=== Folder Auditor & Site Lock === Contributors: wpfixit Donate link: https://www.wpfixit.com Tags: security, folder permissions, site lock, file permissions Requires at least: 5.0 Tested up to: 6.8 Requires PHP: 7.4 Stable tag: 3.2 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html Audit your site for unused or orphaned folders. == Description == **Folder Auditor & Site Lock** helps WordPress administrators keep their installations clean and secure. Over time, it’s common for orphaned plugin or theme folders to build up in your wp-content directory. These stray folders may be the result of incomplete uninstallations, leftover files from updates, or abandoned code that was never fully removed. While they might seem harmless at first glance, they can create confusion, waste storage space, and in some cases pose a serious security risk. Hackers often exploit these forgotten folders by hiding backdoors or malicious scripts inside them, knowing that site owners rarely check for or even notice such files. An orphaned folder can act as an open invitation for unauthorized access, giving attackers a quiet place to operate undetected. By identifying and removing these unused folders, you not only keep your WordPress installation clean and organized but also close off potential entry points that could otherwise be used to compromise your site. The Folder Auditor plugin makes this process simple, scanning your directories to uncover anything that doesn’t belong and highlighting it for review before it becomes a problem. **SITE LOCK - Only found here!** One of the easiest ways for a hacked user to damage your site is by adding or changing the physical files that WordPress relies on. If attackers can place hidden scripts, modify plugin or theme files, or inject malicious code, they gain the power to compromise your entire site. The Site Lock feature in Folder Auditor protects against this by allowing you to lock all folders and files in your installation and make them read-only. Once locked, no new files can be added, no existing files can be changed, and nothing can be removed. This ensures that the foundation of your WordPress site remains untouched, even if someone attempts to exploit vulnerabilities or gain access. When updates or changes are needed, you can unlock the system with a single action, perform your updates, and then reapply the lock. This simple but powerful safeguard gives you complete control over your site’s file structure and adds a layer of security that goes beyond what most WordPress plugins offer. This plugin scans the following directories: - WordPress Root (main installation folder) - wp-content Folder (wp-content/) - Plugins Folder (wp-content/plugins/) - Themes Folder (wp-content/themes/) - Uploads Folder (wp-content/uploads/) - htaccess files Folder Auditor takes a disk-first approach. It crawls your entire WordPress installation and inventories every single file and folder, not just plugins and themes. Everything is presented in a clear interface where you can open items to view their contents, mark them to ignore, delete them if they are not needed, or download a copy for backup or investigation. Because it works directly from what is actually on disk, you are never limited by what WordPress shows in the admin. You can quickly spot unfamiliar files, tidy up leftovers from old plugins or themes, and pull down suspicious items for review, all without leaving the dashboard. It provides a fast and transparent way to see exactly what is on your server and take action immediately. **Key Features** - Finds plugin folders not listed on the Plugins screen (hidden or orphaned) Scans for plugin folders that exist in your WordPress installation but aren’t showing on the Plugins screen. - Detects missing plugin folders referenced by active or installed plugins Identifies when active or installed plugins are missing their associated folders. - Lists top-level folders and files in key WordPress directories Displays top-level files and folders within critical WordPress directories for easy auditing. - Fully lock all folders and files to make them read only Lets you make all folders and files read-only for maximum protection. - Configure security headers Adds and manages HTTP security headers to harden your site against common threats. - Configure user security Provides settings to strengthen account and login security for WordPress users. - Zero configuration setup Works right after install and activation—no complex setup required. == Installation == 1. Upload the plugin files to the /wp-content/plugins/folder-auditor directory, or install via the WordPress Plugins screen directly. 2. Activate the plugin through the **Plugins** screen in WordPress. 3. Navigate to **Tools > Folder Auditor** to begin auditing your site. == Frequently Asked Questions == = Why do I need this plugin? = Hidden or leftover folders can sometimes indicate incomplete uninstalls or even malicious code. This plugin helps you identify them. = Does it automatically delete orphaned folders? = No. Folder Auditor is strictly an auditing tool. It shows you what exists so you can make informed decisions. = Will this slow down my site? = No. All operations run only when you open the Tools > Folder Auditor screen. Nothing runs on the frontend. = Does it work on multisite? = Currently designed for single-site installs. Multisite support may be added in the future. == Screenshots == 1. **Dashboard tab** showing score and all folder issues present on your site. 2. **Main tab** for auditing your root WordPress install directory. 3. **Content tab** for auditing your wp-content directory. 4. **Plugins tab** potentially hidden or orphaned plugin directories. 5. **Themes tab** for auditing your themes directory. 6. **Uploads tab** for auditing your uploads directory. 7. **htaccess tab** for auditing your htaccess files. 8. **Security tab** for locking down your site. 9. **Site Lock Notice** notifying users when enabled. == Changelog == = 3.2 = * Added items locked to dashboard display = 3.1 = * Fixed Site Health issue when Site Lock is on = 3.0 = * Added user security settings to lock down account attacks = 2.9.4 = * Added Site Lock under Tools menu * Added area for new settings tab * Added drop down to security tab * Style changes = 2.9.3 = * Corrected bulk delete actions = 2.9.2 = * Enhanced Site Lock conditioning = 2.9.1 = * Fixed conflict with WP Rollback = 2.9 = * Added view file action buttons = 2.8 = * UI improvements = 2.7 = * Fixed security header defaults = 2.6 = * Fixed bulk ignore and delete functions = 2.5 = * Added security area to lock folders and files and set security headers = 2.0 = * New UI = 1.3.1 = * Improved plugin header and descriptions. * Added Author URI and GPL license URI. * Enhanced escaping for better security compliance. = 1.3.0 = * Added auditing of wp-content and WordPress root folder. * Improved error handling for unreadable directories. = 1.2.0 = * Added uploads and themes auditing. * Improved plugin rows to match Plugins screen exactly. = 1.0.0 = * Initial release. Added plugin folder auditing. == Upgrade Notice == = 3.2 = * Added items locked to dashboard display = 3.1 = * Fixed Site Health issue when Site Lock is on = 3.0 = * Added user security settings to lock down account attacks = 2.9.4 = * Added Site Lock under Tools menu * Added area for new settings tab * Added drop down to security tab * Style changes = 2.9.3 = * Corrected bulk delete actions = 2.9.2 = * Enhanced Site Lock conditioning = 2.9.1 = * Fixed conflict with WP Rollback = 2.9 = * Added view file action buttons = 2.8 = * UI improvements = 2.7 = * Fixed security header defaults = 2.6 = * Fixed bulk ignore and delete functions = 2.5 = * Added security area to lock folders and files and set security headers = 2.0 = * New UI = 1.3.1 = * Improved plugin metadata, compliance with WordPress security standards, and better overall description. Update recommended.