WPHammer
Log in
  • Vulnerability status
  • Update suppression
  • Related

    • Plugin Management

    Plugins are the most common source of both functionality and risk in WordPress. WPHammer tracks every plugin across your sites — version, status, available updates, and known vulnerabilities — so you can manage updates confidently and respond to security issues quickly.

    Plugin inventory

    When inventory collection is enabled, WPHammer collects plugin data from each site via WP-CLI. Each plugin record includes:

    • Name — the display name of the plugin
    • Slug — the WordPress.org identifier (e.g., wordfence, akismet)
    • Version — the currently installed version
    • Status — whether the plugin is active or inactive
    • Update available — whether a newer version exists

    The WordPress dashboard shows plugins aggregated across all sites, so you can see at a glance which plugins are most widely installed and which have pending updates.

    Plugin actions

    From the site detail page, you can manage individual plugins:

    Update

    Update a plugin to the latest available version. Updates are executed via WP-CLI on the server. The action runs as a background job so it does not block your session.

    Activate and deactivate

    Toggle a plugin between active and inactive states. Deactivating a plugin disables it without removing its files — useful for troubleshooting compatibility issues.

    Delete

    Remove a plugin entirely from the site. This deletes the plugin files from the server. Use with care — deleted plugins need to be reinstalled if you want them back.

    Vulnerability status

    WPHammer checks installed plugins against the Wordfence Intelligence vulnerability database. Each plugin slug and version is matched against known CVEs to determine:

    • Whether the installed version has any known vulnerabilities
    • The severity of each vulnerability (critical, high, medium, low)
    • The CVE identifier for reference
    • The affected version range
    • Whether a patched version is available

    Vulnerability data is cached for 24 hours and refreshed automatically. Plugins with known vulnerabilities are flagged in both the plugin inventory and the security findings view.

    Patch status

    Each vulnerability finding includes a patch status:

    • Patchable — an updated version exists that fixes the vulnerability. Updating the plugin resolves the finding.
    • Unpatched — no fix is available yet. Monitor for an update from the plugin author.
    • Abandoned — the plugin appears to be unmaintained. Consider replacing it with an alternative.

    Update suppression

    If you intentionally run a specific plugin version — for compatibility, customization, or testing reasons — you can create an update suppression rule to hide it from update counts and bulk workflows. Suppression rules are managed at the team level and match by plugin slug and optionally version.

    Related