=== VideoWhisper Security Audit ===
Contributors: videowhisper
Tags: security, site-health, mcp, audit, reports
Requires at least: 6.0
Tested up to: 7.0
Stable tag: 0.1.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

AI-ready WordPress site health and security reports for administrators, with optional read-only REST and MCP access.

== Description ==

VideoWhisper Security Audit creates WordPress site health, exposure, vulnerability, integrity, readiness, and performance reports for site administrators. The plugin is designed to help administrators review site activity and configuration with AI agents or by using the built-in admin report.

The free plugin is read-only. It reports findings and does not perform cleanup, quarantine, updates, file changes, role changes, or other remediation actions.

Main features:

* Admin Scan tab with scan mode selector, cooldown-aware Run Scan button, scan date, report summary, and report findings.
* Importance-based scan modes: full, critical/high/medium, and critical-only.
* Report filters for issues only or all check results, including passed informational checks when available.
* JSON and plain-text Markdown report output.
* Optional token-protected REST report endpoint.
* Optional token-protected MCP endpoint for read-only AI-agent reports.
* Separate REST and MCP enable/disable settings.
* Generated local tokens with rotation controls and last-used metadata.
* REST/MCP per-minute rate limiting and optional exact IP allowlist.
* Admin scan cooldown, hourly scan limit, and separate agent scan cooldown.
* Category toggles for security, integrity, performance, readiness, commerce, community, and backup checks.
* Redacted AI report defaults, with optional exact version and path disclosure for MCP reports.
* Optional WPVulnerability API lookups for installed plugin vulnerability data.
* Disclaimers in the admin report and Agents tab about report limits, sensitive information, and third-party AI analysis.

= Local checks =

Security Audit currently checks local WordPress signals including:

* Plugin and theme updates.
* Inactive plugins.
* Administrator account count.
* Expected WordPress database tables.
* Administrator role capabilities.
* Upload directory writability.
* Debug log file presence.
* Git metadata in the web root.
* XML-RPC availability.
* Common homepage security headers.
* Autoloaded option size.
* Expired transient count.
* WP-Cron disabled state.
* Permalink structure.
* Search engine visibility setting.
* Privacy Policy page presence.
* Basic WooCommerce page readiness when WooCommerce is active.
* Optional WPVulnerability plugin vulnerability lookups.

= Agent and API reports =

REST and MCP endpoints are disabled by default. When enabled, Security Audit automatically generates local tokens. Anyone with a valid token can read the selected report until the token is rotated, so treat tokens as sensitive secrets.

The REST report endpoint supports:

* `key`: generated REST token. A bearer token can also be used.
* `mode`: `full`, `important`, `critical`, or `changed`.
* `report`: `issues` or `all`.
* `format`: omit for JSON, or use `markdown` for plain Markdown output.

The MCP endpoint supports read-only tools for security summary, vulnerability, exposure, integrity, performance risk, readiness, and Markdown audit reports. Tool arguments include `mode` and `report`.

Endpoint protection controls include:

* REST/MCP requests per minute per IP.
* Separate agent scan cooldown.
* Optional exact IPv4/IPv6 allowlist.
* Token rotation.

= Important limitations and disclaimers =

Security Audit reports are informational only. Findings and AI-ready reports may be incomplete, inaccurate, outdated, or unsuitable for a specific site or legal situation.

Security Audit does not provide legal advice, compliance certification, professional security advice, malware cleanup, incident response, or a guarantee that a site is secure. Administrators should verify findings and consult an experienced security, technical, or legal provider before making important changes.

REST and MCP reports may expose sensitive operational information, including site configuration, component versions, possible vulnerabilities, paths, and other details. Enable agent endpoints only when you understand where the data will be sent and who can access the token.

Third-party AI agents may produce incomplete, incorrect, unsafe, or unsuitable recommendations. Review all recommendations before acting and do not perform destructive changes without backups and appropriate professional review.

This plugin is not a firewall, malware cleaner, legal compliance tool, vulnerability scanner guarantee, or replacement for backups, security monitoring, dedicated scanners, or experienced administrators.

= External services =

By default, Security Audit does not call external vulnerability services.

If the administrator enables WPVulnerability lookups, the plugin sends installed plugin slugs to the public WPVulnerability API at `https://www.wpvulnerability.net/` to retrieve vulnerability data. No API key is required for normal component lookups. Responses are cached locally. See:

* https://www.wpvulnerability.com/
* https://docs.wpvulnerability.com/
* https://www.wpvulnerability.com/privacy/
* https://www.wpvulnerability.com/license/

During scans, Security Audit may also make a local HTTP HEAD request to the site's own homepage URL to inspect response headers. This request is sent to the configured site URL, not to a third-party vulnerability service.

== Installation ==

1. Upload the plugin folder to `/wp-content/plugins/` or install it from the WordPress plugin screen.
2. Activate VideoWhisper Security Audit.
3. Go to Tools > Security Audit.
4. Run a scan and review findings.
5. Open the Settings tab to configure categories, default scan/report mode, scan limits, and optional WPVulnerability lookups.
6. Open the Agents tab to enable REST/MCP endpoints, rotate tokens, view endpoint URLs, and copy setup instructions if you want read-only external report access.

== Frequently Asked Questions ==

= Does this plugin change my site? =

No. The MVP is read-only. It reports findings and does not perform cleanup, quarantine, updates, file edits, role changes, or remediation.

= Is this a firewall or malware scanner? =

No. Security Audit checks health, exposure, vulnerability, integrity, performance, and readiness signals. It does not claim to detect or remove all malware, block attacks, or guarantee that a site is secure.

= Does the plugin send data to external services? =

Only if you enable WPVulnerability lookups. That optional feature sends installed plugin slugs to WPVulnerability and caches results locally.

The plugin may also request your own homepage URL during scans to inspect response headers.

= Are REST and MCP endpoints enabled by default? =

No. REST and MCP report endpoints are disabled by default and must be enabled by an administrator from the Agents tab.

= Is the MCP endpoint public? =

The MCP endpoint can be reachable by URL when enabled, but report access requires the generated Security Audit MCP token. Anyone with the token URL or bearer token can read the selected redacted report until you rotate the token.

The Agents tab also supports a per-minute endpoint rate limit and an optional IP allowlist for REST/MCP access.

= What is the difference between issues and all reports? =

Issues reports hide passed informational checks and show current reportable findings. All reports include informational passed checks when available, such as a WPVulnerability lookup that returned no affected vulnerability for the installed plugin version.

= Can AI agents safely fix findings? =

The free plugin exposes read-only reports only. AI recommendations may be incomplete, inaccurate, unsafe, or unsuitable for your site. Review all recommendations carefully and consult an experienced provider before taking important action.

== Changelog ==

= 0.1.0 =

* Initial MVP with admin reports, local checks, optional WPVulnerability lookups, token-protected REST JSON/Markdown reports, token-protected MCP reports, scan limits, endpoint rate limits, IP allowlist, and read-only AI-agent setup instructions.
