Security dashboards are only useful if you can act on what they show you. This guide walks through every section of the WO Security Shield dashboard so you know exactly what each metric means and what to do about it.
The top-level health score
The dashboard opens with an overall site health score (0–100). This is a weighted composite of:
- Active findings — open malware, backdoors, and vulnerabilities (highest weight)
- File integrity status — whether core files match official WordPress checksums
- Security configuration — headers, login hardening, XML-RPC status
- Outdated components — WordPress core, plugins, and themes behind on updates
A score below 70 means there are actionable issues requiring attention. Below 50 means there are likely active threats on your site.
Finding categories explained
Malware findings
Direct malicious code detected in your files or database. These are always Critical priority.
Common types:
- Webshells — PHP files that give remote code execution
- Backdoors — hidden access mechanisms injected into legitimate files
- Cryptominers — code that uses server resources to mine cryptocurrency
- Redirect injectors — code that sends visitors to spam or phishing sites
Action: Remove immediately. Then check for the entry point.
File integrity alerts
Files that don't match the official WordPress checksums. These can be:
- Legitimate (customised theme files, plugins that modify core) — mark as Acknowledged
- Malicious (modified core files) — treat as Malware
wp-includes/functions.php ← Modified (hash mismatch)
wp-login.php ← Modified (hash mismatch)
Action: Compare the diff shown in the dashboard. If the modification is unexpected, restore the file from a clean WordPress download.
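The comparison behind a file integrity alert can be reproduced by hand. The sketch below is an added example, not WO Security Shield's own code; it assumes the reference data is a path-to-MD5 mapping, and the file names and contents in `demo()` are constructed. It also reports files in core directories that the manifest does not list, which a hash comparison alone would miss.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories that should hold only core files


def md5_of(path: Path) -> str:
    """Hash in chunks so large files are never read into memory whole."""
    digest = hashlib.md5()  # MD5 only because the manifest is assumed to use it
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_core(root: Path, manifest: dict) -> dict:
    """Compare files under root with a {relative_path: md5_hex} manifest."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(manifest.items()):
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif md5_of(target) != expected:
            report["modified"].append(rel)
    # A hash check alone never sees extra files dropped next to core code.
    for core_dir in CORE_DIRS:
        for path in sorted((root / core_dir).rglob("*")):
            rel = path.relative_to(root).as_posix()
            if path.is_file() and rel not in manifest:
                report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Constructed three-file 'site': one file altered, one deleted, one planted."""
    names = ("wp-login.php", "wp-includes/functions.php", "wp-includes/version.php")
    clean = {rel: f"<?php // {rel}\n".encode() for rel in names}
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in clean.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for core_dir in CORE_DIRS:
            (root / core_dir).mkdir()
        for rel, body in clean.items():
            (root / rel).write_bytes(body)
        (root / "wp-login.php").write_bytes(b"<?php // changed\n")
        (root / "wp-includes/version.php").unlink()
        (root / "wp-includes/cache-old.php").write_bytes(b"<?php // unlisted\n")
        return verify_core(root, manifest)
```

Anything under `modified` or `unexpected` that you cannot explain should be handled as described above: restore from a clean download or treat it as malware.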
CVE vulnerabilities
Known vulnerabilities in your installed plugins and themes, sourced from the WPScan CVE database.
Each finding shows:
- CVE ID — the official vulnerability identifier
- CVSS score — severity rating (0–10)
- Affected versions — whether your installed version is affected
- Patch version — the version that fixes it (if available)
Action: Update the affected plugin immediately. If no patch is available, consider deactivating and deleting the plugin until one is released.
Identity alerts
Suspicious user accounts or authentication anomalies:
- Admin accounts created without your knowledge
- Accounts with `administrator` role that shouldn't have it
- Login attempts from unusual geolocations
Action: Review and remove rogue accounts. Investigate the login logs.
Recovery recommendations
Configuration issues that leave you exposed if an attack occurs:
- No backup configured
- Backup destination is local-only
- No 2FA on admin accounts
Action: Address before an incident — not during.
Finding statuses
| Status | Meaning |
|---|---|
| Open | Needs action |
| Investigating | You've started looking at it |
| Acknowledged | Reviewed and confirmed as a known-good change |
| Resolved | Fixed and verified |
Move findings through these statuses as you work through them. This keeps your dashboard accurate and lets you track progress over multiple sessions.
Reading the scan timeline
The scan timeline in the dashboard shows:
- Last scan time and duration
- Finding delta — how many new findings appeared vs. resolved since the previous scan
- File change velocity — number of files modified per hour (spikes are red flags)
A sudden spike in the file change velocity metric — especially outside business hours — is often the first indicator of a compromise in progress. If you spot one, follow the incident response playbook immediately.
Setting up alerts
WO Security Shield can notify you via email or Slack when:
- Any new Critical finding appears
- A core file is modified
- A new admin account is created
- Login attempts exceed your threshold
Configure these under Settings → Notifications. At minimum, enable Critical finding alerts and admin account creation alerts — these two cover the most serious real-world attack scenarios.
Understanding your dashboard is the difference between security theatre and actual protection. The data is there — you just need to know what to look at first. Start with wosecurity.com.
Reading Your Dashboard: A Practical Walkthrough
When you first open your WO Security Shield dashboard, the volume of data can be overwhelming. Here's exactly what to look at and in what order.
Step 1: Check the Severity Summary
Your dashboard shows findings grouped by severity:
| Severity | What it means | Action required |
|---|---|---|
| 🔴 Critical | Active malware or backdoor detected | Immediate — quarantine or remove within minutes |
| 🟠 Warning | Suspicious code or configuration issue | Same day — investigate and resolve |
| 🟡 Info | Noteworthy but not dangerous | Weekly review — check during your regular audit |
| ⚪ Clean | No issues detected | No action needed |
Start with Critical findings. Always. If your dashboard shows zero Critical findings, you're in good shape — move to Warnings.
Step 2: Understand File Change Timelines
The file change timeline is one of your most powerful tools. It shows:
- When files were modified (with timestamps)
- What changed (diff view for text files)
- Who triggered the change (plugin update, WordPress core update, or manual modification)
Spikes in file changes outside of your normal update schedule are a red flag. If you see 50 files modified at 3 AM and you weren't running updates, that's almost certainly an attack.
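The file change velocity check described here and in the scan timeline section can be expressed as a small detector. This is an added example, not the product's implementation; the business hours, spike factor, minimum count and the sample events are all assumptions or constructed data.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

BUSINESS_HOURS = range(9, 18)  # assumption: 09:00-17:59 local time, Mon-Fri
SPIKE_FACTOR = 5               # assumption: flag hours at 5x the median active hour
MIN_FILES = 20                 # assumption: ignore bursts smaller than this


def hourly_velocity(events):
    """Count modified files per clock hour from (datetime, path) events."""
    return Counter(ts.replace(minute=0, second=0, microsecond=0) for ts, _ in events)


def find_spikes(events, maintenance_windows=()):
    """Return (hour, count, off_hours) for hours far above the site's baseline."""
    buckets = hourly_velocity(events)
    baseline = median(buckets.values()) if buckets else 0
    spikes = []
    for hour, count in sorted(buckets.items()):
        # Planned update windows are expected to touch many files at once.
        planned = any(start <= hour < end for start, end in maintenance_windows)
        if planned or count < max(MIN_FILES, SPIKE_FACTOR * baseline):
            continue
        off_hours = hour.hour not in BUSINESS_HOURS or hour.weekday() >= 5
        spikes.append((hour, count, off_hours))
    return spikes


def sample_events():
    """Constructed data: light daytime edits, a planned update, a 03:00 burst."""
    day = datetime(2024, 5, 14)  # a Tuesday
    events = []
    for h in (10, 11, 14, 15):   # ordinary edits, two files per hour
        events += [(day + timedelta(hours=h, minutes=m), f"uploads/{h}-{m}.jpg")
                   for m in (5, 40)]
    events += [(day + timedelta(hours=16, minutes=1, seconds=s), f"plugins/x/{s}.php")
               for s in range(30)]   # plugin update at 16:01
    events += [(day + timedelta(days=1, hours=3, seconds=s), f"wp-includes/{s}.php")
               for s in range(50)]   # 50 files at 03:00 the next day
    return events, [(day + timedelta(hours=16), day + timedelta(hours=17))]
```

With the maintenance window supplied, only the 03:00 burst is reported; without it, the 16:00 plugin update is also flagged, but with `off_hours` set to `False`.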
Step 3: Login Activity Analysis
Your dashboard tracks every login attempt:
Successful logins: admin (3 times this week, from 2 IPs)
Failed attempts: 142 this week (from 87 unique IPs)
Blocked by firewall: 1,247 this week
Key patterns to watch:
- Successful logins from unexpected IPs — someone else has your credentials
- Failed attempts concentrated on one username — targeted attack, not just bots
- Sudden spike in blocked requests — your site is being actively targeted
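The first two patterns can be checked mechanically against an exported login log. The following is an added example, not part of WO Security Shield; the log line format, the known-IP list, the thresholds and the sample lines are all hypothetical or constructed.

```python
from collections import Counter

KNOWN_IPS = {"198.51.100.10", "198.51.100.11"}  # assumption: your usual addresses
TARGETED_SHARE = 0.6  # assumption: one username drawing 60%+ of failures is targeted
MIN_FAILURES = 10     # assumption: below this, shares are too noisy to judge


def parse(line):
    """Parse '<time> <OK|FAIL> user=<name> ip=<addr>' (hypothetical export format)."""
    ts, result, user, ip = line.split()
    return {"ts": ts, "result": result,
            "user": user.partition("=")[2], "ip": ip.partition("=")[2]}


def analyse(lines, known_ips=KNOWN_IPS):
    """Return findings for unexpected-IP logins and username-focused failures."""
    events = [parse(line) for line in lines if line.strip()]
    failures = [e for e in events if e["result"] == "FAIL"]
    findings = []
    for e in events:
        if e["result"] == "OK" and e["ip"] not in known_ips:
            # Earlier failures from the same address point at guessed credentials.
            prior = sum(1 for f in failures
                        if f["ip"] == e["ip"] and f["ts"] < e["ts"])
            findings.append(("unexpected_ip_login", e["user"], e["ip"], prior))
    if len(failures) >= MIN_FAILURES:
        user, hits = Counter(f["user"] for f in failures).most_common(1)[0]
        if hits / len(failures) >= TARGETED_SHARE:
            sources = len({f["ip"] for f in failures if f["user"] == user})
            findings.append(("targeted_username", user, hits, sources))
    return findings


def sample_lines():
    """Constructed log: 12 failures on 'admin', 3 scattered, 2 successes."""
    lines = [f"2024-05-14T02:{i:02d}:00 FAIL user=admin ip=203.0.113.{i}"
             for i in range(1, 13)]
    lines += [f"2024-05-14T02:30:0{i} FAIL user=test{i} ip=192.0.2.{i}"
              for i in range(1, 4)]
    lines += ["2024-05-14T09:05:00 OK user=admin ip=198.51.100.10",
              "2024-05-14T03:10:00 OK user=admin ip=203.0.113.7"]
    return lines
```

A successful login from an unknown address that also has earlier failures is the case to act on first: rotate that account's password and review its sessions.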
Step 4: Resource Usage Anomalies
Unexpected CPU or memory spikes can indicate:
- Cryptomining malware — learn how to detect and remove miners
- DDoS attack in progress — your firewall logs will confirm this
- Spam email sending — compromised sites are often used to send spam
- Brute-force attack — heavy load on `wp-login.php` or `xmlrpc.php`
Creating Actionable Reports
Export your dashboard data monthly for stakeholders or clients:
- Executive summary — Critical/Warning counts, trend direction (improving or worsening)
- Blocked threats — number of attacks prevented (this justifies your security investment)
- Recommendations — specific actions to improve the security posture
- Comparison — month-over-month trend to show progress
This is especially valuable for agencies managing client sites — it demonstrates the value of ongoing security monitoring.
