AI-Ready Security & Health Reports for WordPress

The free Security Audit plugin generates site health, exposure, vulnerability, integrity, readiness, and performance reports for your WordPress site. Review them in the admin dashboard, or let Claude, ChatGPT, or Codex read them through secure, read-only REST and MCP endpoints. You use your own AI subscription — no API key required.

Read-only by design

The free plugin reports findings only. It does not perform cleanup, quarantine, updates, file edits, role changes, or any remediation — so AI agents can safely review your site without making changes.

Free Plugin

Admin Scan tab with scan modes — full, critical/high/medium, critical-only
Site health, exposure, vulnerability, integrity, readiness & performance checks
JSON and plain-text Markdown report output
Issues-only or all-results report filters
Optional token-protected REST report endpoint
Optional token-protected read-only MCP endpoint for AI agents
Optional WPVulnerability API lookups for installed plugins
Per-minute rate limiting, IP allowlist, token rotation, scan cooldowns
Read-only integration with VideoWhisper Site Manager when both are active
Redacted AI report defaults to protect sensitive details

Pro Add-on (in development)

Scheduled AI security reports — delivered by email and MCP
Continuous vulnerability alerts for installed components
Real-time anomaly alerts via webhook
Multi-site security dashboard
Expanded checks and deeper agent reporting
Pro is under active development. Contact us to be notified at launch.

What It Checks

Security Audit reviews local WordPress signals and turns them into clear, AI-readable findings:

Plugin & theme updates
Inactive plugins
Administrator account count
Expected database tables
Administrator role capabilities
Upload directory writability
Debug log file presence
Git metadata in web root
XML-RPC availability
Homepage security headers
Autoloaded option size & expired transients
WP-Cron disabled state
Permalink & search-engine visibility
Privacy Policy page presence
WooCommerce page readiness

Agent & API Reports

REST and MCP endpoints are disabled by default. When enabled, the plugin generates local tokens you can rotate at any time. The MCP endpoint exposes read-only tools for security summary, vulnerability, exposure, integrity, performance risk, readiness, and Markdown audit reports — so an agent can review your site without touching it.

REST report endpoint
Token-protected JSON or Markdown reports. Choose scan mode (full, important, critical, changed) and report scope (issues or all).
MCP endpoint
Read-only tools for AI agents to pull security, vulnerability, exposure, integrity, performance, readiness, and audit reports.

Works With

Claude.ai
Web and mobile. Connect via MCP in Claude settings.
Claude Desktop
macOS and Windows app. Full MCP support.
Claude CLI / Codex
Terminal-based access for developers and automation.
ChatGPT
Read the REST report via Custom GPT actions.

Informational only

Security Audit is not a firewall, malware cleaner, vulnerability-scan guarantee, or replacement for backups, monitoring, dedicated scanners, or experienced administrators. Findings and AI-generated recommendations may be incomplete or inaccurate — review them and consult an experienced security provider before making important changes. REST/MCP reports may expose sensitive operational details, so enable agent endpoints only when you understand where the data is sent and who holds the token.