Lockora Audit is an AI-powered WordPress plugin that scans your site for vulnerabilities, misconfigurations, and stale dependencies — then explains every finding in plain English, with a one-click fix.
Lockora doesn't just diff plugin versions. It reads your site the way an attacker would — configuration, code, content, and credentials.
Cross-references every plugin, theme, and core file against the public CVE feed and WordPress's own advisory database — updated daily.
An LLM reads your wp-config.php, .htaccess, and active hooks to find logic bugs static scanners miss — secrets in code, race conditions, weak nonces.
Most findings ship with a tested remediation. Approve it from the dashboard and Lockora applies it — with a rollback point, just in case.
YARA rules tuned for the most common WordPress shells, fake plugins, and obfuscated PHP — with line-level diffs against the official repo.
Every finding has a "what" (the issue), a "why" (the impact), and a "how" (the fix) — written for humans, not just security pros.
Schedule daily, weekly, or post-deploy audits. Get a Slack/email ping the moment a new CVE affects something you have installed.
No agents. No staging clones. No log shipping. Lockora runs inside your WordPress instance — the audit never leaves your server.
Upload the zip or install from the WP plugin directory. Activates in under 30 seconds.
Click Run audit. Lockora scans core, plugins, themes, database, and uploads. Most sites finish in under 3 minutes.
Findings ranked by exploit likelihood, not just CVSS. AI explains each one in the context of your site.
Approve one-click fixes, or export the report as a PDF for your developer or hosting provider.
Plain answers for anyone who wants to understand the plugin before trusting it with their site.
Lockora's audit engine is built on Anthropic's Claude. It looks at the actual code in your custom theme, your active hooks, and your wp-config.php — reasoning about behavior, not just matching strings.
The plugin runs locally inside your WordPress installation. Only redacted findings — never raw source — are sent to the AI for reasoning, and you can disable that entirely on Pro and Agency plans.
Those tools are great at signature-based scanning — Wordfence and Sucuri both do that well. Lockora adds AI-driven configuration review on top: it can spot logic problems (wrong file permissions, weak nonces, secrets in code) that signature scanners cannot.
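To make the configuration-review idea concrete, here is an added Python example (not Lockora's code; the plugin's own checks are not published on this page) that inspects a wp-config.php body for placeholder or low-entropy keys and salts and flags a file mode that leaves the config readable or writable by other accounts. The sample config, the 32-character threshold and the message wording are assumptions.

```python
import re
import stat

# Placeholder WordPress ships in wp-config-sample.php for every key and salt.
DEFAULT_PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
MIN_KEY_LEN = 32  # assumed threshold; WordPress's own generator emits 64 chars
# Matches define('NAME', 'value') in either quote style (assumed config format).
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)""")

def parse_defines(source):
    """Return {constant: value} for every quoted define() in the config body."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(source)}

def audit_keys(source):
    """Flag keys/salts that are missing, still the placeholder, or low-entropy."""
    findings, defines = [], parse_defines(source)
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == DEFAULT_PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_KEY_LEN or len(set(value)) < 8:
            findings.append(f"{name}: weak ({len(value)} chars)")
    return findings

def audit_permissions(mode):
    """Flag a wp-config.php mode (st_mode & 0o777) that exposes the file."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("wp-config.php is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("wp-config.php is writable by group or others")
    return findings

# Constructed sample: one placeholder key, one short key, one sound key, rest missing.
SAMPLE_CONFIG = """<?php
define('AUTH_KEY',      'put your unique phrase here');
define('LOGGED_IN_KEY', 'abc123');
define('NONCE_KEY',     'Vq7#pLm2!xR9@tK4$wZ8&yB1*nH5^cJ3(dF6)gS0');
"""

if __name__ == "__main__":
    for line in audit_keys(SAMPLE_CONFIG) + audit_permissions(0o644):
        print(line)
```

Run against a real install, you would read the file with `open()` and take the mode from `os.stat(path).st_mode & 0o777`; a 0o600 file owned by the web server user produces no permission finding.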
No. The audit runs in a background process and throttles itself if your server load spikes. The average site finishes a full scan in under three minutes.
Every fix creates a rollback point first. If anything goes sideways, you can revert it with a single click — or Lockora will revert automatically if it detects an HTTP 5xx after the change.
Yes, on the Agency plan. The plugin installs network-wide and surfaces a per-site dashboard with role-based access.
Lockora Audit is built by a German BSI-aligned certified cybersecurity specialist with 8 years of hands-on experience auditing several hundred WordPress websites across agencies, ecommerce stores, publishers, membership sites, and custom business platforms. Questions? hello@lockora-audit.com
Using the plugin
Go to WP Admin → Plugins → Installed Plugins and look for “Lockora Audit” in the list. If it’s there, it is installed. If it shows as “Active”, it is currently running. Found it unexpectedly? See our full guide for site owners who did not install it themselves →
After activating the plugin, click Lockora Audit in your WordPress admin sidebar to open the dashboard, then click Run audit. The scan takes under three minutes for most sites. See the step-by-step getting-started guide if you want a walkthrough of reading the report and applying your first fix.
Go to WP Admin → Plugins → Installed Plugins, find Lockora Audit, click Deactivate, then click Delete. This removes only the plugin’s own files — it does not affect your posts, media, users, or any other site content.
By default, the audit only runs when you click Run audit. You can optionally schedule automatic scans (daily, weekly, or after plugin/theme updates) in the plugin settings. Even with scheduled scans, no fixes are ever applied automatically — every fix requires your approval.
Lockora Audit requires the Administrator role to run audits and view reports. It needs read access to your WordPress files and database to perform the scan. It does not require FTP credentials, SSH access, or any server-level configuration.
Install the plugin from the WordPress directory and start with a guided audit workflow.