Why I built it
If you’ve ever managed more than a handful of WordPress sites, you know the plugin-vuln problem. Every site has its own collection of plugins, every plugin has its own release cycle, and the surface area gets out of hand fast. The traditional answer is to run an active scanner against every site. That works, but it’s loud, it lights up monitoring, and it tends to upset whoever owns the site.
I wanted to know what was vulnerable across the whole estate without ever touching the sites themselves.
How it works
- Pulls every site (and the plugins each one is running) from Pantheon’s Terminus CLI.
- Looks each plugin and version up in the WPScan API. No active scanning, just lookups.
- Maps the findings back to the sites running them and ranks the worst offenders.
- Sends connector-card alerts to MS Teams when something new shows up.
- Drops snapshots into SharePoint so the data feeds a PowerBI dashboard.
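The pipeline above, condensed into one runnable script as an added example (not the author's code). It assumes the plugin inventory comes from `terminus wp <site>.<env> -- plugin list --format=json` (wp-cli JSON with `name`, `status`, `update`, `version` fields) and that a WPScan plugin lookup returns a `vulnerabilities` list whose entries carry `title` and `fixed_in`; both inputs are constructed samples so it runs offline, and the Teams/SharePoint steps are reduced to a "what is new since last run" function that an alert hook would call.

```python
"""Estate-wide WordPress plugin vulnerability lookup (added example, offline)."""
import json
import re
from collections import defaultdict

# Constructed: what `terminus wp <site>.live -- plugin list --format=json`
# prints for two sites (wp-cli JSON shape assumed).
TERMINUS_OUTPUT = {
    "site-a": '[{"name":"contact-form-7","status":"active","update":"available","version":"5.7.0"},'
              '{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
    "site-b": '[{"name":"contact-form-7","status":"active","update":"none","version":"5.8.1"},'
              '{"name":"example-gallery","status":"inactive","update":"none","version":"2.0.3"}]',
}

# Constructed stand-in for WPScan API responses, keyed by plugin slug.
# `fixed_in` None means no fixed release is known, so every version is affected.
ADVISORIES = {
    "contact-form-7": {"vulnerabilities": [{"title": "Constructed issue A", "fixed_in": "5.8.0"}]},
    "akismet": {"vulnerabilities": []},
    "example-gallery": {"vulnerabilities": [{"title": "Constructed issue B", "fixed_in": None}]},
}


def parse_plugin_list(site, json_text):
    """Turn one site's wp-cli JSON into (site, slug, version) tuples."""
    return [(site, p["name"], p["version"]) for p in json.loads(json_text)]


def version_key(version):
    """Compare dotted versions numerically so 5.10 sorts after 5.9, not before."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed_in):
    """Affected when no fix exists or the installed version predates the fix."""
    if fixed_in is None:
        return True
    return version_key(installed) < version_key(fixed_in)


def lookup(slug, advisories=ADVISORIES):
    """Offline stand-in for the per-slug WPScan lookup (a real run would GET
    the WPScan plugin endpoint with an API token; endpoint shape assumed)."""
    return advisories.get(slug, {"vulnerabilities": []})["vulnerabilities"]


def find_findings(inventory):
    """Map each advisory that applies to an installed version back to its site."""
    findings = []
    for site, slug, version in inventory:
        for vuln in lookup(slug):
            if is_vulnerable(version, vuln["fixed_in"]):
                findings.append({"site": site, "plugin": slug, "version": version,
                                 "title": vuln["title"], "fixed_in": vuln["fixed_in"]})
    return findings


def rank_sites(findings):
    """Sites ordered by number of applicable findings, worst first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["site"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def new_findings(findings, seen):
    """Return findings not in `seen` (keys stored by a previous run) and record
    them, so an alert fires once per new site/plugin/advisory, not on every run."""
    fresh = []
    for f in findings:
        key = (f["site"], f["plugin"], f["title"])
        if key not in seen:
            seen.add(key)
            fresh.append(f)
    return fresh


def run(outputs=TERMINUS_OUTPUT):
    """Inventory -> lookups -> findings mapped to sites -> ranking."""
    inventory = [t for site, text in outputs.items() for t in parse_plugin_list(site, text)]
    findings = find_findings(inventory)
    return findings, rank_sites(findings)


if __name__ == "__main__":
    findings, ranking = run()
    for site, n in ranking:
        print(f"{site}: {n} finding(s)")
    for f in findings:
        print(f"  {f['site']} {f['plugin']} {f['version']} -> {f['title']} (fixed in {f['fixed_in']})")
```

The version comparison is the part worth getting right: string comparison would call 5.10 older than 5.9 and miss or invent findings, and a `fixed_in` of null has to be treated as "every version affected" rather than "nothing to compare". Persisting the `seen` set between runs is what turns the lookup into the "alert when something new shows up" behaviour.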
Stack
Python, Pantheon Terminus, WPScan API, pymsteams, pandas, requests.
What it gave us
No active scans across the estate. One place to see overall WordPress risk instead of squinting at it site by site. And trends actually became visible, which had been the part I was missing.
