[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXY0xGHv-FX2u4eQTget94IwEW7OHKbsPFNhd3RLS9oQ":3,"$f5t2NFOUDGJidt-2Fjjko0hp_4F_TVrqJD5jpsYrnDJ4":218,"$f1sRczN5XjzKo4y77WGgSyGIMoeW2xTyvdnja1CYGCu8":222},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":35,"analysis":132,"fingerprints":192},"sudowp-radar","SudoWP Radar","1.0.1","sudowp","https:\u002F\u002Fprofiles.wordpress.org\u002Fsudowp\u002F","\u003Cp>SudoWP Radar is a runtime security auditor for the WordPress 6.9 Abilities API. It scans every registered ability across all active plugins and themes, applying a rule engine that detects the vulnerability patterns most likely to be exploited in production.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What it audits:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Open and weak permissions\u003C\u002Fstrong> — abilities with no permission_callback, or one that allows any authenticated user through.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Missing or loose input schemas\u003C\u002Fstrong> — abilities that accept unconstrained string inputs, creating potential injection vectors for path traversal, SSRF, and similar attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST overexposure\u003C\u002Fstrong> — abilities marked show_in_rest with no or open permission control, accessible to unauthenticated callers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>MCP overexposure\u003C\u002Fstrong> — abilities marked meta.mcp.public = true with a weak or null permission callback are directly callable by any connected AI agent. 
Flagged as CRITICAL.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Orphaned callbacks\u003C\u002Fstrong> — execute_callbacks that reference functions no longer loaded, often left behind by deactivated plugins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Namespace collisions\u003C\u002Fstrong> — duplicate ability names where the last registration silently overwrites the first, potentially downgrading the permission model.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>How it works:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>SudoWP Radar reads the live abilities registry after all plugins and themes have loaded. It applies static rules to each ability and returns a structured findings report with severity ratings (Critical, High, Medium, Low) and actionable remediation guidance. A risk score from 0-100 summarises the overall exposure of the site.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security model:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Requires the \u003Ccode>radar_run_audit\u003C\u002Fcode> capability (granted to site administrators by default).\u003C\u002Fli>\n\u003Cli>All audit requests are nonce-gated. No public-facing endpoints.\u003C\u002Fli>\n\u003Cli>Audit findings are stored in user meta, not global options.\u003C\u002Fli>\n\u003Cli>Rate-limited to one audit per 30 seconds per user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Optional premium extension (SudoWP Pro):\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The free plugin is a fully functional standalone security auditor. An optional premium add-on extends it with SudoWP Vulnerability Dataset matching (CVE references, CVSS scores, patch guidance), scheduled audits with email alerts, multi-site dashboard aggregation, and report export. None of these are required to use the core auditing features.\u003C\u002Fp>\n\u003Cp>SudoWP Radar is a complement to static analysis tools. 
It audits the live, runtime state of your site — what is actually registered and executing — not just what is declared in code.\u003C\u002Fp>\n\u003Ch3>Premium Extension Filters\u003C\u002Fh3>\n\u003Cp>SudoWP Radar exposes four WordPress filters so a premium plugin can extend\u003Cbr \u002F>\nthe audit engine without modifying core plugin files.\u003C\u002Fp>\n\u003Ch4>radar_dataset_enabled\u003C\u002Fh4>\n\u003Cp>Controls whether dataset lookups run during an audit. Return true to activate.\u003C\u002Fp>\n\u003Cp>Parameters:\u003Cbr \u002F>\n    $enabled (bool) — default false.\u003Cbr \u002F>\n  Returns:\u003Cbr \u002F>\n    bool\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'radar_dataset_enabled', function ( bool $enabled ): bool {\n    return true; \u002F\u002F Enable dataset lookups.\n} );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>radar_dataset_findings\u003C\u002Fh4>\n\u003Cp>Inject Finding objects from a vulnerability dataset for a specific ability.\u003Cbr \u002F>\nCalled once per ability during an audit. 
Non-Finding return values are stripped.\u003C\u002Fp>\n\u003Cp>Parameters:\u003Cbr \u002F>\n    $findings (array)  — current Finding[] for this ability, default [].\u003Cbr \u002F>\n    $ability  (array)  — ability data array from Scanner (name, meta, callbacks, etc.).\u003Cbr \u002F>\n  Returns:\u003Cbr \u002F>\n    Finding[]\u003C\u002Fp>\n\u003Cp>Note: register with accepted_args=2 to receive both parameters.\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter(\n    'radar_dataset_findings',\n    function ( array $findings, array $ability ): array {\n        if ( str_starts_with( $ability['name'], 'my-plugin\u002F' ) ) {\n            $findings[] = new \\SudoWP\\Radar\\Finding(\n                ability_name:   $ability['name'],\n                severity:       \\SudoWP\\Radar\\Finding::SEVERITY_CRITICAL,\n                vuln_class:     \\SudoWP\\Radar\\Finding::VULN_DATASET_MATCH,\n                message:        'Known vulnerable ability pattern detected (CVE-2026-1234).',\n                recommendation: 'Update my-plugin to version 2.1.0 or later.',\n                is_premium:     true,\n            );\n        }\n        return $findings;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>radar_dataset_status\u003C\u002Fh4>\n\u003Cp>Override the dataset status array displayed in the admin UI.\u003C\u002Fp>\n\u003Cp>Parameters:\u003Cbr \u002F>\n    $status (array) — default status with keys:\u003Cbr \u002F>\n      enabled       (bool)        — false in free version.\u003Cbr \u002F>\n      label         (string)      — UI display string.\u003Cbr \u002F>\n      last_updated  (string|null) — ISO 8601 date or null.\u003Cbr \u002F>\n      total_entries (int)         — 0 in free version.\u003Cbr \u002F>\n  Returns:\u003Cbr \u002F>\n    array (same shape as input)\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'radar_dataset_status', function ( array $status ): array {\n    return [\n 
       'enabled'       => true,\n        'label'         => 'SudoWP Vulnerability Dataset: Connected. 4,821 entries.',\n        'last_updated'  => '2026-03-08',\n        'total_entries' => 4821,\n    ];\n} );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>radar_audit_findings\u003C\u002Fh4>\n\u003Cp>Modify the complete findings array after all rules and dataset lookups have run.\u003Cbr \u002F>\nUse this to add cross-ability findings, re-score existing findings, or suppress\u003Cbr \u002F>\nfalse positives. Called once per full audit run.\u003C\u002Fp>\n\u003Cp>Parameters:\u003Cbr \u002F>\n    $findings  (array) — complete Finding[] from the full audit.\u003Cbr \u002F>\n    $abilities (array) — all ability data arrays scanned during this audit.\u003Cbr \u002F>\n  Returns:\u003Cbr \u002F>\n    Finding[]\u003C\u002Fp>\n\u003Cp>Note: register with accepted_args=2 to receive both parameters.\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter(\n    'radar_audit_findings',\n    function ( array $findings, array $abilities ): array {\n        \u002F\u002F Example: promote medium findings to high for a high-risk site.\n        return array_map( function ( $finding ) {\n            if ( $finding->severity === \\SudoWP\\Radar\\Finding::SEVERITY_MEDIUM ) {\n                return new \\SudoWP\\Radar\\Finding(\n                    ability_name:   $finding->ability_name,\n                    severity:       \\SudoWP\\Radar\\Finding::SEVERITY_HIGH,\n                    vuln_class:     $finding->vuln_class,\n                    message:        $finding->message,\n                    recommendation: $finding->recommendation,\n                    context:        $finding->context,\n                    is_premium:     $finding->is_premium,\n                );\n            }\n            return $finding;\n        }, $findings );\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Security auditor for the WordPress Abilities API. 
Scans registered abilities for permission, schema, and exposure risks.",0,84,"2026-03-23T22:36:00.000Z","6.9.4","6.9","8.1",[18,19,20,21,22],"abilities-api","audit","permissions","scanner","security","https:\u002F\u002Fsudowp.com\u002Fradar","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsudowp-radar.1.0.1.zip",100,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},1,30,94,"2026-05-20T09:04:49.187Z",[36,54,70,88,111],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":44,"downloaded":45,"rating":11,"num_ratings":11,"last_updated":46,"tested_up_to":14,"requires_at_least":47,"requires_php":48,"tags":49,"homepage":52,"download_link":53,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"mjp-security-plugin","MJP Security Tools","2.0.0","zackdesign","https:\u002F\u002Fprofiles.wordpress.org\u002Fzackdesign\u002F","\u003Cp>MJP Security Tools is a focused hardening plugin that does four things well:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>XSS Database Scanner\u003C\u002Fstrong> — scans every table for \u003Ccode>\u003Cscript>\u003C\u002Fcode>, \u003Ccode>\u003Ciframe>\u003C\u002Fcode>, \u003Ccode>onclick\u003C\u002Fcode>, \u003Ccode>javascript:\u003C\u002Fcode> and other injection patterns\u003C\u002Fli>\n\u003Cli>\u003Cstrong>POST Request Log\u003C\u002Fstrong> — records all POST data (passwords masked) with IP, user agent, and URL for CSRF\u002Faudit detection\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Failed Login Log\u003C\u002Fstrong> — tracks every failed login attempt with username, IP, and timestamp\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Permission Checker\u003C\u002Fstrong> — verifies WordPress root files and directories have safe permissions, checks for missing 
\u003Ccode>index.html\u003C\u002Fcode> files and SVN working copies\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>What this plugin does NOT do\u003C\u002Fstrong> (because WordPress core already handles it):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>SSL enforcement — use \u003Ccode>FORCE_SSL_ADMIN\u003C\u002Fcode> or let WordPress 5.7+ auto-redirect\u003C\u002Fli>\n\u003Cli>Password strength — WordPress core enforces strong passwords since 4.3\u003C\u002Fli>\n\u003Cli>Login rate limiting — use a dedicated plugin like Limit Login Attempts Reloaded\u003C\u002Fli>\n\u003Cli>Version number hiding — marginal benefit, not worth the complexity\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Upgrading from v1.x:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The admin page has moved from jQuery UI tabs to native WordPress nav tabs\u003C\u002Fli>\n\u003Cli>SSL forcing, password enforcement, login throttling, version hiding, admin username changing, database prefix randomization, password reset, and .htaccess generation have been removed — WordPress core and dedicated security plugins handle these better\u003C\u002Fli>\n\u003Cli>PHP sessions replaced with WP transients for flash messages\u003C\u002Fli>\n\u003Cli>Log data is now stored as JSON instead of serialized PHP\u003C\u002Fli>\n\u003Cli>The Javacrypt client-side crypt(3) script has been removed\u003C\u002Fli>\n\u003C\u002Ful>\n","Lightweight WordPress hardening — XSS database scanner, POST request logging, failed login logging, and file permission 
checker.",10,2895,"2026-02-23T10:51:00.000Z","6.0","7.4",[19,50,20,22,51],"login","xss","https:\u002F\u002Fzackdesign.biz\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmjp-security-plugin.2.0.0.zip",{"slug":55,"name":56,"version":57,"author":58,"author_profile":59,"description":60,"short_description":61,"active_installs":11,"downloaded":62,"rating":11,"num_ratings":11,"last_updated":63,"tested_up_to":14,"requires_at_least":47,"requires_php":48,"tags":64,"homepage":68,"download_link":69,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"resilience-compliance-manager","Resilience Compliance Manager","1.2.12","bean1352","https:\u002F\u002Fprofiles.wordpress.org\u002Fbean1352\u002F","\u003Cp>If you sell a WordPress plugin or theme to anyone in the EU, the EU Cyber Resilience Act (Regulation 2024\u002F2847) applies to you. It does not matter where you are based or whether your product is free. Agencies distributing custom plugins or themes to EU clients are also in scope.\u003C\u002Fp>\n\u003Cp>From September 11, 2026, you need a documented vulnerability reporting process, the required security documents, and a way to monitor your products for known vulnerabilities. ResilienceWP is built for WordPress developers — plugin developers, theme developers, and agencies — to cover all of that in one place.\u003C\u002Fp>\n\u003Cp>Non-compliance carries fines up to EUR 15 million or 2.5% of global annual turnover. Authorities can also force non-compliant products off the EU market.\u003C\u002Fp>\n\u003Cp>The free plan covers the paperwork side of compliance: checklist, five document templates, and the CRA education guide. Paid plans add automated vulnerability scanning, email alerts, the Incident Center for ENISA notification management, and downloadable compliance reports, all directly inside your WordPress admin. 
Pro plans also include webhook integrations for CI\u002FCD pipelines and external tools — get real-time notifications when scans complete or vulnerabilities are found.\u003C\u002Fp>\n\u003Cp>For pricing, documentation, and more details visit \u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\" rel=\"nofollow ugc\">resiliencewp.com\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>Compliance Checklist (Free)\u003C\u002Fh4>\n\u003Cp>26 actionable items, each mapped to a specific CRA article. Five categories cover everything the regulation requires:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Risk Assessment: documenting threats, attack surfaces, and mitigations\u003C\u002Fli>\n\u003Cli>Secure Development: secure defaults, no known exploitable vulnerabilities at release\u003C\u002Fli>\n\u003Cli>Vulnerability Handling: disclosure policy, coordinated reporting, user notification\u003C\u002Fli>\n\u003Cli>Required Documentation: SBOM, Declaration of Conformity, technical file\u003C\u002Fli>\n\u003Cli>Post-Market Obligations: ongoing monitoring, security updates, end-of-life policy\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Every item has a plain-English explanation of what it means and why it matters. Check items off as you complete them. 
Progress saves automatically.\u003C\u002Fp>\n\u003Ch4>Document Generator (Free)\u003C\u002Fh4>\n\u003Cp>Generate the five documents the CRA requires before you can legally place a product on the EU market:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Vulnerability Disclosure Policy (Article 13(6)): your public process for receiving and handling security reports from researchers\u003C\u002Fli>\n\u003Cli>Incident Response Plan: your internal procedure when a vulnerability is discovered or actively exploited\u003C\u002Fli>\n\u003Cli>EU Declaration of Conformity: the formal self-declaration that your product meets CRA essential requirements\u003C\u002Fli>\n\u003Cli>Software Bill of Materials (SBOM) (Article 13): a structured inventory of your plugin’s components, dependencies, and third-party libraries\u003C\u002Fli>\n\u003Cli>security.txt: the machine-readable contact file security researchers use to reach you, placed at \u002F.well-known\u002Fsecurity.txt\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Fill in your plugin name, contact details, and a few specifics. Download in text or markdown format. No starting from scratch, no lawyer needed for the first draft.\u003C\u002Fp>\n\u003Ch4>CRA Education Centre (Free)\u003C\u002Fh4>\n\u003Cp>An article-by-article breakdown of Regulation (EU) 2024\u002F2847, written for developers rather than legal teams. Understand what each obligation actually requires: what counts as “active exploitation,” what an SBOM needs to contain, what the 24-hour reporting window really means.\u003C\u002Fp>\n\u003Ch4>Vulnerability Scanner (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>Connect your account to ResilienceWP and it monitors your plugins against the WPScan vulnerability database on a regular schedule. Weekly on Basic, daily on Pro.\u003C\u002Fp>\n\u003Cp>You can monitor any plugin by its WordPress.org slug, not just the plugins currently installed on your site. 
If your plugin depends on WooCommerce, ACF, or any other third-party plugin, you can add those slugs directly and track vulnerabilities in your dependencies. Plugins can also be added directly from your installed plugins list.\u003C\u002Fp>\n\u003Cp>The moment a new vulnerability is found, you get an email with the severity rating, CVE ID, affected version range, and fix version if one is available. Back in your WordPress admin, vulnerabilities are grouped by plugin and sorted by date discovered, so you can see at a glance which plugins have open issues and how old they are.\u003C\u002Fp>\n\u003Cp>Each vulnerability card shows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Severity (Critical \u002F High \u002F Medium \u002F Low \u002F Info) with colour coding\u003C\u002Fli>\n\u003Cli>CVE identifier linked directly to the NVD entry\u003C\u002Fli>\n\u003Cli>The fix version (or “no fix available yet”)\u003C\u002Fli>\n\u003Cli>An action hint: whether to update, acknowledge, or open an incident\u003C\u002Fli>\n\u003Cli>A button to report the incident directly to the Incident Center\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Status tracking lets you mark vulnerabilities as Open, Acknowledged, In Progress, Resolved, or False Positive. Export the full vulnerability list as CSV for your compliance records.\u003C\u002Fp>\n\u003Ch4>Incident Center (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>When a vulnerability in your plugin is being actively exploited, the CRA requires you to notify ENISA within 24 hours. 
The Incident Center tracks that deadline from the moment you log first awareness and guides you through the complete regulatory workflow.\u003C\u002Fp>\n\u003Cp>Creating a new incident logs the discovery timestamp and starts all three countdown timers simultaneously:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Early Warning: due within 24 hours of first awareness\u003C\u002Fli>\n\u003Cli>Vulnerability Notification: due within 72 hours, with full technical details\u003C\u002Fli>\n\u003Cli>Final Report: due within 14 days, including root cause and remediation steps\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>The case view shows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Live countdown timers for each notification deadline, turning amber at 6 hours and red when overdue\u003C\u002Fli>\n\u003Cli>A completeness score on your incident report so you know exactly what information is still missing\u003C\u002Fli>\n\u003Cli>A “Where to Submit” section with direct links to ENISA’s reporting portal, the EU CSIRT network directory, and the CVE Programme at MITRE\u003C\u002Fli>\n\u003Cli>A full audit log recording every action taken, every field updated, and every notification submitted\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>On Pro, you can export the full incident case including all notifications and the complete audit log, formatted for submission to regulators or for your compliance archive.\u003C\u002Fp>\n\u003Ch4>Dashboard and Compliance Score\u003C\u002Fh4>\n\u003Cp>The dashboard gives you a live compliance score (0-100) with a transparent breakdown:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>-15 points per open critical vulnerability\u003C\u002Fli>\n\u003Cli>-7 points per open high vulnerability\u003C\u002Fli>\n\u003Cli>-3 points per open medium vulnerability\u003C\u002Fli>\n\u003Cli>-20 points per overdue incident (past the 24-hour ENISA deadline)\u003C\u002Fli>\n\u003Cli>-5 points per active open incident\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>It is not a vanity metric. 
It is a working indicator of where you stand against your CRA obligations at any point in time, with the exact deductions shown so you know what to fix first.\u003C\u002Fp>\n\u003Ch4>Compliance Reports and SBOM Export (Basic and Pro)\u003C\u002Fh4>\n\u003Cp>Generate a PDF compliance report for auditors or regulators covering your vulnerability history, resolution timeline, and document status. Export your Software Bill of Materials in standard format, as required by CRA Article 13.\u003C\u002Fp>\n\u003Ch4>Webhook Integrations (Pro)\u003C\u002Fh4>\n\u003Cp>Connect ResilienceWP to your CI\u002FCD pipeline, Slack, or any external tool with webhook callbacks. Configure webhook endpoints in Settings and receive real-time HTTP POST notifications with HMAC-SHA256 signed payloads when:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A scheduled or manual scan completes\u003C\u002Fli>\n\u003Cli>A new vulnerability is found in one of your monitored plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Each webhook delivery is logged with status codes and response data, so you can debug integration issues directly from your WordPress admin. 
Manage up to 5 webhook endpoints per account, toggle them on and off, and filter by event type.\u003C\u002Fp>\n\u003Ch4>Who needs to comply\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Commercial plugin developers: selling to EU customers through any channel (your site, Envato, direct) makes you the manufacturer under the CRA\u003C\u002Fli>\n\u003Cli>WordPress agencies: distributing custom-built plugins to EU clients, even for a single client, counts as placing a product on the market\u003C\u002Fli>\n\u003Cli>Freemium developers: having a free version does not exempt you; any commercial activity tied to the product brings you in scope\u003C\u002Fli>\n\u003Cli>Theme developers: themes with shortcodes, API integrations, or custom post types may qualify as “products with digital elements”\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Key dates\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>10 December 2024: CRA entered into force. Transition period began.\u003C\u002Fli>\n\u003Cli>11 September 2026: Vulnerability and incident reporting obligations apply.\u003C\u002Fli>\n\u003Cli>11 December 2027: Full CRA application. All requirements in effect.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Source Code\u003C\u002Fh4>\n\u003Cp>The admin dashboard is built with React and compiled using Vite. The uncompiled source is included in the plugin ZIP under admin\u002Fsrc\u002F. To rebuild from source:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Install Node.js 20+ and pnpm 10+\u003C\u002Fli>\n\u003Cli>Run \u003Ccode>pnpm install\u003C\u002Fcode> in the plugin directory\u003C\u002Fli>\n\u003Cli>Run \u003Ccode>pnpm build\u003C\u002Fcode> to recompile the admin dashboard\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>External Services\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>ResilienceWP API\u003C\u002Fstrong> (https:\u002F\u002Fapi.resiliencewp.com)\u003Cbr \u002F>\nUsed for API key verification, vulnerability scanning, incident management, and report generation. 
Data sent: API key, WordPress site URL, plugin slugs and versions.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\u002Fterms\" rel=\"nofollow ugc\">Terms of Service\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwww.resiliencewp.com\u002Fprivacy\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>WPScan\u003C\u002Fstrong> (via ResilienceWP API)\u003Cbr \u002F>\nPlugin vulnerability data is sourced from the WPScan database. Plugin slugs are sent through the ResilienceWP API. No personal data is sent from your WordPress installation directly to WPScan.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fterms\" rel=\"nofollow ugc\">WPScan Terms\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwpscan.com\u002Fprivacy\" rel=\"nofollow ugc\">WPScan Privacy Policy\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Paddle\u003C\u002Fstrong> (payments)\u003Cbr \u002F>\nSubscription payments are processed by Paddle as merchant of record. Payment data is handled entirely by Paddle and never passes through our servers.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.paddle.com\u002Flegal\u002Fterms\" rel=\"nofollow ugc\">Paddle Terms\u003C\u002Fa> | \u003Ca href=\"https:\u002F\u002Fwww.paddle.com\u002Flegal\u002Fprivacy\" rel=\"nofollow ugc\">Paddle Privacy\u003C\u002Fa>\u003C\u002Fp>\n","CRA compliance for WordPress developers. 
Checklist, document generator, vulnerability scanner, and incident reporting for the 2026 EU deadline.",645,"2026-03-11T17:21:00.000Z",[19,65,66,22,67],"compliance","gdpr","vulnerability-scanner","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresilience-compliance-manager.1.2.12.zip",{"slug":71,"name":72,"version":73,"author":74,"author_profile":75,"description":76,"short_description":77,"active_installs":11,"downloaded":78,"rating":11,"num_ratings":11,"last_updated":79,"tested_up_to":80,"requires_at_least":81,"requires_php":82,"tags":83,"homepage":86,"download_link":87,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"sajjetti-audit","Sajjetti – AI Audit","1.0.0","Sajjetti","https:\u002F\u002Fprofiles.wordpress.org\u002Fsajjetti\u002F","\u003Cp>Sajjetti – AI Audit is a security-first code scanner for WordPress plugins and themes.\u003Cbr \u002F>\nIt performs static analysis of PHP, HTML, CSS, and JS files to detect vulnerabilities,\u003Cbr \u002F>\nperformance issues, and coding standard problems before they become real risks.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Privacy by design\u003C\u002Fstrong>\u003Cbr \u002F>\n– Nothing runs automatically; all scans are triggered manually by the site owner.\u003Cbr \u002F>\n– Files are analyzed statically — never executed.\u003Cbr \u002F>\n– Remote analysis is disabled by default. No code leaves your site until you explicitly enable “Allow remote analysis” in Settings.\u003Cbr \u002F>\n– When enabled, selected file contents are sent securely over HTTPS to the Sajjetti API. 
Analysis data is temporary and discarded after results are returned.\u003Cbr \u002F>\n– Complies with WordPress.org privacy and consent guidelines.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What it helps you find\u003C\u002Fstrong>\u003Cbr \u002F>\n– Security: unescaped output, missing nonces and capability checks, unsafe file operations, risky SQL patterns, and other common vulnerabilities.\u003Cbr \u002F>\n– Performance: expensive loops, heavy queries, oversized assets, and inefficient patterns that slow down page loads.\u003Cbr \u002F>\n– Code quality and compatibility: deprecated APIs, version-specific pitfalls, and conflicts with WordPress coding standards.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Optional AI assistance\u003C\u002Fstrong>\u003Cbr \u002F>\nWhen remote analysis is enabled, the Sajjetti API provides AI-powered suggestions with context-specific recommendations.\u003Cbr \u002F>\nResults are presented with file-by-file drill-down, risk levels, and actionable insights. Human review is always recommended before making changes.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Detects vulnerabilities, warnings, and performance issues\u003C\u002Fli>\n\u003Cli>Provides optional AI-assisted analysis with actionable suggestions\u003C\u002Fli>\n\u003Cli>Offers file-by-file drill-down and detailed reports\u003C\u002Fli>\n\u003Cli>Built with a security-first design, including VIP-compliant validation and sanitization\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security Considerations\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>All scans are user-initiated; nothing runs automatically.\u003C\u002Fli>\n\u003Cli>File contents are analyzed statically (never executed).\u003C\u002Fli>\n\u003Cli>REST endpoints require capability checks and nonces.\u003C\u002Fli>\n\u003Cli>All external requests use HTTPS with nonce and referer validation.\u003C\u002Fli>\n\u003Cli>Uninstall removes plugin data (options and tables) cleanly.\u003C\u002Fli>\n\u003Cli>All user-facing 
strings are escaped and translatable.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Pricing and API Access\u003C\u002Fh3>\n\u003Cp>The plugin includes a small allowance of free scans.\u003Cbr \u002F>\nAdditional scans require an API key, available through a paid subscription.\u003C\u002Fp>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>When you initiate a scan with remote analysis enabled, this plugin may transmit selected file contents (Base64-encoded PHP, HTML, CSS, and JS), limited file metadata (filename, relative path, size, cryptographic hash such as SHA-256), your site IP address and URL (for license validation), and your Sajjetti API username to the Sajjetti API for static analysis. No WordPress user account data, passwords, or database content is transmitted or stored. Temporary analysis data is deleted after results are returned. For details, see the included privacy.md file.\u003C\u002Fp>\n\u003Cp>Remote analysis is disabled by default. Scans cannot start until the site owner explicitly enables Allow remote analysis in Settings.\u003C\u002Fp>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>This plugin connects to the Sajjetti Hub API (https:\u002F\u002Fsajjetti.ai) to validate license status,\u003Cbr \u002F>\nmanage usage limits, upload code snippets for analysis, and fetch audit results.\u003C\u002Fp>\n\u003Cp>Data sent:\u003Cbr \u002F>\n– License key and username when validating or checking usage.\u003Cbr \u002F>\n– Website URL and IP address when validating usage.\u003Cbr \u002F>\n– Selected PHP\u002FJS\u002FCSS source files when submitting for auditing.\u003C\u002Fp>\n\u003Cp>Data returned:\u003Cbr \u002F>\n– License type and remaining file quota.\u003Cbr \u002F>\n– Audit results (security, performance, and code quality insights).\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Legal & Privacy:\u003C\u002Fstrong>\u003Cbr \u002F>\n– Terms of Service: https:\u002F\u002Fsajjetti.ai\u002Fterms-of-service\u002F\u003Cbr \u002F>\n– Privacy Policy: 
https:\u002F\u002Fsajjetti.ai\u002Fprivacy-policy\u002F\u003C\u002Fp>\n","AI-assisted theme and plugin scanner for security, performance, and best practices. Provides clear, actionable insights.",214,"2025-10-09T15:23:00.000Z","6.8.5","6.6","8.0",[19,84,85,21,22],"code-analysis","performance","https:\u002F\u002Fsajjetti.ai\u002Faudit","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsajjetti-audit.1.0.0.zip",{"slug":89,"name":90,"version":91,"author":92,"author_profile":93,"description":94,"short_description":95,"active_installs":96,"downloaded":97,"rating":33,"num_ratings":98,"last_updated":99,"tested_up_to":14,"requires_at_least":100,"requires_php":101,"tags":102,"homepage":106,"download_link":107,"security_score":108,"vuln_count":109,"unpatched_count":11,"last_vuln_date":110,"fetched_at":27},"wordfence","Wordfence Security – Firewall, Malware Scan, and Login Security","8.1.4","Mark Maunder","https:\u002F\u002Fprofiles.wordpress.org\u002Fmmaunder\u002F","\u003Ch4>THE MOST POPULAR WORDPRESS FIREWALL & SECURITY SCANNER\u003C\u002Fh4>\n\u003Cp>WordPress security requires a team of dedicated analysts researching the latest malware variants and WordPress exploits, turning them into firewall rules and malware signatures, and releasing those to customers in real-time.\u003C\u002Fp>\n\u003Cp>Choose the right protection for you: \u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fproducts\u002Fpricing\u002F\" 
rel=\"nofollow ugc\">Wordfence Free, Premium, Care or Response\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Wordfence is widely acknowledged as the number one WordPress security research team in the World. Our plugin provides a comprehensive suite of security features, and our team’s research is what powers our plugin and provides the level of security that we are known for.\u003C\u002Fp>\n\u003Cp>At Wordfence, WordPress security isn’t a division of our business – WordPress security is all we do. We employ a global 24-hour dedicated incident response team that provides our priority customers with a 1 hour response time for any security incident.\u003C\u002Fp>\n\u003Cp>The sun never sets on our global security team and we run a sophisticated threat intelligence platform to aggregate, analyze and produce ground breaking security research on the newest security threats.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Wordfence Security includes an endpoint firewall, malware scanner, robust login security features, live traffic views, and more.\u003C\u002Fstrong> Our \u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002F\" rel=\"nofollow ugc\">Threat Defense Feed\u003C\u002Fa> arms Wordfence with the newest firewall rules, malware signatures, and malicious IP addresses it needs to keep your website safe.\u003C\u002Fp>\n\u003Cp>Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.\u003C\u002Fp>\n\u003Ch3>🔥 WORDPRESS FIREWALL\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ffirewall\u002F\" rel=\"nofollow ugc\">Web Application Firewall\u003C\u002Fa>\u003C\u002Fstrong> identifies and blocks malicious traffic. 
Built and maintained by a large team focused 100% on WordPress security.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time firewall rule and malware signature [Premium]\u003C\u002Fstrong> updates via the Threat Defense Feed (free version is delayed by 30 days).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fblocking\u002F\" rel=\"nofollow ugc\">Real-time IP Blocklist\u003C\u002Fa> [Premium]\u003C\u002Fstrong> blocks all requests from the most malicious IPs, protecting your site while reducing load.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Protects your site at the endpoint\u003C\u002Fstrong>, enabling deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, cannot be bypassed and cannot leak data.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fscan\u002F\" rel=\"nofollow ugc\">Integrated malware scanner\u003C\u002Fa>\u003C\u002Fstrong> blocks requests that include malicious code or content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ffirewall\u002Fbrute-force\u002F\" rel=\"nofollow ugc\">Protection from brute force\u003C\u002Fa>\u003C\u002Fstrong> attacks by limiting login attempts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📡 WORDPRESS SECURITY SCANNER\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Malware scanner\u003C\u002Fstrong> checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-time malware signature updates [Premium]\u003C\u002Fstrong> via the Threat Defense Feed (free version is delayed by 30 days).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compares with WordPress.org repository\u003C\u002Fstrong> your core files, themes and plugins, checking their integrity and reporting any changes to you.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Repair WordPress 
core, theme, and plugin files\u003C\u002Fstrong> that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Malware Removal Tools\u003C\u002Fstrong> “Delete File” and “Delete All Deletable Files” options allow for efficient malware removal. Remember to investigate the scan results and backup files first!\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks your site for known security vulnerabilities\u003C\u002Fstrong> and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks your content safety\u003C\u002Fstrong> by scanning file contents, posts and comments for dangerous URLs and suspicious content.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Checks to see if your site or IP have been blocklisted [Premium]\u003C\u002Fstrong> for malicious activity, generating spam or other security issues.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔒 LOGIN SECURITY\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ftools\u002Ftwo-factor-authentication\u002F\" rel=\"nofollow ugc\">Two-factor authentication (2FA)\u003C\u002Fa>\u003C\u002Fstrong>, one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Flogin-security\u002F\" rel=\"nofollow ugc\">Login Page CAPTCHA\u003C\u002Fa>\u003C\u002Fstrong> stops bots from logging in.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Flogin-security\u002F#woocommerce-and-custom-integrations\" rel=\"nofollow ugc\">2FA for WooCommerce and custom integrations\u003C\u002Fa>\u003C\u002Fstrong> allow for 2FA to be setup on custom account 
pages\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC\u003C\u002Fstrong> options including disabling or adding 2FA.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Password Security:\u003C\u002Fstrong> Block logins for administrators using known compromised passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>📋 SECURITY AUDIT LOG [Premium]\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Faudit-log\" rel=\"nofollow ugc\">The Audit Log\u003C\u002Fa>\u003C\u002Fstrong> monitors all changes and actions in security-sensitive areas of the site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remote tamper-proof data storage\u003C\u002Fstrong> via Wordfence Central.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Monitor events and actions\u003C\u002Fstrong> ranging  from user creation and editing to plugin\u002Ftheme installation and updates to post and page changes.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Configurable\u003C\u002Fstrong> to log all events or significant events only, which includes all authentication, site configuration, and site functionality events.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🌐 WORDFENCE CENTRAL\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fproducts\u002Fwordfence-central\u002F\" rel=\"nofollow ugc\">Wordfence Central\u003C\u002Fa>\u003C\u002Fstrong> is a powerful and efficient way to manage the security for multiple sites in one place.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Centralized management:\u003C\u002Fstrong> Efficiently assess the security status of all your websites in one view. View detailed security findings without leaving Wordfence Central.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Powerful templates\u003C\u002Fstrong> make configuring Wordfence a breeze.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Highly configurable alerts\u003C\u002Fstrong> can be delivered via email, SMS or Slack. 
Improve the signal to noise ratio by leveraging severity level options and a daily digest option.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Track and alert on important security events\u003C\u002Fstrong> including administrator logins, breached password usage and surges in attack activity.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Free to use\u003C\u002Fstrong> for unlimited sites.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🛠️ SECURITY TOOLS\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Ftools\u002Flive-traffic\u002F\" rel=\"nofollow ugc\">Live Traffic\u003C\u002Fa>\u003C\u002Fstrong> monitors visits and hack attempts not shown in other analytics packages in real time; including origin, their IP address, the time of day and time spent on your site.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Block attackers by IP\u003C\u002Fstrong> or build advanced rules based on IP Range, Hostname, User Agent and Referrer.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fhelp\u002Fblocking\u002Fcountry-blocking\u002F\" rel=\"nofollow ugc\">Country blocking\u003C\u002Fa>\u003C\u002Fstrong> available with Wordfence Premium.\u003C\u002Fli>\n\u003C\u002Ful>\n","Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. 
Make security a priority with Wordfence.",5000000,407330579,4861,"2025-12-20T21:06:00.000Z","4.7","7.0",[103,104,105,21,22],"2fa","firewall","malware","https:\u002F\u002Fwww.wordfence.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordfence.8.1.4.zip",96,12,"2022-09-06 00:00:00",{"slug":112,"name":113,"version":114,"author":115,"author_profile":116,"description":117,"short_description":118,"active_installs":119,"downloaded":120,"rating":121,"num_ratings":122,"last_updated":123,"tested_up_to":14,"requires_at_least":100,"requires_php":101,"tags":124,"homepage":127,"download_link":128,"security_score":129,"vuln_count":130,"unpatched_count":11,"last_vuln_date":131,"fetched_at":27},"sg-security","Security Optimizer – The All-In-One Protection Plugin","1.6.0","SiteGround","https:\u002F\u002Fprofiles.wordpress.org\u002Fsiteground\u002F","\u003Cp>\u003Cstrong>Bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots, with our free WordPress security plugin – Security Optimizer.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Proactively monitor your site’s security to detect any suspicious activity and take immediate actions to protect your site and prevent further damage with these essential features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enable \u003Cstrong>2FA (Two-Factor Authentication)\u003C\u002Fstrong> for an extra layer of website security\u003C\u002Fli>\n\u003Cli>Set \u003Cstrong>Limit Login Attempts\u003C\u002Fstrong> to deter malicious login attempts and brute-force attacks\u003C\u002Fli>\n\u003Cli>Change your default login URL to \u003Cstrong>Custom Login URL\u003C\u002Fstrong> to avoid attacks\u003C\u002Fli>\n\u003Cli>Activate \u003Cstrong>Advanced XSS Protection\u003C\u002Fstrong> to fortify your website against malicious attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lock and Protect System Folders\u003C\u002Fstrong> to ensure no unauthorized or malicious 
scripts can be executed in your system folders\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Themes & Plugins Editor\u003C\u002Fstrong> to safeguard your website from unauthorized access via the WordPress editor\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide WordPress Version\u003C\u002Fstrong> effortlessly, keeping it hidden from prying eyes\u003C\u002Fli>\n\u003Cli>Use \u003Cstrong>Activity Log\u003C\u002Fstrong> to monitor your site and quickly prevent malicious actions\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Post-Hack Actions\u003C\u002Fstrong> to take immediate actions and prevent further damages\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Developed by the website security experts at \u003Ca href=\"https:\u002F\u002Fwww.siteground.com\u002Fwordpress-plugins\u002Fsiteground-security\" rel=\"nofollow ugc\">SiteGround\u003C\u002Fa> and trusted by over 900,000 webmasters for its robust security shield and ease of use to safeguard WordPress applications from possible attacks on any hosting platform.\u003C\u002Fp>\n\u003Ch4>AWARDS:\u003C\u002Fh4>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.templatemonster.com\u002Fawards\u002Fwinners-2022\u002F\" rel=\"nofollow ugc\">Monster Awards 2022\u003C\u002Fa>: Best WordPress Security Plugin 🥇\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fwww.templatemonster.com\u002Fawards\u002Fwinners-2021\u002F\" rel=\"nofollow ugc\">Monster Awards 2021\u003C\u002Fa>: Best WordPress Security Plugin 🥇\u003C\u002Fp>\n\u003Ch4>Plugin Video\u003C\u002Fh4>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FFOheCz7sm9A?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation 
allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch4>Plugin Tutorial\u003C\u002Fh4>\n\u003Cp>Unveil the vast array of features and unleash the full potential of our security plugin in our \u003Ca href=\"https:\u002F\u002Fwww.siteground.com\u002Ftutorials\u002Fwordpress\u002Fsg-security\u002F\" rel=\"nofollow ugc\">Security Optimizer Tutorial\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>SITE PROTECTION FEATURES\u003C\u002Fh3>\n\u003Cp>Safeguard your WordPress application using our powerful site security toolset. Our comprehensive features are specifically designed to strengthen your website’s defenses against malware, exploits, and various malicious activities. With these tools at your disposal, you can ensure the utmost bot, malware and brute force protection for your website:\u003C\u002Fp>\n\u003Ch4>Lock and Protect System Folders\u003C\u002Fh4>\n\u003Cp>Ensure the maximum security for your application’s system folders by preventing the execution of any unauthorized or malicious scripts. The Lock and Protect System Folders feature acts as a powerful shield against potential threats.\u003C\u002Fp>\n\u003Ch4>Hide WordPress Version\u003C\u002Fh4>\n\u003Cp>Protect your website from mass attacks by hiding the WordPress version, which helps to mitigate version-specific vulnerabilities.\u003C\u002Fp>\n\u003Ch4>Disable Themes & Plugins Editor\u003C\u002Fh4>\n\u003Cp>Enhance the security of your WordPress admin area by disabling the Themes & Plugins Editor, preventing potential coding errors and unauthorized access through the editor.\u003C\u002Fp>\n\u003Ch4>Disable XML-RPC\u003C\u002Fh4>\n\u003Cp>Mitigate potential security risks by disabling the XML-RPC protocol, which has been exploited in various attacks. Please note that disabling XML-RPC will restrict WordPress from communicating with third-party systems. 
We recommend enabling this feature unless you have a specific need for it.\u003C\u002Fp>\n\u003Ch4>Disable RSS and ATOM Feeds\u003C\u002Fh4>\n\u003Cp>Prevent content scraping and specific attacks on your site by disabling RSS and ATOM feeds. Unless you have readers accessing your site via RSS readers, it is recommended to keep this feature enabled.\u003C\u002Fp>\n\u003Ch4>Advanced XSS Protection\u003C\u002Fh4>\n\u003Cp>Add an extra layer of website security against cross-site scripting (XSS) attacks by enabling Advanced XSS Protection, bolstering the overall security of your website.\u003C\u002Fp>\n\u003Ch4>Delete Default Readme.html\u003C\u002Fh4>\n\u003Cp>Eliminate potential vulnerabilities by deleting the default readme.txt file, which contains information about your website. By removing this file, you reduce the risk of your site being listed in vulnerable sites targeted by hackers.\u003C\u002Fp>\n\u003Ch3>Login Security\u003C\u002Fh3>\n\u003Ch4>Custom Login Url\u003C\u002Fh4>\n\u003Cp>Personalize your login URL to thwart potential attacks and create a strong entry point. Bid farewell to the default login URL and embrace a bespoke path of your choosing. Additionally, you have the freedom to modify the default sign-up URL as well.\u003C\u002Fp>\n\u003Ch4>Login Access\u003C\u002Fh4>\n\u003Cp>Restrict login page access to specific IP addresses or IP ranges, effectively thwarting malicious login attempts and deterring brute force attacks.\u003C\u002Fp>\n\u003Ch4>2FA (Two-Factor Authentication)\u003C\u002Fh4>\n\u003Cp>Immerse your website in an impenetrable shield of security with 2FA. This formidable feature demands that all admin users furnish a unique token, generated exclusively through the Google Authentication application, during the login process.\u003C\u002Fp>\n\u003Ch4>Disable Common Usernames\u003C\u002Fh4>\n\u003Cp>Don’t fall victim to predictable security breaches! 
The use of common usernames, such as ‘admin,’ poses a significant threat to the integrity of your website. Activate this option to disable the creation of common usernames. If any weak usernames already exist, we’ll prompt you to provide new, stronger alternatives.\u003C\u002Fp>\n\u003Ch4>Limit Login Attempts\u003C\u002Fh4>\n\u003Cp>Maintain control over unauthorized access attempts with Limit Login Attempts. Set a specific threshold for the number of login failures users can endure before consequences arise. After reaching the limit, the IP address associated with the unsuccessful login attempts will be blocked for one hour. Persistent failures will result in longer restrictions, starting with 24 hours and escalating to a week.\u003C\u002Fp>\n\u003Ch3>ACTIVITY MONITORING\u003C\u002Fh3>\n\u003Cp>Monitor your website and login page for unauthorized visitors and brute force attempts to prevent malicious actions\u003C\u002Fp>\n\u003Ch4>Activity Log\u003C\u002Fh4>\n\u003Cp>The Activity Log page provides you with a comprehensive view of the activities performed by registered, unknown, and blocked visitors. It allows you to closely monitor any suspicious behavior and take appropriate actions in case of a compromised user, plugin, or hacking attempt. You can leverage the quick tools available to swiftly block future attempts.\u003C\u002Fp>\n\u003Ch4>Weekly Security Reports\u003C\u002Fh4>\n\u003Cp>Receive a weekly traffic summary for your website directly to your inbox. This \u003Cstrong>Weekly Security Report\u003C\u002Fstrong> compiles data on both bot and human traffic, along with details about blocked login and visit attempts to proactively monitor traffic and promptly identify suspicious activity.\u003C\u002Fp>\n\u003Ch3>POST-HACK ACTIONS\u003C\u002Fh3>\n\u003Cp>Take immediate measures to protect your website if you suspect a compromise and prevent further damage. 
Here, you’ll find convenient solutions to address the situation effectively:\u003C\u002Fp>\n\u003Ch4>Reinstall All Free Plugins\u003C\u002Fh4>\n\u003Cp>In the event of a hack, utilizing the Reinstall All Free Plugins feature can help mitigate potential harm. This action reinstalls all of your free plugins, reducing the likelihood of additional exploits or the reuse of malicious code.\u003C\u002Fp>\n\u003Ch4>Log Out All Users\u003C\u002Fh4>\n\u003Cp>To prevent any further unauthorized activities by users or attackers, you can choose to log out all users instantly using the Log Out All Users feature.\u003C\u002Fp>\n\u003Ch4>Force Password Reset\u003C\u002Fh4>\n\u003Cp>By enforcing a password reset, you can ensure that all users are prompted to change their passwords during their next login. This not only strengthens the security of their accounts but also immediately logs out all currently logged-in users.\u003C\u002Fp>\n\u003Ch3>Requirements\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>WordPress 4.7\u003C\u002Fli>\n\u003Cli>PHP 7.0\u003C\u002Fli>\n\u003Cli>Working .htaccess file\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Data Collection\u003C\u002Fh3>\n\u003Cp>Collection of technical data is optional and is \u003Ca href=\"https:\u002F\u002Fwww.siteground.com\u002Fkb\u002Fwhat-information-wp-plugins-collect\" rel=\"nofollow ugc\">listed here\u003C\u002Fa>. This data is collected only for technical analysis, improvements and the possibility to contact the plugin user in case urgent issues need to be fixed (for example a critical security release that needs to be communicated to site owners). The plugin user can manage their preferences within the WP admin to control the collection of technical data. We advise opting in for this data collection, as it can enhance the plugin’s performance. 
You may find more information on data collection in our \u003Ca href=\"https:\u002F\u002Fwww.siteground.com\u002Fviewtos\u002Fsiteground_plugins_privacy_notice\" rel=\"nofollow ugc\">Plugins Privacy Notice\u003C\u002Fa>.\u003C\u002Fp>\n","Secure your WordPress site from brute-force attacks, threats, malware, and bots. Free to use and easy to set up.",1000000,32328818,90,153,"2026-03-31T11:35:00.000Z",[104,50,125,22,126],"malware-scanner","web-application-firewall","https:\u002F\u002Fsiteground.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsg-security.1.6.0.zip",86,5,"2025-11-30 00:00:00",{"attackSurface":133,"codeSignals":177,"taintFlows":187,"riskAssessment":188,"analyzedAt":191},{"hooks":134,"ajaxHandlers":167,"restRoutes":174,"shortcodes":175,"cronEvents":176,"entryPointCount":31,"unprotectedCount":11},[135,141,145,150,153,159,164],{"type":136,"name":137,"callback":138,"file":139,"line":140},"action","wp_abilities_api_categories_init","register_category","includes\u002Fclass-radar-abilities.php",13,{"type":136,"name":142,"callback":143,"file":139,"line":144},"wp_abilities_api_init","register",14,{"type":136,"name":146,"callback":147,"file":148,"line":149},"admin_menu","register_menu","includes\u002Fclass-radar-admin.php",11,{"type":136,"name":151,"callback":152,"file":148,"line":109},"admin_enqueue_scripts","enqueue_assets",{"type":154,"name":155,"callback":156,"priority":44,"file":157,"line":158},"filter","user_has_cap","grant_to_admin","includes\u002Fclass-radar-capabilities.php",18,{"type":136,"name":160,"callback":161,"file":162,"line":163},"admin_notices","closure","sudowp-radar.php",28,{"type":136,"name":165,"callback":161,"file":162,"line":166},"plugins_loaded",61,[168],{"action":169,"nopriv":170,"callback":171,"hasNonce":172,"hasCapCheck":172,"file":173,"line":140},"radar_run_audit",false,"handle_run_audit",true,"includes\u002Fclass-radar-ajax.php",[],[],[],{"dangerousFunctions":178,"sqlUsage":179,"outputEscaping":182,"fileOperations":1
1,"externalRequests":11,"nonceChecks":31,"capabilityChecks":185,"bundledLibraries":186},[],{"prepared":180,"raw":11,"locations":181},2,[],{"escaped":183,"rawEcho":11,"locations":184},20,[],6,[],[],{"summary":189,"deductions":190},"The sudowp-radar plugin v1.0.1 exhibits a strong security posture based on the provided static analysis.  All identified entry points, including the single AJAX handler, are protected with appropriate checks. The code adheres to secure development practices by exclusively using prepared statements for all SQL queries and properly escaping all output, eliminating common vulnerabilities related to data manipulation and display.  Furthermore, the absence of dangerous functions, file operations, and external HTTP requests minimizes the attack surface significantly. The plugin also demonstrates good practice by incorporating nonce checks and capability checks, which are crucial for securing WordPress functionalities.  \n\nThe vulnerability history for sudowp-radar is clean, with no recorded CVEs. This suggests a proactive approach to security by the developers or that the plugin has not been a target for exploitation.  While the absence of taint analysis flows is noted, it is not necessarily a weakness given the limited attack surface and the other security measures in place.  Overall, this plugin appears to be developed with security in mind, with a low risk profile. 
However, ongoing monitoring for future vulnerabilities and maintaining up-to-date practices is always recommended for any software.",[],"2026-04-16T14:20:03.412Z",{"wat":193,"direct":202},{"assetPaths":194,"generatorPatterns":197,"scriptPaths":198,"versionParams":199},[195,196],"\u002Fwp-content\u002Fplugins\u002Fsudowp-radar\u002Fassets\u002Fcss\u002Fradar-admin.css","\u002Fwp-content\u002Fplugins\u002Fsudowp-radar\u002Fassets\u002Fjs\u002Fradar-admin.js",[],[196],[200,201],"sudowp-radar\u002Fassets\u002Fcss\u002Fradar-admin.css?ver=","sudowp-radar\u002Fassets\u002Fjs\u002Fradar-admin.js?ver=",{"cssClasses":203,"htmlComments":209,"htmlAttributes":210,"restEndpoints":213,"jsGlobals":215,"shortcodeOutput":217},[204,205,206,207,208],"radar-wrap","radar-dataset-status","radar-premium","radar-free","radar-cached-notice",[],[211,212],"id=\"radar-run-audit\"","id=\"radar-results\"",[214],"\u002Fwp-json\u002Fsudowp-radar\u002Fv1\u002Faudit",[216],"SudoWPRadar",[],{"error":172,"url":219,"statusCode":220,"statusMessage":221,"message":221},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fsudowp-radar\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":31,"versions":223},[224],{"version":6,"download_url":24,"svn_tag_url":225,"released_at":26,"has_diff":170,"diff_files_changed":226,"diff_lines":26,"trac_diff_url":26,"vulnerabilities":227,"is_current":172},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fsudowp-radar\u002Ftags\u002F1.0.1\u002F",[],[]]