ShadowScan Security Link

by shadowscan

Description

ShadowScan Security Link pairs your site to the ShadowScan portal and keeps it in sync with heartbeat status, Guard Layer signals, login abuse detection, and security commands.

ShadowScan does not install, activate, or configure third-party security tools. If another security plugin is present, the connector only records its presence as metadata.

External services

This plugin connects to external services to sync status, process security workflows, and support optional diagnostics.

Service: ShadowScan API (hosted at Supabase Edge Functions)
URL: https://foemwjtosslaiynduiyt.supabase.co/functions/v1/
Used for: site pairing, heartbeat sync, command polling, command-result upload, subscription/policy sync, and support contact submissions.
Data sent and when: site URL, WordPress version, PHP version, connector version, Guard Layer/control status, heartbeat timestamps, and command execution metadata whenever the connector syncs with ShadowScan; contact form fields only when an admin submits support contact.
Terms: https://shadowscan.com.au/terms
Privacy: https://shadowscan.com.au/privacy
Service: Have I Been Pwned Passwords API
URL: https://api.pwnedpasswords.com
Used for: optional breached-password checks in password policy enforcement.
Data sent and when: k-anonymity password hash prefix (first 5 SHA-1 characters, no raw passwords) only when a password is checked by the policy flow.
Terms: https://haveibeenpwned.com/TermsOfUse
Privacy: https://haveibeenpwned.com/Privacy
Service: Sentry
URL: https://sentry.io
Used for: optional error and fatal-event telemetry to assist troubleshooting.
Data sent and when: error event metadata (such as exception messages, stack traces, and runtime context) only after an admin explicitly enables Sentry telemetry in plugin settings and a Sentry DSN is configured; the optional MU diagnostics helper can send early-startup fatal errors only while both Sentry telemetry and remote diagnostics are enabled.
Terms: https://sentry.io/terms/
Privacy: https://sentry.io/privacy/

Third-Party Libraries

This plugin bundles:
* pragmarx/google2fa (MIT License)
* bacon/bacon-qr-code (BSD-2-Clause; Copyright (c) 2017-present, Ben Scholzen “DASPRiD”)

Hooks

shadowscan_log
Fires when the plugin emits an internal log message. You can hook this in a must‑use plugin or theme if you want to capture logs.

Installation

Upload the plugin ZIP in WordPress: Plugins Add New Upload Plugin.
Activate “ShadowScan Security Link”.
Open ShadowScan in WP Admin and follow the setup steps.

Screenshots

ShadowScan setup dashboard in WordPress admin.

Faq

Does this plugin require a ShadowScan account?

Yes. You need a ShadowScan account to generate a pairing code and connect the site.

Does deactivating the plugin disconnect the site from ShadowScan?

By default, no. Deactivation pauses scheduled connector activity, but disconnect is only performed from explicit disconnect/uninstall actions.

What data is sent to ShadowScan?

The connector sends basic environment details (site URL, WordPress/PHP versions, plugin version) and heartbeat status so we can monitor connection health.

Does it send administrator credentials?

No. Credentials are never sent by the plugin.

Does remote diagnostics install anything on the site?

Only after an admin explicitly enables Sentry telemetry and remote diagnostics, ShadowScan can install a temporary must-use helper from the portal to capture early startup errors for troubleshooting. It can be removed from the portal or automatically when telemetry/remote diagnostics are disabled.

Reviews

Changelog

1.0.12

Improves portal connection reliability and policy syncing consistency.
Improves command delivery and signature compatibility so queued actions complete more reliably.
Improves connector diagnostics and status reporting, including admin geo and plugin auto-update signals.
Improves evidence export handling and clears stale connector errors after successful syncs.

1.0.11

Improves plugin package reliability for smoother updates.
Improves quality checks so releases are more consistent.
Improves release process stability to reduce update issues.

1.0.10

Improves privacy controls for diagnostics and telemetry settings.
Improves account protection flows during profile and sign-in updates.
Improves compatibility by updating bundled dependencies.

1.0.9

Improves connection recovery behavior when the portal temporarily rejects requests.
Improves admin status reporting so connection state is easier to understand.

1.0.8

Strip non-production vendor scripts/tests from release ZIP for WordPress.org compliance.
Keep release guard clean after POT generation.
Document external password breach check service.

1.0.7

Improve release workflow stability and dependency locking.
Add MU helper diagnostics commands and admin visibility.
Harden logging and input sanitization for compliance.

1.0.6

Improve release pipeline and runtime resilience.
Strengthen API reliability, event delivery, and enforcement handling.
Tighten sanitization and filesystem safety checks.

1.0.5

Same changes as 1.0.6 (superseded by tag v1.0.6).

1.0.4

Adds Admin Access Guard with location-based protection for wp-login/wp-admin, including observe/enforce modes and emergency bypass.
Improves plugin safety and recovery behavior (fail-open access, clearer status visibility, safer handling during billing pauses).
Refines plugin UI and diagnostics to make protection coverage, controls, and troubleshooting easier to understand and use.

1.0.3

Adds PHP 7.4 compatibility for MFA using Google2FA and Bacon QR.
Improves admin UI clarity and offboarding/diagnostics handling.

1.0.2

Adds emergency containment, targeted integrity scans, and server controls.
Adds operational controls for htaccess, enumeration protections, and security headers.
Refines third-party security plugin detection and updates tooling/docs.