CompatShield Site Auditor gives WordPress site owners and agencies a full picture of their site's security posture in one scan. Unlike basic security plugins, it audits every layer — environment, plugins, themes, users, files, and database — and produces a single weighted score out of 100 with a per-category breakdown.
What it checks
Environment & Hardening
- PHP version (flags below 8.2)
- WordPress core version
- WP_DEBUG exposure
- XML-RPC enabled
- wp-config.php file permissions
- Database table prefix (flags default wp_)
- Directory listing enabled
- .htaccess integrity
- HTTPS enforcement
-
readme.html / license.txt version leakage
Plugin & Theme Intelligence
-
Lists all installed plugins (active and inactive)
- Hits WordPress.org API for last updated date and install count
- Flags plugins not updated in 6, 12, or 24 months
- Flags plugins removed from the WordPress.org directory
-
Flags abandoned themes
User & Access Audit
-
Lists all administrator accounts
- Flags the default "admin" username still in use
- Detects dormant admin accounts (no login in 90+ days)
- Checks for two-factor authentication plugins
-
Flags non-admin users with elevated capabilities (manage_options, install_plugins, etc.)
File Integrity & Backdoor Detection
-
Hashes WordPress core files against official checksums
- Flags modified core files
- Scans theme and plugin files for dangerous PHP patterns: eval(base64_decode), gzinflate, str_rot13, shell_exec, exec, system, preg_replace with /e modifier
- Flags PHP files inside /uploads/ directory
- Flags .git directory exposure
- Detects suspicious WordPress cron jobs
-
Flags PHP files modified in the last 7 or 30 days
Database Security
-
Checks for publicly accessible phpMyAdmin
- Scans published posts for injected content (hidden links, base64 blobs, external iframes)
-
Scans wp_options autoloaded data for malicious PHP patterns and oversized entries
Security Score
-
Weighted score out of 100 (Environment 25, Plugins 20, Headers 20, Users 15, Database 10, Themes 10)
- Per-category score breakdown with issue count
- Historical score tracking with week-over-week change
Who is this for?
- WordPress site owners who want to know their security posture
- Freelancers and developers managing client sites
- Agencies auditing multiple client sites
All of the scanning and reporting features described above are fully
included in this free plugin — nothing here is time-limited or
feature-gated. CompatShield may offer separate, optional products in
the future (such as a multi-site management dashboard); any such
product would be a distinct, separately-installed plugin or service,
not a restriction on this one.
Privacy
This plugin makes outbound requests to:
- WordPress.org API (api.wordpress.org) — to retrieve plugin and theme metadata
- Your own site's URL — to check phpMyAdmin exposure and security headers
No data is sent to third-party servers by the free version.