=== Pura Vida Vulnerability Scanner ===
Contributors: trgomez
Tags: security, vulnerability, scanner, malware, hardening
Requires at least: 5.6
Tested up to: 7.0
Requires PHP: 7.2
Stable tag: 1.0.9
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Scan your plugins, themes and WordPress core against trusted vulnerability databases and get a clear, prioritized security overview.

== Description ==

Pura Vida Vulnerability Scanner checks everything installed on your site, including plugins, themes and WordPress core, against the **Wordfence Intelligence** vulnerability database, audits your site's security posture, and shows you exactly what is at risk and how to fix it.

It does not invent findings. It correlates your installed software and configuration against authoritative public sources (Wordfence Intelligence, CVE/MITRE, the WordPress.org update channel) and live checks of your own server.

**Security overview**

The dashboard opens with an at-a-glance status table covering:

* WordPress Version: OK / Warning
* Vulnerable Plugins: OK / Critical / High / Medium
* Missing Headers: Present / Missing / N/A (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
* SSL: Valid / Expiring soon / Expired / N/A (certificate expiry)
* DNS: OK / Issues / N/A
* Email Security: SPF and DMARC (DKIM is selector-specific)
* CDN/WAF: Detected / Not detected / N/A

**What it does**

* Inventories every installed plugin, theme and the WordPress core version.
* Matches each item and version against a continuously updated vulnerability feed.
* Shows severity (CVSS), the CVE identifier, a description and the recommended fix for every finding.
* Audits your configuration and lists prioritized hardening recommendations (2FA, updates, HTTPS, file editor, and more).
* Optional scheduled scans with email alerts when new critical/high issues appear.
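The inventory-and-match step described above, as an added PHP illustration that is not the plugin's own code: it correlates a local inventory against a cached feed with `version_compare()` and derives the overview status from the worst CVSS band. The feed layout, the `pvvs_` function names and the sample entries are constructed and do not reflect the real Wordfence Intelligence schema.

```php
<?php
// Added illustration, not the plugin's own code. The feed layout and pvvs_* names are
// constructed; the real Wordfence Intelligence schema differs.
// True when $v lies inside the affected range; '*' means unbounded on that side.
function pvvs_version_affected(string $v, array $r): bool {
    $lo = $r['from'] === '*' || version_compare($v, $r['from'], $r['from_inclusive'] ? '>=' : '>');
    $hi = $r['to'] === '*' || version_compare($v, $r['to'], $r['to_inclusive'] ? '<=' : '<');
    return $lo && $hi;
}
// CVSS v3 qualitative bands; the overview row reports the worst one found.
function pvvs_severity(float $cvss): string {
    return $cvss >= 9.0 ? 'Critical' : ($cvss >= 7.0 ? 'High' : ($cvss >= 4.0 ? 'Medium' : 'Low'));
}
// Correlate the local inventory (type:slug => installed version) with feed entries.
// Everything happens on the server: the inventory itself is never sent anywhere.
function pvvs_match(array $inventory, array $feed): array {
    $findings = [];
    foreach ($feed as $vuln) {
        foreach ($vuln['software'] as $sw) {
            $key = $sw['type'] . ':' . $sw['slug'];
            if (!isset($inventory[$key])) continue;
            foreach ($sw['affected_versions'] as $range) {
                if (!pvvs_version_affected($inventory[$key], $range)) continue;
                $findings[] = ['item' => $key, 'installed' => $inventory[$key], 'cve' => $vuln['cve'],
                    'severity' => pvvs_severity($vuln['cvss']), 'fix' => 'update to ' . $sw['patched_in']];
                break; // one finding per vulnerability and installed item
            }
        }
    }
    return $findings;
}
// Worst severity across all findings, or OK when nothing matched.
function pvvs_overview_status(array $findings): string {
    $rank = ['OK' => 0, 'Low' => 1, 'Medium' => 2, 'High' => 3, 'Critical' => 4];
    $worst = 'OK';
    foreach ($findings as $f) if ($rank[$f['severity']] > $rank[$worst]) $worst = $f['severity'];
    return $worst;
}
// Constructed sample data (a real scanner builds $inventory from get_plugins(), wp_get_themes()
// and get_bloginfo('version')); the CVE ids are placeholders, not real identifiers.
$inventory = ['plugin:example-forms' => '2.3.1', 'plugin:example-seo' => '4.0.0', 'core:wordpress' => '6.8'];
$feed = [
    ['cve' => 'CVE-0000-0001', 'cvss' => 9.8, 'software' => [['type' => 'plugin', 'slug' => 'example-forms',
        'patched_in' => '2.3.2', 'affected_versions' => [['from' => '*', 'from_inclusive' => true, 'to' => '2.3.1', 'to_inclusive' => true]]]]],
    ['cve' => 'CVE-0000-0002', 'cvss' => 6.5, 'software' => [['type' => 'plugin', 'slug' => 'example-seo',
        'patched_in' => '4.0.0', 'affected_versions' => [['from' => '*', 'from_inclusive' => true, 'to' => '4.0.0', 'to_inclusive' => false]]]]],
];
$findings = pvvs_match($inventory, $feed);
print_r($findings);
echo pvvs_overview_status($findings), "\n";
```

Only the first sample entry matches, because the second range excludes its upper bound and the installed version equals the patched one.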

**Data sources**

* Wordfence Intelligence Vulnerability Data Feed: free for personal and commercial use; includes CVE (MITRE) and CVSS information.
* CVE (MITRE Corporation): the canonical vulnerability identifiers.
* WordPress.org update channel: available core, plugin and theme updates.
* Live site checks performed by the plugin: HTTP headers, SSL, DNS, SPF/DMARC and CDN/WAF.

This product includes data that may be copyrighted by Defiant Inc. (Wordfence Intelligence) and by the MITRE Corporation (CVE®); their notices are displayed alongside the relevant findings.

Developed by Pura Vida Design Studio, Open Source Security & Website Tools (https://puravidadesignstudio.com/).

== Installation ==

1. Upload the `pura-vida-vulnerability-scanner` folder to `/wp-content/plugins/`, or install the ZIP via **Plugins → Add New → Upload Plugin**.
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Go to **Pura Vida Vulnerability Scanner → Settings** and paste a free Wordfence Intelligence API key (create one at your Wordfence account → Integrations).
4. Open **Pura Vida Vulnerability Scanner** and click **Scan now**.

== Frequently Asked Questions ==

= Do I need a paid account anywhere? =
No. The Wordfence Intelligence feed is free for personal and commercial use. You only need to generate a free API key.

= Why do some rows show N/A? =
Your host may block loopback HTTP requests or disable PHP's DNS/OpenSSL functions. Those checks are skipped safely and reported as N/A, while everything else still works.

= Why isn't DKIM checked automatically? =
DKIM records live at a selector-specific hostname that varies per mail provider and can't be reliably guessed. Pura Vida Vulnerability Scanner checks SPF and DMARC, which are published at fixed, well-known hostnames.

= Does the plugin send my site data anywhere? =
It downloads the public vulnerability feed and matches it locally on your server. Your list of installed plugins is not transmitted.

= How often is the data updated? =
The feed is cached locally and refreshed on your chosen schedule (daily by default), so scans are fast and stay within the provider's rate limits.

== External services ==

This plugin connects to one external service to function: the Wordfence Intelligence Vulnerability Data Feed.

**Wordfence Intelligence Vulnerability Data Feed (Defiant Inc.)**
This plugin downloads the public WordPress vulnerability database from Wordfence in order to match it against the plugins, themes and core version installed on your site.

* What is sent: your Wordfence Intelligence API key (in the request Authorization header) and your site's URL (in the request User-Agent header), sent to https://www.wordfence.com/. The list of plugins and themes installed on your site is NOT transmitted; matching is performed locally on your own server.
* When it is sent: when you run a manual scan, and when a scheduled scan runs (about once per day). The downloaded database is cached locally for 24 hours so the service is contacted at most about once per day.
* Service terms: https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/
* Privacy policy: https://www.wordfence.com/privacy-policy/

The plugin also performs read-only checks against your own site for the Security Overview: a loopback HTTP request to your own home URL (to inspect response headers and detect a CDN/WAF) and DNS lookups for your own domain (to check DNS resolution and SPF/DMARC records). These query your own domain and public DNS only; no data is sent to any third party.
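The Security Overview classification described above and in the N/A FAQ, as an added PHP illustration that is not the plugin's own code: header and SPF/DMARC verdicts are computed from data passed in, and the live wrappers return null so that a blocked loopback request or a disabled DNS function shows N/A instead of a false "Missing". All `pvvs_` names and the sample headers and records are constructed.

```php
<?php
// Added illustration, not the plugin's own code; pvvs_* names are constructed. Live lookups are
// wrapped so a host that blocks loopback requests or disables dns_get_record() yields N/A
// rather than a false "Missing" verdict.
const PVVS_HEADERS = ['strict-transport-security', 'content-security-policy', 'x-frame-options',
    'x-content-type-options', 'referrer-policy'];

// $headers: lowercase name => value, or null when the loopback request could not be made.
function pvvs_header_status(?array $headers): array {
    $out = [];
    foreach (PVVS_HEADERS as $h) {
        $out[$h] = $headers === null ? 'N/A' : (isset($headers[$h]) ? 'Present' : 'Missing');
    }
    return $out;
}

function pvvs_has_prefix(array $records, string $prefix): bool {
    foreach ($records as $r) if (stripos(trim($r), $prefix) === 0) return true;
    return false;
}

// TXT records of the domain (SPF) and of _dmarc.<domain> (DMARC); null when DNS is unavailable.
function pvvs_email_status(?array $domain_txt, ?array $dmarc_txt): array {
    $spf   = $domain_txt === null ? 'N/A' : (pvvs_has_prefix($domain_txt, 'v=spf1') ? 'OK' : 'Missing');
    $dmarc = $dmarc_txt  === null ? 'N/A' : (pvvs_has_prefix($dmarc_txt, 'v=DMARC1') ? 'OK' : 'Missing');
    return ['SPF' => $spf, 'DMARC' => $dmarc];
}

// Live wrappers: return null (=> N/A) instead of erroring when the host restricts these functions.
function pvvs_fetch_headers(string $url): ?array {
    if (!function_exists('get_headers')) return null;
    $raw = @get_headers($url, true); // associative form; integer key 0 holds the status line
    if ($raw === false) return null;
    return array_change_key_case(array_filter($raw, 'is_string', ARRAY_FILTER_USE_KEY), CASE_LOWER);
}
function pvvs_fetch_txt(string $host): ?array {
    if (!function_exists('dns_get_record')) return null;
    $recs = @dns_get_record($host, DNS_TXT);
    return $recs === false ? null : array_column($recs, 'txt');
}

// Constructed sample input so the classification runs without any network access.
$sample_headers = ['content-type' => 'text/html', 'strict-transport-security' => 'max-age=31536000',
    'x-content-type-options' => 'nosniff'];
print_r(pvvs_header_status($sample_headers));
print_r(pvvs_email_status(['v=spf1 include:_spf.example.net -all'], []));
print_r(pvvs_email_status(null, null));
// Live use: pvvs_header_status(pvvs_fetch_headers($home_url)); pvvs_email_status(pvvs_fetch_txt($d), pvvs_fetch_txt('_dmarc.' . $d));
```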

== Changelog ==

= 1.0.9 =
* Removed Plugin URI so it no longer duplicates the Author URI.

= 1.0.8 =
* Renamed plugin to Pura Vida Vulnerability Scanner; updated slug/text domain, Plugin URI and contributors per WordPress.org pre-review.

= 1.0.7 =
* Set Tested up to 7.0 (the current WordPress release).

= 1.0.6 =
* Set Tested up to 6.8 (a current, released WordPress version).

= 1.0.5 =
* Fixed: set the Tested up to header to a version the Plugin Check recognizes as released.

= 1.0.4 =
* Fixed: resolved all Plugin Check findings (Tested up to header, Domain Path, prefixed view variables, removed discouraged functions, justified socket/close and per-field sanitization).

= 1.0.3 =
* Added: External services disclosure (required for WordPress.org listing).

= 1.0.2 =
* Fixed: status overview table header labels now align with their columns.

= 1.0.1 =
* Fixed: status overview table now renders with full styling (asset cache busting).
* Improved: manual scans re-use the cached vulnerability database, so repeated scans no longer hit the provider's daily download limit.
* Improved: clearer messaging about the once-per-day database caching behavior.

= 1.0.0 =
* Initial release: vulnerability scanning for plugins, themes and core; security overview table; configuration recommendations; scheduled scans and email alerts.

== Upgrade Notice ==

= 1.0.1 =
Fixes the security overview table styling and avoids the feed rate limit on repeated scans.