Server Scout
·
Helps server administrators discover and manage all WordPress installations on the same server from a single dashboard.
Server Scout is a tool for server administrators who manage multiple WordPress sites on the same server. Instead of logging into each site one by one, Scout gives you a single dashboard where you can see every WordPress installation on the server and quickly access them.
What it does
- Recursively scans a directory of your choice (e.g.
/var/www) for all WordPress installations. - Displays each site’s name, URL, WordPress version, and database prefix.
- Lists all administrator users for each site (username + email).
- Generates a secure, one-time, 5-minute login link so you can jump straight into any site’s admin area without needing the password.
Who is it for?
- VPS / dedicated server owners managing multiple client or personal WordPress sites.
- Developers running several local or staging environments on one machine.
- Agencies with a fleet of sites on a single server.
How login links work
- Click Generate Login Link next to any admin user.
- A cryptographically signed, one-time token is stored in that site’s database (valid for 5 minutes).
- The generated link goes through WordPress’s standard
admin-ajax.phpendpoint — not a direct PHP file — and includes a nonce for request verification. - Opening the link logs you directly into that site’s admin dashboard.
- The token is deleted immediately on first use — it cannot be used twice.
Security
- Requires the
manage_optionscapability (Administrator) to use the plugin. - All form submissions are protected with WordPress nonces.
- Login links use
wp_ajax_nopriv_(WordPress AJAX), include a nonce, and go throughadmin-ajax.php. - Tokens are HMAC-signed with WordPress’s built-in
secure_authsalt — cannot be forged. - Scan paths are validated with
realpath()before use. - All database queries use prepared statements.
- The standard
wp_loginaction is fired on login so security plugins (login limiters, audit logs) are notified.
Important: This plugin is intended for server administrators only. Do not install it on shared hosting environments where you do not control all sites on the server.