Flag pending core, plugin, and theme updates, abandoned plugins, and common hardening misconfigurations. An update-and-config check — not a CVE database lookup.
Most WordPress compromises start with the obvious: an abandoned plugin, a core version that's three releases behind, or debug mode left on in production. The Outdated Software Check catches the low-hanging fruit attackers look for first.
Flag plugins with pending updates and those marked as abandoned in the WordPress.org repo.
Flag themes with pending updates — both the active theme and any installed inactive themes.
Flag when core is behind the latest release, so you notice when an update pending in the WP dashboard hasn't been applied.
Flag weak default usernames like "admin", WP_DEBUG left enabled, DISALLOW_FILE_EDIT not set, and user enumeration still open.
Flag if HTTPS isn't configured at the site URL level so mixed-content and cookie-over-HTTP issues get caught.
Detect insecure legacy artifacts still on disk: TimThumb, exposed debug.log, config backups (wp-config.php.bak), and similar.
Every finding carries a severity so you can triage the list without reading every row.
An abandoned plugin, a WP_DEBUG flag left on in production, or HTTPS not configured at all. Address today.
Major core/plugin updates pending, DISALLOW_FILE_EDIT not set, or user enumeration still open. Address this week.
Minor plugin/theme updates pending or a weak default admin username. Schedule within your normal maintenance window.
Inactive themes with pending updates, residual files from old installs, and similar housekeeping items.
It's worth being direct about what this module does, because the WordPress security space is full of tools that imply more than they deliver.
This is an update-and-config check. It uses data you already have access to: the WordPress.org repository metadata, your site's installed versions, your wp-config constants, and your admin account table. It flags the low-hanging fruit — pending updates, abandoned plugins, missing hardening constants, weak admin defaults — that account for the overwhelming majority of real-world WordPress compromises.
This is not a CVE database lookup. There is no cloud feed, no WPScan / Patchstack / NVD subscription, no CVSS score attached to a specific vulnerability ID. A plugin that is up-to-date on WordPress.org may still have an undisclosed CVE — we won't know and we won't tell you we do. For that, you'd want a dedicated threat-intelligence service.
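A minimal local version of two of the checks described above (wp-config hardening constants and legacy artifacts on disk), as an added example and not GuardPress code. The function names, the sample config and the `timthumb.php` file name are assumptions of this example.

```python
import re
from pathlib import Path

# Artifact names come from the page; "timthumb.php" as the TimThumb file name is an assumption.
ARTIFACT_NAMES = ["debug.log", "wp-config.php.bak", "timthumb.php"]

# Matches define( 'NAME', value ); with a simple (non-call) value.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""", re.IGNORECASE)

# Constructed sample: the safe settings exist only inside comments.
SAMPLE_CONFIG = """<?php
// define( 'WP_DEBUG', false );
define( 'WP_DEBUG', true ); // left on after troubleshooting
define( 'WP_DEBUG_LOG', true );
/* define( 'DISALLOW_FILE_EDIT', true ); */
"""

def strip_comments(php: str) -> str:
    """Drop block comments and whole-line // or # comments so they cannot match."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"^[ \t]*(//|#).*$", "", php, flags=re.MULTILINE)

def read_constants(php: str) -> dict:
    consts = {}
    for name, raw in DEFINE_RE.findall(strip_comments(php)):
        # PHP keeps the first define() of a constant; later ones are ignored.
        consts.setdefault(name, raw.strip("'\" ").lower())
    return consts

def config_findings(php: str) -> list:
    c = read_constants(php)
    findings = []
    if c.get("WP_DEBUG") in ("true", "1"):
        findings.append("WP_DEBUG enabled")
    if c.get("DISALLOW_FILE_EDIT") not in ("true", "1"):
        findings.append("DISALLOW_FILE_EDIT not set")
    return findings

def artifact_findings(root: Path) -> list:
    """Return paths (relative to the WordPress root) of known legacy artifacts."""
    hits = set()
    for name in ARTIFACT_NAMES:
        hits.update(p.relative_to(root).as_posix() for p in root.rglob(name))
    return sorted(hits)

if __name__ == "__main__":
    print(config_findings(SAMPLE_CONFIG))
    print(artifact_findings(Path(".")))
```

Constants set through function calls or included files are not resolved by this text-level parse, so treat a "not set" result as a prompt to confirm on the running site.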
Get the Outdated Software Check and all other GuardPress Pro features with a single license.