Security Audit

Security Audit is a wrapper around a pair of third-party tools that can help you identify potential vulnerabilities in your site. It does not actually analyze the code of your site, nor does it correct any issues it finds; it simply compares what you’ve got with publicly-available information regarding security.

Specifically, Security Audit is a wrapper around PHPSecInfo and the WPScan Vulnerability Database API.

Once installed and activated, you’ll have ‘Security Audit’ as an option in the Tools menu. Navigate there and you’ll have tabs for PHPSec Info, Plugin Scanner, Theme Scanner, and WordPress Core Scanner. Click on a tab to initiate a scan of that part of your site. One completed you’ll get an overall summary as well as a breakdown of potential security issues.

“The three ‘scanner’ tabs look at the self-reported versions of your software and compare those versions to data in the vulnerabilities database. Resolved, open and undetermined issues will be displayed and color-coded to indicate the level of concern you should probably have.” This can be useful for determining if a given pending plugin update is a security fix or just bug/feature related; similarly it can also flag known issues with code that has not yet been updated — always good to know!

The PHPSecInfo tab reports information about your PHP configuration, done by calling the PHPSecInfo library bundled with this plugin. In many cases you may be unable to change your PHP configuration; it depends on the level of control you have over your hosting environment.