:00.000Z","6.7.5","7.0",[113,114,115,20,116],"activity-log","audit-log","email-log","user-log","https:\u002F\u002Factivitylog.io\u002F?utm_source=wp-plugins&utm_campaign=plugin-uri&utm_medium=wp-dash","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faryo-activity-log.2.11.2.zip",85,9,"2024-11-20 17:10:23",{"slug":123,"name":124,"version":125,"author":126,"author_profile":127,"description":128,"short_description":129,"active_installs":130,"downloaded":131,"rating":78,"num_ratings":132,"last_updated":133,"tested_up_to":14,"requires_at_least":134,"requires_php":50,"tags":135,"homepage":139,"download_link":140,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"patchstack","Patchstack – WordPress & Plugins Security","2.3.5","Patchstack","https:\u002F\u002Fprofiles.wordpress.org\u002Fpatchstack\u002F","\u003Cp>Patchstack is a powerful tool that helps identify security vulnerabilities within your websites’ plugins, themes, and WordPress core. It is powered by the WordPress ecosystem’s most active community of ethical hackers. 
Patchstack is trusted by leading WordPress experts such as Pagely, Cloudways, GridPane, Plesk, and others!\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002Fz2nuYpg26Vc?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Cp>Patchstack is a security plugin for WordPress that finds WP core, plugin and theme vulnerabilities in your websites.\u003C\u002Fp>\n\u003Cp>The free version includes up to 48-hour early warning for new vulnerabilities found by our security research community. It also allows you to automatically update vulnerable software, manage updates remotely, and get snapshot reports on your sites’ security status.\u003C\u002Fp>\n\u003Cp>The paid version includes automatic vulnerability protection. Patchstack deploys highly targeted rules on a per-site basis, only when a specific vulnerability is detected on a site.\u003C\u002Fp>\n\u003Cp>This prevents vulnerable components from being exploited without modifying website code, or impacting site performance or functionality. 
Patchstack’s paid version includes access to 12,000+ individual protection rules (vPatches).\u003C\u002Fp>\n\u003Cp>Patchstack paid version also includes other preventive security features, such as 2 factor authentication, WordPress specific hardening rules, a Community IP blocklist for malicious IP addresses, advanced security settings, and custom protection rules.\u003C\u002Fp>\n\u003Ch3>Post-hack cleanups vs attack prevention in WordPress security\u003C\u002Fh3>\n\u003Cp>Unlike the standard approach to WordPress security (malware scanning and infection cleanups), Patchstack is focused on preventing infections in the first place.\u003C\u002Fp>\n\u003Cp>Thanks to its big WordPress security research community and partnerships with nearly one thousand plugin vendors and developers, Patchstack is regularly among the first to identify new vulnerabilities.\u003C\u002Fp>\n\u003Ch3>Who is Patchstack’s WordPress security plugin for?\u003C\u002Fh3>\n\u003Cp>Patchstack’s vulnerability management works extremely well for:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Agencies with WordPress care\u002Fmaintenance plans for their customers’ websites\u003C\u002Fli>\n\u003Cli>WooCommerce websites to protect their revenue and customers from attacks\u003C\u002Fli>\n\u003Cli>Hosting companies that want to deliver highly targeted vulnerability protection easily and at scale\u003Cbr \u002F>\nWebsite owners\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You don’t have to be highly technical to use it. Install the plugin, connect it with the Patchstack App, and stay safe!\u003C\u002Fp>\n\u003Ch3>What features are included in the Patchstack Personal (Free) plan?\u003C\u002Fh3>\n\u003Cp>Patchstack’s Personal plan is a free security service for WordPress that lets you find and manage vulnerabilities in your websites. 
It includes access to a central security dashboard via the Patchstack web App for more visibility and control over your sites’ security:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Be the first to know about new vulnerabilities.\u003C\u002Fli>\n\u003Cli>Receive notifications if any installed plugins or themes have security issues.\u003C\u002Fli>\n\u003Cli>Detect the latest security vulnerabilities in WordPress plugins.\u003C\u002Fli>\n\u003Cli>Detect the latest security vulnerabilities in WordPress themes.\u003C\u002Fli>\n\u003Cli>Detect the latest security vulnerabilities in WordPress core.\u003C\u002Fli>\n\u003Cli>Receive real-time alerts via email if any security vulnerabilities are found.\u003C\u002Fli>\n\u003Cli>Manage core, plugin and theme updates from a single dashboard.\u003C\u002Fli>\n\u003Cli>[Optional] Enable automatic updates for vulnerable plugins only.\u003C\u002Fli>\n\u003Cli>Generate snapshot reports about the security status of your website.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>What features do Patchstack paid subscriptions have?\u003C\u002Fh3>\n\u003Cp>Patchstack’s paid subscriptions include automatic protection for WordPress vulnerabilities, as well as other protection modules.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Virtual patching to prevent vulnerable components from being exploited\u003C\u002Fli>\n\u003Cli>Advanced hardening module for added WordPress security\u003C\u002Fli>\n\u003Cli>Remote hardening settings (including .htaccess, login protection and reCAPTCHA)\u003C\u002Fli>\n\u003Cli>Community IP Blocklist of known attacker IP addresses\u003Cbr \u002F>\nAll of these features are included in the Developer and Enterprise plans.\u003Cbr \u002F>\nAdditionally, Developer and Enterprise plan users have access to custom protection rule creation, periodical security reports and report scheduling.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Personal (Free) plan users can enable these features on a per-site basis for $5 \u002F site per 
month.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Important Resources\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpatchstack.com\" rel=\"nofollow ugc\">Patchstack website\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdocs.patchstack.com\" rel=\"nofollow ugc\">Help Center\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fdocs.patchstack.com\u002Fpatchstack-plugin\u002Fchangelog\u002F\" rel=\"nofollow ugc\">Changelog\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fpatchstack.com\u002Fdatabase\" rel=\"nofollow ugc\">Patchstack Vulnerability Database\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>See what our customers say about our paid plans:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>“An excellent and valuable service that’s backed by a company that contributes a significant number of resources and money directly back to the WordPress ecosystem.” – John Blackbourn  \u003C\u002Fli>\n\u003Cli>“Patchstack is like CrowdStrike, but for websites!” – Ryan McCue, HumanMade  \u003C\u002Fli>\n\u003Cli>“The service here is superb! And they are always right on it with the best solution to solve the problem or question at hand. The tool itself speaks for itself. I am very satisfied with this project and the service they offer.” – Daniel Canup  \u003C\u002Fli>\n\u003Cli>“This is a security plugin everyone needs to install. The Patchstack team are incredible at what they do. We have been using them for years and have not been disappointed!” – @craniumstudio  \u003C\u002Fli>\n\u003Cli>“We’ve been with Patchstack for a LONG time (even before they were Patchstack). It has always done its job seamlessly and without fail. Ongoing innovation and updates to the Patchstack product mean this plugin is a winner. 
5 stars all the way.” – @guapx  \u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>(*Comparisons are made by evaluating paid versions.)\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fpatchstack.com\u002Fsucuri-alternative\u002F\" rel=\"nofollow ugc\">Sucuri vs. Patchstack\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fpatchstack.com\u002Fwordfence-alternative\u002F\" rel=\"nofollow ugc\">Wordfence vs. Patchstack\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fpatchstack.com\u002Fmalcare-alternative\u002F\" rel=\"nofollow ugc\">Malcare vs. Patchstack\u003C\u002Fa>\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fpatchstack.com\u002Fsitelock-alternative\u002F\" rel=\"nofollow ugc\">Sitelock vs. Patchstack\u003C\u002Fa>\u003C\u002Fp>\n","Patchstack automatically identifies and mitigates security vulnerabilities in WordPress plugins, themes, and core.",40000,567481,61,"2026-01-06T14:10:00.000Z","4.4",[136,20,137,138,22],"firewall","virtual-patching","vulnerabilities","https:\u002F\u002Fpatchstack.com\u002F?utm_medium=wp&utm_source=dashboard&utm_campaign=patchstack%20plugin","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpatchstack.2.3.5.zip",{"attackSurface":142,"codeSignals":196,"taintFlows":211,"riskAssessment":238,"analyzedAt":246},{"hooks":143,"ajaxHandlers":162,"restRoutes":192,"shortcodes":193,"cronEvents":194,"entryPointCount":195,"unprotectedCount":11},[144,150,154,158],{"type":145,"name":146,"callback":147,"file":148,"line":149},"action","admin_menu","add_admin_menu","boonrisk-agent.php",64,{"type":145,"name":151,"callback":152,"file":148,"line":153},"admin_init","register_settings",65,{"type":145,"name":155,"callback":156,"file":148,"line":157},"admin_enqueue_scripts","enqueue_admin_assets",66,{"type":145,"name":159,"callback":160,"file":148,"line":161},"plugins_loaded","closure",593,[163,169,173,177,181,185,188],{"action":164,"nopriv":165,"callback":166,"hasNonce":167,"hasCapCheck":167,"file":148,"line":168},"boo
nrisk_local_assessment",false,"ajax_local_assessment",true,69,{"action":170,"nopriv":165,"callback":171,"hasNonce":167,"hasCapCheck":167,"file":148,"line":172},"boonrisk_test_connection","ajax_test_connection",70,{"action":174,"nopriv":165,"callback":175,"hasNonce":167,"hasCapCheck":167,"file":148,"line":176},"boonrisk_app_analysis","ajax_app_analysis",71,{"action":178,"nopriv":165,"callback":179,"hasNonce":167,"hasCapCheck":167,"file":148,"line":180},"boonrisk_save_api_key","ajax_save_api_key",72,{"action":182,"nopriv":165,"callback":183,"hasNonce":167,"hasCapCheck":167,"file":148,"line":184},"boonrisk_remove_api_key","ajax_remove_api_key",73,{"action":186,"nopriv":165,"callback":187,"hasNonce":167,"hasCapCheck":167,"file":148,"line":108},"boonrisk_toggle_auto_sync","ajax_toggle_auto_sync",{"action":189,"nopriv":165,"callback":190,"hasNonce":167,"hasCapCheck":167,"file":148,"line":191},"boonrisk_manual_sync","ajax_manual_sync",75,[],[],[],7,{"dangerousFunctions":197,"sqlUsage":198,"outputEscaping":208,"fileOperations":11,"externalRequests":79,"nonceChecks":195,"capabilityChecks":195,"bundledLibraries":210},[],{"prepared":11,"raw":79,"locations":199},[200,204],{"file":201,"line":202,"context":203},"includes\\collectors\\class-extended-collector.php",482,"$wpdb->get_var() with variable interpolation",{"file":205,"line":206,"context":207},"includes\\collectors\\class-updates-collector.php",295,"$wpdb->get_results() with variable interpolation",{"escaped":12,"rawEcho":11,"locations":209},[],[],[212,230],{"entryPoint":213,"graph":214,"unsanitizedCount":11,"severity":229},"ajax_save_api_key (boonrisk-agent.php:429)",{"nodes":215,"edges":227},[216,221],{"id":217,"type":218,"label":219,"file":148,"line":220},"n0","source","$_POST",436,{"id":222,"type":223,"label":224,"file":148,"line":225,"wp_function":226},"n1","sink","update_option() [Settings 
Manipulation]",442,"update_option",[228],{"from":217,"to":222,"sanitized":167},"low",{"entryPoint":231,"graph":232,"unsanitizedCount":11,"severity":229},"\u003Cboonrisk-agent> (boonrisk-agent.php:0)",{"nodes":233,"edges":236},[234,235],{"id":217,"type":218,"label":219,"file":148,"line":220},{"id":222,"type":223,"label":224,"file":148,"line":225,"wp_function":226},[237],{"from":217,"to":222,"sanitized":167},{"summary":239,"deductions":240},"The boonrisk-site-security-check-report plugin v1.0.2 exhibits a generally good security posture with no reported vulnerabilities in its history and strong implementation of security best practices in its static analysis. All identified entry points (7 AJAX handlers) correctly implement nonce and capability checks, indicating a robust defense against unauthorized access. Furthermore, all output appears to be properly escaped, mitigating the risk of cross-site scripting (XSS) vulnerabilities. The absence of dangerous functions, file operations, and critical taint flows further strengthens its security profile.",[241,244],{"reason":242,"points":243},"SQL queries without prepared statements",10,{"reason":245,"points":79},"External HTTP requests","2026-03-17T07:16:29.249Z",{"wat":248,"direct":257},{"assetPaths":249,"generatorPatterns":252,"scriptPaths":253,"versionParams":254},[250,251],"\u002Fwp-content\u002Fplugins\u002Fboonrisk-site-security-check-report\u002Fassets\u002Fcss\u002Fboonrisk-admin.css","\u002Fwp-content\u002Fplugins\u002Fboonrisk-site-security-check-report\u002Fassets\u002Fjs\u002Fboonrisk-admin.js",[],[],[255,256],"boonrisk-site-security-check-report\u002Fassets\u002Fcss\u002Fboonrisk-admin.css?ver=","boonrisk-site-security-check-report\u002Fassets\u002Fjs\u002Fboonrisk-admin.js?ver=",{"cssClasses":258,"htmlComments":259,"htmlAttributes":269,"restEndpoints":270,"jsGlobals":271,"shortcodeOutput":273},[],[260,261,262,263,264,265,266,267,268],"\u003C!-- BoonRisk Admin Menu -->","\u003C!-- BoonRisk Dashboard Page 
-->","\u003C!-- BoonRisk Local Assessment Page -->","\u003C!-- BoonRisk Data & Monitoring Page -->","\u003C!-- BoonRisk Settings Page -->","\u003C!-- BoonRisk Security Report Page -->","\u003C!-- BoonRisk Connect Page -->","\u003C!-- BoonRisk App Dashboard Page -->","\u003C!-- BoonRisk Reports Archive Page -->",[],[],[272],"boonrisk_ajax_object",[],{"error":167,"url":275,"statusCode":276,"statusMessage":277,"message":277},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fboonrisk-site-security-check-report\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":32,"versions":279},[280],{"version":6,"download_url":24,"svn_tag_url":281,"released_at":26,"has_diff":165,"diff_files_changed":282,"diff_lines":26,"trac_diff_url":26,"vulnerabilities":283,"is_current":167},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fboonrisk-site-security-check-report\u002Ftags\u002F1.0.2\u002F",[],[]]