Vulnerability Scanner
Many WordPress compromises happen because a vulnerability that already has a patch available sits unaddressed for weeks. This page describes the recommended workflow for finding, prioritising, and fixing known CVEs in plugins, themes, and core.
Recommended workflow
Go to SiteFort → Vulnerabilities.
The Vulnerability Scanner checks installed plugins, themes, and WordPress core against a database of known CVEs. It is not a general update reminder. It specifically highlights components with confirmed security exposure, which is a different and more urgent category than outdated-but-not-vulnerable software.
Run this check as part of your regular maintenance routine, not only when something feels wrong:
- Click Check Now to run an immediate check.
- Review Critical and High issues first.
- Update affected plugins, themes, or WordPress core.
- Delete plugins and themes you are not actively using, vulnerable or not.
- For abandoned components with no available patch, plan a replacement.
- Run another check after updates to confirm findings are resolved.
The single most effective habit
Remove plugins and themes you are not using. Inactive code still sits on the server and can still carry a known vulnerability. Deactivating a plugin is not a defence: its files stay in place and reachable, so an exploit that requests one of those files directly still works. If you installed it to test something and never activated it properly, delete it.
Responding by severity
The scanner groups findings by severity. Use severity as your triage order, not the order findings appear on screen.
| Severity | When to act | What to do |
|---|---|---|
| Critical | Immediately | Update, disable, or remove the affected component now. Check the Audit Log and Traffic Log for signs of exploitation around the same time period. Do not wait for a maintenance window. |
| High | Same day | Update or remove the affected component. Review firewall and audit logs for suspicious activity. If an update is not yet available, consider disabling the component until a patch is released. |
| Medium | Next maintenance window | Update the affected component during your normal update cycle. Do not carry Medium findings unresolved for more than a week or two. |
| Low | Normal update cycle | Fix during routine updates. Do not ignore indefinitely. Low severity today can be reclassified higher as exploitability is better understood. |
When you cannot update immediately
Sometimes a patch is not yet available, the update breaks something on the site, or the component is business-critical and cannot be removed without a planned migration. These situations require a temporary compensating approach while the permanent fix is arranged.
| Situation | Recommended approach |
|---|---|
| No patch available for a Critical or High CVE | Disable the component if the site can function without it. If it cannot be disabled, use Firewall rules to restrict access to the affected endpoint while planning a replacement. Document the exception: severity, affected version, business owner, compensating control, and target fix date. |
| Update is available but breaks the site | Test the update on a staging environment, resolve the conflict, then apply to production. Do not delay indefinitely because a staging conflict exists. |
| Plugin is abandoned with no maintained alternative yet | Restrict public access to the plugin's functionality using Firewall rules where possible. Plan a replacement and treat finding resolution as a project milestone, not a background task. |
| Client site managed by an agency | Flag the finding to the client immediately for Critical and High. Include severity, affected component, and recommended action in written communication. Do not resolve silently without client awareness. |
Unresolved Critical and High findings stay visible on the SiteFort Dashboard. This is intentional. They affect overall site risk posture until they are fixed or the component is removed.
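The workflow, the delete-what-you-do-not-use habit, and the two tables above can be expressed as one triage routine. The block below is an added example, not SiteFort's code: the page does not document a scanner export format, so the Component and Finding records are an assumed shape, the sample data in build_sample() is constructed (placeholder slugs and CVE ids, not real advisories), and the WP-CLI commands are the remediation step an operator would run by hand. It orders findings by severity, assigns a due date per the severity table (the 30-day Low window is an assumed value), chooses delete / update / disable-or-restrict / plan-replacement per the situations table, builds the exception record the page asks for, and checks a re-scan to confirm which findings are still open.

```python
"""Severity-driven triage of vulnerability scanner findings (added example).

Assumed record shape: the page does not document SiteFort's export format.
Sample data is constructed; slugs and CVE ids are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Triage order and response deadline in days, following the severity table:
# Critical now, High same day, Medium within a week or two, Low in the normal
# update cycle (30 days is an assumed figure, the page gives no number).
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SLA_DAYS = {"critical": 0, "high": 1, "medium": 14, "low": 30}


@dataclass(frozen=True)
class Component:
    slug: str
    kind: str          # "plugin", "theme" or "core"
    version: str
    active: bool


@dataclass(frozen=True)
class Finding:
    slug: str
    cve: str
    severity: str
    fixed_in: str | None   # None when no patched release exists yet


@dataclass(frozen=True)
class Action:
    slug: str
    cve: str
    severity: str
    action: str            # delete | update | disable-or-restrict | plan-replacement
    due: date
    command: str | None    # WP-CLI command, or None when no single command applies
    needs_exception: bool  # True when a documented exception record is required


def triage(components: list[Component], findings: list[Finding], today: date) -> list[Action]:
    """Turn scanner findings into an ordered action list, most severe first."""
    installed = {c.slug: c for c in components}
    actions: list[Action] = []
    for f in sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity.lower()]):
        comp = installed.get(f.slug)
        if comp is None:
            continue  # component already removed; the finding is stale
        sev = f.severity.lower()
        due = today + timedelta(days=SLA_DAYS[sev])
        if comp.kind != "core" and not comp.active:
            # Inactive code still carries the CVE: delete it rather than patch it.
            actions.append(Action(f.slug, f.cve, sev, "delete", due,
                                  f"wp {comp.kind} delete {comp.slug}", False))
        elif f.fixed_in is not None:
            cmd = "wp core update" if comp.kind == "core" else f"wp {comp.kind} update {comp.slug}"
            actions.append(Action(f.slug, f.cve, sev, "update", due, cmd, False))
        elif sev in ("critical", "high"):
            # No patch: disable if the site can run without it, otherwise restrict
            # the endpoint with firewall rules; either way record an exception.
            cmd = f"wp plugin deactivate {comp.slug}" if comp.kind == "plugin" else None
            actions.append(Action(f.slug, f.cve, sev, "disable-or-restrict", due, cmd, True))
        else:
            actions.append(Action(f.slug, f.cve, sev, "plan-replacement", due, None, False))
    return actions


def overdue(actions: list[Action], today: date) -> list[Action]:
    """Actions whose deadline has passed."""
    return [a for a in actions if a.due < today]


def exception_record(action: Action, component: Component, owner: str, control: str) -> dict:
    """The fields to document when a Critical/High CVE cannot be patched now."""
    return {
        "cve": action.cve,
        "severity": action.severity,
        "affected_version": f"{component.slug} {component.version}",
        "business_owner": owner,
        "compensating_control": control,
        "target_fix_date": action.due.isoformat(),
    }


def still_open(before: list[Finding], after: list[Finding]) -> list[Finding]:
    """Findings from the pre-update scan that the re-check still reports."""
    seen = {(f.slug, f.cve) for f in after}
    return [f for f in before if (f.slug, f.cve) in seen]


def build_sample() -> tuple[list[Component], list[Finding]]:
    """Constructed sample: one finding per branch of triage()."""
    components = [
        Component("core", "core", "6.4.2", True),
        Component("gallery-plus", "plugin", "2.1.0", True),
        Component("old-forms", "plugin", "1.3.7", False),
        Component("legacy-theme", "theme", "0.9", True),
    ]
    findings = [  # placeholder CVE ids, not real advisories
        Finding("old-forms", "CVE-0000-0001", "Low", "1.3.8"),
        Finding("gallery-plus", "CVE-0000-0002", "Critical", None),
        Finding("core", "CVE-0000-0003", "High", "6.4.3"),
        Finding("legacy-theme", "CVE-0000-0004", "Medium", None),
    ]
    return components, findings


if __name__ == "__main__":
    comps, finds = build_sample()
    for a in triage(comps, finds, date.today()):
        print(f"{a.severity:8} {a.slug:14} {a.action:20} due {a.due}  {a.command or '(manual)'}")
```

Feed it the real component list and scan output instead of build_sample() and the ordering is your triage order; anything returned by overdue() belongs at the top of the next maintenance conversation, and still_open() run against the post-update scan is the confirmation step from the workflow.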