{"id":318718,"date":"2026-06-12T09:17:12","date_gmt":"2026-06-12T09:17:12","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/videowhisper-site-guard\/"},"modified":"2026-07-06T08:09:11","modified_gmt":"2026-07-06T08:09:11","slug":"videowhisper-security-audit","status":"publish","type":"plugin","link":"https:\/\/ug.wordpress.org\/plugins\/videowhisper-security-audit\/","author":1486178,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.2.1","stable_tag":"trunk","tested":"7.0","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"VideoWhisper Security Audit","header_author":"VideoWhisper.com","header_description":"AI-ready WordPress site health and security reports for admins, with read-only REST and MCP access.","assets_banners_color":"c4ccd7","last_updated":"2026-07-06 08:09:11","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/promptaur.com\/wordpress\/security-audit\/","header_author_uri":"https:\/\/videowhisper.com\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":107,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"0.1.0":{"tag":"0.1.0","author":"videowhisper","date":"2026-06-12 21:14:47"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3570541,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3570541,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3597407,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3570541,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.1.0"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[8533,242115,3654,600,151481],"plugin_category":[54],"plugin_contributors":[81698],"plugin_business_model":[],"class_list":["post-318718","plugin","type-plugin","status-publish","hentry","plugin_tags-audit","plugin_tags-mcp","plugin_tags-reports","plugin_tags-security","plugin_tags-site-health","plugin_category-security-and-spam-protection","plugin_contributors-videowhisper","plugin_committers-videowhisper"],"banners":{"banner":"https:\/\/ps.w.org\/videowhisper-security-audit\/assets\/banner-772x250.png?rev=3570541","banner_2x":"https:\/\/ps.w.org\/videowhisper-security-audit\/assets\/banner-1544x500.png?rev=3597407","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/videowhisper-security-audit\/assets\/icon-128x128.png?rev=3570541","icon_2x":"https:\/\/ps.w.org\/videowhisper-security-audit\/assets\/icon-256x256.png?rev=3570541","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>VideoWhisper Security Audit creates WordPress site health, exposure, vulnerability, integrity, readiness, and performance reports for site administrators. The plugin is designed to help administrators review site activity and configuration with AI agents or by using the built-in admin report.<\/p>\n\n<p>The free plugin is read-only. It reports findings and does not perform cleanup, quarantine, updates, file changes, role changes, or other remediation actions.<\/p>\n\n<p>Plugin homepage: https:\/\/promptaur.com\/wordpress\/security-audit\/<\/p>\n\n<p>Main features:<\/p>\n\n<ul>\n<li>Admin Scan tab with queued scan processing, live progress, per-task status, resume\/retry controls, scan date, report summary, and report findings.<\/li>\n<li>Configurable scan execution mode: queued scans by default, or legacy synchronous scans for small\/basic sites.<\/li>\n<li>Importance-based scan modes: full, critical\/high\/medium, and critical-only.<\/li>\n<li>Report filters for issues only or all check results, including passed informational checks when available.<\/li>\n<li>JSON and plain-text Markdown report output.<\/li>\n<li>Optional token-protected REST report endpoint.<\/li>\n<li>Optional token-protected MCP endpoint for read-only AI-agent reports.<\/li>\n<li>Optional WordPress 6.9+ Abilities for admin-only read-only security overview, vulnerability, exposure, integrity, readiness, performance risk, and Markdown audit reports.<\/li>\n<li>Optional exposure of those abilities through the official WordPress MCP Adapter when installed separately.<\/li>\n<li>Read-only integration with <a href=\"https:\/\/wordpress.org\/plugins\/videowhisper-site-manager\/\">VideoWhisper AI Site Manager - Using ChatGPT Claude Codex<\/a> when both plugins are active, including report reads and agent-friendly queued scan tools.<\/li>\n<li>Separate REST and MCP enable\/disable settings.<\/li>\n<li>Generated local tokens with rotation controls and last-used metadata.<\/li>\n<li>REST\/MCP per-minute rate limiting and optional exact IP allowlist.<\/li>\n<li>Admin scan cooldown, hourly scan limit, and separate agent scan cooldown.<\/li>\n<li>Category toggles for security, integrity, performance, readiness, commerce, community, and backup checks.<\/li>\n<li>Redacted AI report defaults, with optional exact version and path disclosure for MCP reports.<\/li>\n<li>Optional WPVulnerability API lookups for installed plugin vulnerability data.<\/li>\n<li>Disclaimers in the admin report and Agents tab about report limits, sensitive information, and third-party AI analysis.<\/li>\n<\/ul>\n\n<h4>Queued scans<\/h4>\n\n<p>Queued scanning is the default admin interface. It splits inventory, exposure, vulnerability, integrity, performance, and readiness checks into small AJAX-polled batches. This avoids browser, proxy, and PHP timeout issues on larger sites while showing progress and recent queue events. Failed tasks can be retried, and unfinished jobs can be resumed from the Scan tab.<\/p>\n\n<p>Administrators that prefer the original one-request scan flow can switch Scan execution to \"Synchronous legacy scan\" in Settings.<\/p>\n\n<h4>Local checks<\/h4>\n\n<p>Security Audit currently checks local WordPress signals including:<\/p>\n\n<ul>\n<li>Plugin and theme updates.<\/li>\n<li>Inactive plugins.<\/li>\n<li>Administrator account count.<\/li>\n<li>Expected WordPress database tables.<\/li>\n<li>Administrator role capabilities.<\/li>\n<li>Upload directory writability.<\/li>\n<li>Debug log file presence.<\/li>\n<li>Git metadata in the web root.<\/li>\n<li>XML-RPC availability.<\/li>\n<li>Common homepage security headers.<\/li>\n<li>Autoloaded option size.<\/li>\n<li>Expired transient count.<\/li>\n<li>WP-Cron disabled state.<\/li>\n<li>Permalink structure.<\/li>\n<li>Search engine visibility setting.<\/li>\n<li>Privacy Policy page presence.<\/li>\n<li>Basic WooCommerce page readiness when WooCommerce is active.<\/li>\n<li>Optional WPVulnerability plugin vulnerability lookups.<\/li>\n<\/ul>\n\n<h4>Agent and API reports<\/h4>\n\n<p>REST and MCP endpoints are disabled by default. When enabled, Security Audit automatically generates local tokens. Anyone with a valid token can read the selected report until the token is rotated, so treat tokens as sensitive secrets.<\/p>\n\n<p>The REST report endpoint supports:<\/p>\n\n<ul>\n<li><code>key<\/code>: generated REST token. A bearer token can also be used.<\/li>\n<li><code>mode<\/code>: <code>full<\/code>, <code>important<\/code>, <code>critical<\/code>, or <code>changed<\/code>.<\/li>\n<li><code>report<\/code>: <code>issues<\/code> or <code>all<\/code>.<\/li>\n<li><code>format<\/code>: omit for JSON, or use <code>markdown<\/code> for plain Markdown output.<\/li>\n<\/ul>\n\n<p>The MCP endpoint supports read-only tools for security summary, vulnerability, exposure, integrity, performance risk, readiness, and Markdown audit reports. Tool arguments include <code>mode<\/code> and <code>report<\/code>.<\/p>\n\n<p>When VideoWhisper AI Site Manager is active, Security Audit also registers agent tools for latest summary\/report reads, synchronous scan refreshes for small sites, scan task discovery, queued scan creation, queue batch processing, queue status polling, and retrying failed scan tasks.<\/p>\n\n<p>On WordPress 6.9+, administrators can also enable WordPress Abilities. These abilities are admin-only, read-only, and permission-checked with <code>manage_options<\/code> by default. They can optionally be marked public for the official WordPress MCP Adapter, which must be installed separately. Existing REST and MCP endpoints remain available and are not replaced.<\/p>\n\n<p>Some sites use an OAuth, firewall, or bearer-auth layer that consumes <code>Authorization: Bearer<\/code> before the Security Audit route receives the request. If standalone Codex MCP bearer setup returns <code>oauth_token_invalid<\/code> or a similar upstream bearer-auth error, use the MCP path-token URL shown on the Agents tab instead of the bearer URL.<\/p>\n\n<p>Endpoint protection controls include:<\/p>\n\n<ul>\n<li>REST\/MCP requests per minute per IP.<\/li>\n<li>Separate agent scan cooldown.<\/li>\n<li>Optional exact IPv4\/IPv6 allowlist.<\/li>\n<li>Token rotation.<\/li>\n<\/ul>\n\n<h4>Developer hooks<\/h4>\n\n<p>Security Audit exposes generic hooks that any plugin can use to extend scan data, reports, admin UI, and Site Manager integration:<\/p>\n\n<ul>\n<li><code>vwsa_latest_snapshot<\/code> filters the latest stored snapshot before reports use it.<\/li>\n<li><code>vwsa_scan_settings<\/code> filters normalized scan settings for a scan context.<\/li>\n<li><code>vwsa_scan_inventory<\/code> filters inventory data before findings are finalized.<\/li>\n<li><code>vwsa_scan_findings<\/code> filters findings before snapshot lifecycle metadata is saved.<\/li>\n<li><code>vwsa_snapshot_before_save<\/code> filters the completed snapshot before it is stored.<\/li>\n<li><code>vwsa_snapshot_saved<\/code> fires after a snapshot is stored.<\/li>\n<li><code>vwsa_report<\/code> filters built report output.<\/li>\n<li><code>vwsa_site_manager_integration<\/code> filters the Site Manager integration definition.<\/li>\n<li><code>vwsa_admin_tabs<\/code> filters admin tabs.<\/li>\n<li><code>vwsa_admin_render_tab<\/code> lets extensions render custom admin tabs.<\/li>\n<li><code>vwsa_admin_scan_panel_after<\/code> renders generic content after the scan panel.<\/li>\n<li><code>vwsa_admin_findings_before<\/code> renders content before findings.<\/li>\n<li><code>vwsa_admin_finding_card_start<\/code> renders content inside a finding card.<\/li>\n<li><code>vwsa_admin_finding_actions<\/code> filters per-finding action links.<\/li>\n<li><code>vwsa_admin_findings_after<\/code> renders content after findings.<\/li>\n<\/ul>\n\n<h4>Important limitations and disclaimers<\/h4>\n\n<p>Security Audit reports are informational only. Findings and AI-ready reports may be incomplete, inaccurate, outdated, or unsuitable for a specific site or legal situation.<\/p>\n\n<p>Security Audit does not provide legal advice, compliance certification, professional security advice, malware cleanup, incident response, or a guarantee that a site is secure. Administrators should verify findings and consult an experienced security, technical, or legal provider before making important changes.<\/p>\n\n<p>REST and MCP reports may expose sensitive operational information, including site configuration, component versions, possible vulnerabilities, paths, and other details. Enable agent endpoints only when you understand where the data will be sent and who can access the token.<\/p>\n\n<p>Third-party AI agents may produce incomplete, incorrect, unsafe, or unsuitable recommendations. Review all recommendations before acting and do not perform destructive changes without backups and appropriate professional review.<\/p>\n\n<p>This plugin is not a firewall, malware cleaner, legal compliance tool, vulnerability scanner guarantee, or replacement for backups, security monitoring, dedicated scanners, or experienced administrators.<\/p>\n\n<h4>External services<\/h4>\n\n<p>By default, Security Audit does not call external vulnerability services.<\/p>\n\n<p>If the administrator enables WPVulnerability lookups, the plugin sends installed plugin slugs to the public WPVulnerability API at <code>https:\/\/www.wpvulnerability.net\/<\/code> to retrieve vulnerability data. No API key is required for normal component lookups. Responses are cached locally. See:<\/p>\n\n<ul>\n<li>https:\/\/www.wpvulnerability.com\/<\/li>\n<li>https:\/\/docs.wpvulnerability.com\/<\/li>\n<li>https:\/\/www.wpvulnerability.com\/privacy\/<\/li>\n<li>https:\/\/www.wpvulnerability.com\/license\/<\/li>\n<\/ul>\n\n<p>During scans, Security Audit may also make a local HTTP HEAD request to the site's own homepage URL to inspect response headers. This request is sent to the configured site URL, not to a third-party vulnerability service.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin folder to <code>\/wp-content\/plugins\/<\/code> or install it from the WordPress plugin screen.<\/li>\n<li>Activate VideoWhisper Security Audit.<\/li>\n<li>Go to Tools &gt; Security Audit.<\/li>\n<li>Run a scan and review findings.<\/li>\n<li>Open the Settings tab to configure categories, default scan\/report mode, scan limits, and optional WPVulnerability lookups.<\/li>\n<li>Open the Agents tab to enable REST\/MCP endpoints, rotate tokens, view endpoint URLs, and copy setup instructions if you want read-only external report access.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20plugin%20change%20my%20site%3F\"><h3>Does this plugin change my site?<\/h3><\/dt>\n<dd><p>No. It stores scan reports and scan queue state, but it does not perform cleanup, quarantine, updates, file edits, role changes, or remediation.<\/p><\/dd>\n<dt id=\"is%20this%20a%20firewall%20or%20malware%20scanner%3F\"><h3>Is this a firewall or malware scanner?<\/h3><\/dt>\n<dd><p>No. Security Audit checks health, exposure, vulnerability, integrity, performance, and readiness signals. It does not claim to detect or remove all malware, block attacks, or guarantee that a site is secure.<\/p><\/dd>\n<dt id=\"does%20the%20plugin%20send%20data%20to%20external%20services%3F\"><h3>Does the plugin send data to external services?<\/h3><\/dt>\n<dd><p>Only if you enable WPVulnerability lookups. That optional feature sends installed plugin slugs to WPVulnerability and caches results locally.<\/p>\n\n<p>The plugin may also request your own homepage URL during scans to inspect response headers.<\/p><\/dd>\n<dt id=\"are%20rest%20and%20mcp%20endpoints%20enabled%20by%20default%3F\"><h3>Are REST and MCP endpoints enabled by default?<\/h3><\/dt>\n<dd><p>No. REST and MCP report endpoints are disabled by default and must be enabled by an administrator from the Agents tab.<\/p><\/dd>\n<dt id=\"is%20the%20mcp%20endpoint%20public%3F\"><h3>Is the MCP endpoint public?<\/h3><\/dt>\n<dd><p>The MCP endpoint can be reachable by URL when enabled, but report access requires the generated Security Audit MCP token. Anyone with the token URL or bearer token can read the selected redacted report until you rotate the token.<\/p>\n\n<p>The Agents tab also supports a per-minute endpoint rate limit and an optional IP allowlist for REST\/MCP access.<\/p>\n\n<p>For Codex, the bearer-token setup is preferred when the WordPress site does not intercept bearer headers. If another auth layer handles bearer headers first, copy the path-token MCP URL from the Agents tab and add it with <code>codex mcp add &lt;name&gt; --url &lt;path-token-url&gt;<\/code>.<\/p><\/dd>\n<dt id=\"what%20is%20the%20difference%20between%20issues%20and%20all%20reports%3F\"><h3>What is the difference between issues and all reports?<\/h3><\/dt>\n<dd><p>Issues reports hide passed informational checks and show current reportable findings. All reports include informational passed checks when available, such as a WPVulnerability lookup that returned no affected vulnerability for the installed plugin version.<\/p><\/dd>\n<dt id=\"can%20ai%20agents%20safely%20fix%20findings%3F\"><h3>Can AI agents safely fix findings?<\/h3><\/dt>\n<dd><p>The free plugin exposes reports and scan refresh tools, but no cleanup or remediation actions. AI recommendations may be incomplete, inaccurate, unsafe, or unsuitable for your site. Review all recommendations carefully and consult an experienced provider before taking important action.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Added queued scan processing as the default admin scan interface with AJAX polling, per-task progress, resume, retry, and recent job events.<\/li>\n<li>Added a Settings option to use the legacy synchronous scan flow for small\/basic sites.<\/li>\n<li>Added free Site Manager tools for scan task discovery, synchronous report refreshes, queued scan creation, bounded queue processing, queue status polling, and retries.<\/li>\n<li>Documented generic extension hooks for scan data, reports, admin UI, and Site Manager integration.<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Added optional WordPress 6.9+ Abilities for admin-only read-only security overview, vulnerability, exposure, integrity, readiness, performance risk, and Markdown audit reports.<\/li>\n<li>Added settings to register abilities and expose them through the separately installed official WordPress MCP Adapter while preserving existing REST and MCP endpoints.<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Synchronized plugin version metadata and updated WordPress.org support requirements.<\/li>\n<li>Added generic admin extension hooks for third-party tabs and finding actions.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Added generic scan\/report extension hooks and read-only <a href=\"https:\/\/wordpress.org\/plugins\/videowhisper-site-manager\/\">VideoWhisper AI Site Manager - Using ChatGPT Claude Codex<\/a> integration.<\/li>\n<\/ul>\n\n<h4>0.1.0<\/h4>\n\n<ul>\n<li>Initial MVP with admin reports, local checks, optional WPVulnerability lookups, token-protected REST JSON\/Markdown reports, token-protected MCP reports, scan limits, endpoint rate limits, IP allowlist, and read-only AI-agent setup instructions.<\/li>\n<\/ul>","raw_excerpt":"AI-ready WordPress site health and security reports for administrators, with queued scans and optional read-only REST\/MCP access.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/318718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=318718"}],"author":[{"embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/videowhisper"}],"wp:attachment":[{"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=318718"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=318718"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=318718"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=318718"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=318718"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ug.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=318718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}