Site Add-on Watchdog

Site Add-on Watchdog keeps an eye on your site’s plugins and warns you when:

• Your installed version is two or more minor releases behind the directory build.
• The official changelog mentions security or vulnerability fixes.
• (Optional) WPScan lists open CVEs for the plugin when you provide your own API key.

The plugin runs on a schedule you control—choose daily, weekly, a twenty-minute testing cadence, or rely on manual scans—and stores results locally. Nothing leaves your site unless you explicitly configure outgoing notifications.

Privacy first

• No plugin inventory or telemetry is ever sent off-site by default.
• Optional webhooks are opt-in and only post the detected risks.
• WPScan lookups only run when you add your personal API token.

Admin tools

• Dashboard page with the current risk list and manual scan button.
• Ignore list to suppress noisy plugins.
• Notification settings for email, Discord, Slack, Microsoft Teams, or a generic webhook.

Notifications

• Email: send to one or more recipients (comma separated).
• Discord: post to a channel via webhook.
• Slack: connect via an incoming webhook to post alerts into any workspace channel.
• Microsoft Teams: send adaptive card style notices through an incoming webhook connector.
• Generic webhook: post JSON payload to any endpoint you control, with optional HMAC signatures. Failed deliveries are logged and highlighted on the Watchdog admin screen so you can reconfigure or resend manually.

Troubleshooting

Scheduled scans are not running

Watchdog relies on WP-Cron to trigger scheduled scans and notifications. If you have set DISABLE_WP_CRON to true or your site receives very little traffic (so WP-Cron rarely runs), configure a system cron job to call either wp-cron.php or the plugin’s REST endpoint. The admin Delivery health panel lists the REST URL you can target; a typical example looks like this:

curl -X POST https://example.com/wp-json/site-add-on-watchdog/v1/cron

Testing-mode notifications also rely on this trigger, so be sure your cron job is running when validating delivery.

CLI Usage

Watchdog bundles a WP-CLI command so you can run scans outside of the WordPress admin. All examples below assume the command is executed from a shell where wp (WP-CLI) is available.

wp watchdog scan [--notify=<bool>]

• --notify (optional): Accepts true or false (defaults to true). When set to false, Watchdog will skip any configured email or webhook notifications and only record the scan locally.

Examples:

• Run a scan and send notifications (default): wp watchdog scan
• Run a scan silently (skip notifications): wp watchdog scan --notify=false

Recommended workflow: on CI/CD platforms, add a job step that boots your WordPress/WP-CLI container, runs pending database migrations if needed, and then calls wp watchdog scan --notify=false to verify the plugin state without spamming production channels. Promote to production by rerunning the same command with notifications enabled when you are ready to alert your team.

Development

The development repository is available on GitHub: https://github.com/happyloa/Site-Add-on-Watchdog. Clone it locally to review the source or run the test suite.