{"id":291335,"date":"2026-06-16T22:07:18","date_gmt":"2026-06-16T22:07:18","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/pluginventory\/"},"modified":"2026-06-16T22:29:49","modified_gmt":"2026-06-16T22:29:49","slug":"pluginventory","status":"publish","type":"plugin","link":"https:\/\/mg.wordpress.org\/plugins\/pluginventory\/","author":23462406,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.2.0","stable_tag":"1.2.0","tested":"6.9.4","requires":"5.0","requires_php":"7.4","requires_plugins":null,"header_name":"Pluginventory","header_author":"Pluginventory Team","header_description":"A user-friendly dashboard that tracks all your plugins across all your sites. This lightweight plugin sends daily status reports to your Pluginventory account.","assets_banners_color":"c7d2d4","last_updated":"2026-06-16 22:29:49","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/pluginventory.com","header_author_uri":"https:\/\/www.pluginventory.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":113,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.2.0":{"tag":"1.2.0","author":"pluginventoryteam","date":"2026-06-16 22:29:49"}},"upgrade_notice":{"1.2.0":"<p>WordPress.org compliance update. All internal prefixes renamed from pc_ to pluginventory_. Existing installs are automatically migrated \u2014 no re-pairing required. CSS\/JS properly enqueued, unnecessary outbound requests removed. Recommended update for all users.<\/p>","1.1.2":"<p>Security hardening: REST trigger is now POST-only with header-based token auth. All admin redirects use wp_safe_redirect(). Recommended update for all users.<\/p>","1.1.1":"<p>Recommended update for all users. Fixes cron scheduling, enforces HTTPS for the App URL, and adds required privacy disclosure. No re-pairing required.<\/p>","1.1.0":"<p>Recommended update for all users. Adds multisite bulk management, improved diagnostics, and security hardening. No re-pairing required for existing single-site installs.<\/p>"},"ratings":[],"assets_icons":{"icon.svg":{"filename":"icon.svg","revision":3575030,"resolution":false,"location":"assets","locale":false}},"assets_banners":{"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":3575030,"resolution":"1544x500","location":"assets","locale":"","width":1550,"height":502},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":3575030,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.2.0"],"block_files":[],"assets_screenshots":{"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":3575030,"resolution":"1","location":"assets","locale":"","width":2000,"height":2081},"screenshot-2.jpg":{"filename":"screenshot-2.jpg","revision":3575030,"resolution":"2","location":"assets","locale":"","width":2500,"height":1401},"screenshot-3.jpg":{"filename":"screenshot-3.jpg","revision":3575030,"resolution":"3","location":"assets","locale":"","width":2500,"height":1613},"screenshot-4.jpg":{"filename":"screenshot-4.jpg","revision":3575030,"resolution":"4","location":"assets","locale":"","width":2500,"height":1383}},"screenshots":{"1":"Settings page for this WordPress connector plugin","2":"Pluginventory Matrix - an intuitive, visual 'spreadsheet' of plugin use across all your sites","3":"Pluginventory Dashboard - a quick overview of your plugins, sites, updates, recent changes","4":"Dialogue Box - add tags, notes and reminders about individual plugins"}},"plugin_section":[],"plugin_tags":[5590,8533,5603,441,2391],"plugin_category":[51,54],"plugin_contributors":[267402],"plugin_business_model":[],"class_list":["post-291335","plugin","type-plugin","status-publish","hentry","plugin_tags-agency","plugin_tags-audit","plugin_tags-monitoring","plugin_tags-multisite","plugin_tags-plugins","plugin_category-multisite","plugin_category-security-and-spam-protection","plugin_contributors-pluginventoryteam","plugin_committers-pluginventoryteam"],"banners":{"banner":"https:\/\/ps.w.org\/pluginventory\/assets\/banner-772x250.jpg?rev=3575030","banner_2x":"https:\/\/ps.w.org\/pluginventory\/assets\/banner-1544x500.jpg?rev=3575030","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":"https:\/\/ps.w.org\/pluginventory\/assets\/icon.svg?rev=3575030","icon":"https:\/\/ps.w.org\/pluginventory\/assets\/icon.svg?rev=3575030","icon_2x":false,"generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/pluginventory\/assets\/screenshot-1.jpg?rev=3575030","caption":"Settings page for this WordPress connector plugin"},{"src":"https:\/\/ps.w.org\/pluginventory\/assets\/screenshot-2.jpg?rev=3575030","caption":"Pluginventory Matrix - an intuitive, visual 'spreadsheet' of plugin use across all your sites"},{"src":"https:\/\/ps.w.org\/pluginventory\/assets\/screenshot-3.jpg?rev=3575030","caption":"Pluginventory Dashboard - a quick overview of your plugins, sites, updates, recent changes"},{"src":"https:\/\/ps.w.org\/pluginventory\/assets\/screenshot-4.jpg?rev=3575030","caption":"Dialogue Box - add tags, notes and reminders about individual plugins"}],"raw_content":"<!--section=description-->\n<p>Pluginventory is the lightweight connector plugin that links your WordPress site to your Pluginventory account. Once installed and paired, it sends a daily signed report so you can see every plugin across every site you manage \u2014 all in one place. Rest easy: it can't change or update your plugins but is only used for reporting.<\/p>\n\n<p><strong>Perfect for agencies and freelancers managing multiple WordPress sites.<\/strong><\/p>\n\n<p>If you manage more than a few WordPress sites, it's easy to forget which plugins are running where \u2014 especially when clients can install anything themselves. And when a site goes down, plugins are almost always the reason: Patchstack's 2026 security report found that 91% of new WordPress vulnerabilities came from plugins, not themes.<\/p>\n\n<p>Managing plugins across multiple sites on different servers makes this even harder. Without the right tool, you're either logging into each one, or finding out something's wrong when a client calls.<\/p>\n\n<p>Pluginventory gives you a single dashboard to see every plugin across every WordPress site you manage. Search any plugin instantly. Spot what's outdated, inactive, or recently added. Know exactly where to act \u2014 without logging into a single site or compromising your security.<\/p>\n\n<p><a href=\"https:\/\/app.pluginventory.com\/demo\">See a live demo<\/a><\/p>\n\n<h4>What it does<\/h4>\n\n<ul>\n<li>Sends a daily HMAC-signed report of your installed plugins, their versions, active\/inactive status, and available updates \u2014 transmitted over HTTPS<\/li>\n<li>Lets you trigger an on-demand report at any time from the Pluginventory dashboard or directly from your WordPress admin<\/li>\n<li>Works on single-site and multisite (subdomain and subdirectory) WordPress installs<\/li>\n<li>Fully supports network-wide activation with a dedicated Network Admin settings screen for bulk pairing and reporting<\/li>\n<\/ul>\n\n<h4>What it does NOT do<\/h4>\n\n<ul>\n<li>It cannot install, update, activate, deactivate, or delete any plugins on your site<\/li>\n<li>It does not collect or transmit any personally identifiable information<\/li>\n<li>It does not run any code on your site's front end<\/li>\n<\/ul>\n\n<h4>How it works<\/h4>\n\n<ol>\n<li>Install and activate this plugin on your WordPress site<\/li>\n<li>Log in to your Pluginventory account at app.pluginventory.com<\/li>\n<li>Generate an Install Token from your account page<\/li>\n<li>Paste the token into the Pluginventory settings screen and click Pair Site<\/li>\n<li>Your site is now connected \u2014 reports will be sent automatically every day<\/li>\n<\/ol>\n\n<h4>Security<\/h4>\n\n<p>All reports are authenticated with an HMAC-SHA256 signature using a secret that is unique to your site and generated at pairing time. Your Pluginventory account verifies this signature before accepting any report. Tokens are stored as WordPress options and are never exposed in your site's HTML or source. All communication requires HTTPS \u2014 non-HTTPS App URLs are blocked.<\/p>\n\n<h4>Multisite support<\/h4>\n\n<p>When network-activated, Pluginventory adds a Network Admin &gt; Settings &gt; Pluginventory screen where you can:<\/p>\n\n<ul>\n<li>Set shared App URL and Install Token defaults for all subsites<\/li>\n<li>Bulk pair all subsites with one click<\/li>\n<li>Bulk send reports for all subsites<\/li>\n<li>Pair or trigger individual subsites from the same screen<\/li>\n<\/ul>\n\n<h3>Privacy Policy \/ External Service Disclosure<\/h3>\n\n<p>This plugin transmits data to an external service (Pluginventory) in order to function. This section discloses what data is sent, when, where, and why \u2014 as required by WordPress.org plugin guidelines.<\/p>\n\n<h4>What data is sent<\/h4>\n\n<p>When a report is triggered (automatically or manually), the following data is transmitted:<\/p>\n\n<p>Site-level data:<\/p>\n\n<ul>\n<li>Your site's URL (home URL) and site name<\/li>\n<li>A stable per-install UUID (generated locally, used to identify your WordPress installation)<\/li>\n<li>A timestamp of when the report was generated<\/li>\n<li>PHP version running on your server<\/li>\n<li>WordPress version, and whether a core update is available (including the available version number)<\/li>\n<li>Database server version<\/li>\n<li>WordPress memory limit setting<\/li>\n<li>Environment type (production, staging, development, or local)<\/li>\n<li>Active theme name, version, slug, and whether it is a child theme (including parent theme name if applicable)<\/li>\n<li>On multisite installs: network ID and blog ID<\/li>\n<\/ul>\n\n<p>Per-plugin data (for each installed plugin):<\/p>\n\n<ul>\n<li>Plugin name, slug, file path, and version<\/li>\n<li>Active or inactive status<\/li>\n<li>Whether an update is available, and the latest available version if applicable<\/li>\n<li>Plugin author name<\/li>\n<li>Minimum PHP and WordPress version requirements declared by the plugin<\/li>\n<li>Plugin URI (homepage URL declared by the plugin)<\/li>\n<li>Approximate install or last-update date (based on file modification time)<\/li>\n<\/ul>\n\n<p>No usernames, email addresses, passwords, post content, or any personally identifiable information is ever included in reports.<\/p>\n\n<h4>When data is sent<\/h4>\n\n<p>Data is only sent after you have completed the pairing process by entering a valid Install Token and clicking Pair Site. Before pairing, no data leaves your site. After pairing, data is sent:<\/p>\n\n<ul>\n<li>Once per day via a scheduled WordPress cron event<\/li>\n<li>Immediately when you click Send Test Report in the settings screen<\/li>\n<li>When triggered remotely from your Pluginventory dashboard using the Remote Trigger Token<\/li>\n<\/ul>\n\n<h4>Where data is sent<\/h4>\n\n<p>Data is sent to the Pluginventory service at the App URL you configure during pairing (default: https:\/\/app.pluginventory.com). Reports are POSTed to {App URL}\/webhook\/report and pairing requests are sent to {App URL}\/webhook\/pair. All requests require HTTPS.<\/p>\n\n<h4>Third-party service information<\/h4>\n\n<ul>\n<li>Service: Pluginventory<\/li>\n<li>Website: https:\/\/pluginventory.com<\/li>\n<li>Privacy Policy: https:\/\/pluginventory.com\/privacy<\/li>\n<li>Terms of Service: https:\/\/pluginventory.com\/terms<\/li>\n<\/ul>\n\n<!--section=installation-->\n<h4>Automatic installation<\/h4>\n\n<ol>\n<li>Go to Plugins &gt; Add New in your WordPress admin<\/li>\n<li>Search for Pluginventory<\/li>\n<li>Click Install Now, then Activate<\/li>\n<li>Go to Settings &gt; Pluginventory and follow the pairing instructions<\/li>\n<\/ol>\n\n<h4>Manual installation<\/h4>\n\n<ol>\n<li>Download the plugin zip file<\/li>\n<li>Go to Plugins &gt; Add New &gt; Upload Plugin<\/li>\n<li>Upload the zip file and click Install Now, then Activate<\/li>\n<li>Go to Settings &gt; Pluginventory and follow the pairing instructions<\/li>\n<\/ol>\n\n<h4>Multisite \/ Network installation<\/h4>\n\n<ol>\n<li>Upload and network-activate the plugin from Network Admin &gt; Plugins<\/li>\n<li>Go to Network Admin &gt; Settings &gt; Pluginventory<\/li>\n<li>Enter your App URL and Install Token, save defaults, then click Pair All Subsites<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"do%20i%20need%20a%20pluginventory%20account%3F\"><h3>Do I need a Pluginventory account?<\/h3><\/dt>\n<dd><p>Yes. This plugin is the connector between your WordPress site and your Pluginventory account. You can create an account at pluginventory.com.<\/p><\/dd>\n<dt id=\"is%20there%20a%20free%20plan%3F\"><h3>Is there a free plan?<\/h3><\/dt>\n<dd><p>Please visit pluginventory.com for current pricing and plan details.<\/p><\/dd>\n<dt id=\"what%20data%20is%20sent%20in%20the%20report%3F\"><h3>What data is sent in the report?<\/h3><\/dt>\n<dd><p>Each daily report includes: your site's URL and name, a timestamp, PHP version, WordPress version (and whether a core update is available), database version, WordPress memory limit, environment type (production\/staging\/development\/local), and your active theme's name, version, and slug. For each installed plugin: name, slug, file path, version, author, active\/inactive status, whether an update is available, the latest available version, minimum PHP and WordPress version requirements, and an approximate install date. On multisite installs, network ID and blog ID are also included. No user data, post content, or personally identifiable information is ever sent. See the Privacy Policy section for full details.<\/p><\/dd>\n<dt id=\"is%20the%20data%20sent%20securely%3F\"><h3>Is the data sent securely?<\/h3><\/dt>\n<dd><p>Yes. Reports are transmitted over HTTPS and authenticated with an HMAC-SHA256 signature. Your Pluginventory account verifies the signature on every report before processing it. Non-HTTPS App URLs are blocked.<\/p><\/dd>\n<dt id=\"can%20this%20plugin%20change%20or%20delete%20my%20plugins%3F\"><h3>Can this plugin change or delete my plugins?<\/h3><\/dt>\n<dd><p>No. Pluginventory is read-only. It can only report on what is installed. It has no ability to install, update, activate, deactivate, or remove any plugins.<\/p><\/dd>\n<dt id=\"what%20happens%20when%20i%20deactivate%20the%20plugin%3F\"><h3>What happens when I deactivate the plugin?<\/h3><\/dt>\n<dd><p>The daily scheduled report is cancelled and any temporary rate-limit data is cleared. Your pairing secrets and settings are preserved so you can reactivate without needing to re-pair.<\/p><\/dd>\n<dt id=\"what%20happens%20when%20i%20delete%20the%20plugin%3F\"><h3>What happens when I delete the plugin?<\/h3><\/dt>\n<dd><p>All plugin data is completely removed from your database, including all settings, secrets, tokens, and scheduled tasks.<\/p><\/dd>\n<dt id=\"does%20this%20work%20with%20wordpress%20multisite%3F\"><h3>Does this work with WordPress Multisite?<\/h3><\/dt>\n<dd><p>Yes, fully. See the Multisite section under Installation above.<\/p><\/dd>\n<dt id=\"can%20i%20trigger%20a%20report%20manually%3F\"><h3>Can I trigger a report manually?<\/h3><\/dt>\n<dd><p>Yes. From the Pluginventory settings page, click Send Test Report to fire an immediate report. You can also trigger reports remotely from your Pluginventory dashboard using the Remote Trigger Token.<\/p><\/dd>\n<dt id=\"i%20paired%20my%20site%20but%20the%20report%20shows%20an%20error.%20what%20should%20i%20do%3F\"><h3>I paired my site but the report shows an error. What should I do?<\/h3><\/dt>\n<dd><p>The settings page shows the last report status including the HTTP response code and a diagnostic hint. Common fixes:<\/p>\n\n<p>404: Click Pair Site again to re-pair.\n403: Your webhook secret may have expired; re-pairing will refresh it.\nConnection error: Check that your server can make outbound HTTPS requests.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Renamed all internal prefixes from <code>pc_<\/code> to <code>pluginventory_<\/code> for WordPress.org compliance (includes options, classes, constants, cron hooks, CSS classes, and file names)<\/li>\n<li>Added automatic migration routine: existing installs seamlessly transition to new prefix with no re-pairing required<\/li>\n<li>Moved all inline CSS\/JS to properly enqueued external files (assets\/pluginventory-admin.css and assets\/pluginventory-admin.js)<\/li>\n<li>Removed forced wp_update_plugins() call from report generation \u2014 now reads cached transient only, eliminating unnecessary outbound HTTP requests<\/li>\n<li>Removed unnecessary flush_rewrite_rules() from activation and deactivation hooks<\/li>\n<li>Fixed nonce verification order in manual report handler \u2014 nonce is now checked before reading superglobal values<\/li>\n<li>Fixed unsanitized $_REQUEST usage in AJAX handler \u2014 now uses $_POST with proper sanitization<\/li>\n<li>Fixed duplicate \"Settings\" link on Plugins page (was registered in both main class and settings class)<\/li>\n<li>Replaced direct SQL query in uninstall.php with get_sites() API call<\/li>\n<li>Simplified HMAC signature generation (removed redundant bin2hex\/raw_output round-trip)<\/li>\n<li>Removed bundled screenshot files from plugin package (belong in SVN assets\/ directory)<\/li>\n<li>Added Plugin URI header<\/li>\n<li>Removed display:none on core WordPress admin notices<\/li>\n<\/ul>\n\n<h4>1.1.4<\/h4>\n\n<ul>\n<li>Fix: Removed deprecated load_plugin_textdomain() \u2014 WordPress auto-loads translations since 4.6<\/li>\n<li>Fix: Replaced mt_rand() with wp_rand()<\/li>\n<li>Fix: Wrapped wp_die() strings with esc_html__()<\/li>\n<li>Fix: Added translators comments on all sprintf() i18n strings<\/li>\n<li>Fix: Ordered printf placeholders (%1$d, %2$d) in bulk action messages<\/li>\n<li>Fix: Added wp_unslash() to $_SERVER header reads<\/li>\n<li>Fix: Added phpcs:ignore on display-only GET params in network admin<\/li>\n<li>Fix: Updated Tested up to: 6.9<\/li>\n<\/ul>\n\n<h4>1.1.3<\/h4>\n\n<ul>\n<li>Added: PHP version, WordPress version, and database version now included in every report<\/li>\n<li>Added: WordPress core update availability flag (bool + available version) sent with each report<\/li>\n<li>Added: Environment type (production\/staging\/development\/local) sent with each report<\/li>\n<li>Added: WordPress memory limit sent with each report<\/li>\n<li>Added: Active theme name, version, slug, and parent theme info sent with each report<\/li>\n<li>Added: Per-plugin author, minimum PHP requirement, minimum WP requirement fields<\/li>\n<li>Added: Per-plugin installed_at timestamp (file modification date \u2014 reflects install or last update)<\/li>\n<\/ul>\n\n<h4>1.1.2<\/h4>\n\n<ul>\n<li>Security: REST trigger endpoint now POST-only for authenticated requests; GET returns a public health-check ping with no token required and no report sent<\/li>\n<li>Security: Remote trigger token now accepted via HTTP header or JSON body only \u2014 query-string token support removed to prevent secrets appearing in server logs<\/li>\n<li>Fixed: all admin redirects now use wp_safe_redirect() instead of wp_redirect()<\/li>\n<li>Fixed: compatibility check error strings are now translatable<\/li>\n<li>Fixed: error_log() call now only fires when WP_DEBUG_LOG is enabled<\/li>\n<li>Added: screenshot files for WordPress.org plugin directory listing<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>Fixed: readme wording corrected from \"encrypted\" to \"HMAC-signed \/ authenticated over HTTPS\"<\/li>\n<li>Fixed: uninstall.php now properly clears scheduled cron events on plugin deletion<\/li>\n<li>Fixed: App URL now enforces HTTPS \u2014 HTTP URLs are rejected with a clear admin error<\/li>\n<li>Fixed: daily report is no longer scheduled on activation; scheduling now happens only after successful pairing<\/li>\n<li>Fixed: install token is now only saved after pairing succeeds<\/li>\n<li>Added: Privacy Policy \/ External Service Disclosure section in readme (WordPress.org requirement)<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Added multisite Network Admin screen with bulk pair and bulk send actions<\/li>\n<li>Added per-install UUID to prevent network ID collisions across separate installs<\/li>\n<li>Added pairing diagnostics with HTTP error hints on the settings screen<\/li>\n<li>Added remote trigger endpoint (REST API + AJAX fallback) for dashboard-initiated scans<\/li>\n<li>Improved App URL handling with automatic migration from legacy hosts<\/li>\n<li>Fixed double hook registration for reporter and settings bootstrap<\/li>\n<li>Fixed Author header format for WordPress.org compliance<\/li>\n<li>Added License headers<\/li>\n<\/ul>\n\n<h4>0.3.3<\/h4>\n\n<ul>\n<li>Initial public release<\/li>\n<li>Daily cron reporting with HMAC-SHA256 signing<\/li>\n<li>Settings screen with pairing flow<\/li>\n<li>Manual report trigger with nonce verification<\/li>\n<\/ul>","raw_excerpt":"Know exactly which plugins run across your WordPress portfolio \u2014 search any plugin instantly and catch problems before a site breaks.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/291335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=291335"}],"author":[{"embeddable":true,"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/pluginventoryteam"}],"wp:attachment":[{"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=291335"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=291335"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=291335"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=291335"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=291335"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/mg.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=291335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}