WordPress.org

Catalan (Balear)

Get WordPress
WordPress.org

Plugin Directory

Server Scout

Server Scout

By susheelhbti
Download

Description

Server Scout is a tool for server administrators who manage multiple WordPress sites on the same server. Instead of logging into each site one by one, Scout gives you a single dashboard where you can see every WordPress installation on the server and quickly access them.

What it does

  • Recursively scans a directory of your choice (e.g. /var/www) for all WordPress installations.
  • Stores the results in a dedicated database table so the dashboard loads instantly without re-scanning.
  • Refreshes the stored results automatically in the background (WP-Cron), every 30 minutes by default.
  • Displays each site’s name, URL, WordPress version, and database prefix.
  • Lists all administrator users for each site (username + email).
  • Generates a secure, one-time, 5-minute login link so you can jump straight into any site’s admin area without needing the password.

Who is it for?

  • VPS / dedicated server owners managing multiple client or personal WordPress sites.
  • Developers running several local or staging environments on one machine.
  • Agencies with a fleet of sites on a single server.

How scanning & caching works

  1. The first time you open the dashboard, click Scan Server.
  2. Results are written to a {prefix}servsc_sites table — one row per installation.
  3. Every later visit renders straight from that table (no filesystem walk).
  4. A background WP-Cron task re-scans the same root on a schedule so the data stays fresh.
  5. Use Rescan Now any time to force an immediate refresh.

How login links work

  1. Click Generate Login Link next to any admin user.
  2. A cryptographically signed, one-time token is stored in that site’s database (valid for 5 minutes).
  3. The generated link goes through WordPress’s standard admin-ajax.php endpoint — not a direct PHP file — and includes a nonce for request verification.
  4. Opening the link logs you directly into that site’s admin dashboard.
  5. The token is deleted immediately on first use — it cannot be used twice.

Security

  • Requires the manage_options capability (Administrator) to use the plugin.
  • All form submissions are protected with WordPress nonces.
  • Login links use wp_ajax_nopriv_ (WordPress AJAX), include a nonce, and go through admin-ajax.php.
  • Tokens are HMAC-signed with a per-token secret — cannot be forged.
  • Scan paths are validated with realpath() before use.
  • All database queries use prepared statements.
  • The standard wp_login action is fired on login so security plugins (login limiters, audit logs) are notified.

Important: This plugin is intended for server administrators only. Do not install it on shared hosting environments where you do not control all sites on the server.

Installation

  1. Upload the server-scout folder to /wp-content/plugins/.
  2. Activate the plugin through the Plugins menu in WordPress.
  3. Go to Tools Server Scout in the admin menu.
  4. Enter the root directory to scan (e.g. /var/www) and click Scan Server.

FAQ

Will this work on shared hosting?

Technically yes, but it is not recommended. This plugin reads the database credentials of other WordPress installations on the same server. Only use it if you own and administer all sites on that server.

How often does the background refresh run?

Every 30 minutes by default. WP-Cron only fires when the site receives traffic, so on a low-traffic server the refresh can lag — set up a real system cron calling wp-cron.php if you need it on a strict schedule. You can change the interval with the servsc_refresh_minutes filter.

Where are scan results stored?

In a dedicated table, {prefix}servsc_sites. Only the configured scan path and the last-scan timestamp are kept as options. The table is removed when you delete the plugin.

What happens to unused login links?

Tokens expire automatically after 5 minutes. When you delete the plugin, uninstall.php cleans up any leftover tokens from the database.

The scan found no results. What should I check?

  • Make sure PHP has read permission for the scan directory.
  • Try a more specific path (e.g. /var/www/html instead of /).
  • Some server setups place sites under /home or /srv/www.

Why does the login link say “invalid”?

The link was either already used (one-time only) or has expired (5-minute window). Generate a new one.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Server Scout” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Server Scout” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.1.0

  • Scan results are now stored in a dedicated database table instead of being re-scanned on every page load.
  • Added a background WP-Cron refresh (every 30 minutes by default; filterable via servsc_refresh_minutes).
  • Added a “Rescan Now” action and a “last scanned” indicator.

1.0.0

  • Initial release.

Meta

Ratings

No reviews have been submitted yet.

Your review

See all reviews

Contributors

Support

Got something to say? Need help?

View support forum