VideoWhisper Security Audit

VideoWhisper Security Audit creates WordPress site health, exposure, vulnerability, integrity, readiness, and performance reports for site administrators. The plugin is designed to help administrators review site activity and configuration with AI agents or by using the built-in admin report.

The free plugin is read-only. It reports findings and does not perform cleanup, quarantine, updates, file changes, role changes, or other remediation actions.

Main features:

• Admin Scan tab with scan mode selector, cooldown-aware Run Scan button, scan date, report summary, and report findings.
• Importance-based scan modes: full, critical/high/medium, and critical-only.
• Report filters for issues only or all check results, including passed informational checks when available.
• JSON and plain-text Markdown report output.
• Optional token-protected REST report endpoint.
• Optional token-protected MCP endpoint for read-only AI-agent reports.
• Separate REST and MCP enable/disable settings.
• Generated local tokens with rotation controls and last-used metadata.
• REST/MCP per-minute rate limiting and optional exact IP allowlist.
• Admin scan cooldown, hourly scan limit, and separate agent scan cooldown.
• Category toggles for security, integrity, performance, readiness, commerce, community, and backup checks.
• Redacted AI report defaults, with optional exact version and path disclosure for MCP reports.
• Optional WPVulnerability API lookups for installed plugin vulnerability data.
• Disclaimers in the admin report and Agents tab about report limits, sensitive information, and third-party AI analysis.

Local checks

Security Audit currently checks local WordPress signals including:

• Plugin and theme updates.
• Inactive plugins.
• Administrator account count.
• Expected WordPress database tables.
• Administrator role capabilities.
• Upload directory writability.
• Debug log file presence.
• Git metadata in the web root.
• XML-RPC availability.
• Common homepage security headers.
• Autoloaded option size.
• Expired transient count.
• WP-Cron disabled state.
• Permalink structure.
• Search engine visibility setting.
• Privacy Policy page presence.
• Basic WooCommerce page readiness when WooCommerce is active.
• Optional WPVulnerability plugin vulnerability lookups.

Agent and API reports

REST and MCP endpoints are disabled by default. When enabled, Security Audit automatically generates local tokens. Anyone with a valid token can read the selected report until the token is rotated, so treat tokens as sensitive secrets.

The REST report endpoint supports:

• key: generated REST token. A bearer token can also be used.
• mode: full, important, critical, or changed.
• report: issues or all.
• format: omit for JSON, or use markdown for plain Markdown output.

The MCP endpoint supports read-only tools for security summary, vulnerability, exposure, integrity, performance risk, readiness, and Markdown audit reports. Tool arguments include mode and report.

Endpoint protection controls include:

• REST/MCP requests per minute per IP.
• Separate agent scan cooldown.
• Optional exact IPv4/IPv6 allowlist.
• Token rotation.

Important limitations and disclaimers

Security Audit reports are informational only. Findings and AI-ready reports may be incomplete, inaccurate, outdated, or unsuitable for a specific site or legal situation.

Security Audit does not provide legal advice, compliance certification, professional security advice, malware cleanup, incident response, or a guarantee that a site is secure. Administrators should verify findings and consult an experienced security, technical, or legal provider before making important changes.

REST and MCP reports may expose sensitive operational information, including site configuration, component versions, possible vulnerabilities, paths, and other details. Enable agent endpoints only when you understand where the data will be sent and who can access the token.

Third-party AI agents may produce incomplete, incorrect, unsafe, or unsuitable recommendations. Review all recommendations before acting and do not perform destructive changes without backups and appropriate professional review.

This plugin is not a firewall, malware cleaner, legal compliance tool, vulnerability scanner guarantee, or replacement for backups, security monitoring, dedicated scanners, or experienced administrators.

External services

By default, Security Audit does not call external vulnerability services.

If the administrator enables WPVulnerability lookups, the plugin sends installed plugin slugs to the public WPVulnerability API at https://www.wpvulnerability.net/ to retrieve vulnerability data. No API key is required for normal component lookups. Responses are cached locally. See:

• https://www.wpvulnerability.com/
• https://docs.wpvulnerability.com/
• https://www.wpvulnerability.com/privacy/
• https://www.wpvulnerability.com/license/

During scans, Security Audit may also make a local HTTP HEAD request to the site’s own homepage URL to inspect response headers. This request is sent to the configured site URL, not to a third-party vulnerability service.