Everything below reflects the current release (v1.1.0). Install to a finished risk report is typically under five minutes.
You need WordPress 6.0+ on PHP 7.4+, an administrator login on the site you're assessing, and the plugin zip plus licence key from your purchase email. The scanner is read-only — it assesses and reports, and never modifies the site.
On the site you're assessing, go to Plugins → Add New → Upload Plugin, choose the zip from your purchase email, install and activate. It adds a Takeover Scanner item to the admin menu. It's read-only — it never changes the site.
Open the plugin and paste the key from your purchase email. Keys are domain-based — no account, no phoning home.
The scan runs instantly. The banner shows the Low / Medium / High risk verdict, the risk score, and the recommended support price band for that verdict.
Eleven categories, each with a severity chip and its findings in plain English: versions, plugin estate, conflicts, admin accounts, custom code, cron, database, updates, security, backup debris & exposure, and complexity.
Click Deep scan to ask wordpress.org for each plugin's author update date and tested-up-to version. It takes around thirty seconds — the button shows “Scan running…” while it works — and folds abandoned/untested findings into the Plugin estate category.
Under settings, set your agency branding and the three price bands to match your rate card. Then Preview report for a branded, print-ready PDF (verdict, band, every finding) to attach to your quote.
The screens you'll actually live in.
Low / Medium / High from the weighted score, with the risk percentage and your recommended support band front and centre.
Each scored and colour-chipped by severity, with findings you can read to a client: what's wrong, and how much it matters.
A web-root sweep for .sql / .wpress / .tar.gz dumps, oversized zips, backup folders, an exposed .git directory and readable log files — the liabilities that don't show in the admin.
Author update dates and tested-up-to per plugin, cached for seven days. Flags plugins abandoned 2+ years and ones untested on your WordPress branch — never runs automatically.
Three tiers mapped to Low / Medium / High, set to your rate card. The verdict picks a band and it appears on the dashboard and in the report.
Your logo, colour and agency name, the verdict, the price band and every category finding — print-ready for a quote so a defensive price reads as professional diligence.