The uncomfortable truth about most WordPress compromises: the door was already unlocked, publicly, with a sign on it. A plugin shipped a security fix. The CVE went public. The patched version went out. And on one of your client sites, that plugin stayed three versions behind — until an automated scanner found it.
This is an illustration, not a specific customer. It's the shape of the incident that hits agencies who can see updates but not risk.
The window between disclosure and patch
A vulnerability isn't dangerous the day it's written. It's dangerous the day it's disclosed — because disclosure is also when the scanners get the signature. From that moment, every site running the vulnerable version is on a list, and the only thing standing between the list and the incident is how fast you patch.
For one site, you'd probably see the security notice and act. Across fifty client sites with different plugin sets, the notice for the one plugin that matters is buried in fifty dashboards you don't check daily.
Where it bends: see the risk, not just the version
The fix isn't heroics — it's visibility aimed at the right thing:
- Check versions against a vulnerability database, fleet-wide. SiteAgent's
check_vulnerabilitiestool compares installed plugins and themes against the WordPress.org vulnerability data, so a newly disclosed CVE surfaces every affected site at once. - Score the broader posture.
scan_securityreports the ordinary exposure — file-edit lockdown, debug output, SSL, default admin, open registration, PHP version — so you're not just patching one hole while three others stay open. - Then close it, governed. Knowing isn't fixing. Roll the patch out through a health-checked plugin batch that reverts automatically if it breaks, and log who approved it.
The honest boundaries
- These scans read — they tell you where the risk is; they don't patch on their own. Closing the gap is a separate, governed update.
- Automatic rollback covers the plugin batch path. Core and theme patches run governed but without that automatic revert, so keep a recent backup.
- A scan is a point-in-time read. New CVEs land constantly; the value is checking regularly, not once.
The cheapest incident is the one you patched first
You can't out-heroics a compromise at 2am. You can make the vulnerable version visible the day it's disclosed, and close it before it's found. That's the whole game.
Aura's SiteAgent plugin is free and open source; connecting your first site — to see its health, versions, and security posture — takes a minute. The governed patch-and-rollback flow runs on a paid plan. See pricing or read the update-risk teardown.