# Patchstack Security MCP > Patchstack Security monitors WordPress and PHP installations for vulnerabilities and compliance issues. This MCP lets your AI agent check site software health across dozens of sites, track known CVEs in plugins/themes, and retrieve real-time security alerts from a single chat window. ## Overview - **Category:** security-compliance - **Price:** Free - **Tags:** wordpress-security, vulnerability-tracking, plugin-security, threat-intelligence, patch-management ## Description Using this MCP, you can manage the entire security posture of your WordPress sites without logging into a dozen dashboards. Your AI client directs your agent to monitor all connected sites, providing an instant security overview that pinpoints outdated plugins or themes. Need to know if 'Contact Form 7' has any recent CVEs? Just ask. You can search massive databases for known vulnerabilities in specific components and even check the latest active firewall alerts. If you’re running a large agency or managing client sites, this MCP consolidates site auditing, vulnerability tracking, and patch management into one conversation stream. It gives you immediate visibility into which sites are secure and which need attention. ## Tools ### get_autoupdate_settings Retrieves the current settings that govern automatic security patching of vulnerable components. ### get_component_vulnerabilities Fetches all known vulnerabilities associated with a specific software component or library version. ### get_latest_alerts Pulls the most recent security alerts and any firewall rules that were recently triggered. ### get_latest_vulnerabilities Gathers a list of the newest vulnerabilities added to the Patchstack threat database. ### get_site_software Gets a complete inventory list of all software installed on one specific monitored site. ### get_software_overview Provides a broad security overview, summarizing the health and software status across all your connected sites. ### get_vulnerability_details Delivers detailed technical information for any specific vulnerability you name or reference. ### list_sites Retrieves a comprehensive list and security score summary of every site Patchstack is monitoring. ### search_vulnerabilities Allows you to execute a targeted search query against the entire vulnerability database for specific keywords or CVEs. ## Prompt Examples **Prompt:** ``` List all my monitored sites in Patchstack. ``` **Response:** ``` Fetching sites... I found 3 sites: 'my-blog.com' (Score: 95), 'online-store.net' (Score: 82), and 'dev-site.io' (Score: 100). Would you like to check the software for any of them? ``` **Prompt:** ``` Search for vulnerabilities in the 'Contact Form 7' plugin. ``` **Response:** ``` Searching the database... I found 5 recent vulnerabilities for 'Contact Form 7'. The most severe is an 'Arbitrary File Upload' (CVE-2023-XXXXX) fixed in version 5.7.3. I recommend updating all instances immediately. ``` ## Capabilities ### Audit Site Software Inventory Retrieves a comprehensive list of all installed plugins, themes, and core software versions across your monitored accounts. ### Search Vulnerability Databases Queries the Patchstack database to find known vulnerabilities for specific components or general WordPress parts. ### Review Security Status Across Sites Gets a high-level security score and software overview for every site you manage, allowing quick risk assessment. ### Check Live Threat Alerts Pulls the most recent security alerts and triggered firewall rules to confirm if an attack is happening right now. ### Examine Vulnerability Details Retrieves deep technical information about a specific vulnerability, including recommended fixes or affected versions. ## Use Cases ### Pre-Sale Client Health Check A prospective client asks if their current WordPress installation is secure. You use your agent to run `get_software_overview` across their main site, retrieving a single report that confirms the software versions and highlights any critical outdated components. ### Responding to a Breach Report A client reports suspicious activity. Your agent immediately runs `get_latest_alerts` and cross-references it with `get_site_software` on the affected site, giving you instant confirmation of what was hit and when. ### Routine Agency Compliance Audit It's month-end. You use your agent to run `list_sites`, checking every client for security scores below 90. Then, for the lowest scoring ones, you use `get_component_vulnerabilities` to find the exact offending plugin. ### Development Environment Testing Before merging a new theme, a developer uses your agent with `search_vulnerabilities`. They query the database using the theme's dependencies to ensure no known CVEs exist in the code they are about to ship. ## Benefits - Consolidated Site Auditing: Instead of opening dozens of client dashboards, you can use the `list_sites` tool to get a single security score overview for every site, instantly flagging risks and poor compliance scores. - Deep Vulnerability Research: Need technical proof? Use `search_vulnerabilities` or `get_component_vulnerabilities` to query massive databases directly. You get immediate details on CVEs that would take hours of manual searching. - Real-Time Threat Response: Don't wait for an alert email. With `get_latest_alerts`, your agent pulls the latest security events and triggered firewall rules immediately, giving you a live view of threats. - Proactive Patch Management: Review settings using `get_autoupdate_settings` to confirm if patches are running automatically. You can also use `get_software_overview` to see exactly which components need updating across the board. - Targeted Deep Dives: If a search is too broad, you can narrow it down. Use `get_vulnerability_details` on a specific ID or CVE number for the precise technical info needed by a developer. ## How It Works The bottom line is that you talk to your agent, and it translates complex WordPress security data into simple, actionable text. 1. Subscribe to this MCP and provide your unique Patchstack User Token. 2. Connect your AI client using the token. Your agent can now access all site monitoring data. 3. Ask a natural language question, like 'What are the latest alerts for my dev site?' and get instant security answers. ## Frequently Asked Questions **How do I see the overall health of all my WordPress sites with Patchstack Security MCP?** You run `get_software_overview`. This tool aggregates data from all monitored websites and gives you a single, high-level security score for your entire portfolio. **Can I find out if a specific plugin has been compromised using Patchstack Security MCP?** Yes. Use `search_vulnerabilities` or `get_component_vulnerabilities`. You can search the database by name, version, or even CVE identifier. **What is the difference between alerts and vulnerabilities using Patchstack Security MCP?** Alerts (`get_latest_alerts`) show what happened right now—like a firewall rule being triggered. Vulnerabilities (found via `search_vulnerabilities`) are weaknesses that *could* be exploited. **Does Patchstack Security MCP help me manage automatic updates?** It helps by checking your current settings with `get_autoupdate_settings`. You can confirm if automatic patching is enabled and what components are covered. **Is this better than just using the Patchstack dashboard?** Using this MCP lets you talk to the data. Instead of navigating menus, you ask natural questions like 'List all sites with a score under 80,' and get an instant report.