# WordPress Plugin Auditor MCP

> WordPress Plugin Auditor provides your agent with secure, read-only access to list every plugin on a WordPress site. It returns the name, version number, author, and whether each plugin is active or inactive. Use this MCP for quick security sweeps, compliance checks, and generating detailed maintenance reports without ever needing full admin credentials.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** plugin-management, security-audit, maintenance, vulnerability-scanning, site-health

## Description

Managing multiple client websites means juggling dozens of plugins. You don't want to give your AI agent the master admin password just to check if a couple of things are outdated or inactive. This MCP solves that risk by giving your agent specific, read-only access.

It lets you ask questions like, "Which plugins haven't been used in three months?" and instantly get a structured list detailing every plugin’s status and version. It works entirely on the assumption that the data is for viewing—the AI client can check inventory, but it cannot delete anything or change settings. This secure scoping is vital when dealing with sensitive client sites.

If you're used to manually logging into WordPress dashboards just to pull a list of plugins, this changes that. You connect your preferred agent through Vinkius, and the auditing capability becomes an immediate tool in your workflow, letting you gather all necessary plugin metadata for maintenance reporting or vulnerability assessments without touching a single core file.

## Tools

### audit_wordpress_plugins
Lists all installed WordPress plugins, returning the name, version, author, and current active or inactive status for each one.

## Prompt Examples

**Prompt:** 
```
Can you audit my WordPress site and tell me which plugins are currently inactive?
```

**Response:** 
```
I've audited your site. You have 12 plugins installed, and 2 are currently inactive:

1. Hello Dolly (v1.7.2)
2. Classic Editor (v1.6.3)

I recommend deleting these if you no longer use them to improve security.
```

## Capabilities

### Generate Plugin Inventory
Lists every installed WordPress plugin, providing its name, version number, author, and operational status.

### Identify Inactive Plugins
Checks the site to pinpoint plugins that are currently disabled or unused, helping focus cleanup efforts.

### Create Maintenance Reports
Gathers structured data on all active and inactive components needed for client-facing status reports.

### Audit Security Status
Performs a quick sweep to check plugin statuses, assisting in vulnerability or cleanup planning.

## Use Cases

### Client Onboarding Audit
A development team needs to know every component on a legacy client site before migration. They use `audit_wordpress_plugins` to get an exhaustive list of all plugins, versions, and statuses. This report allows them to scope the migration effort accurately without ever requesting high-level credentials.

### Security Health Check
A security consultant suspects a client has abandoned several old plugins that could be exploited. They run an audit using `audit_wordpress_plugins` and immediately filter the results to show all inactive components, flagging them for immediate removal.

### Routine Maintenance Reporting
A web agency owner needs to send a quarterly report detailing site health. They use the MCP's capabilities to generate a structured summary of all active plugins and their versions, replacing manual data entry with an automated process.

### Pre-Deployment Readiness Check
Before launching a new feature set, the team needs confirmation that no critical dependencies were accidentally disabled. They run an audit to verify all necessary plugins are listed as active and correctly versioned.

## Benefits

- Avoid using full admin passwords for simple checks. This MCP uses native WordPress Application Passwords, ensuring the AI client only reads data and never touches core settings or deletes plugins.
- Stop manual reporting. You can automatically gather a detailed monthly report of all active and inactive plugins, making client communication faster and more reliable.
- Instantly check for security gaps. Quickly identify unused or outdated plugins that pose a vulnerability risk, giving you a clear list for cleanup.
- Speed up the audit process significantly. Instead of clicking through multiple plugin menus, your agent retrieves all necessary metadata in one go.
- Better project scoping. Before building anything, run an audit to understand exactly what components are already active on the client's site.

## How It Works

The bottom line is: you get an instant, comprehensive inventory of every installed plugin's details without needing to log in or risk making changes.

1. Your agent sends a request asking for a site audit, specifying which plugins' data it needs.
2. The MCP securely executes the read-only query against the WordPress environment.
3. You receive a structured list containing all plugin names, versions, authors, and their current active/inactive status.

## Frequently Asked Questions

**Can WordPress Plugin Auditor MCP delete inactive plugins?**
No, this is a purely read-only tool. It can only audit and report the names, versions, and statuses of installed plugins; it cannot perform any deletion or modification actions.

**Does WordPress Plugin Auditor MCP require full admin credentials?**
No. The MCP is designed for secure scoping using native WordPress Application Passwords, meaning you don't have to risk giving out your main administrator password just to read the data.

**What information does audit_wordpress_plugins provide?**
The tool provides four key pieces of metadata for every plugin: its name, version number, who wrote it (author), and whether it is currently active or inactive on the site.

**Can I use WordPress Plugin Auditor MCP for vulnerability scanning?**
Yes. By providing a complete inventory of names and versions, you can feed that data into other security tools to check for known vulnerabilities associated with those specific plugin versions.

**Is this safe for multiple client sites?**
Yes. Because it operates in a read-only capacity using secure scoping methods, it is designed to audit many different WordPress environments without risking data integrity.

**Can the AI install or delete plugins with this tool?**
No. This MCP only calls the `GET` endpoint for plugins. It cannot modify your site's plugin configuration.
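
The vulnerability-scanning and `GET`-only answers above, as an added example that is not the MCP's own code: it builds the read-only request for the WordPress REST plugin list and triages a response for inactive and out-of-date plugins. The sample inventory, the `Example Forms` plugin, the advisory feed and all function names are constructed for illustration.

```python
import base64
import urllib.request

# Constructed sample, shaped like a WordPress REST response to GET /wp-json/wp/v2/plugins.
SAMPLE_PLUGINS = [
    {"plugin": "hello-dolly/hello", "name": "Hello Dolly", "version": "1.7.2",
     "author": "Example Author A", "status": "inactive"},
    {"plugin": "classic-editor/classic-editor", "name": "Classic Editor", "version": "1.6.3",
     "author": "Example Author B", "status": "inactive"},
    {"plugin": "example-forms/example-forms", "name": "Example Forms", "version": "2.4.9",
     "author": "Example Author C", "status": "active"},
]
# Constructed advisory feed for a hypothetical plugin: slug -> first fixed version.
SAMPLE_ADVISORIES = {"example-forms/example-forms": "2.4.10"}


def build_request(site, user, app_password):
    """Build, without sending, the read-only GET request for the plugin list."""
    if not site.startswith("https://"):
        raise ValueError("Basic auth would expose the credential over plain HTTP")
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    req = urllib.request.Request(site.rstrip("/") + "/wp-json/wp/v2/plugins", method="GET")
    req.add_header("Authorization", "Basic " + token)
    return req


def version_key(version):
    """Compare dotted versions numerically, so 2.4.9 sorts below 2.4.10."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def audit(plugins, advisories):
    """Split the inventory into inactive plugins and ones below a fixed version."""
    report = {"inactive": [], "needs_update": []}
    for p in plugins:
        label = f"{p['name']} (v{p['version']})"
        if p["status"] == "inactive":
            report["inactive"].append(label)
        fixed = advisories.get(p["plugin"])
        if fixed and version_key(p["version"]) < version_key(fixed):
            report["needs_update"].append(f"{label} -> {fixed}")
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_PLUGINS, SAMPLE_ADVISORIES))
```

WordPress Application Passwords are not scoped: the credential carries every capability of the user it belongs to, so the read-only property rests on the client sending only `GET` requests.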