
Content Security Audit

Updated: January 10, 2026 | Category: General

Content Security Audit is a free WordPress plugin created to help site owners understand what is happening inside their website content and system hooks. While many security tools focus on blocking access or monitoring logins, this plugin focuses on visibility. It scans your site to uncover sensitive data exposure, suspicious patterns, and unusual WordPress hook behavior that may indicate security problems.

The plugin does not automatically change or remove anything. Instead, it gives you clear information so you can make informed decisions about what should be reviewed, ignored, or fixed.

How Content Security Audit Works

When a scan runs, the plugin looks through selected areas of your WordPress site. This includes your posts, pages, custom post types, and WordPress hooks. It compares what it finds against known risk patterns and reports anything that may require attention.

Scans run in real time, and you can see progress as the plugin works through your content. Once the scan is finished, all findings are displayed in a single dashboard where you can review them at your own pace.

What the Plugin Scans

Content Scanning Explained

The plugin can scan different parts of your content depending on your settings. This includes post titles, main content, excerpts, and custom fields. During the scan, it looks for sensitive phrases, patterns that resemble credit card numbers, and other commonly flagged data that could pose a risk if exposed publicly.

This type of scan is especially useful for older websites, imported content, or sites managed by multiple authors where sensitive information may have been published unintentionally.
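As an added illustration (not the plugin's own code), the sketch below shows one way a content scan can look for card-like numbers in post fields. The function names and sample fields are hypothetical, and the Luhn checksum step is an assumption of this example, used to cut false positives from order IDs and similar digit runs.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

/** Luhn checksum: true when the digit string passes the mod-10 check. */
function luhn_valid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** Return masked card-like numbers found in one text field. */
function find_card_like_numbers(string $text): array
{
    $findings = [];
    // 13 to 19 digits, optionally grouped by single spaces or hyphens.
    preg_match_all('/(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)/', strip_tags($text), $m);
    foreach ($m[0] as $candidate) {
        $digits = preg_replace('/\D/', '', $candidate);
        if (luhn_valid($digits)) {
            // Mask before reporting so the report itself does not leak the value.
            $findings[] = str_repeat('*', strlen($digits) - 4) . substr($digits, -4);
        }
    }
    return $findings;
}

// Constructed sample fields: a widely used test number and an order ID that fails Luhn.
$fields = [
    'post_content' => '<p>Pay to 4111 1111 1111 1111 before Friday.</p>',
    'post_excerpt' => 'Order reference 1234567890123456 shipped.',
];
foreach ($fields as $name => $value) {
    foreach (find_card_like_numbers($value) as $masked) {
        echo "$name: possible card number $masked\n";
    }
}
```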

System Integrity Checks Explained

Beyond content, the plugin also examines WordPress system hooks. Malware often hides inside actions and filters because they are less visible than theme or plugin files.

Content Security Audit checks these hooks for suspicious closures or unknown callbacks. When something unusual is found, it is listed separately as a system integrity issue so it can be reviewed carefully.
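The following added example (not the plugin's own code) sketches how a hook review of this kind can be done by hand. The function name, the trusted directory and the sample registry are assumptions; inside WordPress the input would come from the `callbacks` property of each entry in the global `$wp_filter`.

```php
<?php
// Added illustration, not the plugin's code. audit_hook_callbacks() is a hypothetical name.

/**
 * List closures defined outside trusted directories and callbacks that do not resolve.
 * $hooks maps hook name => priority => list of ['function' => callable],
 * the shape WordPress keeps in $wp_filter[$name]->callbacks.
 */
function audit_hook_callbacks(array $hooks, array $trusted_dirs): array
{
    $findings = [];
    foreach ($hooks as $hook => $priorities) {
        foreach ($priorities as $priority => $callbacks) {
            foreach ($callbacks as $cb) {
                $fn = $cb['function'];
                if ($fn instanceof Closure) {
                    $ref  = new ReflectionFunction($fn);
                    $file = (string) $ref->getFileName();
                    $trusted = false;
                    foreach ($trusted_dirs as $dir) {
                        if (strpos($file, rtrim($dir, '/') . '/') === 0) {
                            $trusted = true;
                        }
                    }
                    // Closures created by eval() report a file name ending in "eval()'d code".
                    $evald = strpos($file, "eval()'d code") !== false;
                    if (!$trusted || $evald) {
                        $findings[] = [$hook, $priority, 'closure', $file . ':' . $ref->getStartLine()];
                    }
                } elseif (!is_callable($fn)) {
                    $findings[] = [$hook, $priority, 'unknown callback', is_string($fn) ? $fn : gettype($fn)];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample standing in for the WordPress hook registry.
$hooks = [
    'init'    => [10 => [['function' => 'strtolower']]],
    'wp_head' => [1  => [['function' => function () {}]],
                  99 => [['function' => 'missing_function_xyz']]],
];
foreach (audit_hook_callbacks($hooks, ['/var/www/html/wp-content/plugins']) as $f) {
    echo implode(' | ', $f), "\n";
}
```

Each finding carries the hook name, priority and, for closures, the defining file and line, which is what a reviewer needs to trace the callback back to the plugin or theme that registered it.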

Optional AI Analysis

The plugin includes optional AI-assisted analysis for users who want additional context. When enabled, flagged issues can be sent to an AI model via OpenRouter. The AI helps explain why something was flagged and whether it may be a false positive.

This feature is disabled by default and requires your own API key. The plugin functions fully without AI enabled, and no content is sent to external services unless you explicitly turn this feature on.

Installation Guide

Installing Content Security Audit works the same way as most WordPress plugins. You can upload the plugin ZIP file through the WordPress admin area or install it manually by placing the plugin folder inside your wp-content/plugins directory.

Once activated, the plugin automatically creates the database tables it needs. No additional setup is required before your first scan.

Getting Started After Activation

After activation, a new menu called Security Audit appears in your WordPress dashboard. This menu gives you access to the main dashboard and the settings page.

Before running a scan, it is recommended to visit the settings page and review the default options. This allows you to control what content is scanned and how long scans are allowed to run.

Understanding the Settings

General Settings

The scan time limit controls how long a scan can run before stopping. On shared hosting, a lower value is often safer to prevent timeouts.

Post type settings allow you to choose which content types are included in scans. If your site uses custom post types, you can include or exclude them as needed.

Scan area settings determine whether the plugin scans titles, main content, excerpts, or custom fields. Selecting fewer areas can speed up scans on large sites.

Notification Settings

The plugin can send email summaries after scans complete. You can enter one or more email addresses to receive these reports.

If you use Slack, you can also configure an Incoming Webhook URL. When enabled, the plugin sends real-time alerts whenever an issue is detected during a scan.

AI Analyzer Settings

If you choose to enable AI analysis, you will need to enter your OpenRouter API key and select a model. These settings are only used when AI analysis is turned on and can be disabled at any time.

Running a Scan

To run a manual scan, open the Security Audit dashboard and click the Run Manual Scan button. The plugin will immediately begin scanning based on your current settings.

As the scan runs, you will see a progress bar and status messages showing which items are being checked. This is helpful for large sites where scans may take several minutes.

When the scan finishes, a summary appears showing how many issues were found.

Reviewing Scan Results

All scan results are listed in the main dashboard. Each entry shows what was flagged, where it was found, and what type of issue it is.

You can open any issue to review additional details. If the issue is harmless or expected, you can mark it as ignored. Ignored items will not trigger future alerts.

If you have fixed the issue manually, you can mark it as resolved to keep your dashboard organized.

Understanding System Integrity Results

System integrity issues are clearly labeled so they can be reviewed separately from content issues. These findings often involve WordPress hooks and deserve closer attention, especially on sites that may have been compromised in the past.

If you are unsure about a system hook finding, it is recommended to consult a developer before making changes.

Automated Scans

The plugin schedules daily background scans automatically. These scans run quietly in the background and use your existing settings.

You can adjust scan frequency in the settings if needed. Automated scans follow the same notification rules as manual scans.

Best Practices for Safe Use

It is a good habit to run a scan after installing new plugins or themes. Regular scans also help catch accidental data exposure before it becomes a problem.

Always keep backups before removing or editing suspicious code. The plugin is designed to inform you, not to make changes automatically.

Troubleshooting Common Issues

If a scan stops unexpectedly, try lowering the scan time limit or scanning fewer post types at once. On some hosting environments, increasing PHP execution limits may also help.

If Slack notifications are not working, confirm that the webhook URL is correct and that your server can send outbound HTTPS requests.

If the progress bar appears frozen, refreshing the page usually resolves the issue. The scan continues to run in the background.

Final Thoughts

Content Security Audit gives you clarity and insight into your WordPress site without forcing automated actions. It is designed to support informed decisions, whether you manage a single website or multiple client installations.

Install the plugin, run scans regularly, and keep your WordPress environment transparent and under control.

© 2026 SoftArt. All rights reserved.