Descripción
Pluginventory is the lightweight connector plugin that links your WordPress site to your Pluginventory account. Once installed and paired, it sends a daily signed report so you can see every plugin across every site you manage — all in one place. Rest easy: it can’t change or update your plugins but is only used for reporting.
Perfect for agencies and freelancers managing multiple WordPress sites.
If you manage more than a few WordPress sites, it’s easy to forget which plugins are running where — especially when clients can install anything themselves. And when a site goes down, plugins are almost always the reason: Patchstack’s 2026 security report found that 91% of new WordPress vulnerabilities came from plugins, not themes.
Managing plugins across multiple sites on different servers makes this even harder. Without the right tool, you’re either logging into each one, or finding out something’s wrong when a client calls.
Pluginventory gives you a single dashboard to see every plugin across every WordPress site you manage. Search any plugin instantly. Spot what’s outdated, inactive, or recently added. Know exactly where to act — without logging into a single site or compromising your security.
What it does
- Sends a daily HMAC-signed report of your installed plugins, their versions, active/inactive status, and available updates — transmitted over HTTPS
- Lets you trigger an on-demand report at any time from the Pluginventory dashboard or directly from your WordPress admin
- Works on single-site and multisite (subdomain and subdirectory) WordPress installs
- Fully supports network-wide activation with a dedicated Network Admin settings screen for bulk pairing and reporting
What it does NOT do
- It cannot install, update, activate, deactivate, or delete any plugins on your site
- It does not collect or transmit any personally identifiable information
- It does not run any code on your site’s front end
How it works
- Install and activate this plugin on your WordPress site
- Log in to your Pluginventory account at app.pluginventory.com
- Generate an Install Token from your account page
- Paste the token into the Pluginventory settings screen and click Pair Site
- Your site is now connected — reports will be sent automatically every day
Security
All reports are authenticated with an HMAC-SHA256 signature using a secret that is unique to your site and generated at pairing time. Your Pluginventory account verifies this signature before accepting any report. Tokens are stored as WordPress options and are never exposed in your site’s HTML or source. All communication requires HTTPS — non-HTTPS App URLs are blocked.
Multisite support
When network-activated, Pluginventory adds a Network Admin > Settings > Pluginventory screen where you can:
- Set shared App URL and Install Token defaults for all subsites
- Bulk pair all subsites with one click
- Bulk send reports for all subsites
- Pair or trigger individual subsites from the same screen
Privacy Policy / External Service Disclosure
This plugin transmits data to an external service (Pluginventory) in order to function. This section discloses what data is sent, when, where, and why — as required by WordPress.org plugin guidelines.
What data is sent
When a report is triggered (automatically or manually), the following data is transmitted:
Site-level data:
- Your site’s URL (home URL) and site name
- A stable per-install UUID (generated locally, used to identify your WordPress installation)
- A timestamp of when the report was generated
- PHP version running on your server
- WordPress version, and whether a core update is available (including the available version number)
- Database server version
- WordPress memory limit setting
- Environment type (production, staging, development, or local)
- Active theme name, version, slug, and whether it is a child theme (including parent theme name if applicable)
- On multisite installs: network ID and blog ID
Per-plugin data (for each installed plugin):
- Plugin name, slug, file path, and version
- Active or inactive status
- Whether an update is available, and the latest available version if applicable
- Plugin author name
- Minimum PHP and WordPress version requirements declared by the plugin
- Plugin URI (homepage URL declared by the plugin)
- Approximate install or last-update date (based on file modification time)
No usernames, email addresses, passwords, post content, or any personally identifiable information is ever included in reports.
When data is sent
Data is only sent after you have completed the pairing process by entering a valid Install Token and clicking Pair Site. Before pairing, no data leaves your site. After pairing, data is sent:
- Once per day via a scheduled WordPress cron event
- Immediately when you click Send Test Report in the settings screen
- When triggered remotely from your Pluginventory dashboard using the Remote Trigger Token
Where data is sent
Data is sent to the Pluginventory service at the App URL you configure during pairing (default: https://app.pluginventory.com). Reports are POSTed to {App URL}/webhook/report and pairing requests are sent to {App URL}/webhook/pair. All requests require HTTPS.
Third-party service information
- Service: Pluginventory
- Website: https://pluginventory.com
- Privacy Policy: https://pluginventory.com/privacy
- Terms of Service: https://pluginventory.com/terms
Capturas
Instalación
Automatic installation
- Go to Plugins > Add New in your WordPress admin
- Search for Pluginventory
- Click Install Now, then Activate
- Go to Settings > Pluginventory and follow the pairing instructions
Manual installation
- Download the plugin zip file
- Go to Plugins > Add New > Upload Plugin
- Upload the zip file and click Install Now, then Activate
- Go to Settings > Pluginventory and follow the pairing instructions
Multisite / Network installation
- Upload and network-activate the plugin from Network Admin > Plugins
- Go to Network Admin > Settings > Pluginventory
- Enter your App URL and Install Token, save defaults, then click Pair All Subsites
Preguntas frecuentes
-
Do I need a Pluginventory account?
-
Yes. This plugin is the connector between your WordPress site and your Pluginventory account. You can create an account at pluginventory.com.
-
Is there a free plan?
-
Please visit pluginventory.com for current pricing and plan details.
-
What data is sent in the report?
-
Each daily report includes: your site’s URL and name, a timestamp, PHP version, WordPress version (and whether a core update is available), database version, WordPress memory limit, environment type (production/staging/development/local), and your active theme’s name, version, and slug. For each installed plugin: name, slug, file path, version, author, active/inactive status, whether an update is available, the latest available version, minimum PHP and WordPress version requirements, and an approximate install date. On multisite installs, network ID and blog ID are also included. No user data, post content, or personally identifiable information is ever sent. See the Privacy Policy section for full details.
-
Is the data sent securely?
-
Yes. Reports are transmitted over HTTPS and authenticated with an HMAC-SHA256 signature. Your Pluginventory account verifies the signature on every report before processing it. Non-HTTPS App URLs are blocked.
-
Can this plugin change or delete my plugins?
-
No. Pluginventory is read-only. It can only report on what is installed. It has no ability to install, update, activate, deactivate, or remove any plugins.
-
What happens when I deactivate the plugin?
-
The daily scheduled report is cancelled and any temporary rate-limit data is cleared. Your pairing secrets and settings are preserved so you can reactivate without needing to re-pair.
-
What happens when I delete the plugin?
-
All plugin data is completely removed from your database, including all settings, secrets, tokens, and scheduled tasks.
-
Does this work with WordPress Multisite?
-
Yes, fully. See the Multisite section under Installation above.
-
Can I trigger a report manually?
-
Yes. From the Pluginventory settings page, click Send Test Report to fire an immediate report. You can also trigger reports remotely from your Pluginventory dashboard using the Remote Trigger Token.
-
I paired my site but the report shows an error. What should I do?
-
The settings page shows the last report status including the HTTP response code and a diagnostic hint. Common fixes:
404: Click Pair Site again to re-pair.
403: Your webhook secret may have expired; re-pairing will refresh it.
Connection error: Check that your server can make outbound HTTPS requests.
Reseñas
No hay reseñas para este plugin.
Colaboradores y desarrolladores
Este software es de código abierto. Las siguientes personas han contribuido a este plugin.
Colaboradores
Traduce “Pluginventory” a tu idioma.
¿Interesado en el desarrollo?
Revisa el código, echa un vistazo al repositorio SVN o suscríbete al registro de desarrollo por RSS.
Registro de cambios
1.2.0
- Renamed all internal prefixes from
pc_topluginventory_for WordPress.org compliance (includes options, classes, constants, cron hooks, CSS classes, and file names) - Added automatic migration routine: existing installs seamlessly transition to new prefix with no re-pairing required
- Moved all inline CSS/JS to properly enqueued external files (assets/pluginventory-admin.css and assets/pluginventory-admin.js)
- Removed forced wp_update_plugins() call from report generation — now reads cached transient only, eliminating unnecessary outbound HTTP requests
- Removed unnecessary flush_rewrite_rules() from activation and deactivation hooks
- Fixed nonce verification order in manual report handler — nonce is now checked before reading superglobal values
- Fixed unsanitized $_REQUEST usage in AJAX handler — now uses $_POST with proper sanitization
- Fixed duplicate “Settings” link on Plugins page (was registered in both main class and settings class)
- Replaced direct SQL query in uninstall.php with get_sites() API call
- Simplified HMAC signature generation (removed redundant bin2hex/raw_output round-trip)
- Removed bundled screenshot files from plugin package (belong in SVN assets/ directory)
- Added Plugin URI header
- Removed display:none on core WordPress admin notices
1.1.4
- Fix: Removed deprecated load_plugin_textdomain() — WordPress auto-loads translations since 4.6
- Fix: Replaced mt_rand() with wp_rand()
- Fix: Wrapped wp_die() strings with esc_html__()
- Fix: Added translators comments on all sprintf() i18n strings
- Fix: Ordered printf placeholders (%1$d, %2$d) in bulk action messages
- Fix: Added wp_unslash() to $_SERVER header reads
- Fix: Added phpcs:ignore on display-only GET params in network admin
- Fix: Updated Tested up to: 6.9
1.1.3
- Added: PHP version, WordPress version, and database version now included in every report
- Added: WordPress core update availability flag (bool + available version) sent with each report
- Added: Environment type (production/staging/development/local) sent with each report
- Added: WordPress memory limit sent with each report
- Added: Active theme name, version, slug, and parent theme info sent with each report
- Added: Per-plugin author, minimum PHP requirement, minimum WP requirement fields
- Added: Per-plugin installed_at timestamp (file modification date — reflects install or last update)
1.1.2
- Security: REST trigger endpoint now POST-only for authenticated requests; GET returns a public health-check ping with no token required and no report sent
- Security: Remote trigger token now accepted via HTTP header or JSON body only — query-string token support removed to prevent secrets appearing in server logs
- Fixed: all admin redirects now use wp_safe_redirect() instead of wp_redirect()
- Fixed: compatibility check error strings are now translatable
- Fixed: error_log() call now only fires when WP_DEBUG_LOG is enabled
- Added: screenshot files for WordPress.org plugin directory listing
1.1.1
- Fixed: readme wording corrected from “encrypted” to “HMAC-signed / authenticated over HTTPS”
- Fixed: uninstall.php now properly clears scheduled cron events on plugin deletion
- Fixed: App URL now enforces HTTPS — HTTP URLs are rejected with a clear admin error
- Fixed: daily report is no longer scheduled on activation; scheduling now happens only after successful pairing
- Fixed: install token is now only saved after pairing succeeds
- Added: Privacy Policy / External Service Disclosure section in readme (WordPress.org requirement)
1.1.0
- Added multisite Network Admin screen with bulk pair and bulk send actions
- Added per-install UUID to prevent network ID collisions across separate installs
- Added pairing diagnostics with HTTP error hints on the settings screen
- Added remote trigger endpoint (REST API + AJAX fallback) for dashboard-initiated scans
- Improved App URL handling with automatic migration from legacy hosts
- Fixed double hook registration for reporter and settings bootstrap
- Fixed Author header format for WordPress.org compliance
- Added License headers
0.3.3
- Initial public release
- Daily cron reporting with HMAC-SHA256 signing
- Settings screen with pairing flow
- Manual report trigger with nonce verification