CSGaku Site State Check

CSGaku Site State Check is a lightweight plugin for reviewing basic WordPress site status from the admin area.

The plugin is designed for administrators and developers who want to check important maintenance and security-related signals on demand. It does not automatically repair, delete, or change site settings. It presents the current state so the site administrator can decide what to review next.

CSGaku Site State Check does not use external API communication or external vulnerability database lookups for its checks. It uses information available within the WordPress site and server environment.

The plugin can run on PHP 7.4 or later, but PHP 8.2 or later is recommended.

Design principles:

• No external API or external service communication for normal checks
• No automatic repair
• No automatic deletion
• No automatic setting changes
• No direct display of secret values or full file contents
• Results organized by status and severity
• Latest result, simple local history, and CSV export support

Main checks include:

• PHP version
• WordPress version
• Site URL and home URL
• SSL status
• Sitemap
• Debug settings
• wp-config.php
• .htaccess
• index.php
• wp-admin, wp-content, and wp-includes
• Public access protection for debug.log
• PHP execution prevention setting in uploads
• wp-config.php structure and location
• SALT constants
• Administrator user count
• Presence of the admin username
• Older administrator accounts
• Application passwords
• Search engine visibility setting
• XML-RPC status
• Core, plugin, and theme update status
• Inactive plugins
• Unused theme candidates
• 444 and 555 permissions under wp-content
• uploads/YYYY/.htaccess and uploads/YYYY/MM/.htaccess

About obfuscation-related checks:

CSGaku Site State Check can review index.php for patterns that are sometimes associated with obfuscation, such as base64, eval, gzinflate, long Base64-like strings, hex escapes, and chr concatenation. If such patterns are found, they are shown as items to review. They are not treated as final proof of malicious code by themselves.

About permissions:

The plugin checks 444 and 555 permissions under wp-content. These permissions may be intentional in some environments, but they can also affect updates, deletion, and maintenance work. When such items are found under themes, the plugin can note that they may be intentional depending on the environment.

About uploads security:

The plugin checks whether uploads/.htaccess contains PHP execution prevention rules, and it also checks for .htaccess files under uploads year/month folders. If relevant .htaccess files are found in those locations, they are shown for review without displaying file contents.

About CSV export:

The latest result can be exported as CSV with a UTF-8 BOM for compatibility with spreadsheet applications. To reduce CSV formula injection risk, values starting with dangerous leading characters are escaped before export.

Important limitations:

• This plugin is a confirmation tool.
• It does not provide malware cleanup.
• It does not provide automatic remediation.
• It does not provide complete vulnerability assessment.
• It does not guarantee detection of all issues.
• Final review and response should be handled by the site administrator.