Plugin description (original)
Server Scout is a tool for server administrators who manage multiple WordPress sites on the same server. Instead of logging into each site one by one, Scout gives you a single dashboard where you can see every WordPress installation on the server and quickly access them.
What it does
Recursively scans a directory of your choice (e.g. /var/www) for all WordPress installations.
Stores the results in a dedicated database table so the dashboard loads instantly without re-scanning.
Refreshes the stored results automatically in the background (WP-Cron), every 30 minutes by default.
Displays each site’s name, URL, WordPress version, and database prefix.
Lists all administrator users for each site (username + email).
Generates a secure, one-time, 5-minute login link so you can jump straight into any site’s admin area without needing the password.
Who is it for?
VPS / dedicated server owners managing multiple client or personal WordPress sites.
Developers running several local or staging environments on one machine.
Agencies with a fleet of sites on a single server.
How scanning & caching works
The first time you open the dashboard, click Scan Server.
Results are written to a {prefix}servsc_sites table — one row per installation.
Every later visit renders straight from that table (no filesystem walk).
A background WP-Cron task re-scans the same root on a schedule so the data stays fresh.
Use Rescan Now any time to force an immediate refresh.
How login links work
Click Generate Login Link next to any admin user.
A cryptographically signed, one-time token is stored in that site’s database (valid for 5 minutes).
The generated link goes through WordPress’s standard admin-ajax.php endpoint — not a direct PHP file — and includes a nonce for request verification.
Opening the link logs you directly into that site’s admin dashboard.
The token is deleted immediately on first use — it cannot be used twice.
Security
Requires the manage_options capability (Administrator) to use the plugin.
All form submissions are protected with WordPress nonces.
Login links use wp_ajax_nopriv_ (WordPress AJAX), include a nonce, and go through admin-ajax.php.
Tokens are HMAC-signed with a per-token secret — cannot be forged.
Scan paths are validated with realpath() before use.
All database queries use prepared statements.
The standard wp_login action is fired on login so security plugins (login limiters, audit logs) are notified.
Important: This plugin is intended for server administrators only. Do not install it on shared hosting environments where you do not control all sites on the server.
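The issue-and-redeem flow described under "How login links work" and "Security", as an added example that is not Server Scout's own code. It assumes an in-memory array in place of the target site's database and uses hypothetical function names; the nonce check and the WordPress login step are left out.

```php
<?php
// Added illustration, not Server Scout's code. $store stands in for the
// target site's database; every function name here is hypothetical.
const TOKEN_TTL = 300; // 5 minutes, as stated on the page

function issue_login_token(array &$store, int $userId, int $now): string
{
    $id      = bin2hex(random_bytes(16)); // public lookup key carried in the link
    $secret  = random_bytes(32);          // per-token HMAC key, stored server-side only
    $expires = $now + TOKEN_TTL;
    $store[$id] = ['secret' => $secret, 'user' => $userId, 'expires' => $expires];
    // The signature binds the id to the user and expiry held in the stored row.
    return $id . '.' . hash_hmac('sha256', "$id|$userId|$expires", $secret);
}

function redeem_login_token(array &$store, string $token, int $now): ?int
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null; // malformed, unknown, or already used
    }
    [$id, $sig] = $parts;
    $row = $store[$id];
    unset($store[$id]); // burn first: a token gets exactly one attempt
    if ($now > $row['expires']) {
        return null; // outside the 5-minute window
    }
    $expected = hash_hmac('sha256', "$id|{$row['user']}|{$row['expires']}", $row['secret']);
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, $sig) ? $row['user'] : null;
}

// Constructed walk-through with a fixed clock.
$store = [];
$t0    = 1700000000;
$link  = issue_login_token($store, 42, $t0);
var_dump(redeem_login_token($store, $link, $t0 + 60));  // first use inside the window
var_dump(redeem_login_token($store, $link, $t0 + 61));  // replay of the same link
$late = issue_login_token($store, 42, $t0);
var_dump(redeem_login_token($store, $late, $t0 + 301)); // presented after expiry
$forged = issue_login_token($store, 42, $t0);
$forged = substr($forged, 0, -1) . ($forged[-1] === '0' ? '1' : '0');
var_dump(redeem_login_token($store, $forged, $t0 + 1)); // last signature character altered
```

Deleting the row before the expiry and signature checks means a failed attempt also consumes the token, so a signature cannot be guessed repeatedly against the same id.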
