Security Audit

Four read-only WordPress security inspections that surface privilege creep, tampered plugin files, and exposed REST endpoints — before an attacker finds them.

  • 4 Security Checks
  • 0 Database Writes
  • Read-Only Architecture

What This Module Does

WordPress security issues rarely appear overnight. They accumulate: a user gets granted an extra capability "temporarily," a plugin file gets modified to fix a bug, an API endpoint goes public by accident. The Security Audit module surfaces all four categories with completely read-only checks — giving you a clear picture of your WordPress site's security posture without making any changes or sending any data off-server.

Features at a Glance

WordPress User & Role Audit

Lists every WordPress user account grouped by role, along with any non-standard capabilities assigned directly to the account. Flags non-administrator users holding dangerous capabilities like unfiltered_html, edit_plugins, install_plugins, or update_core.

WordPress Plugin Checksum Verifier

Compares the hash of every installed WordPress plugin file against the official WordPress.org checksum API. Any file modified since release is flagged with the exact filename, expected hash, and actual hash — catching both accidental modifications and malicious tampering.

REST API Route Inspector

Lists every registered WordPress REST API route alongside its permission callback. Routes with __return_true or __return_false permission callbacks are flagged as potentially open to unauthenticated access.

Capability Escalation Flags

Identifies WordPress users or roles where capabilities have been directly modified outside of the standard role hierarchy — a common indicator of either a compromised account or an accidental permission grant never cleaned up.
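The User & Role Audit and REST API Route Inspector described above, as an added example written for this page rather than the module's own code: two read-only WordPress functions that return findings without writing anything. The function names are assumptions; the dangerous-capability list is the one the page names.

```php
<?php
// Added example, not the Security Audit module's own code; run inside a loaded
// WordPress (e.g. `wp eval-file audit.php`). Function names are assumptions.

// Routes with a handler reachable without authentication: a permission_callback
// of __return_true, or no permission_callback at all (allowed before WP 5.5).
function audit_open_rest_routes() {
    $open = array();
    // rest_get_server() fires rest_api_init, so every plugin route is registered.
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            $cb = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null !== $cb && '__return_true' !== $cb ) {
                continue; // a real permission check (closure, method, ...) is in place
            }
            // get_routes() normalises 'methods' to array( 'GET' => true, ... ).
            $open[] = array(
                'route'      => $route,
                'methods'    => implode( ',', array_keys( (array) $handler['methods'] ) ),
                'permission' => null === $cb ? '(none)' : '__return_true',
            );
        }
    }
    return $open;
}

// Non-administrator users holding a dangerous capability, noting when it was
// granted directly to the account ($user->caps) rather than inherited from a role.
function audit_dangerous_caps( $dangerous = array( 'unfiltered_html', 'edit_plugins', 'install_plugins', 'update_core' ) ) {
    $findings = array();
    foreach ( get_users() as $user ) {
        if ( in_array( 'administrator', (array) $user->roles, true ) ) {
            continue;
        }
        $held = $direct = array();
        foreach ( $dangerous as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $held[] = $cap;
            }
            if ( ! empty( $user->caps[ $cap ] ) ) {
                $direct[] = $cap; // assigned to the user, outside the role hierarchy
            }
        }
        if ( $held || $direct ) {
            $findings[] = array( 'user' => $user->user_login, 'roles' => $user->roles, 'held' => $held, 'direct' => $direct );
        }
    }
    return $findings;
}
```

A route listed with permission '(none)' or '__return_true' is not necessarily a bug (public read endpoints are legitimate), but each one deserves a deliberate decision rather than an accident.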

Why It Matters

  • Detect modified WordPress plugin files before a security incident reveals them for you
  • Identify WordPress user accounts with dangerous capabilities they shouldn't have
  • Audit WordPress REST API exposure without writing custom code or using Postman
  • Include WordPress security findings in client reports to demonstrate proactive monitoring
  • Satisfy basic security audit requirements for compliance-conscious WordPress clients

Frequently Asked Questions

Does the WordPress Plugin Checksum Verifier connect to external servers?

Yes — it queries the WordPress.org Plugins API at api.wordpress.org to retrieve official checksums for each installed plugin. The request includes only the plugin slug and version — no site data is transmitted.

Will it flag legitimate customisations to WordPress plugin files?

Yes. Any modification to a WordPress plugin file — regardless of intent — will be flagged. The recommended approach is always to use child themes, filters, and hooks for customisation rather than editing plugin files directly.

What WordPress plugins can be verified by the Checksum Verifier?

Only plugins distributed through the official WordPress.org repository have checksums available. Premium plugins purchased from third-party vendors are noted as skipped — no checksum data exists for them at WordPress.org.

Is this a complete WordPress security audit?

No. The Security Audit module surfaces four specific categories of WordPress security indicators. It is not a replacement for a professional penetration test, a WAF, or a malware scanner.

Know Your WordPress Security Posture Before Someone Else Does

WordPress privilege creep, file tampering, and API exposure — surfaced completely read-only, with zero risk.

Get Full Pro Access

Security Audit is included in every Pro plan alongside all seventeen diagnostic modules.

Get Pro Now

Try the Free Lite Version

Download Lite to get started with the nine core WordPress diagnostic modules — completely free.

Download Lite — Free