AI security audits · WordPress 7.0+

Find what an attacker would find — before they do.

Lockora Audit is an AI-powered WordPress plugin that scans your site for vulnerabilities, misconfigurations, and stale dependencies — then explains every finding in plain English, with a one-click fix.

Trusted by agencies running 1,200+ WordPress sites

Found this plugin already installed? Learn what it is and what to do →

What it audits

Every layer an attacker pokes at

Lockora doesn't just diff plugin versions. It reads your site the way an attacker would — configuration, code, content, and credentials.

CVE intelligence

Cross-references every plugin, theme, and core file against the public CVE feed and WordPress's own advisory database — updated daily.

AI configuration review

An LLM reads your wp-config.php, .htaccess, and active hooks to find logic bugs static scanners miss — secrets in code, race conditions, weak nonces.

One-click fixes

Most findings ship with a tested remediation. Approve it from the dashboard and Lockora applies it — with a rollback point, just in case.

Malware & backdoor scan

YARA rules tuned for the most common WordPress shells, fake plugins, and obfuscated PHP — with line-level diffs against the official repo.

Plain-English reports

Every finding has a "what" (the issue), a "why" (the impact), and a "how" (the fix) — written for humans, not just security pros.

Continuous monitoring

Schedule daily, weekly, or post-deploy audits. Get a Slack/email ping the moment a new CVE affects something you have installed.

How it works

Install, scan, fix. In that order.

No agents. No staging clones. No log shipping. Lockora runs inside your WordPress instance — the audit never leaves your server.

Install the plugin

Upload the zip or install from the WP plugin directory. Activates in under 30 seconds.

Run the audit

Click Run audit. Lockora scans core, plugins, themes, database, and uploads. Most sites finish in under 3 minutes.

Review the report

Findings ranked by exploit likelihood, not just CVSS. AI explains each one in the context of your site.

Apply the fixes

Approve one-click fixes, or export the report as a PDF for your developer or hosting provider.

Transparency

What Lockora does — and doesn’t do

Plain answers for anyone who wants to understand the plugin before trusting it with their site.

Lockora does

  • Scans core files, plugins, themes, database, and uploads
  • Cross-references installed versions against public CVE databases
  • Reads configuration files with AI to find logic-level misconfigurations
  • Runs entirely inside your WordPress installation
  • Creates a rollback point before applying any fix
  • Sends only redacted findings to the AI — never raw source code
  • Alerts you when a new CVE affects something you have installed

Lockora does not

  • Change anything without your explicit approval
  • Send raw source code or file contents off your server
  • Apply fixes automatically — every fix is opt-in
  • Require server-level or FTP access
  • Self-install or spread to other sites
  • Store your credentials or API keys
  • Contact your server or scan other sites

Not sure why you have this plugin? See “Is Lockora installed on your site?” →

Powered by AI

An audit that reads your code, not just its version number.

Lockora's audit engine is built on Anthropic's Claude. It looks at the actual code in your custom theme, your active hooks, and your wp-config.php — reasoning about behavior, not just matching strings.

How the AI works →

FAQ

Honest answers to fair questions.

Does my site code leave my server?

The plugin runs locally inside your WordPress installation. Only redacted findings — never raw source — are sent to the AI for reasoning, and you can disable that entirely on Pro and Agency plans.

How is this different from Wordfence or Sucuri?

Those tools are great at signature-based scanning — Wordfence and Sucuri both do that well. Lockora adds AI-driven configuration review on top: it can spot logic problems (wrong file permissions, weak nonces, secrets in code) that signature scanners cannot.

Will running the audit slow my site down?

No. The audit runs in a background process and throttles itself if your server load spikes. The average site finishes a full scan in under three minutes.

What if Lockora's “one-click fix” breaks something?

Every fix creates a rollback point first. If anything goes sideways, you can revert it with a single click — or Lockora will revert automatically if it detects an HTTP 5xx after the change.

Do you support WordPress multisite?

Yes, on the Agency plan. The plugin installs network-wide and surfaces a per-site dashboard with role-based access.

Who is behind Lockora Audit?

Lockora Audit is built by a German BSI-aligned certified cybersecurity specialist with 8 years of hands-on experience auditing several hundred WordPress websites across agencies, ecommerce stores, publishers, membership sites, and custom business platforms. Questions? hello@lockora-audit.com

Using the plugin

How do I tell if Lockora Audit is installed on my site?

Go to WP Admin → Plugins → Installed Plugins and look for “Lockora Audit” in the list. If it’s there, it is installed. If it shows as “Active”, it is currently running. Found it unexpectedly? See our full guide for site owners who did not install it themselves →

How do I run my first audit after installing?

After activating the plugin, click Lockora Audit in your WordPress admin sidebar to open the dashboard, then click Run audit. The scan takes under three minutes for most sites. See the step-by-step getting-started guide if you want a walkthrough of reading the report and applying your first fix.

How do I uninstall or deactivate Lockora Audit?

Go to WP Admin → Plugins → Installed Plugins, find Lockora Audit, click Deactivate, then click Delete. This removes only the plugin’s own files — it does not affect your posts, media, users, or any other site content.

Does it run automatically, or only when I click?

By default, the audit only runs when you click Run audit. You can optionally schedule automatic scans (daily, weekly, or after plugin/theme updates) in the plugin settings. Even with scheduled scans, no fixes are ever applied automatically — every fix requires your approval.

What WordPress permissions does Lockora Audit need?

Lockora Audit requires the Administrator role to run audits and view reports. It needs read access to your WordPress files and database to perform the scan. It does not require FTP credentials, SSH access, or any server-level configuration.

Audit your site in the next three minutes.

Install the plugin from the WordPress directory and start with a guided audit workflow.