ShieldScope – Site Security Scanner

By Dhiren Patel
A thorough WordPress security scanner that checks your entire site for vulnerabilities and misconfigurations — without slowing it down.
Version
1.3.1
Last updated
Jul 1, 2026
ShieldScope – Site Security Scanner runs a deep, read-only security audit across your entire WordPress site and produces a clear report of issues grouped by severity: Critical, High, Medium, Low, and Info.

Most security scanners either freeze your admin panel while they run, or quietly hammer your server in the background. ShieldScope does neither. It runs in small, controlled steps with a built-in speed limit — so your site stays fast and responsive the whole time. If you switch to another browser tab, the scan automatically pauses and picks up exactly where it left off when you return.

Here is what ShieldScope checks:

WordPress Core Health

Checks that your WordPress installation is up to date and securely configured. Flags outdated versions, exposed debug settings, insecure table prefixes, and other common setup mistakes that attackers actively look for.

Core File Integrity

Verifies that every WordPress core file is exactly as it should be by comparing against official WordPress checksums. Flags any modified or unexpected files inside core WordPress folders — a common sign of a hacked or tampered site.

User Accounts

Reviews all administrator accounts for common weaknesses: a default “admin” username, too many admin accounts, weak or outdated password storage, empty passwords, and accounts whose login name is visible to the public.

Files & Folders

Scans your site’s file system for risky permissions, sensitive configuration files left publicly accessible, leftover backup files that should never be on a live server, and unexpected files in folders where only media should live.

Plugins

Flags plugins with pending security updates, plugins that are installed but inactive (a common attack surface), and plugins that appear to have been abandoned by their developers with no recent maintenance.

Themes

Flags themes with pending updates, extra inactive themes that add unnecessary risk, and checks whether your site has a proper active theme configured.

Malicious Code Patterns

Scans plugin and theme files for known malware signatures, hidden backdoors, and dangerous code patterns that attackers commonly plant on compromised WordPress sites.

SSL & HTTPS

Checks that your SSL certificate is valid and not about to expire, that your site uses a modern version of HTTPS encryption, that all pages load securely, and that visitors are always redirected from HTTP to HTTPS automatically.

Security Headers

Checks that your site sends the right security instructions to visitors’ browsers — protections that help prevent clickjacking, content-type attacks, and referrer leaks. Also checks whether your WordPress version number is being broadcast publicly, which gives attackers a head start.

Database Settings

Checks database-level security settings: whether open user registration is configured with too many permissions, whether your site URLs are consistent, and whether any administrator accounts were created recently without your knowledge.

Injection Vulnerabilities

Scans plugin and theme code for common vulnerability patterns including SQL injection, cross-site scripting (XSS), and other code weaknesses that attackers exploit to take control of WordPress sites or steal visitor data.

Access Control

Tests whether parts of your site that should require a login are actually protected. Looks for username leaks through public author pages, missing brute-force login protection, lack of two-factor authentication, and whether admin pages and API endpoints enforce proper access checks.

Server Configuration

Checks for server-level security issues: outdated PHP versions that no longer receive security patches, sensitive files accidentally left accessible to the public (such as environment config files or debug logs), and server settings that leak technical information to potential attackers.

Server-Side Request Forgery (SSRF)

Looks for code patterns in plugins and themes that could allow an attacker to trick your server into making unauthorised requests to other systems — both on the internet and inside your private network.

Vulnerable & Outdated Components

Checks your database software version, WordPress version, and installed plugins against known vulnerability records and end-of-support dates. Flags anything running on software that no longer receives security patches.

Vulnerability Database

Cross-references your installed plugins and themes against a known vulnerability database. A free WPScan API key (optional) enables live lookups for every plugin and theme on your site. Without a key, a built-in list of the most commonly exploited plugins is checked automatically — no setup needed.

ShieldScope never makes any changes to your site. It is strictly read-only. It scans, reports, and recommends — nothing else.

Third-Party Services

This plugin communicates with the following external services only while a scan is actively running. No data is sent on regular page loads.

WordPress.org Core Checksums API

During the Core Integrity check, the plugin fetches the official file checksums for your exact WordPress version and locale from the WordPress.org API. The only data sent is your WordPress version number and site locale (for example, en_US). No personal data, usernames, or site URLs are transmitted.

  • Service: https://api.wordpress.org/core/checksums/1.0/
  • Privacy policy: https://automattic.com/privacy/
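
The comparison described above, as an added example (not ShieldScope's own code): it checks a WordPress tree against a checksums manifest and reports modified, missing and unexpected core files. The tree and manifest are constructed so the example runs offline; the `{"checksums": {path: md5}}` shape is an assumption about the API response, and all function names are hypothetical.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # every file in these must be in the manifest

def md5_file(path):
    # MD5 only because the manifest digests are assumed to be MD5; core files are small
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def audit_core(root, api_json):
    """Return core files that are modified, missing, or not listed in the manifest."""
    root, expected = Path(root), json.loads(api_json)["checksums"]
    findings = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        f = root / rel
        if not f.is_file():
            findings["missing"].append(rel)
        elif md5_file(f) != digest:
            findings["modified"].append(rel)
    # Files absent from the manifest but sitting inside core-only folders
    for d in CORE_DIRS:
        for f in (root / d).rglob("*"):
            rel = f.relative_to(root).as_posix()
            if f.is_file() and rel not in expected:
                findings["unexpected"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def build_demo():
    """Constructed tree and manifest (not real WordPress files) with three planted problems."""
    root = Path(tempfile.mkdtemp())
    clean = {
        "wp-includes/version.php": b"<?php // version\n",
        "wp-admin/index.php": b"<?php // dashboard\n",
        "wp-login.php": b"<?php // login\n",
    }
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in clean.items()}
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    (root / "wp-admin/index.php").write_bytes(b"<?php // dashboard, edited\n")
    (root / "wp-login.php").unlink()
    (root / "wp-includes/cache-old.php").write_bytes(b"<?php // not in manifest\n")
    return root, json.dumps({"checksums": manifest})

if __name__ == "__main__":
    print(audit_core(*build_demo()))
```

A file that matches the manifest proves only that core is unmodified; plugins, themes and uploads are outside the manifest and need the other checks listed on this page.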

WPScan Vulnerability Database (optional)

If you enter a WPScan API key in Settings, the Vulnerability Database check sends the slug and version number of each installed plugin and theme to wpscan.com to retrieve known vulnerability data. This feature is disabled by default and requires you to explicitly provide an API key. The free tier allows 25 requests per day; results are cached for 24 hours.

  • Service: https://wpscan.com/api/v3/
  • Privacy policy: https://automattic.com/privacy/
  • Terms of service: https://wpscan.com/terms/

Disclaimer

ShieldScope uses automated analysis to identify potential security issues. Findings should be reviewed before acting on them — particularly for plugins and themes, where a finding may require verification with the plugin or theme developer.

This plugin is designed to help website owners identify security risks on their own sites. It does not guarantee detection of every possible vulnerability.

All scanning is performed locally on your own server. No scan data, site content, or personal information is stored externally or shared with any third party. For questions, please use the support forum.

Tested up to
WordPress 7.0