Documentation

Setup & everyday use.

Everything below reflects the current release (v1.1.0). Install to a finished risk report is typically under five minutes.

Before you start

You need WordPress 6.0+ on PHP 7.4+, an administrator login on the site you're assessing, and the plugin zip plus licence key from your purchase email. The scanner is read-only — it assesses and reports, and never modifies the site.

Setup, step by step

  1. Install the plugin

    On the site you're assessing, go to Plugins → Add New → Upload Plugin, choose the zip from your purchase email, install and activate. It adds a Takeover Scanner item to the admin menu. It's read-only — it never changes the site.

  2. Enter your licence key

    Open the plugin and paste the key from your purchase email. Keys are domain-based — no account, no phoning home.

  3. Read the verdict

    The scan runs instantly. The banner shows the Low / Medium / High risk verdict, the risk score, and the recommended support price band for that verdict.

  4. Work the category cards

    Eleven categories, each with a severity chip and its findings in plain English: versions, plugin estate, conflicts, admin accounts, custom code, cron, database, updates, security, backup debris & exposure, and complexity.

  5. Run the deep scan (optional)

    Click Deep scan to ask wordpress.org for each plugin's author update date and tested-up-to version. It takes around thirty seconds — the button shows “Scan running…” while it works — and folds abandoned/untested findings into the Plugin estate category.

  6. Set bands & produce the report

    Under settings, set your agency branding and the three price bands to match your rate card. Then Preview report for a branded, print-ready PDF (verdict, band, every finding) to attach to your quote.

Everyday use

The screens you'll actually live in.

The risk verdict

Low / Medium / High from the weighted score, with the risk percentage and your recommended support band front and centre.

The eleven categories

Each scored and colour-chipped by severity, with findings you can read to a client: what's wrong, and how much it matters.

Backup debris & exposure

A web-root sweep for .sql / .wpress / .tar.gz dumps, oversized zips, backup folders, an exposed .git directory and readable log files — the liabilities that don't show in the admin.

The wordpress.org deep scan

Author update dates and tested-up-to per plugin, cached for seven days. Flags plugins abandoned 2+ years and ones untested on your WordPress branch — never runs automatically.

Editable price bands

Three tiers mapped to Low / Medium / High, set to your rate card. The verdict picks a band and it appears on the dashboard and in the report.

Branded PDF report

Your logo, colour and agency name, the verdict, the price band and every category finding — print-ready for a quote so a defensive price reads as professional diligence.

Get WP Takeover Scanner Read the FAQ