
CompatShield WP Site Auditor

By: CompatShield
Comprehensive WordPress security auditor. Scans for vulnerabilities, misconfigurations and threats — scored report with actionable fix steps.
Version
0.1.0
Last updated
Jun 26, 2026

CompatShield Site Auditor gives WordPress site owners and agencies a full picture of their site’s security posture in one scan. Unlike basic security plugins, it audits every layer — environment, plugins, themes, users, files, and database — and produces a single weighted score out of 100 with a per-category breakdown.

What it checks

Environment & Hardening

  • PHP version (flags below 8.2)
  • WordPress core version
  • WP_DEBUG exposure
  • XML-RPC enabled
  • wp-config.php file permissions
  • Database table prefix (flags default wp_)
  • Directory listing enabled
  • .htaccess integrity
  • HTTPS enforcement
  • readme.html / license.txt version leakage

Plugin & Theme Intelligence

  • Lists all installed plugins (active and inactive)
  • Hits WordPress.org API for last updated date and install count
  • Flags plugins not updated in 6, 12, or 24 months
  • Flags plugins removed from the WordPress.org directory
  • Flags abandoned themes

User & Access Audit

  • Lists all administrator accounts
  • Flags the default “admin” username still in use
  • Detects dormant admin accounts (no login in 90+ days)
  • Checks for two-factor authentication plugins
  • Flags non-admin users with elevated capabilities (manage_options, install_plugins, etc.)

File Integrity & Backdoor Detection

  • Hashes WordPress core files against official checksums
  • Flags modified core files
  • Scans theme and plugin files for dangerous PHP patterns: eval(base64_decode), gzinflate, str_rot13, shell_exec, exec, system, preg_replace with /e modifier
  • Flags PHP files inside /uploads/ directory
  • Flags .git directory exposure
  • Detects suspicious WordPress cron jobs
  • Flags PHP files modified in the last 7 or 30 days

Database Security

  • Checks for publicly accessible phpMyAdmin
  • Scans published posts for injected content (hidden links, base64 blobs, external iframes)
  • Scans wp_options autoloaded data for malicious PHP patterns and oversized entries

Security Score

  • Weighted score out of 100 (Environment 25, Plugins 20, Headers 20, Users 15, Database 10, Themes 10)
  • Per-category score breakdown with issue count
  • Historical score tracking with week-over-week change

Who is this for?

  • WordPress site owners who want to know their security posture
  • Freelancers and developers managing client sites
  • Agencies auditing multiple client sites

All of the scanning and reporting features described above are fully included in this free plugin — nothing here is time-limited or feature-gated. CompatShield may offer separate, optional products in the future (such as a multi-site management dashboard); any such product would be a distinct, separately-installed plugin or service, not a restriction on this one.

Privacy

This plugin makes outbound requests to:

  • WordPress.org API (api.wordpress.org) — to retrieve plugin and theme metadata
  • Your own site’s URL — to check phpMyAdmin exposure and security headers

No data is sent to third-party servers by the free version.

Free on paid plans
Tested up to
WordPress 7.0