Blueternal BOLT Security Toolkit
Blueternal BOLT Security Toolkit (BOLT) scans your WordPress site and hosting environment for security issues, surfaces plain-English findings in wp-admin, and gives you step-by-step fix instructions for every check.
BOLT is designed for the gap between generic WordPress security plugins and full server access: it helps site owners, agencies, and hosting teams see what is actually misconfigured on the current host, which issues matter most, and which ones BOLT can safely fix from WordPress plugin context.
Free features:
- 31-point security scan across Server Environment, WordPress Core, Authentication, Site Exposure, Security Headers, Updates, and Writable Directories
- Checks PHP version, MySQL version, OPcache, dangerous PHP functions, directory listing, PHP override effectiveness, loopback request health, WP-Cron health, WP_DEBUG, wp-config.php permissions, DISALLOW_FILE_EDIT, database prefix, XML-RPC, REST API exposure, application passwords, user registration, default admin username, administrator account sprawl, debug log exposure, readme.html exposure, public backup or dump artifacts, HTTPS, HSTS, core/plugin/theme updates, uploads permissions, and executable files in uploads
- Server/PHP profile detection for Apache, Apache with PHP-FPM/FastCGI, LiteSpeed/LSAPI, Nginx with PHP-FPM, IIS, and unknown/shared-host stacks
- “How to fix” accordion with manual instructions for every check
- Recommendations summary of all failing and warning items
- Host-aware action states so supported fixes show as actionable and unsupported ones stay manual
- Dedicated Hardening tab with supported one-click hardening actions and manual priorities
- One-click auto-fixes for WP_DEBUG, File Editor, Directory Listing, HSTS, executable files in uploads, XML-RPC, and REST API restriction when the current host supports them
- One-click removal for public readme.html exposure and public backup, dump, environment, installer, and diagnostic artifacts
- Persistent fix history with grouped sessions and full undo for all BOLT-applied changes, including restoring original wp-config.php and .htaccess content
- REST public-route allowlist manager for intentional unauthenticated REST endpoints
- Application Password Governance inventory with stale, unused, and administrator-owned API credential review
- Attack Path Analysis: identifies realistic compromise chains based on your current configuration and shows the quickest remediation that breaks each chain
- Near-Miss Detection: highlights conditions that are close to forming an attack path before they become exploitable
- AI Security Briefing panel is visible in the Overview tab; generation and AI Settings require BOLT Pro
- Weekly scheduled scan reports by email
- Optional BOLT-branded PDF attachment on scheduled scan emails using dompdf when available, with a built-in plain PDF fallback
- Reports tab status panel showing whether the BOLT WP-Cron event is registered, when it will run next, the last delivery/PDF status, and a manual test-send button
- Option to send scheduled report emails only when new issues appear
- Alerts tab shows the Slack and generic webhook controls; delivery and test alerts require BOLT Pro
- Activity tab with the last 7 days of security timeline entries for logins, user changes, software changes, scans, reports, alerts, and auto-fixes
- Baseline drift detection with one active baseline, save/update/clear baseline actions, regressions since the approved scan, and finding-level before/after value diffs
- Vulnerability Intelligence rows can show pass/fail status and CVE IDs when advisory findings are present; full advisory detail requires BOLT Pro
- Accepted Risk Register with owner, reason, expiration date, reopen controls, and action-queue suppression for documented unresolved findings
Available through the separate BOLT Pro add-on/service (learn more at blueternalsolutions.com/bolt-pro):
BOLT Pro adds more coverage and less manual work through hosted checks, automation, and reporting controls.
- Domain/IP reputation scan through the BOLT platform endpoint, with normalized results from Spamhaus DBL, SURBL, URIBL, Spamhaus ZEN, SpamCop, and SORBS
- On-demand reputation re-checks from the Reputation tab
- WordPress core file integrity monitoring against official checksums
- Unexpected-file detection inside wp-admin and wp-includes
- PHP malware-pattern scanning across plugins, themes, mu-plugins, and uploads, with Malware Triage Center support for hash-based expected-file decisions
- Vulnerability intelligence for WordPress core, plugins, and themes through a configurable BOLT advisory feed
- Full vulnerability advisory detail, including affected version range, CVSS score, and patch link when supplied by the advisory feed
- AI Security Briefings and AI Settings
- Daily and monthly scheduled scan cadences
- Multiple report recipients and custom report branding
- Slack and generic webhook alerts, including critical-only and baseline-regression-only filters
- Full Activity timeline
- Named baseline snapshots
External Services
BOLT only sends data to an external service when the corresponding feature is configured or explicitly used by an administrator.
Blueternal Solutions
When a site has BOLT Pro active and an administrator generates the AI Security Briefing without saving their own OpenAI API key, BOLT sends a compact, redacted JSON payload of selected fail/warn scan findings to the Blueternal Solutions BOLT API for hosted analysis. Free installs show the AI panel but cannot generate briefings. The payload can include finding labels, statuses, severities, messages, recommendations, remediation guide URLs, limited environment notes, baseline drift summaries, a payload hash, plugin version, site/home URL, and a random install identifier used for service quota. It does not send raw files, database contents, passwords, secret keys, or arbitrary page content.
The hosted AI service uses Blueternal Solutions server-side credentials and may process the redacted payload through an AI provider to return the structured briefing. The separate BOLT Pro add-on/service may also contact Blueternal Solutions endpoints for license validation, reputation checks, vulnerability intelligence, and upgrade pages. Depending on the Pro feature used, requests may include the site URL, plugin version, license key, domain, IP address, and installed WordPress core/plugin/theme version metadata needed to return the requested service response.
Service endpoint: https://blueternalsolutions.com
Terms: https://blueternalsolutions.com/bolt-terms-of-service/
Privacy policy: https://blueternalsolutions.com/bolt-privacy-policy/
OpenAI
If BOLT Pro is active and an administrator saves an OpenAI API key in BOLT settings or defines BOLT_OPENAI_API_KEY, the AI Security Briefing sends the compact, redacted JSON payload directly from the site to OpenAI instead of using the hosted BOLT service. The payload can include finding labels, statuses, severities, messages, recommendations, remediation guide URLs, limited environment notes, and baseline drift summaries. It does not send raw files, database contents, passwords, secret keys, or arbitrary page content.
Service endpoint: https://api.openai.com
Terms: https://openai.com/policies/terms-of-use/
Privacy policy: https://openai.com/policies/privacy-policy/
Google Safe Browsing
If BOLT Pro is active and an administrator saves a Google Safe Browsing API key, the Browser Blocklist reputation check sends the site’s home URL and domain URL to the Google Safe Browsing Lookup API v4 when a reputation check runs. This is used only to determine whether the site is flagged for malware, phishing, unwanted software, or potentially harmful applications. The request also includes the saved API key, a BOLT client identifier, and the plugin version. BOLT does not send scan findings, files, database contents, passwords, license keys, or arbitrary page content to Google Safe Browsing.
Service endpoint: https://safebrowsing.googleapis.com/v4/threatMatches:find
Terms: https://developers.google.com/terms
Privacy policy: https://policies.google.com/privacy
Slack
If BOLT Pro is active and an administrator saves a Slack incoming webhook URL in BOLT Alerts, scheduled alerts or the manual test alert send alert text to the configured Slack webhook. The payload can include the site name, site URL, BOLT admin URL, scan score, score label, score delta, baseline score delta, issue count, issue labels, issue severities, issue statuses, issue messages, baseline drift summaries, capture time, and whether the alert is a test. It does not send raw files, database contents, passwords, secret keys, license keys, or arbitrary page content.
Service endpoint: the Slack incoming webhook URL configured by the administrator, usually https://hooks.slack.com/services/...
Webhook documentation: https://api.slack.com/incoming-webhooks
Terms: https://slack.com/terms-of-service/api
Privacy policy: https://slack.com/privacy-policy
Generic Webhook
If BOLT Pro is active and an administrator saves a generic webhook URL in BOLT Alerts, scheduled alerts or the manual test alert send a JSON alert payload to the exact URL configured by that administrator. The payload can include the site name, site URL, BOLT admin URL, scan score, score label, score delta, critical-only and baseline-only alert flags, baseline score delta, issue count, issue labels, issue severities, issue statuses, issue messages, recommendations, baseline drift summaries, capture time, and whether the alert is a test. It does not send raw files, database contents, passwords, secret keys, license keys, or arbitrary page content.
Service endpoint: the generic webhook URL configured by the administrator. Terms and privacy policy: determined by the administrator-configured destination service.