=== Pentesterr Security Agent ===
Contributors: pentesterr
Tags: security, malware, monitoring, vulnerability, firewall, scan, hacked, brute force, plugin updates
Requires at least: 5.6
Tested up to: 6.5
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Real-time WordPress security monitoring powered by Pentesterr. Detects vulnerabilities, file changes, brute force attacks, and more.

== Description ==

**Pentesterr Security Agent** connects your WordPress site to the [Pentesterr](https://pentesterr.com) security platform for continuous, automated security monitoring.

Unlike one-off scanners, Pentesterr lives inside your site and reports back daily (or more frequently) with a comprehensive security health report. You get alerted the moment something changes.

= What it monitors =

* **Plugin & theme vulnerabilities** — Checks all installed plugins and themes against a live CVE database and alerts you when a new vulnerability is discovered.
* **Outdated software** — Tracks WordPress core, plugin, and theme update availability.
* **File integrity** — Creates a cryptographic baseline of WordPress core files and alerts you if any are modified (a key indicator of malware injection).
* **Brute force attacks** — Counts failed login attempts and alerts you when a spike is detected.
* **Security configuration** — Checks for debug mode, file editing, XML-RPC, default table prefix, exposed version numbers, and more.
* **User accounts** — Monitors for new administrator accounts and risky usernames.
* **PHP files in uploads** — Detects PHP files in the uploads directory (a common malware hiding spot).
* **SSL certificate expiry** — Alerts you 30 days, 14 days, and on the day of expiry.
* **Suspicious cron jobs** — Flags unknown WP-Cron jobs that may have been added by malware.
* **Database health** — Reports on table prefix, orphaned data, and database version.

= Security score =

Every report generates a security score from 0–100 based on all findings. Track your score over time in the Pentesterr dashboard.

= How it works =

1. Install and activate the plugin.
2. Create a free account at [pentesterr.com](https://pentesterr.com).
3. Add your site in the Pentesterr dashboard to get an API key.
4. Enter the API key in the plugin settings.
5. The plugin sends a daily security report to Pentesterr, which analyses it, generates alerts, and displays everything in your dashboard.

= Privacy =

This plugin collects **only security-relevant metadata**: plugin/theme names and versions, WordPress and PHP versions, security configuration flags, file integrity hashes, and anonymised login event counts. It **never** collects passwords, post content, customer data, or personally identifiable information.

Full privacy policy: [pentesterr.com/privacy](https://pentesterr.com/privacy)

== Installation ==

1. Upload the `pentesterr-agent` folder to `/wp-content/plugins/`.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Go to **Pentesterr** in the admin sidebar.
4. Enter your API key (get one free at [pentesterr.com](https://pentesterr.com)).
5. Click **Save Settings**, then **Run Report Now** to send your first report.

== Frequently Asked Questions ==

= Do I need a Pentesterr account? =

Yes. A free account gives you access to the dashboard, alerts, and report history. Sign up at [pentesterr.com](https://pentesterr.com).

= Does this plugin slow down my site? =

No. The data collection runs as a background WP-Cron job, not on visitor requests. The only real-time hooks are lightweight event counters (e.g. counting failed logins).

= Is my data secure in transit? =

Yes. All data is transmitted over HTTPS using TLS. Your API key is stored in the WordPress options table and never exposed publicly.

= Can I run a report manually? =

Yes. Go to **Pentesterr** in the admin sidebar and click **Run Report Now**.

= What happens if my site has no internet access? =

The plugin will log an error and retry on the next scheduled run.

== Changelog ==

= 1.0.0 =
* Initial release.
* Full security data collection engine.
* File integrity monitoring with baseline comparison.
* Real-time event monitoring (failed logins, role changes, plugin events).
* WordPress admin UI with security score cards and manual trigger.
* WP-Cron scheduling for daily/twice-daily/hourly reports.

== Upgrade Notice ==

= 1.0.0 =
Initial release.