CompatShield WP Site Auditor

Description

CompatShield Site Auditor gives WordPress site owners and agencies a full picture of their site’s security posture in one scan. Unlike basic security plugins, it audits every layer — environment, plugins, themes, users, files, and database — and produces a single weighted score out of 100 with a per-category breakdown.

What it checks

Environment & Hardening
* PHP version (flags below 8.2)
* WordPress core version
* WP_DEBUG exposure
* XML-RPC enabled
* wp-config.php file permissions
* Database table prefix (flags default wp_)
* Directory listing enabled
* .htaccess integrity
* HTTPS enforcement
* readme.html / license.txt version leakage

Plugin & Theme Intelligence
* Lists all installed plugins (active and inactive)
* Queries the WordPress.org API for each plugin's last-updated date and install count
* Flags plugins not updated in 6, 12, or 24 months
* Flags plugins removed from the WordPress.org directory
* Flags abandoned themes

User & Access Audit
* Lists all administrator accounts
* Flags the default “admin” username still in use
* Detects dormant admin accounts (no login in 90+ days)
* Checks for two-factor authentication plugins
* Flags non-admin users with elevated capabilities (manage_options, install_plugins, etc.)

File Integrity & Backdoor Detection
* Hashes WordPress core files against official checksums
* Flags modified core files
* Scans theme and plugin files for dangerous PHP patterns: eval(base64_decode), gzinflate, str_rot13, shell_exec, exec, system, preg_replace with /e modifier
* Flags PHP files inside /uploads/ directory
* Flags .git directory exposure
* Detects suspicious WordPress cron jobs
* Flags PHP files modified in the last 7 or 30 days

Database Security
* Checks for publicly accessible phpMyAdmin
* Scans published posts for injected content (hidden links, base64 blobs, external iframes)
* Scans wp_options autoloaded data for malicious PHP patterns and oversized entries
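To make the file-integrity and database-content checks listed above concrete, here is an added, stand-alone Python example. It is not CompatShield's own code and does not run inside WordPress: it walks a directory tree the way a scanner would. The throwaway tree, the expected-checksum map (same shape as the core checksums map, path to MD5), the sample post bodies and the site hostname `example.com` are all constructed for the demonstration, and the regexes are heuristics that surface candidates for human review rather than proof of compromise.

```python
"""Stand-alone auditor for a subset of the checks on the page (added example).
Everything it scans below is a constructed fixture, not a real site."""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic regexes for the PHP constructs listed under "File Integrity &
# Backdoor Detection". Legitimate code can use some of these, so each hit
# is a candidate for review, not a verdict.
DANGEROUS_PATTERNS = {
    "eval(base64_decode)": re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I),
    "gzinflate": re.compile(r"\bgzinflate\s*\(", re.I),
    "str_rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "shell_exec": re.compile(r"\bshell_exec\s*\(", re.I),
    "exec": re.compile(r"\bexec\s*\(", re.I),
    "system": re.compile(r"\bsystem\s*\(", re.I),
    # quoted pattern whose trailing modifier list contains the removed /e flag
    "preg_replace /e": re.compile(
        r"preg_replace\s*\(\s*(['\"])(\W)(?:(?!\1).)*?\2[a-zA-Z]*e[a-zA-Z]*\1", re.I),
}

# Indicators for the injected post content listed under "Database Security".
HIDDEN_LINK = re.compile(
    r"<a\b[^>]*display\s*:\s*none"
    r"|<(?:div|span|p)\b[^>]*display\s*:\s*none[^>]*>(?:(?!</(?:div|span|p)>).)*?<a\b",
    re.I | re.S)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
IFRAME_SRC = re.compile(r"<iframe[^>]+src=[\"']https?://([^/\"']+)", re.I)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def scan_php_source(text):
    """Names of dangerous patterns present in one PHP source string."""
    return [name for name, rx in DANGEROUS_PATTERNS.items() if rx.search(text)]


def scan_post_content(html, site_host):
    """Labels for injected-content indicators in one post body."""
    hits = []
    if HIDDEN_LINK.search(html):
        hits.append("hidden link")
    if BASE64_BLOB.search(html):
        hits.append("base64 blob")
    for host in IFRAME_SRC.findall(html):
        if host.lower() != site_host.lower():
            hits.append(f"external iframe ({host})")
    return hits


def scan_tree_for_patterns(root):
    """Map of relative path -> pattern names for every flagged .php file."""
    findings = {}
    for p in Path(root).rglob("*.php"):
        hits = scan_php_source(p.read_text(errors="replace"))
        if hits:
            findings[str(p.relative_to(root))] = hits
    return findings


def php_files_in_uploads(root):
    """Executable PHP under wp-content/uploads should not exist on a healthy site."""
    uploads = Path(root) / "wp-content" / "uploads"
    return sorted(str(p.relative_to(root)) for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)


def verify_core_checksums(root, checksums):
    """Compare files against an expected path -> MD5 map (MD5 because that is
    the digest the core checksums map carries, not a security choice)."""
    findings = []
    for rel, expected in checksums.items():
        path = Path(root) / rel
        if not path.is_file():
            findings.append(f"missing: {rel}")
        elif hashlib.md5(path.read_bytes()).hexdigest() != expected:
            findings.append(f"modified: {rel}")
    return findings


def recently_modified_php(root, days):
    """PHP files whose mtime falls inside the last `days` days."""
    cutoff = time.time() - days * 86400
    return sorted(str(p.relative_to(root)) for p in Path(root).rglob("*.php")
                  if p.stat().st_mtime >= cutoff)


def audit(root, checksums, site_host, posts):
    """Run every check and return one report dict."""
    post_hits = {}
    for post_id, body in posts.items():
        hits = scan_post_content(body, site_host)
        if hits:
            post_hits[post_id] = hits
    return {
        "dangerous_patterns": scan_tree_for_patterns(root),
        "php_in_uploads": php_files_in_uploads(root),
        "core_integrity": verify_core_checksums(root, checksums),
        "modified_last_7_days": recently_modified_php(root, 7),
        "post_content": post_hits,
    }


SAMPLE_POSTS = {  # constructed post bodies, not real site data
    101: "<p>Welcome to our bakery.</p>",
    102: '<p>Hi</p><div style="display:none"><a href="https://example.org/x">cheap</a></div>',
    103: '<iframe src="https://tracker.example.net/f"></iframe>',
}


def build_fixture():
    """Construct a throwaway tree: one clean core file, one tampered core file,
    a PHP file in uploads and a plugin using the /e modifier. The checksum map
    is constructed too; a real run would fetch it from WordPress.org."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean = b"<?php\n// wp-settings.php (constructed stand-in)\n"
    (root / "wp-settings.php").write_bytes(clean)
    (root / "wp-load.php").write_text("<?php\neval(base64_decode($payload));\n")
    (root / "wp-content/uploads/2024/01").mkdir(parents=True)
    (root / "wp-content/uploads/2024/01/image.php").write_text("<?php system($cmd);\n")
    (root / "wp-content/plugins/hello").mkdir(parents=True)
    (root / "wp-content/plugins/hello/hello.php").write_text(
        "<?php\n$o = preg_replace('/(.*)/e', 'strrev(\"$1\")', $in);\n")
    old = time.time() - 60 * 86400
    os.utime(root / "wp-settings.php", (old, old))  # make one file look untouched
    checksums = {
        "wp-settings.php": hashlib.md5(clean).hexdigest(),
        "wp-load.php": "00000000000000000000000000000000",          # constructed: differs on purpose
        "wp-includes/pluggable.php": "11111111111111111111111111111111",  # constructed: absent on disk
    }
    return root, checksums


if __name__ == "__main__":
    fixture_root, fixture_sums = build_fixture()
    for section, value in audit(fixture_root, fixture_sums, "example.com", SAMPLE_POSTS).items():
        print(section, value)
```

Each check returns plain lists or dicts so a report, a score or an alert can be built on top without re-running the filesystem walk; the fixture's `wp-settings.php` is aged with `os.utime` so the seven-day window flags only the files the fixture actually wrote.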

Security Score
* Weighted score out of 100 (Environment 25, Plugins 20, Headers 20, Users 15, Database 10, Themes 10)
* Per-category score breakdown with issue count
* Historical score tracking with week-over-week change

Who is this for?

* WordPress site owners who want to know their security posture
* Freelancers and developers managing client sites
* Agencies auditing multiple client sites

All of the scanning and reporting features described above are fully included in this free plugin; nothing here is time-limited or feature-gated. CompatShield may offer separate, optional products in the future (such as a multi-site management dashboard); any such product would be a distinct, separately-installed plugin or service, not a restriction on this one.

Privacy

This plugin makes outbound requests to:
* WordPress.org API (api.wordpress.org) — to retrieve plugin and theme metadata
* Your own site’s URL — to check phpMyAdmin exposure and security headers

No data is sent to third-party servers by the free version.

Installation

  1. Upload the plugin files to /wp-content/plugins/compatshield-site-auditor/, or install the plugin through the WordPress Plugins screen directly.
  2. Activate the plugin through the Plugins screen in WordPress.
  3. Navigate to Security Audit in the WordPress admin sidebar.
  4. Click Run Security Scan to perform your first scan.

FAQ

Does this plugin affect site performance?

Scans only run when you click “Run Security Scan” — nothing happens in the background on the free tier. The scan touches the local filesystem and database, so run it during off-peak hours on large sites.

Why does my score say 0/100?

A score of 0 means the combined deductions from your findings exceeded 100 points. This happens on sites with multiple critical and high issues simultaneously (e.g. missing all security headers plus no 2FA plus WP_DEBUG enabled). Fix the findings listed and re-run the scan.

Is my data sent anywhere?

The free version only contacts WordPress.org to fetch plugin/theme metadata. No scan results, site data, or personal information is sent to CompatShield or any third party.

Will this plugin fix issues automatically?

No. CompatShield Site Auditor is a read-only scanner. It tells you what’s wrong — it doesn’t make changes to your site.

Can I use this on a multisite installation?

Yes. The plugin supports WordPress Multisite and can be network-activated.

Contributors & Developers

“CompatShield WP Site Auditor” is open source software. The following people have contributed to this plugin.

Changelog

0.1.0

* Initial release
* Environment & hardening scanner (10 checks)
* Plugin & theme intelligence with WordPress.org API integration
* User & access audit with dormant account detection
* File integrity scanner with malware pattern detection
* Database security scanner
* Weighted security score with per-category breakdown
* Historical score tracking
* Security headers audit