SudoWP Radar is a WordPress Plugin Directory app by sudowp.
AppRanks verdict
Generated from live marketplace data — refreshed daily
SudoWP Radar is a newly-listed WordPress app with a limited review volume. It is listed in the Security category on WordPress Plugin Directory, which AppRanks treats as the canonical taxonomy node for ranking and competitor comparison. no published reviews yet means feature claims are unverified by the wider merchant base. Without a published review base, the only fit-signal available is the developer's own documentation plus the marketplace's listing-quality audit (linked below). Paid-only pricing means evaluating fit on the marketplace listing or via the developer's documentation before installing. AppRanks tracks rating, review count, pricing tier, and category position daily — the figures on this page reflect the most recent scrape from the canonical WordPress Plugin Directory listing.
Pros
- +Published by sudowp — established developer track record
Cons
- −No public reviews yet — fit and reliability are unverified
Looking to switch from SudoWP Radar?
See SudoWP Radar's alternatives ranked by audit score, rating, and review velocity.
How SudoWP Radar works
Show full descriptionShow less
SudoWP Radar is a runtime security auditor for the WordPress 6.9 Abilities API. It scans every registered ability across all active plugins and themes, applying a rule engine that detects the vulnerability patterns most likely to be exploited in production.
What it audits:
Open and weak permissions — abilities with no permission_callback, or one that allows any authenticated user through.
Missing or loose input schemas — abilities that accept unconstrained string inputs, creating potential injection vectors for path traversal, SSRF, and similar attacks.
REST overexposure — abilities marked show_in_rest with no or open permission control, accessible to unauthenticated callers.
MCP overexposure — abilities marked meta.mcp.public = true with a weak or null permission callback are directly callable by any connected AI agent. Flagged as CRITICAL.
Orphaned callbacks — execute_callbacks that reference functions no longer loaded, often left behind by deactivated plugins.
Namespace collisions — duplicate ability names where the last registration silently overwrites the first, potentially downgrading the permission model.
AI prompt filter bypass (WP 7.0+) — callbacks on wp_ai_client_prevent_prompt that unconditionally return false, disabling the AI prompt prevention gate sitewide. Flagged as HIGH.
AI REST overexposure (WP 7.0+) — REST endpoints that call wp_ai_client_prompt() with no or weak permission callbacks. Flagged as CRITICAL or HIGH.
AI missing version gate (WP 7.0+) — plugins that call wp_ai_client_prompt() without a function_exists compatibility check, causing fatal errors on WP < 7.0. Flagged as MEDIUM.
Hosting-injected ability (WP 7.0+) — abilities registered by hosting-provider auto-installed plugins with REST exposure, without explicit site administrator consent. Flagged as HIGH. Requires premium vendor slug list.
Connector key in database (WP 7.0+) — AI connector API keys stored as plaintext in the WordPress database via the WP 7.0 Connectors API, rather than as environment variables or PHP constants. Flagged as HIGH.
How it works:
SudoWP Radar reads the live abilities registry after all plugins and themes have loaded. It applies static rules to each ability and returns a structured findings report with severity ratings (Critical, High, Medium, Low) and actionable remediation guidance. A risk score from 0-100 summarises the overall exposure of the site.
Security model:
Requires the radar_run_audit capability (granted to site administrators by default).
All audit requests are nonce-gated. No public-facing endpoints.
Audit findings are stored in user meta, not global options.
Rate-limited to one audit per 30 seconds per user.
Optional premium extension (SudoWP Pro):
The free plugin is a fully functional standalone security auditor. An optional premium add-on extends it with SudoWP Vulnerability Dataset matching (CVE references, CVSS scores, patch guidance), scheduled audits with email alerts, multi-site dashboard aggregation, and report export. None of these are required to use the core auditing features.
SudoWP Radar is a complement to static analysis tools. It audits the live, runtime state of your site — what is actually registered and executing — not just what is declared in code.
External Services When an API key is configured, SudoWP Radar connects to the SudoWP vulnerability
dataset API (api.sudowp.com) to retrieve patch availability information for
registered WordPress abilities.
No data is transmitted without an API key being explicitly entered by the site
administrator. When no key is present, the plugin makes zero external network
requests.
Data sent to the API: the ability name being looked up and your API key.
No personal data, no site URL, no user data is transmitted.
API key registration: https://sudowp.com/get-api-key/
Terms of service: https://sudowp.com/tos/
Privacy policy: https://sudowp.com/privacy-policy/
Premium Extension Filters SudoWP Radar exposes four WordPress filters so a premium plugin can extend
the audit engine without modifying core plugin files.
radar_dataset_enabled Controls whether dataset lookups run during an audit. Return true to activate.
Parameters:
$enabled (bool) — default false.
Returns:
bool
Example:
add_filter( 'radar_dataset_enabled', function ( bool $enabled ): bool { return true; // Enable dataset lookups. } );
radar_dataset_findings Inject Finding objects from a vulnerability dataset for a specific ability.
Called once per ability during an audit. Non-Finding return values are stripped.
Parameters:
$findings (array) — current Finding[] for this ability, default [].
$ability (array) — ability data array from Scanner (name, meta, callbacks, etc.).
Returns:
Finding[]
Note: register with accepted_args=2 to receive both parameters.
Example:
add_filter( 'radar_dataset_findings', function ( array $findings, array $ability ): array { if ( str_starts_with( $ability['name'], 'my-plugin/' ) ) { $findings[] = new \SudoWP\Radar\Finding( ability_name: $ability['name'], severity: \SudoWP\Radar\Finding::SEVERITY_CRITICAL, vuln_class: \SudoWP\Radar\Finding::VULN_DATASET_MATCH, message: 'Known vulnerable ability pattern detected (CVE-2026-1234).', recommendation: 'Update my-plugin to version 2.1.0 or later.', is_premium: true, ); } return $findings; }, 10, 2 );
radar_dataset_status Override the dataset status array displayed in the admin UI.
Parameters:
$status (array) — default status with keys:
enabled (bool) — false in free version.
label (string) — UI display string.
last_updated (string|null) — ISO 8601 date or null.
total_entries (int) — 0 in free version.
Returns:
array (same shape as input)
Example:
add_filter( 'radar_dataset_status', function ( array $status ): array { return [ 'enabled' => true, 'label' => 'SudoWP Vulnerability Dataset: Connected. 4,821 entries.', 'last_updated' => '2026-03-08', 'total_entries' => 4821, ]; } );
radar_audit_findings Modify the complete findings array after all rules and dataset lookups have run.
Use this to add cross-ability findings, re-score existing findings, or suppress
false positives. Called once per full audit run.
Parameters:
$findings (array) — complete Finding[] from the full audit.
$abilities (array) — all ability data arrays scanned during this audit.
Returns:
Finding[]
Note: register with accepted_args=2 to receive both parameters.
Example:
add_filter( 'radar_audit_findings', function ( array $findings, array $abilities ): array { // Example: promote medium findings to high for a high-risk site. return array_map( function ( $finding ) { if ( $finding->severity === \SudoWP\Radar\Finding::SEVERITY_MEDIUM ) { return new \SudoWP\Radar\Finding( ability_name: $finding->ability_name, severity: \SudoWP\Radar\Finding::SEVERITY_HIGH, vuln_class: $finding->vuln_class, message: $finding->message, recommendation: $finding->recommendation, context: $finding->context, is_premium: $finding->is_premium, ); } return $finding; }, $findings ); }, 10, 2 );
Category rankings
As of Jul 16, 2026- Abilities-api#0of 4Top 1%
- Audit#0of 22Top 1%
- Permissions#0of 15Top 1%
- Scanner#0of 20Top 1%
- Security#0of 666Top 1%
See 90-day rank history for each category
Track daily rank changes, category shifts, and position volatility.
Keyword rankings
SudoWP Radar ranks for 1 keywords across WordPress Plugin Directory. Here are the top 1:
- 1.ai agentRank #678
Competitors & alternatives
SudoWP Radar doesn't have curated competitor matchups yet. Other tracked security apps on WordPress:
Where SudoWP Radar stands in the Security category
SudoWP Radar ranks #0 of 666 apps in the Security category, placing it in the top 1% of the listing.
Frequently asked questions
What is SudoWP Radar?
SudoWP Radar is an app for WordPress. It is published on WordPress Plugin Directory and tracked by AppRanks, and AppRanks has been tracking its public marketplace data on the refresh cadence published in our methodology. It is listed under the Security category on AppRanks, where you can see its current category position, review-velocity trend, and how it compares against the top alternatives in the same space. Developed by sudowp.
Who uses SudoWP Radar?
SudoWP Radar is actively installed across WordPress stores tracked by AppRanks. Its review base is still building, which usually maps to early-stage merchants and stores piloting a new workflow. It is part of the Security category on WordPress.