ShieldScope – Site Security Scanner
ShieldScope – Site Security Scanner runs a deep, read-only security audit across your entire WordPress site and produces a clear report of issues grouped by severity: Critical, High, Medium, Low, and Info.
Most security scanners either freeze your admin panel while they run, or quietly hammer your server in the background. ShieldScope does neither. It runs in small, controlled steps with a built-in speed limit — so your site stays fast and responsive the whole time. If you switch to another browser tab, the scan automatically pauses and picks up exactly where it left off when you return.
Here is what ShieldScope checks:
WordPress Core Health
Checks that your WordPress installation is up to date and securely configured. Flags outdated versions, debug settings left enabled on a live site (for example WP_DEBUG with debug output displayed), insecure table prefixes, and other common setup mistakes that attackers actively look for.
Core File Integrity
Verifies that every WordPress core file is exactly as it should be by comparing each file's MD5 hash against the official checksums that WordPress.org publishes for your exact version and locale (see Third-Party Services below). Flags any modified or unexpected files inside core WordPress folders, a common sign of a hacked or tampered site.
User Accounts
Reviews all administrator accounts for common weaknesses: a default “admin” username, too many admin accounts, passwords stored with a weak or outdated hashing scheme, empty passwords, and accounts whose login name is visible to the public.
Files & Folders
Scans your site’s file system for risky permissions, sensitive configuration files left publicly accessible, leftover backup files that should never be on a live server, and unexpected files in folders where only media should live.
Plugins
Flags plugins with pending security updates, plugins that are installed but inactive (their files stay on disk and can still be requested directly, so they still need to be kept patched), and plugins that appear to have been abandoned by their developers with no recent maintenance.
Themes
Flags themes with pending updates, extra inactive themes that add unnecessary risk, and checks whether your site has a proper active theme configured.
Malicious Code Patterns
Scans plugin and theme files for known malware signatures, hidden backdoors, and dangerous code patterns that attackers commonly plant on compromised WordPress sites.
SSL & HTTPS
Checks that your SSL/TLS certificate is valid and not about to expire, that your site negotiates a modern TLS version, that all pages load over HTTPS without mixed content, and that visitors are always redirected from HTTP to HTTPS automatically.
Security Headers
Checks that your site sends the right security headers to visitors’ browsers: X-Frame-Options or a Content-Security-Policy frame-ancestors directive against clickjacking, X-Content-Type-Options: nosniff against MIME-type sniffing, and a Referrer-Policy that stops full page URLs leaking to other sites. Also checks whether your WordPress version number is being broadcast publicly (for example in the generator meta tag), which gives attackers a head start.
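The header and version checks above, as an added Python illustration that is not the plugin's code: one function grades a single HTTP response from its headers and body, and the two sample responses (a weak one and a hardened one) are constructed, not captured from a real site. The severity labels are assumptions; the plugin's own grading is not documented on this page.

```python
import re

FRAMING_OK = ("DENY", "SAMEORIGIN")
PERMISSIVE_REFERRER = ("", "unsafe-url", "no-referrer-when-downgrade")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)


def check_security_headers(headers: dict, html: str) -> list:
    """Grade one HTTP response. `headers` maps header names (any case) to
    values, `html` is the response body. Returns (severity, message) tuples;
    severities are illustrative."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive
    # must restrict framing (browsers prefer CSP when both are present).
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in FRAMING_OK:
        findings.append(("Medium", "no X-Frame-Options or CSP frame-ancestors: "
                         "pages can be framed by other sites (clickjacking)"))

    # MIME sniffing: the only meaningful value is exactly "nosniff".
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("Low", "X-Content-Type-Options: nosniff is missing: "
                         "browsers may reinterpret responses as another type"))

    # Referrer leakage: absent or permissive policies send full URLs cross-origin.
    if h.get("referrer-policy", "").lower() in PERMISSIVE_REFERRER:
        findings.append(("Low", "Referrer-Policy is missing or permissive: "
                         "full page URLs leak to third-party origins"))

    # Version disclosure: WordPress emits a generator meta tag by default.
    m = GENERATOR_RE.search(html)
    if m:
        findings.append(("Info", f"WordPress version {m.group(1)} disclosed "
                         "in the generator meta tag"))
    return findings


# Constructed sample responses (not captured from a real site).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "nginx",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HTML = ('<!DOCTYPE html><html><head>'
             '<meta name="generator" content="WordPress 6.5.2" />'
             '</head><body></body></html>')
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HARDENED_HTML = "<!DOCTYPE html><html><head></head><body></body></html>"

if __name__ == "__main__":
    for sev, msg in check_security_headers(WEAK_HEADERS, WEAK_HTML):
        print(f"[{sev}] {msg}")
    print("hardened:", check_security_headers(HARDENED_HEADERS, HARDENED_HTML))
```

Against a live site, feed the function `resp.headers.items()` and `resp.read().decode()` from a urllib request, and check more than one URL (the front page, a post, wp-login.php): header sets often differ per path when they are added by a plugin or a web-server rule.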
Database Settings
Checks security-relevant settings stored in the WordPress database (the options table): whether open user registration is enabled with a default role that grants too many permissions, whether the site URL and home URL are consistent, and whether any administrator accounts were created recently without your knowledge.
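The account checks under User Accounts and the option checks above, as one added Python illustration that is not the plugin's code: it runs the queries against an in-memory SQLite copy of the three tables involved (wp_users, wp_usermeta, wp_options), with constructed rows. Administrators are found through the serialized wp_capabilities meta value. The thresholds, the severity labels and the "now" timestamp are assumptions made for the example.

```python
import re
import sqlite3
from datetime import datetime, timedelta
from urllib.parse import urlsplit

MAX_ADMINS = 3    # assumed threshold; the plugin's own cutoff is not documented
RECENT_DAYS = 7   # assumed window for "created recently"


def password_storage_issue(user_pass: str):
    """Classify a wp_users.user_pass value; None means nothing to report."""
    if not user_pass:
        return "empty password"
    if user_pass.startswith(("$P$", "$H$")):
        return "outdated phpass (MD5-based) hash"
    if re.fullmatch(r"[0-9a-f]{32}", user_pass):
        return "legacy unsalted MD5"
    return None


def audit(conn: sqlite3.Connection, now: datetime, prefix: str = "wp_") -> list:
    """Account and option checks over the WordPress schema. Severities are
    illustrative; `now` is injected so the 'recent' test is reproducible."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be alphanumeric")  # spliced into SQL
    findings = []
    # An administrator is a user whose serialized wp_capabilities meta holds
    # the administrator role, e.g. a:1:{s:13:"administrator";b:1;}
    admins = conn.execute(
        f"SELECT u.ID, u.user_login, u.user_pass, u.user_registered "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE ? ORDER BY u.ID",
        (prefix + "capabilities", '%"administrator";b:1%'),
    ).fetchall()
    for uid, login, pw, registered in admins:
        if login.lower() == "admin":
            findings.append(("High", f"administrator ID {uid} uses the default login 'admin'"))
        issue = password_storage_issue(pw)
        if issue:
            findings.append(("High", f"administrator '{login}': {issue}"))
        age = now - datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if age <= timedelta(days=RECENT_DAYS):
            findings.append(("Medium", f"administrator '{login}' was created "
                             f"{age.days} day(s) ago; confirm it is expected"))
    if len(admins) > MAX_ADMINS:
        findings.append(("Medium", f"{len(admins)} administrator accounts exceed "
                         f"the threshold of {MAX_ADMINS}"))

    opts = dict(conn.execute(
        f"SELECT option_name, option_value FROM {prefix}options").fetchall())
    # Open registration is only safe when new users land in the subscriber role.
    if opts.get("users_can_register") == "1" and \
            opts.get("default_role", "subscriber") != "subscriber":
        findings.append(("Critical", "open registration hands new users the "
                         f"'{opts['default_role']}' role"))
    # siteurl and home may legitimately differ in path (subdirectory install),
    # but a scheme or host mismatch breaks HTTPS and cookie assumptions.
    site, home = urlsplit(opts.get("siteurl", "")), urlsplit(opts.get("home", ""))
    if (site.scheme, site.netloc) != (home.scheme, home.netloc):
        findings.append(("Low", f"siteurl '{opts.get('siteurl')}' and home "
                         f"'{opts.get('home')}' disagree on scheme or host"))
    return findings


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the three tables (columns trimmed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_pass TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT);
    """)
    admin_caps = 'a:1:{s:13:"administrator";b:1;}'
    sub_caps = 'a:1:{s:10:"subscriber";b:1;}'
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "admin", "$P$BGdK7ZtVKwOqXqB3qq3lZ5i1nUpAw/1", "2021-03-04 10:00:00"),
        (2, "alice", "$2y$10$" + "x" * 53, "2022-06-01 09:30:00"),  # bcrypt-style, fine
        (3, "wp_support", "", "2024-05-10 02:15:00"),            # empty, brand new
        (4, "bob", "$2y$10$" + "y" * 53, "2023-01-01 00:00:00"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (NULL,?,?,?)", [
        (1, "wp_capabilities", admin_caps), (2, "wp_capabilities", admin_caps),
        (3, "wp_capabilities", admin_caps), (4, "wp_capabilities", sub_caps),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (NULL,?,?)", [
        ("users_can_register", "1"), ("default_role", "administrator"),
        ("siteurl", "https://example.com"), ("home", "http://example.com"),
    ])
    return conn


def demo() -> list:
    """Run the audit on the constructed data at a fixed point in time."""
    return audit(build_demo_db(), datetime(2024, 5, 12))


if __name__ == "__main__":
    for sev, msg in demo():
        print(f"[{sev}] {msg}")
```

The capabilities match is a LIKE on PHP-serialized data rather than a proper unserialize, which is why the pattern includes the `;b:1` that follows the role name: a role that has been explicitly revoked (`b:0`) must not count.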
Injection Vulnerabilities
Scans plugin and theme code for common vulnerability patterns, including SQL injection, cross-site scripting (XSS), and other places where unsanitised request input reaches a database query or page output, weaknesses that attackers exploit to take control of WordPress sites or steal visitor data.
Access Control
Tests whether parts of your site that should require a login are actually protected. Looks for username leaks through public author pages, missing brute-force login protection, lack of two-factor authentication, and whether admin pages and API endpoints enforce proper access checks.
Server Configuration
Checks for server-level security issues: outdated PHP versions that no longer receive security patches, sensitive files accidentally left accessible to the public (such as environment config files or debug logs), and server settings that leak technical information to potential attackers.
Server-Side Request Forgery (SSRF)
Looks for code patterns in plugins and themes that could allow an attacker to trick your server into making unauthorised requests to other systems — both on the internet and inside your private network.
Vulnerable & Outdated Components
Checks your database server (MySQL or MariaDB) version, WordPress version, and installed plugins against known vulnerability records and end-of-support dates. Flags anything running on software that no longer receives security patches.
Vulnerability Database
Cross-references your installed plugins and themes against a known vulnerability database. A free WPScan API key (optional) enables live lookups for every plugin and theme on your site, within the request limits described under Third-Party Services below. Without a key, a built-in list of the most commonly exploited plugins is checked automatically, with no setup needed.
ShieldScope never makes any changes to your site. It is strictly read-only. It scans, reports, and recommends — nothing else.
Third-Party Services
This plugin communicates with the following external services only while a scan is actively running. No data is sent on regular page loads.
WordPress.org Core Checksums API
During the Core Integrity check, the plugin fetches the official file checksums for your exact WordPress version and locale from the WordPress.org API. The only data sent is your WordPress version number and site locale (for example, en_US). No personal data, usernames, or site URLs are transmitted.
- Service: https://api.wordpress.org/core/checksums/1.0/
- Privacy policy: https://automattic.com/privacy/
WPScan Vulnerability Database (optional)
If you enter a WPScan API key in Settings, the Vulnerability Database check sends the slug and version number of each installed plugin and theme to wpscan.com to retrieve known vulnerability data. This feature is disabled by default and requires you to explicitly provide an API key. The free tier allows 25 requests per day and results are cached for 24 hours, so a site with more than 25 plugins and themes will not have every component looked up on the same day.
- Service: https://wpscan.com/api/v3/
- Privacy policy: https://automattic.com/privacy/
- Terms of service: https://wpscan.com/terms/
Disclaimer
ShieldScope uses automated analysis to identify potential security issues. Findings should be reviewed before acting on them — particularly for plugins and themes, where a finding may require verification with the plugin or theme developer.
This plugin is designed to help website owners identify security risks on their own sites. It does not guarantee detection of every possible vulnerability.
All scanning is performed locally on your own server. Apart from the version and locale sent for the core checksum lookup and the plugin and theme slugs sent for optional WPScan lookups (both described under Third-Party Services), no scan data, site content, or personal information leaves your server, is stored externally, or is shared with any third party. For questions, please use the support forum.
