Pura Vida Vulnerability Scanner
Pura Vida Vulnerability Scanner checks everything installed on your site, including plugins, themes and WordPress core, against the Wordfence Intelligence vulnerability database, audits your site’s security posture, and shows you exactly what is at risk and how to fix it.
It does not invent findings. It correlates your installed software and configuration against authoritative public sources (Wordfence Intelligence, CVE/MITRE, the WordPress.org update channel) and live checks of your own server.
Security overview
The dashboard opens with an at-a-glance status table covering:
- WordPress Version: OK / Warning
- Vulnerable Plugins: OK / Critical / High / Medium
- Missing Headers: Present / Missing / N/A (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- SSL: Valid / Expiring soon / Expired / N/A (certificate expiry)
- DNS: OK / Issues / N/A
- Email Security: SPF and DMARC (DKIM is selector-specific)
- CDN/WAF: Detected / Not detected / N/A
What it does
- Inventories every installed plugin, theme and the WordPress core version.
- Matches each item and version against a continuously updated vulnerability feed.
- Shows severity (CVSS), the CVE identifier, a description and the recommended fix for every finding.
- Audits your configuration and lists prioritized hardening recommendations (2FA, updates, HTTPS, file editor, and more).
- Optionally runs scheduled scans and sends email alerts when new critical/high issues appear.
Data sources
- Wordfence Intelligence Vulnerability Data Feed: free for personal and commercial use; includes CVE (MITRE) and CVSS information.
- CVE (MITRE Corporation): the canonical vulnerability identifiers.
- WordPress.org update channel: available core, plugin and theme updates.
- Live site checks performed by the plugin: HTTP headers, SSL, DNS, SPF/DMARC and CDN/WAF.
This product includes data that may be copyrighted by Defiant Inc. (Wordfence Intelligence) and by the MITRE Corporation (CVE®); their notices are displayed alongside the relevant findings.
Developed by Pura Vida Design Studio, Open Source Security & Website Tools (https://puravidadesignstudio.com/).
External services
This plugin connects to one external service to function: the Wordfence Intelligence Vulnerability Data Feed.
Wordfence Intelligence Vulnerability Data Feed (Defiant Inc.): this plugin downloads the public WordPress vulnerability database from Wordfence in order to match it against the plugins, themes and core version installed on your site.
- What is sent: your Wordfence Intelligence API key (in the request Authorization header) and your site’s URL (in the request User-Agent header), sent to https://www.wordfence.com/. The list of plugins and themes installed on your site is NOT transmitted; matching is performed locally on your own server.
- When it is sent: when you run a manual scan, and when a scheduled scan runs (about once per day). The downloaded database is cached locally for 24 hours so the service is contacted at most about once per day.
- Service terms: https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/
- Privacy policy: https://www.wordfence.com/privacy-policy/
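The local matching described above can be sketched as follows. This is an added example, not the plugin's own code: the feed field names, slugs, versions and CVE placeholders are constructed assumptions, and the version comparison is a numeric-only simplification.

```python
import re

# Constructed feed records; field names are assumptions for this example.
FEED = {
    "constructed-1": {
        "cve": "CVE-PLACEHOLDER-1", "cvss": {"score": 6.4, "rating": "Medium"},
        "software": [{"type": "plugin", "slug": "example-forms", "affected_versions": {
            "* - 2.4.1": {"from_version": "*", "from_inclusive": True,
                          "to_version": "2.4.1", "to_inclusive": True}}}]},
    "constructed-2": {
        "cve": "CVE-PLACEHOLDER-2", "cvss": {"score": 8.8, "rating": "High"},
        "software": [{"type": "theme", "slug": "example-theme", "affected_versions": {
            "1.2.0 - 1.10.0": {"from_version": "1.2.0", "from_inclusive": True,
                               "to_version": "1.10.0", "to_inclusive": False}}}]},
}
# Constructed local inventory: (type, slug, installed version). Never leaves the host.
INSTALLED = [("plugin", "example-forms", "2.4.1"),
             ("plugin", "example-gallery", "3.0"),
             ("theme", "example-theme", "1.9.3")]

def vkey(version):
    """Numeric sort key so 1.10 > 1.9; pre-release suffixes are ignored (simplification)."""
    nums = [int(p) for p in re.match(r"[0-9.]*", version).group().split(".") if p]
    while nums and nums[-1] == 0:   # treat 2.4 and 2.4.0 as equal
        nums.pop()
    return tuple(nums)

def in_range(installed, rng):
    """True if the installed version falls inside one affected-version range."""
    v = vkey(installed)
    lo, hi = rng["from_version"], rng["to_version"]
    if lo != "*" and (v < vkey(lo) or (v == vkey(lo) and not rng["from_inclusive"])):
        return False
    if hi != "*" and (v > vkey(hi) or (v == vkey(hi) and not rng["to_inclusive"])):
        return False
    return True

def match_locally(installed, feed):
    """Correlate the local inventory with the downloaded feed; no network access."""
    findings = []
    for kind, slug, version in installed:
        for record in feed.values():
            for sw in record["software"]:
                if (sw["type"], sw["slug"]) == (kind, slug) and any(
                        in_range(version, r) for r in sw["affected_versions"].values()):
                    findings.append((slug, version, record["cve"], record["cvss"]["rating"]))
    return findings

if __name__ == "__main__":
    for finding in match_locally(INSTALLED, FEED):
        print(finding)
```

Comparing versions as numeric tuples matters at range boundaries: a plain string comparison would place 1.9.3 above 1.10.0 and miss the second finding.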
The plugin also performs read-only checks against your own site for the Security Overview: a loopback HTTP request to your own home URL (to inspect response headers and detect a CDN/WAF) and DNS lookups for your own domain (to check DNS resolution and SPF/DMARC records). These query your own domain and public DNS only; no data is sent to any third party.
