Security Audit


Security Audit is a wrapper around a pair of third-party tools that can help you identify potential vulnerabilities in your site. It does not actually analyze the code of your site, nor does it correct any issues it finds; it simply compares what you’ve got with publicly-available information regarding security.

Specifically, Security Audit is a wrapper around PHPSecInfo and the WPScan Vulnerability Database API.

Once installed and activated, you’ll have ‘Security Audit’ as an option in the Tools menu. Navigate there and you’ll have tabs for PHPSecInfo, Plugin Scanner, Theme Scanner, and WordPress Core Scanner. Click on a tab to initiate a scan of that part of your site. Once completed, you’ll get an overall summary as well as a breakdown of potential security issues.

The three ‘scanner’ tabs look at the self-reported versions of your software and compare those versions to data in the vulnerabilities database. Resolved, open and undetermined issues will be displayed and color-coded to indicate the level of concern you should probably have. This can be useful for determining whether a given pending plugin update is a security fix or just bug- or feature-related; similarly, it can also flag known issues with code that has not yet been updated — always good to know!

The PHPSecInfo tab reports information about your PHP configuration, done by calling the PHPSecInfo library bundled with this plugin. In many cases you may be unable to change your PHP configuration; it depends on the level of control you have over your hosting environment.


  1. Upload the security-audit directory to your plugins directory (typically wp-content/plugins)
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Visit Tools > Security Audit to assess your site


Why would I want to do this?

WordPress’ built-in update scanner is great for notifying you of available updates to WordPress and your plugins and themes. But it can’t tell you if there are security problems. There’s thus no mechanism for differentiating between critical security patch updates and more pedestrian bug/feature updates; it’s left up to individual developers to flag in their projects’ changelogs whether a given update is security-related.

In addition, if there’s a plugin that has a security hole but has not yet been updated, there’s no convenient way to know about it without leaving your admin to use other tools or scour outside databases. This plugin simplifies this process by providing a convenient window into WPScan’s vulnerabilities database.

Furthermore, it helps flag potential issues with your PHP configuration, which can be useful in identifying potential attack vectors, choosing a security-conscious web host, or configuring your own hosting setup.

Where does the data come from?

This plugin uses tools developed and maintained by third parties to perform its analysis, specifically PHPSecInfo and the WPScan Vulnerability Database. The developers of this plugin can neither endorse nor confirm the accuracy of those systems, and should not be contacted if you dispute any of their findings.


March 31, 2019
This plugin is awesome! It deserves to have more 5 star reviews. Not only does it show you any reported security vulnerabilities (past and present) in your core WordPress, plugins, and themes - it also quickly shows you any security issues with the underlying PHP configuration. As a consultant this is now one of the first plugins I install when I work on a customer's WordPress site. Kudos to the authors for this simple and highly useful plugin!
January 30, 2018
While I'm flagged as an author on this plugin, I didn't actually write any of it, someone on my team did. So of course I'm biased... but I think this is a solid little thing.

Contributors & Developers

“Security Audit” is open source software. The following people have contributed to this plugin.






  • Refactoring to utilize AJAX to decrease wait times.
  • Code reorganization and cleanup.
  • Initial public release.