Title: VideoWhisper Security Audit
Author: videowhisper
Published: <strong>June 12, 2026</strong>
Last modified: July 6, 2026

---

Search plugins

![](https://ps.w.org/videowhisper-security-audit/assets/banner-772x250.png?rev=3570541)

![](https://ps.w.org/videowhisper-security-audit/assets/icon-256x256.png?rev=3570541)

# VideoWhisper Security Audit

 By [videowhisper](https://profiles.wordpress.org/videowhisper/)

[Download](https://downloads.wordpress.org/plugin/videowhisper-security-audit.zip)

 * [Details](https://pcd.wordpress.org/plugins/videowhisper-security-audit/#description)
 * [Reviews](https://pcd.wordpress.org/plugins/videowhisper-security-audit/#reviews)
 *  [Installation](https://pcd.wordpress.org/plugins/videowhisper-security-audit/#installation)
 * [Development](https://pcd.wordpress.org/plugins/videowhisper-security-audit/#developers)

 [Support](https://wordpress.org/support/plugin/videowhisper-security-audit/)

## Description

VideoWhisper Security Audit creates WordPress site health, exposure, vulnerability,
integrity, readiness, and performance reports for site administrators. The plugin
is designed to help administrators review site activity and configuration with AI
agents or by using the built-in admin report.

The free plugin is read-only. It reports findings and does not perform cleanup, 
quarantine, updates, file changes, role changes, or other remediation actions.

Plugin homepage: https://promptaur.com/wordpress/security-audit/

Main features:

 * Admin Scan tab with queued scan processing, live progress, per-task status, resume/
   retry controls, scan date, report summary, and report findings.
 * Configurable scan execution mode: queued scans by default, or legacy synchronous
   scans for small/basic sites.
 * Importance-based scan modes: full, critical/high/medium, and critical-only.
 * Report filters for issues only or all check results, including passed informational
   checks when available.
 * JSON and plain-text Markdown report output.
 * Optional token-protected REST report endpoint.
 * Optional token-protected MCP endpoint for read-only AI-agent reports.
 * Optional WordPress 6.9+ Abilities for admin-only read-only security overview,
   vulnerability, exposure, integrity, readiness, performance risk, and Markdown
   audit reports.
 * Optional exposure of those abilities through the official WordPress MCP Adapter
   when installed separately.
 * Read-only integration with [VideoWhisper AI Site Manager – Using ChatGPT Claude Codex](https://wordpress.org/plugins/videowhisper-site-manager/)
   when both plugins are active, including report reads and agent-friendly queued
   scan tools.
 * Separate REST and MCP enable/disable settings.
 * Generated local tokens with rotation controls and last-used metadata.
 * REST/MCP per-minute rate limiting and optional exact IP allowlist.
 * Admin scan cooldown, hourly scan limit, and separate agent scan cooldown.
 * Category toggles for security, integrity, performance, readiness, commerce, community,
   and backup checks.
 * Redacted AI report defaults, with optional exact version and path disclosure 
   for MCP reports.
 * Optional WPVulnerability API lookups for installed plugin vulnerability data.
 * Disclaimers in the admin report and Agents tab about report limits, sensitive
   information, and third-party AI analysis.

#### Queued scans

Queued scanning is the default admin interface. It splits inventory, exposure, vulnerability,
integrity, performance, and readiness checks into small AJAX-polled batches. This
avoids browser, proxy, and PHP timeout issues on larger sites while showing progress
and recent queue events. Failed tasks can be retried, and unfinished jobs can be
resumed from the Scan tab.

Administrators that prefer the original one-request scan flow can switch Scan execution
to “Synchronous legacy scan” in Settings.

#### Local checks

Security Audit currently checks local WordPress signals including:

 * Plugin and theme updates.
 * Inactive plugins.
 * Administrator account count.
 * Expected WordPress database tables.
 * Administrator role capabilities.
 * Upload directory writability.
 * Debug log file presence.
 * Git metadata in the web root.
 * XML-RPC availability.
 * Common homepage security headers.
 * Autoloaded option size.
 * Expired transient count.
 * WP-Cron disabled state.
 * Permalink structure.
 * Search engine visibility setting.
 * Privacy Policy page presence.
 * Basic WooCommerce page readiness when WooCommerce is active.
 * Optional WPVulnerability plugin vulnerability lookups.

#### Agent and API reports

REST and MCP endpoints are disabled by default. When enabled, Security Audit automatically
generates local tokens. Anyone with a valid token can read the selected report until
the token is rotated, so treat tokens as sensitive secrets.

The REST report endpoint supports:

 * `key`: generated REST token. A bearer token can also be used.
 * `mode`: `full`, `important`, `critical`, or `changed`.
 * `report`: `issues` or `all`.
 * `format`: omit for JSON, or use `markdown` for plain Markdown output.

The MCP endpoint supports read-only tools for security summary, vulnerability, exposure,
integrity, performance risk, readiness, and Markdown audit reports. Tool arguments
include `mode` and `report`.

When VideoWhisper AI Site Manager is active, Security Audit also registers agent
tools for latest summary/report reads, synchronous scan refreshes for small sites,
scan task discovery, queued scan creation, queue batch processing, queue status 
polling, and retrying failed scan tasks.

On WordPress 6.9+, administrators can also enable WordPress Abilities. These abilities
are admin-only, read-only, and permission-checked with `manage_options` by default.
They can optionally be marked public for the official WordPress MCP Adapter, which
must be installed separately. Existing REST and MCP endpoints remain available and
are not replaced.

Some sites use an OAuth, firewall, or bearer-auth layer that consumes `Authorization:
Bearer` before the Security Audit route receives the request. If standalone Codex
MCP bearer setup returns `oauth_token_invalid` or a similar upstream bearer-auth
error, use the MCP path-token URL shown on the Agents tab instead of the bearer 
URL.

Endpoint protection controls include:

 * REST/MCP requests per minute per IP.
 * Separate agent scan cooldown.
 * Optional exact IPv4/IPv6 allowlist.
 * Token rotation.

#### Developer hooks

Security Audit exposes generic hooks that any plugin can use to extend scan data,
reports, admin UI, and Site Manager integration:

 * `vwsa_latest_snapshot` filters the latest stored snapshot before reports use 
   it.
 * `vwsa_scan_settings` filters normalized scan settings for a scan context.
 * `vwsa_scan_inventory` filters inventory data before findings are finalized.
 * `vwsa_scan_findings` filters findings before snapshot lifecycle metadata is saved.
 * `vwsa_snapshot_before_save` filters the completed snapshot before it is stored.
 * `vwsa_snapshot_saved` fires after a snapshot is stored.
 * `vwsa_report` filters built report output.
 * `vwsa_site_manager_integration` filters the Site Manager integration definition.
 * `vwsa_admin_tabs` filters admin tabs.
 * `vwsa_admin_render_tab` lets extensions render custom admin tabs.
 * `vwsa_admin_scan_panel_after` renders generic content after the scan panel.
 * `vwsa_admin_findings_before` renders content before findings.
 * `vwsa_admin_finding_card_start` renders content inside a finding card.
 * `vwsa_admin_finding_actions` filters per-finding action links.
 * `vwsa_admin_findings_after` renders content after findings.

#### Important limitations and disclaimers

Security Audit reports are informational only. Findings and AI-ready reports may
be incomplete, inaccurate, outdated, or unsuitable for a specific site or legal 
situation.

Security Audit does not provide legal advice, compliance certification, professional
security advice, malware cleanup, incident response, or a guarantee that a site 
is secure. Administrators should verify findings and consult an experienced security,
technical, or legal provider before making important changes.

REST and MCP reports may expose sensitive operational information, including site
configuration, component versions, possible vulnerabilities, paths, and other details.
Enable agent endpoints only when you understand where the data will be sent and 
who can access the token.

Third-party AI agents may produce incomplete, incorrect, unsafe, or unsuitable recommendations.
Review all recommendations before acting and do not perform destructive changes 
without backups and appropriate professional review.

This plugin is not a firewall, malware cleaner, legal compliance tool, vulnerability
scanner guarantee, or replacement for backups, security monitoring, dedicated scanners,
or experienced administrators.

#### External services

By default, Security Audit does not call external vulnerability services.

If the administrator enables WPVulnerability lookups, the plugin sends installed
plugin slugs to the public WPVulnerability API at `https://www.wpvulnerability.net/`
to retrieve vulnerability data. No API key is required for normal component lookups.
Responses are cached locally. See:

 * https://www.wpvulnerability.com/
 * https://docs.wpvulnerability.com/
 * https://www.wpvulnerability.com/privacy/
 * https://www.wpvulnerability.com/license/

During scans, Security Audit may also make a local HTTP HEAD request to the site’s
own homepage URL to inspect response headers. This request is sent to the configured
site URL, not to a third-party vulnerability service.

## Installation

 1. Upload the plugin folder to `/wp-content/plugins/` or install it from the WordPress
    plugin screen.
 2. Activate VideoWhisper Security Audit.
 3. Go to Tools > Security Audit.
 4. Run a scan and review findings.
 5. Open the Settings tab to configure categories, default scan/report mode, scan limits,
    and optional WPVulnerability lookups.
 6. Open the Agents tab to enable REST/MCP endpoints, rotate tokens, view endpoint 
    URLs, and copy setup instructions if you want read-only external report access.

## FAQ

### Does this plugin change my site?

No. It stores scan reports and scan queue state, but it does not perform cleanup,
quarantine, updates, file edits, role changes, or remediation.

### Is this a firewall or malware scanner?

No. Security Audit checks health, exposure, vulnerability, integrity, performance,
and readiness signals. It does not claim to detect or remove all malware, block 
attacks, or guarantee that a site is secure.

### Does the plugin send data to external services?

Only if you enable WPVulnerability lookups. That optional feature sends installed
plugin slugs to WPVulnerability and caches results locally.

The plugin may also request your own homepage URL during scans to inspect response
headers.

### Are REST and MCP endpoints enabled by default?

No. REST and MCP report endpoints are disabled by default and must be enabled by
an administrator from the Agents tab.

### Is the MCP endpoint public?

The MCP endpoint can be reachable by URL when enabled, but report access requires
the generated Security Audit MCP token. Anyone with the token URL or bearer token
can read the selected redacted report until you rotate the token.

The Agents tab also supports a per-minute endpoint rate limit and an optional IP
allowlist for REST/MCP access.

For Codex, the bearer-token setup is preferred when the WordPress site does not 
intercept bearer headers. If another auth layer handles bearer headers first, copy
the path-token MCP URL from the Agents tab and add it with `codex mcp add <name>--
url <path-token-url>`.

### What is the difference between issues and all reports?

Issues reports hide passed informational checks and show current reportable findings.
All reports include informational passed checks when available, such as a WPVulnerability
lookup that returned no affected vulnerability for the installed plugin version.

### Can AI agents safely fix findings?

The free plugin exposes reports and scan refresh tools, but no cleanup or remediation
actions. AI recommendations may be incomplete, inaccurate, unsafe, or unsuitable
for your site. Review all recommendations carefully and consult an experienced provider
before taking important action.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“VideoWhisper Security Audit” is open source software. The following people have
contributed to this plugin.

Contributors

 *   [ videowhisper ](https://profiles.wordpress.org/videowhisper/)

[Translate “VideoWhisper Security Audit” into your language.](https://translate.wordpress.org/projects/wp-plugins/videowhisper-security-audit)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/videowhisper-security-audit/),
check out the [SVN repository](https://plugins.svn.wordpress.org/videowhisper-security-audit/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/videowhisper-security-audit/)
by [RSS](https://plugins.trac.wordpress.org/log/videowhisper-security-audit/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.2.0

 * Added queued scan processing as the default admin scan interface with AJAX polling,
   per-task progress, resume, retry, and recent job events.
 * Added a Settings option to use the legacy synchronous scan flow for small/basic
   sites.
 * Added free Site Manager tools for scan task discovery, synchronous report refreshes,
   queued scan creation, bounded queue processing, queue status polling, and retries.
 * Documented generic extension hooks for scan data, reports, admin UI, and Site
   Manager integration.

#### 1.1.0

 * Added optional WordPress 6.9+ Abilities for admin-only read-only security overview,
   vulnerability, exposure, integrity, readiness, performance risk, and Markdown
   audit reports.
 * Added settings to register abilities and expose them through the separately installed
   official WordPress MCP Adapter while preserving existing REST and MCP endpoints.

#### 1.0.1

 * Synchronized plugin version metadata and updated WordPress.org support requirements.
 * Added generic admin extension hooks for third-party tabs and finding actions.

#### 1.0.0

 * Added generic scan/report extension hooks and read-only [VideoWhisper AI Site Manager – Using ChatGPT Claude Codex](https://wordpress.org/plugins/videowhisper-site-manager/)
   integration.

#### 0.1.0

 * Initial MVP with admin reports, local checks, optional WPVulnerability lookups,
   token-protected REST JSON/Markdown reports, token-protected MCP reports, scan
   limits, endpoint rate limits, IP allowlist, and read-only AI-agent setup instructions.

## Meta

 *  Version **1.2.1**
 *  Last updated **2 days ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 6.0 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/videowhisper-security-audit/)
 * Tags
 * [audit](https://pcd.wordpress.org/plugins/tags/audit/)[mcp](https://pcd.wordpress.org/plugins/tags/mcp/)
   [reports](https://pcd.wordpress.org/plugins/tags/reports/)[security](https://pcd.wordpress.org/plugins/tags/security/)
   [site health](https://pcd.wordpress.org/plugins/tags/site-health/)
 *  [Advanced View](https://pcd.wordpress.org/plugins/videowhisper-security-audit/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/videowhisper-security-audit/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/videowhisper-security-audit/reviews/)

## Contributors

 *   [ videowhisper ](https://profiles.wordpress.org/videowhisper/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/videowhisper-security-audit/)