Title: Steel Security & Hardening – Site Audit Tools
Author: sweetwatermedia
Published: April 28, 2026
Last modified: April 28, 2026

---


# Steel Security & Hardening – Site Audit Tools

 By [sweetwatermedia](https://profiles.wordpress.org/sweetwatermedia/)

[Download](https://downloads.wordpress.org/plugin/steel-security.1.0.4.zip)


## Description

Steel Security & Hardening – Site Audit Tools focuses on practical security hygiene
for WordPress administrators.

The free plugin provides:

 * on-demand security scans
 * risk summaries grouped by severity and category
 * checks for common WordPress hardening gaps
 * checks for exposed root-level artifacts such as `.env`, SQL dumps, `phpinfo` 
   files, and backup archives
 * a quarantine vault for operator-reviewed file isolation
 * uploads PHP execution blocking on supported server environments
 * manual guidance when automatic server hardening is not safely supported

This plugin is positioned as an auditing and hardening tool. It helps surface risk
and apply selected preventive controls, but it does not promise malware removal,
incident response, or complete server protection.

#### Included checks

The scan currently looks for items such as:

 * PHP error display exposure
 * `WP_DEBUG` and `debug.log` exposure
 * XML-RPC availability
 * author and REST user enumeration exposure
 * theme/plugin file editor availability
 * WordPress generator meta output
 * comments enabled by default
 * uploads PHP execution hardening status
 * root-level sensitive files and archives

#### Server-aware behavior

This plugin only auto-applies server config changes where it can do so in a scoped
and reversible way.

 * Apache and LiteSpeed: uploads PHP blocking is managed through a
   Steel Security-marked `.htaccess` block
 * IIS: uploads PHP blocking is managed through a Steel Security-marked `web.config`
   section
 * Nginx and unsupported environments: Steel Security provides manual guidance instead
   of claiming automatic protection

#### Pro companion

This plugin can work with a separate Pro companion plugin that adds features such
as scheduled scans, scan history, reports, and managed server-level controls such
as directory listing protection and baseline security headers. The free plugin remains
usable on its own.

## Installation

 1. Upload the plugin files to the `/wp-content/plugins/steel-security` directory, 
    or install the plugin through the WordPress plugins screen.
 2. Activate the plugin through the ‘Plugins’ screen in WordPress.
 3. Open `Steel Security` in wp-admin to review the dashboard, run a scan, and configure
    hardening controls.

## FAQ

### Does this plugin make remote calls?

The free plugin does not rely on a third-party service for core scanning or hardening,
and it does not require remote API calls for its free feature set.

### Does this plugin remove malware automatically?

No. This plugin is designed to audit, surface risk, and help with selective hardening
and operator-reviewed quarantine workflows. It should not be described as an automatic
malware removal tool.

### Will this plugin edit my server configuration?

Only for specific controls where the plugin can write a clearly delimited, reversible
block on supported servers. Unsupported environments receive manual guidance instead.
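
The "clearly delimited, reversible block" described in this answer and under "Server-aware behavior" can be sketched as follows. This is an added example, not Steel Security's own code: the marker strings and function names are hypothetical, and the rule uses Apache 2.4 `Require` syntax.

```python
"""Added illustration: apply and roll back a marker-delimited .htaccess block.

The marker text and function names are hypothetical, not Steel Security's own.
"""
import re

BEGIN = "# BEGIN example-uploads-php-block"   # hypothetical marker
END = "# END example-uploads-php-block"       # hypothetical marker

# Apache 2.4 syntax: refuse direct requests for PHP-family files.
RULES = [
    r'<FilesMatch "\.(?i:php\d*|phtml|phar)$">',
    "    Require all denied",
    "</FilesMatch>",
]

# Matches one whole marked block, from the BEGIN line through the END line.
_BLOCK_RE = re.compile(
    r"^%s\n.*?^%s\n?" % (re.escape(BEGIN), re.escape(END)),
    re.MULTILINE | re.DOTALL,
)


def remove_block(htaccess: str) -> str:
    """Roll back: delete only the marked block, leave every other line alone."""
    return _BLOCK_RE.sub("", htaccess)


def apply_block(htaccess: str) -> str:
    """Idempotent apply: drop any earlier copy, then append one fresh block."""
    base = remove_block(htaccess)
    if base and not base.endswith("\n"):
        base += "\n"
    return base + "\n".join([BEGIN, *RULES, END]) + "\n"


# Constructed sample: an uploads/.htaccess that already holds an operator's rule.
SAMPLE = "Options -Indexes\n"

if __name__ == "__main__":
    hardened = apply_block(SAMPLE)
    print(hardened)
    assert apply_block(hardened) == hardened   # re-applying changes nothing
    assert remove_block(hardened) == SAMPLE    # rollback restores the original
```

Because rollback only deletes text between the markers, rules an operator added by hand survive both apply and removal.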

### What happens on uninstall?

The plugin removes its stored scan data, settings, and hardening rollback metadata.
Quarantine payloads are intentionally preserved so operators can review and handle
them manually.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Steel Security & Hardening – Site Audit Tools” is open source software. The following
people have contributed to this plugin.

Contributors

 * [sweetwatermedia](https://profiles.wordpress.org/sweetwatermedia/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/steel-security/), check
out the [SVN repository](https://plugins.svn.wordpress.org/steel-security/), or 
subscribe to the [development log](https://plugins.trac.wordpress.org/log/steel-security/)
by [RSS](https://plugins.trac.wordpress.org/log/steel-security/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.4

 * refreshed the free plugin release package for the latest WordPress.org submission

#### 1.0.3

 * finalized the WordPress.org review follow-up fixes, removed dormant Pro-only 
   local hardening code from Free, moved rollback metadata out of uploads, and refreshed
   the release package

#### 1.0.2

 * rebuilt the free plugin package after final WordPress.org review fixes and packaging
   updates

#### 1.0.1

 * clarified advisory-only handling for `DISALLOW_FILE_MODS` and excluded it from
   hardening posture scoring
 * moved managed directory listing and baseline security headers fully into the 
   Pro companion plugin
 * replaced hardening-page Pro placeholders with a contextual upgrade section
 * moved admin-page JavaScript to enqueued assets and tightened WordPress.org review
   compliance

#### 1.0.0

 * finalized WordPress.org-compliant free plugin naming and packaging
 * aligned Pro package naming to Steel Security Pro for clearer installs
 * refreshed the Steel Security logo asset in the admin header

#### 0.1.2

 * narrowed backup archive detection to avoid false positives from plugin files 
   in backup-related paths
 * improved first-scan dashboard messaging so new installs prompt for a scan instead
   of showing a misleading high-risk empty state
 * improved action button labels and tooltips for quarantine workflows
 * tightened uninstall cleanup for Free and Pro-owned data and rollback metadata

#### 0.1.1

 * refreshed release packaging
 * improved dashboard and scan presentation

## Meta

 * Version **1.0.4**
 * Last updated **2 weeks ago**
 * Active installations **Fewer than 10**
 * WordPress version **6.4 or higher**
 * Tested up to **6.9.4**
 * PHP version **8.0 or higher**
 * Tags: [audit](https://wordpress.org/plugins/tags/audit/), [hardening](https://wordpress.org/plugins/tags/hardening/), [scanner](https://wordpress.org/plugins/tags/scanner/), [security](https://wordpress.org/plugins/tags/security/)
