Aipatch Security Scanner

Description

Aipatch Security Scanner is a modular security audit engine built for site owners, developers, and AI-powered agents who need deep visibility into WordPress security posture — without the bloat of all-in-one security suites.

Why Aipatch Security Scanner?

Most WordPress security plugins are either too simple to be useful or too heavy to be practical. Aipatch takes a different approach:

• Audit-first architecture. Every check is a standalone, testable module that returns structured findings with severity, confidence, evidence, and fingerprints.
• Built for automation. 23 MCP abilities expose the full audit, scanning, and remediation surface to external AI agents — making Aipatch the first WordPress security plugin designed for agentic workflows.
• Zero external dependencies. Everything runs locally. No accounts, no cloud services, no API keys required.
• Reversible by design. Every automated remediation stores rollback data so you can undo any change with one click.

Core Capabilities

36-Point Security Audit

Aipatch runs 36 automated checks across 8 categories — core, plugins, themes, users, configuration, server, access control, and malware surface:

• Outdated WordPress core, plugins, and themes
• Default admin username, excessive admin accounts, inactive admin users, user ID 1 exposure
• XML-RPC, file editor, debug mode, debug log, REST API exposure, directory listing
• PHP version, HTTPS, file permissions, security headers (X-Frame-Options, CSP, etc.)
• Database prefix, sensitive files, PHP execution in uploads, auto-update configuration
• Salt key strength, cron health, cookie security flags, CORS, application passwords
• Exposed backup files, phpinfo files, uploads directory indexing, default login URL
• Database credential security, file installation permissions

Every finding includes a severity (critical / high / medium / low / info), confidence score, human-readable explanation, and actionable recommendation.

Weighted Security Score (0–100)

A logarithmic scoring engine computes an overall security score and per-area breakdown across six risk dimensions: software, access control, configuration, infrastructure, malware surface, and vulnerability exposure. Severity weights and confidence multipliers ensure the score reflects actual risk, not just issue count.

Multi-Layer Malware File Scanner

A three-layer file scanner (content 55%, context 25%, integrity 20%) with 27 detection signatures, Shannon entropy analysis, and malware family classification detects:

• Code execution patterns: eval(), assert(), create_function(), preg_replace /e
• System command functions: shell_exec, exec, passthru, backtick operators
• Obfuscation techniques: base64 encoding, hex encoding, str_rot13, gzinflate chains, chr() concatenation, variable variables, suspiciously long lines
• Network/exfiltration: cURL execution, fsockopen, remote file_get_contents
• Known backdoor signatures: c99, r57, WSO, b374k, weevely, FilesMan
• WordPress-specific threats: unauthorized admin creation, critical option injection, security function removal

Scanning runs in batches via an async job system with configurable batch sizes — safe for shared hosting.

Files are classified into 11 malware families (web shell, obfuscated loader, dropper, persistence backdoor, cloaked PHP, code injector, and more) with confidence scores and remediation hints.

WordPress Core Integrity Verification

Verifies every core file against official checksums from api.wordpress.org. Detects modified core files (checksum mismatch), missing core files, and unexpected files planted in wp-admin/ or wp-includes/. Core tampering findings are automatically escalated to critical severity with zero false-positive likelihood.

File Integrity Baseline

Build a known-good hash baseline of all PHP files in your installation. Diff against it at any time to detect modified, deleted, or newly added files. Origin detection distinguishes core, plugin, theme, and upload files.

Vulnerability Intelligence

A local knowledge base of known plugin, theme, and core vulnerabilities with a database-backed caching layer for fast lookups. Provider architecture allows extending with external feeds.

One-Click Remediation with Rollback

Apply fixes directly from findings — change WordPress options, delete suspicious files, rename files, patch file contents, or add .htaccess rules. Every automated action stores a full rollback payload so you can reverse any change. Manual remediations can be logged for audit trails.

Six supported action types: wp_option, delete_file, rename_file, file_patch, htaccess_rule, manual.

Hardening Module

Five toggleable hardening rules with clear explanations and compatibility warnings:

• Disable XML-RPC — blocks external XML-RPC requests and removes X-Pingback header
• Hide WordPress Version — removes version leaks from source, RSS feeds, scripts, and styles
• Restrict REST API — limits sensitive endpoints to authenticated users
• Block Author Scanning — prevents user enumeration via author archives
• Login Brute-Force Protection — rate-limits login attempts per IP with configurable thresholds and lockout duration

Persistent Findings Store

All audit findings persist in a dedicated database table with automatic deduplication by fingerprint. Track findings over time — dismissed findings stay dismissed across scans; resolved findings reopen if the issue reappears.

Security Event Logging

Every scan, hardening change, remediation, and significant event is logged to a dedicated table. Logs are filterable by severity and exportable as CSV.

WordPress Site Health Integration

Adds 6 security tests to the built-in Site Health screen: file editor, debug mode, XML-RPC, admin username, SSL, and overall security score.

Performance Diagnostics

Built-in performance profiling to identify slow queries, high memory usage, and resource bottlenecks related to security operations.

REST API

10 authenticated endpoints under the aipatch-security-scanner/v1 namespace for triggering scans, retrieving summaries, toggling hardening, exporting logs, and running performance diagnostics.

MCP Surface for AI Agents (23 Abilities)

Aipatch exposes 23 structured abilities via the WordPress Abilities API — making your site’s security surface fully accessible to external AI agents, coding assistants, and orchestration tools:

By default, only aipatch/audit-site is enabled. You can enable additional abilities from Aipatch Security Scanner -> Settings -> MCP Abilities.

Audit & Scanning

• aipatch/audit-site — Run a full 36-check security audit with scored findings
• aipatch/audit-suspicious — Quick heuristic scan for suspicious files
• aipatch/start-file-scan — Launch an async multi-layer malware scan job
• aipatch/process-file-scan-batch — Process next batch of files in a running scan
• aipatch/file-scan-progress — Check file scan progress
• aipatch/file-scan-results — Retrieve enriched scan results with family, reasons, layer scores
• aipatch/get-scan-summary — Comprehensive latest scan summary with classification breakdown
• aipatch/list-suspicious-files — List suspicious files from latest scan (no job_id needed)

Integrity & Baseline

• aipatch/verify-core-integrity — Verify WP core files against official api.wordpress.org checksums
• aipatch/baseline-build — Build or refresh the known-good file hash baseline
• aipatch/baseline-diff — Compare current filesystem against stored baseline
• aipatch/baseline-stats — Baseline statistics by origin type
• aipatch/get-baseline-drift — Combined baseline drift + core integrity report

Findings & Monitoring

• aipatch/list-findings — Query persistent findings with status/severity/category filters
• aipatch/findings-stats — Aggregate finding statistics
• aipatch/findings-diff — New and resolved findings since a point in time
• aipatch/get-file-finding-detail — Single finding with decoded metadata, layer scores, family
• aipatch/dismiss-finding — Dismiss a finding as accepted risk

Remediation

• aipatch/apply-remediation — Apply a security fix with rollback support
• aipatch/rollback-remediation — Undo a previously applied fix
• aipatch/list-remediations — List remediation history with filters

Jobs & Status

• aipatch/list-jobs — List scan/audit jobs with filters
• aipatch/get-async-job-status — Check async job status and retrieve results

20 abilities are read-only; only 3 (dismiss, apply-remediation, rollback) modify site state. All abilities include typed input/output schemas, permission checks (manage_options), and structured error responses.

What Aipatch Does NOT Do

• It is NOT a firewall or WAF — it does not filter incoming traffic.
• It does NOT intercept frontend requests or affect page load performance.
• It does NOT phone home, require an account, or send data externally.
• It does NOT inject ads, upsells, or nag notices.