Title: Pura Vida Vulnerability Scanner
Author: trgomez
Published: <strong>June 15, 2026</strong>
Last modified: June 15, 2026

---

Search plugins

![](https://ps.w.org/pura-vida-vulnerability-scanner/assets/banner-772x250.png?rev
=3572401)

![](https://ps.w.org/pura-vida-vulnerability-scanner/assets/icon-256x256.png?rev
=3572395)

# Pura Vida Vulnerability Scanner

 By [trgomez](https://profiles.wordpress.org/trgomez/)

[Download](https://downloads.wordpress.org/plugin/pura-vida-vulnerability-scanner.1.0.9.zip)

 * [Details](https://wordpress.org/plugins/pura-vida-vulnerability-scanner/#description)
 * [Reviews](https://wordpress.org/plugins/pura-vida-vulnerability-scanner/#reviews)
 *  [Installation](https://wordpress.org/plugins/pura-vida-vulnerability-scanner/#installation)
 * [Development](https://wordpress.org/plugins/pura-vida-vulnerability-scanner/#developers)

 [Support](https://wordpress.org/support/plugin/pura-vida-vulnerability-scanner/)

## Description

Pura Vida Vulnerability Scanner checks everything installed on your site, including
plugins, themes and WordPress core, against the **Wordfence Intelligence** vulnerability
database, audits your site’s security posture, and shows you exactly what is at 
risk and how to fix it.

It does not invent findings. It correlates your installed software and configuration
against authoritative public sources (Wordfence Intelligence, CVE/MITRE, the WordPress.
org update channel) and live checks of your own server.

**Security overview**

The dashboard opens with an at-a-glance status table covering:

 * WordPress Version: OK / Warning
 * Vulnerable Plugins: OK / Critical / High / Medium
 * Missing Headers: Present / Missing / N/A (HSTS, CSP, X-Frame-Options, X-Content-
   Type-Options, Referrer-Policy)
 * SSL: Valid / Expiring soon / Expired / N/A (certificate expiry)
 * DNS: OK / Issues / N/A
 * Email Security: SPF and DMARC (DKIM is selector-specific)
 * CDN/WAF: Detected / Not detected / N/A

**What it does**

 * Inventories every installed plugin, theme and the WordPress core version.
 * Matches each item and version against a continuously updated vulnerability feed.
 * Shows severity (CVSS), the CVE identifier, a description and the recommended 
   fix for every finding.
 * Audits your configuration and lists prioritized hardening recommendations (2FA,
   updates, HTTPS, file editor, and more).
 * Optional scheduled scans with email alerts when new critical/high issues appear.

**Data sources**

 * Wordfence Intelligence Vulnerability Data Feed: free for personal and commercial
   use; includes CVE (MITRE) and CVSS information.
 * CVE (MITRE Corporation): the canonical vulnerability identifiers.
 * WordPress.org update channel: available core, plugin and theme updates.
 * Live site checks performed by the plugin: HTTP headers, SSL, DNS, SPF/DMARC and
   CDN/WAF.

This product includes data that may be copyrighted by Defiant Inc. (Wordfence Intelligence)
and by the MITRE Corporation (CVE®); their notices are displayed alongside the relevant
findings.

Developed by Pura Vida Design Studio, Open Source Security & Website Tools (https://
puravidadesignstudio.com/).

### External services

This plugin connects to one external service to function: the Wordfence Intelligence
Vulnerability Data Feed.

**Wordfence Intelligence Vulnerability Data Feed (Defiant Inc.)**
 This plugin downloads
the public WordPress vulnerability database from Wordfence in order to match it 
against the plugins, themes and core version installed on your site.

 * What is sent: your Wordfence Intelligence API key (in the request Authorization
   header) and your site’s URL (in the request User-Agent header), sent to https://
   www.wordfence.com/. The list of plugins and themes installed on your site is 
   NOT transmitted; matching is performed locally on your own server.
 * When it is sent: when you run a manual scan, and when a scheduled scan runs (
   about once per day). The downloaded database is cached locally for 24 hours so
   the service is contacted at most about once per day.
 * Service terms: https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/
 * Privacy policy: https://www.wordfence.com/privacy-policy/

The plugin also performs read-only checks against your own site for the Security
Overview: a loopback HTTP request to your own home URL (to inspect response headers
and detect a CDN/WAF) and DNS lookups for your own domain (to check DNS resolution
and SPF/DMARC records). These query your own domain and public DNS only; no data
is sent to any third party.

## Installation

 1. Upload the `pura-vida-vulnerability-scanner` folder to `/wp-content/plugins/`, 
    or install the ZIP via **Plugins  Add New  Upload Plugin**.
 2. Activate the plugin through the **Plugins** menu in WordPress.
 3. Go to **Pura Vida Vulnerability Scanner  Settings** and paste a free Wordfence 
    Intelligence API key (create one at your Wordfence account  Integrations).
 4. Open **Pura Vida Vulnerability Scanner** and click **Scan now**.

## FAQ

### Do I need a paid account anywhere?

No. The Wordfence Intelligence feed is free for personal and commercial use. You
only need to generate a free API key.

### Why do some rows show N/A?

Your host may block loopback HTTP requests or disable PHP’s DNS/OpenSSL functions.
Those checks are skipped safely while everything else still works.

### Why isn’t DKIM checked automatically?

DKIM records live at a selector-specific hostname that varies per mail provider 
and can’t be reliably guessed. Pura Vida Vulnerability Scanner checks SPF and DMARC,
which are deterministic.

### Does the plugin send my site data anywhere?

It downloads the public vulnerability feed and matches it locally on your server.
Your list of installed plugins is not transmitted.

### How often is the data updated?

The feed is cached locally and refreshed on your chosen schedule (daily by default),
so scans are fast and stay within the provider’s rate limits.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Pura Vida Vulnerability Scanner” is open source software. The following people 
have contributed to this plugin.

Contributors

 *   [ trgomez ](https://profiles.wordpress.org/trgomez/)

[Translate “Pura Vida Vulnerability Scanner” into your language.](https://translate.wordpress.org/projects/wp-plugins/pura-vida-vulnerability-scanner)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/pura-vida-vulnerability-scanner/),
check out the [SVN repository](https://plugins.svn.wordpress.org/pura-vida-vulnerability-scanner/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/pura-vida-vulnerability-scanner/)
by [RSS](https://plugins.trac.wordpress.org/log/pura-vida-vulnerability-scanner/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.9

 * Removed Plugin URI so it no longer duplicates the Author URI.

#### 1.0.8

 * Renamed plugin to Pura Vida Vulnerability Scanner; updated slug/text domain, 
   Plugin URI and contributors per WordPress.org pre-review.

#### 1.0.7

 * Set Tested up to 7.0 (the current WordPress release).

#### 1.0.6

 * Set Tested up to 6.8 (a current, released WordPress version).

#### 1.0.5

 * Fixed: set the Tested up to header to a version the Plugin Check recognizes as
   released.

#### 1.0.4

 * Fixed: resolved all Plugin Check findings (Tested up to header, Domain Path, 
   prefixed view variables, removed discouraged functions, justified socket/close
   and per-field sanitization).

#### 1.0.3

 * Added: External services disclosure (required for WordPress.org listing).

#### 1.0.2

 * Fixed: status overview table header labels now align with their columns.

#### 1.0.1

 * Fixed: status overview table now renders with full styling (asset cache busting).
 * Improved: manual scans re-use the cached vulnerability database, so repeated 
   scans no longer hit the provider’s daily download limit.
 * Improved: clearer messaging about the once-per-day database caching behavior.

#### 1.0.0

 * Initial release: vulnerability scanning for plugins, themes and core; security
   overview table; configuration recommendations; scheduled scans and email alerts.

## Meta

 *  Version **1.0.9**
 *  Last updated **5 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.6 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.2 or higher **
 * Tags
 * [hardening](https://wordpress.org/plugins/tags/hardening/)[malware](https://wordpress.org/plugins/tags/malware/)
   [scanner](https://wordpress.org/plugins/tags/scanner/)[security](https://wordpress.org/plugins/tags/security/)
   [vulnerability](https://wordpress.org/plugins/tags/vulnerability/)
 *  [Advanced View](https://wordpress.org/plugins/pura-vida-vulnerability-scanner/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/pura-vida-vulnerability-scanner/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/pura-vida-vulnerability-scanner/reviews/)

## Contributors

 *   [ trgomez ](https://profiles.wordpress.org/trgomez/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/pura-vida-vulnerability-scanner/)