Lockora Security Audit

Lockora Security Audit helps site owners and agencies review a WordPress site’s security posture from the admin area.

Current prototype features include:

• Manual security scans.
• Weighted security score out of 100.
• WordPress core file integrity checks using official checksums.
• WordPress authentication key and salt checks, with an explicit action to generate missing salts.
• Must-use plugin directory presence checks.
• PHP version status using WordPress.org Serve Happy data.
• HTTPS and HTTP security header checks.
• WordPress core, plugin, and theme update posture checks.
• Administrator account posture checks for default usernames, excess admins, inactive admins, user ID 1 exposure, and an admin username/email inventory.
• Optional known vulnerability matching with a configured Wordfence Intelligence API key.
• Optional WordPress 7 AI client reports through the site’s configured AI Connector.
• Reversible hardening toggles for XML-RPC, REST user routes, generator tag output, and basic security headers.

External Services

Lockora Security Audit may connect to external services only when the administrator runs a scan or generates an AI client report.

WordPress.org APIs:
* Used for WordPress core checksums, PHP version support status, and WordPress core/plugin/theme update data.
* Data sent: the site’s WordPress version and locale for core checksums and PHP compatibility; WordPress itself may send installed plugin and theme slugs/versions to WordPress.org when update data is refreshed.
* WordPress.org terms: https://wordpress.org/about/terms/
* WordPress.org privacy policy: https://wordpress.org/about/privacy/

Wordfence Intelligence:
* Optional.
* Used only when a Wordfence Intelligence API key is configured and an administrator runs a scan that includes vulnerability matching.
* Used to retrieve vulnerability data and match it locally against installed WordPress core, plugin, and theme versions.
* Data sent: the configured Wordfence Intelligence API key is sent in an Authorization header when requesting the vulnerability feed. Installed software details are not sent by this plugin to the Wordfence Intelligence endpoint; matching is performed locally after the feed is retrieved.
* Wordfence Intelligence terms: https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/
* Wordfence privacy policy: https://www.wordfence.com/privacy-policy/

WordPress AI Client / Connectors:
* Optional.
* Used only when the administrator clicks Generate Client Report.
* Data sent: sanitized scan findings, score, counts, and recommendations needed to generate a client-facing report. The plugin is designed not to send passwords, salts, API keys, raw logs, full user lists, or file contents.
* The configured AI provider is controlled by the site owner’s WordPress Connector settings.
* Terms and privacy policy: these depend on the AI provider configured by the site owner in WordPress. Site owners should review the selected provider’s terms and privacy policy before enabling AI reports.