| Developers | blueternalsolutions, jfgamsby |
|---|---|
| Last updated | May 18, 2026 01:26 |
| PHP version | 8.0 or higher |
| WordPress version | 6.9 |
| License | GPLv2 or later |
| License URL | License information |
/wp-content/plugins/ directory, or install through the WordPress Plugins screen.

No. BOLT works entirely through PHP and the WordPress filesystem API — the same permissions your site already runs under.
No. BOLT can detect many server and WordPress security issues, automate some changes that are reachable from plugin context, and guide the rest. It cannot honestly replace root or sudo from inside WordPress. Some fixes are always one-click, some are host-dependent, some are manual only, and some would require a future companion agent or external integration.
The free tier covers 31 checks across PHP and database versions, PHP resource limits, local PHP override effectiveness, OPcache, dangerous PHP functions, directory listing, loopback request health, WP-Cron health, uploads permissions and executable files, WP_DEBUG, wp-config.php permissions, DISALLOW_FILE_EDIT, database prefix, XML-RPC, REST API, application passwords, user registration, default admin username, administrator account sprawl, debug log exposure, readme file exposure, public backup or dump artifact exposure, HTTPS, HSTS, and core/plugin/theme update status. Pro adds server-side domain/IP reputation scanning, WordPress core file integrity monitoring, suspicious PHP malware-pattern detection, and vulnerability intelligence for WordPress core, plugins, and themes. Free displays vulnerability status and CVE IDs when advisory findings are present; Pro shows the full advisory detail.
BOLT separates chained risk into three layers. Attack Paths are realistic compromise chains where multiple findings combine into a practical risk. Near Misses are partial chains where one important condition exists, but another required condition is missing. Amplifiers are findings that do not create an attack path by themselves, but increase the impact of a real path. For example, writable wp-config.php is not treated as remote compromise by itself. Alone, it appears as a near miss because it could support persistence if a write-capable foothold appears later. Combined with a real write-capable compromise path, it appears as a persistence amplifier.
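The three-layer model above is easiest to see as a small rule evaluator. The following is an added illustration, not BOLT's own code; the finding identifiers (`wp_config_writable`, `uploads_executable_php`, and so on) and the rule table are constructed for the example, and the only rule taken from the text is that a writable wp-config.php is a near miss on its own and a persistence amplifier once a write-capable path exists.

```php
<?php
// Added example of attack-path / near-miss / amplifier classification.
// Not BOLT's code; finding IDs and rules below are constructed for illustration.

/**
 * Classify a set of failed scan findings into the three chained-risk layers.
 *
 * @param string[] $findings IDs of findings that failed in a scan (constructed names).
 * @return array{attack_paths: string[], near_misses: string[], amplifiers: string[]}
 */
function classify_chained_risk(array $findings): array {
    $present = array_fill_keys($findings, true);
    $has = static fn(string $id): bool => isset($present[$id]);

    $result = ['attack_paths' => [], 'near_misses' => [], 'amplifiers' => []];

    // A write-capable foothold needs BOTH conditions: PHP executes from uploads
    // AND the uploads directory is writable by everyone. One alone is a near miss.
    $write_foothold = $has('uploads_executable_php') && $has('uploads_dir_writable_world');
    if ($write_foothold) {
        $result['attack_paths'][] = 'Executable PHP in a world-writable uploads directory: arbitrary code execution';
    } elseif ($has('uploads_executable_php') || $has('uploads_dir_writable_world')) {
        $result['near_misses'][] = 'Uploads: one of {executable PHP allowed, world-writable} present, the other missing';
    }

    // Writable wp-config.php is never treated as remote compromise by itself.
    if ($has('wp_config_writable')) {
        if ($write_foothold) {
            $result['amplifiers'][] = 'Writable wp-config.php: persistence amplifier for the uploads path';
        } else {
            $result['near_misses'][] = 'Writable wp-config.php: would support persistence if a write-capable foothold appears';
        }
    }

    // Constructed rule: a publicly readable debug.log matters more when WP_DEBUG is on,
    // because there is then something to leak into it.
    if ($has('debug_log_public') && $has('wp_debug_enabled')) {
        $result['amplifiers'][] = 'Public debug.log with WP_DEBUG enabled: information-disclosure amplifier';
    }

    return $result;
}

// Constructed sample scans.
print_r(classify_chained_risk(['wp_config_writable']));
// -> one near miss, no attack path
print_r(classify_chained_risk(['wp_config_writable', 'uploads_executable_php', 'uploads_dir_writable_world']));
// -> one attack path plus wp-config.php reported as a persistence amplifier
```

The point of separating the foothold test from the wp-config.php rule is that the same finding is reported differently depending on what else failed, which is what keeps a writable config file from being over-reported as a compromise.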
BOLT Pro can verify WordPress core files against official checksum data and detect unexpected files inside wp-admin and wp-includes. If the checksum service is temporarily unavailable, the integrity checks fall back to a warning instead of failing the whole scan.
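To show what "verify against official checksum data, and warn instead of fail when the service is unavailable" looks like in practice, here is an added example written for this page (it is not BOLT's implementation). It assumes it runs inside WordPress with `ABSPATH` defined, uses the core function `get_core_checksums()` from wp-admin/includes/update.php, and skips wp-content because bundled themes and plugins are routinely replaced.

```php
<?php
// Added example (not BOLT's code): verify core files against the official checksum
// list and flag files under wp-admin/ and wp-includes/ that the list does not know.
// Assumes WordPress is loaded (ABSPATH, $wp_version available).

require_once ABSPATH . 'wp-admin/includes/update.php'; // provides get_core_checksums()

/**
 * @return array{status: string, message: string, modified: string[], unexpected: string[]}
 */
function example_core_integrity_check(): array {
    global $wp_version, $wp_local_package;
    $locale = isset($wp_local_package) ? $wp_local_package : 'en_US';

    // Array of relative path => md5, or false when api.wordpress.org cannot be reached.
    $checksums = get_core_checksums($wp_version, $locale);
    if ($checksums === false || empty($checksums)) {
        // Checksum service unavailable: degrade to a warning, do not fail the whole scan.
        return [
            'status'     => 'warn',
            'message'    => 'Checksum service unavailable; core integrity not verified this run',
            'modified'   => [],
            'unexpected' => [],
        ];
    }

    $modified = [];
    foreach ($checksums as $relative_path => $expected_md5) {
        if (strpos($relative_path, 'wp-content/') === 0) {
            continue; // bundled themes/plugins are legitimately replaced on many sites
        }
        $full = ABSPATH . $relative_path;
        if (!file_exists($full) || md5_file($full) !== $expected_md5) {
            $modified[] = $relative_path; // missing or changed core file
        }
    }

    // Anything under wp-admin/ or wp-includes/ that is not in the official list.
    $unexpected = [];
    foreach (['wp-admin', 'wp-includes'] as $dir) {
        $iterator = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator(ABSPATH . $dir, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($iterator as $file) {
            $relative = str_replace('\\', '/', substr($file->getPathname(), strlen(ABSPATH)));
            $relative = ltrim($relative, '/');
            if (!isset($checksums[$relative])) {
                $unexpected[] = $relative;
            }
        }
    }

    $status = ($modified || $unexpected) ? 'fail' : 'pass';
    return ['status' => $status, 'message' => '', 'modified' => $modified, 'unexpected' => $unexpected];
}
```

A `warn` result with empty lists is deliberately distinguishable from a `pass`, so a dashboard can show "not verified" rather than silently reporting the site clean when the checksum fetch failed.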
BOLT Pro can scan PHP files in plugins, themes, mu-plugins, and uploads for suspicious combinations of malware-like patterns such as obfuscation, hidden iframe payloads, encoded blobs, and dangerous execution chains. The scan is heuristic and should be treated as an investigation starting point rather than definitive malware attribution.
BOLT Pro can query a configurable advisory feed and compare installed WordPress core, plugin, and theme versions against known affected version ranges. Successful responses are cached locally for 6 hours, and the last good cache is reused if the endpoint is temporarily unavailable.
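The caching behaviour described above (6-hour cache, last good copy reused on failure) maps cleanly onto WordPress transients plus a never-expiring option. The code below is an added example, not BOLT's code; the feed URL, the transient and option names, and the JSON shape of an advisory (`slug`, `affected_min`, `affected_max`, `fixed_in`) are all assumptions made for the example.

```php
<?php
// Added example (not BOLT's code): advisory feed with a 6-hour transient cache,
// last-good fallback, and version-range matching against installed plugins.
// Feed URL, option names and advisory JSON shape are assumptions.

/**
 * Fetch the advisory list, serving from cache when fresh and from the last
 * good copy when the endpoint is down. Returns null only if nothing is cached.
 */
function example_fetch_advisories(string $feed_url): ?array {
    $cached = get_transient('example_advisory_feed');
    if (is_array($cached)) {
        return $cached; // fresh within the last 6 hours
    }

    $response = wp_remote_get($feed_url, ['timeout' => 10]);
    $code = is_wp_error($response) ? 0 : (int) wp_remote_retrieve_response_code($response);
    $data = is_wp_error($response) ? null : json_decode(wp_remote_retrieve_body($response), true);

    if ($code === 200 && is_array($data)) {
        set_transient('example_advisory_feed', $data, 6 * HOUR_IN_SECONDS);
        update_option('example_advisory_feed_last_good', $data, false); // no expiry, not autoloaded
        return $data;
    }

    // Endpoint unavailable or malformed: reuse the last good copy if there is one.
    $last_good = get_option('example_advisory_feed_last_good');
    return is_array($last_good) ? $last_good : null;
}

/** Installed plugin versions keyed by directory slug (single-file plugins get slug "."). */
function example_installed_plugin_versions(): array {
    require_once ABSPATH . 'wp-admin/includes/plugin.php'; // provides get_plugins()
    $versions = [];
    foreach (get_plugins() as $plugin_file => $data) {
        $versions[dirname($plugin_file)] = $data['Version'];
    }
    return $versions;
}

/**
 * Match advisories against installed versions.
 * Each advisory: ['slug' => string, 'affected_min' => string, 'affected_max' => string, 'fixed_in' => string].
 */
function example_match_advisories(array $advisories, array $installed): array {
    $hits = [];
    foreach ($advisories as $advisory) {
        $slug = $advisory['slug'];
        if (!isset($installed[$slug])) {
            continue;
        }
        $version = $installed[$slug];
        $in_range = version_compare($version, $advisory['affected_min'], '>=')
                 && version_compare($version, $advisory['affected_max'], '<=');
        if ($in_range) {
            $hits[] = $advisory + ['installed' => $version];
        }
    }
    return $hits;
}

// Usage with a constructed advisory list (no network needed for the matching step).
$constructed_feed = [
    ['slug' => 'example-gallery', 'affected_min' => '1.0.0', 'affected_max' => '1.4.2', 'fixed_in' => '1.4.3'],
];
print_r(example_match_advisories($constructed_feed, ['example-gallery' => '1.3.0'])); // one hit
print_r(example_match_advisories($constructed_feed, ['example-gallery' => '1.4.3'])); // no hits
```

Storing the last good copy in a separate option rather than extending the transient's lifetime keeps the two concerns apart: the transient answers "is this fresh?", the option answers "what did we last know?".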
Auto-fixes write the correct configuration change directly where WordPress has a safe capability path, such as wp-config.php, .htaccess, or an mu-plugin. BOLT logs fix metadata in the database, but it does not store backup copies of config or code files. Undo is available only for files BOLT creates itself, such as its XML-RPC and REST API mu-plugin files. Changes to existing files should be reviewed before applying and rolled back through your host backup or version control if needed. BOLT distinguishes between fixes that are verified immediately, fixes that are pending the next request, and fixes that are manual only on the current host.
BOLT does not auto-write disable_functions; PHP treats that as system-level configuration that must be changed in php.ini, PHP-FPM pool config, LiteSpeed/PHP selector, or a hosting control panel. Uploads execution blocking is one-click only when the current stack is Apache/LiteSpeed-style and can use an uploads .htaccess rule. REST API restriction uses an mu-plugin instead of a blanket web-server block so logged-in WordPress requests and detected routes selected in the allowlist manager can keep working. Developers can also extend the allowlist with bolt_rest_api_allowed_public_routes. Nginx/PHP-FPM and FastCGI-only stacks receive manual server-rule guidance where server rules are required.
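An mu-plugin that restricts anonymous REST access while letting logged-in requests and an allowlist of public routes through, as an added example of the approach described above. This is not BOLT's mu-plugin: the filter name `example_rest_allowed_public_routes` and the sample routes are hypothetical (BOLT's own `bolt_rest_api_allowed_public_routes` filter is mentioned on this page, but its exact signature is not), and the block uses the standard WordPress `rest_authentication_errors` filter, which runs after cookie and application-password authentication so `is_user_logged_in()` already reflects the caller.

```php
<?php
/**
 * Plugin Name: Example REST API public-route allowlist (mu-plugin)
 * Description: Added example, not BOLT's code. Place in wp-content/mu-plugins/.
 */

/** Current REST route such as "/wp/v2/posts/12", resolved for pretty and plain permalinks. */
function example_current_rest_route(): string {
    // WordPress rewrites /wp-json/... to the rest_route query var; plain permalinks pass it directly.
    if (isset($GLOBALS['wp']->query_vars['rest_route'])) {
        return '/' . ltrim((string) $GLOBALS['wp']->query_vars['rest_route'], '/');
    }
    // Fallback: parse the request path after the REST prefix (normally "wp-json").
    $path   = (string) parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH);
    $prefix = '/' . rest_get_url_prefix() . '/';
    $pos    = strpos($path, $prefix);
    return $pos === false ? '/' : '/' . substr($path, $pos + strlen($prefix));
}

add_filter('rest_authentication_errors', function ($result) {
    // Another handler already decided (true or WP_Error): respect that decision.
    if ($result !== null) {
        return $result;
    }
    // Logged-in users keep full REST access (block editor, admin screens, app passwords).
    if (is_user_logged_in()) {
        return $result;
    }

    // Route prefixes anonymous clients may still reach. Hypothetical filter name so site
    // code can extend the list; the third entry is a constructed "detected plugin route".
    $allowed_prefixes = apply_filters('example_rest_allowed_public_routes', [
        '/wp/v2/posts',
        '/wp/v2/pages',
        '/example-forms/v1/submit',
    ]);

    $route = example_current_rest_route();
    foreach ($allowed_prefixes as $prefix) {
        $prefix = rtrim((string) $prefix, '/');
        // Prefix match: "/wp/v2/posts" also allows "/wp/v2/posts/12" and "/wp/v2/posts?per_page=5".
        if ($prefix !== '' && strpos($route, $prefix) === 0) {
            return $result;
        }
    }

    return new WP_Error(
        'rest_not_public',
        'Anonymous REST API access is restricted on this site.',
        ['status' => 401]
    );
});

// How a site developer would extend the allowlist (would live in another mu-plugin or theme code):
add_filter('example_rest_allowed_public_routes', function (array $routes): array {
    $routes[] = '/wp/v2/categories';
    return $routes;
});
```

Handling this in PHP rather than with a web-server rule is what keeps editor and admin screens working: those requests arrive with a logged-in cookie and a REST nonce, which a blanket `/wp-json/` block at the web server cannot distinguish from anonymous traffic. The prefix match is intentionally loose; a route like `/wp/v2/posts-extra` would also pass, so tighten the comparison if a plugin registers routes that share a prefix with a public one.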
BOLT does not store rollback copies of config files, code files, public artifacts, or executable uploads. It stores fix history metadata in the WordPress database and relies on your normal host backup, staging workflow, or version control for rollback of existing files.
Yes, when PDF attachment is enabled. Free reports use BOLT branding and one recipient. BOLT uses dompdf if WordPress already loads it; otherwise it attaches a built-in plain PDF report. BOLT Pro adds multiple recipients and custom report branding.
BOLT Pro is distributed separately from WordPress.org. The Pro add-on validates its license against the Blueternal Solutions platform and caches successful responses locally.
BOLT records authentication events, password resets, user creation and role changes, plugin and theme activation/update activity, WordPress core updates, and BOLT-native events such as scans, reports, alerts, and auto-fixes. Free shows the last 7 days. BOLT Pro shows the full retained timeline. Failed-login entries show whether the attempted login maps to an existing account; matched accounts link to recent successful and failed login history with source IPs where available.
BOLT can save one known-good scan as the active baseline, compare each new scan against that approved state, and summarize new failures, new warnings, resolved issues, improvements, and detail-level finding changes since the baseline. The Baseline tab also lets you run a fresh scan or reset the active baseline after host/runtime changes so drift markers and safe-fix eligibility are recalculated immediately. BOLT Pro adds multiple named baseline snapshots.
The Hardening tab groups BOLT's supported one-click protections into one place. It shows what this host can fix automatically right now, offers one safe hardening action, and includes a manual hardening checklist pulled from the latest scan.
BOLT Pro can optionally send a compact redacted JSON payload of actionable fail/warn findings for interpretation. Without a saved OpenAI API key, the request goes to the Blueternal Solutions BOLT API after hosted BOLT AI consent is enabled in AI Settings. With a saved key or BOLT_OPENAI_API_KEY, the request goes directly to OpenAI from the site. Free installs show the AI Security Briefing panel but cannot generate a briefing or configure AI Settings. BOLT does not send raw files, full database contents, or arbitrary page content. The Overview tab AI Security Briefing is explicit and manual; it does not generate anything automatically on page load.
Current plan details are listed at blueternalsolutions.com/bolt-pro.
ok:false instead of 403, so the endpoint is no longer an existence oracle for guessed install ids

wp_die'ing on a reflected query parameter; the per-fix nonce action is preserved so an admin cannot be CSRF'd into undoing a different fix than they intended.

bak files