Settings reference
SteadyScore's settings live under SteadyScore → Settings. The page is organized into sections, in this order. Pro-gated sections show a lock overlay and read-only preview when no Pro license is active.
License
Always visible. Controls the Pro license activation and shows your current plan.
| Field | Default | What it does |
|---|---|---|
| Plan banner | "Free Plan — X of Y plugins scored" or "Pro Plan — [tier]" | Live readout of your current license state and (Pro) tier, site limit, and remaining slots. |
| License key | empty | Paste your Pro license key here. The field is disabled while Pro is already active — to enter a different key, click Deactivate first. |
| Activate / Deactivate | Activate while free, Deactivate while Pro | Contacts the SteadyPress API to register or release the current site against your license. |
| Manage account link | — | Opens https://steadypress.ai/account in a new tab. |
The license key is stored in wp_options (steadyscore_license_key). The HMAC secret returned by the activation API is stored alongside it (steadyscore_license_secret) and is used to sign subsequent Pro requests.
Source Code Analysis (Pro)
| Field | Default | What it does |
|---|---|---|
| Analyze custom and unknown plugins | On | Enables Path 5 source-code analysis for plugins that have no public data. When on, SteadyScore reads the source code of those plugins and sends it to your configured AI provider so a score and a recommendation can be generated. This is the only way to score Path 5 plugins. |
Off by default? No — when Pro is active and this section is visible, the toggle ships on so that custom plugins get covered out of the box. You can switch it off if you would rather leave custom plugins as N/A.
Monitoring & Alerts (Pro)
| Field | Default | Valid values | What it does |
|---|---|---|---|
| Score Refresh Schedule | weekly | weekly, biweekly, monthly, annual | How often the scheduled monitoring job runs a full refresh and evaluates alert triggers. This is independent of the cache-driven background refresh. |
| Alert Email Recipients | empty | One or more comma-separated email addresses | Where alert emails go. Leave blank to skip emails — the monitoring run still updates scores. |
| Alert Triggers | score_drop, new_vuln, plugin_removed (stale_plugin off) | Any subset of: score_drop, new_vuln, plugin_removed, stale_plugin | Which events trigger an alert email. Labels in the UI read: "Score drops below Warning threshold (60)", "New unpatched vulnerability discovered", "Plugin removed from repository", and "Plugin not updated in 12+ months". |
Display Preferences
Always visible.
| Field | Default | Valid values | What it does |
|---|---|---|---|
| Menu Placement | top_level | top_level, plugins | Where SteadyScore appears in the WordPress admin menu. top_level places it between Tools and Settings; plugins makes it a submenu under Plugins. |
| Default Sort | name_asc | name_asc, score_asc, score_desc, risk | The starting sort order for the dashboard table. |
| Visible Columns | Plugin, Version, Active, Score | Subset of Plugin, Version, Active, Score, Risk, In Use, Recommendation | Which columns to show. Plugin and Score are always visible and cannot be hidden. |
Columns can also be reordered by dragging them in the dashboard's table header.
Vulnerability Data
Always visible.
| Field | Default | What it does |
|---|---|---|
| Wordfence API Key (optional) | empty | A Wordfence Intelligence v3 API key. Saving a key enables CVE lookups for every plugin scored via Paths 1 and 2. Clearing it disables them. No requests are made to Wordfence until a key is saved. |
The Wordfence key is stored in wp_options (steadyscore_wordfence_api_key) as plaintext. It is sent on every Wordfence lookup as an Authorization: Bearer … header. SteadyScore does not encrypt it at rest because anyone with read access to your database already has full site compromise — encryption would not add a meaningful security boundary.
Saving a non-empty key sets the internal flag steadyscore_vulnerability_check_enabled to true. Clearing the key sets it back to false.
Free Wordfence Intelligence API keys are available at wordfence.com.
Data & Privacy
Always visible. This section is informational — it lists exactly what SteadyScore does and does not send anywhere — plus a data-removal button.
The four data-flow blocks:
- Sent to SteadyPress servers (Pro only): plugin slug, version, and active/inactive state; WordPress version and PHP version; site URL for license validation. Nothing in free mode unless you activate Pro or trigger a Pro feature.
- Sent to Wordfence (only when enabled): plugin slugs are sent to Wordfence only after the Wordfence API key is saved. Your Wordfence API key is sent as the Authorization header.
- Sent for AI analysis (Pro, only when enabled): plugin metadata for recommendation generation; source code of custom plugins, only when Source Code Analysis is on.
- Never sent anywhere: site content, posts, pages, or user data; database contents or wp-config.php credentials; customer or visitor information; source code of publicly-listed plugins.
| Field | Behavior |
|---|---|
| Delete All Plugin Data | Truncates every SteadyScore table and clears every SteadyScore option. Use this if you want a clean reset without uninstalling. Irreversible. |
System Status / Diagnostics
Always visible. A read-only block showing your current PHP version, WordPress version, Action Scheduler queue status, and the last successful refresh timestamp. Useful when you contact support.
Save bar
The bottom of the page shows a save bar with two buttons:
- Cancel — discards unsaved changes and resets the form to its last saved state.
- Save Settings — submits via the REST API. A toast confirms success.
The bar also shows when settings were last saved (in human-readable form, for example "Last saved 5 minutes ago") and a multisite reminder ("Settings saved per-site in a multisite environment.") on networks.
Where settings are stored
All settings are stored in wp_options under the steadyscore_ prefix. The relevant keys are listed below. They follow the WordPress.org guideline of one prefix per plugin.
| Option name | Holds |
|---|---|
steadyscore_license_key |
License key (plaintext). |
steadyscore_license_secret |
HMAC secret returned by the activation API. |
steadyscore_license_status |
Cached license tier, site limit, remaining slots, feature flags. |
steadyscore_wordfence_api_key |
Wordfence Intelligence API key (plaintext). |
steadyscore_vulnerability_check_enabled |
Boolean — set automatically when a Wordfence key is saved or cleared. |
steadyscore_menu_placement |
top_level or plugins. |
steadyscore_display_sort |
Default sort order. |
steadyscore_source_code_analysis |
Path 5 toggle (Pro). |
steadyscore_monitoring_schedule |
Pro monitoring cadence. |
steadyscore_alert_recipients |
Comma-separated alert emails (Pro). |
steadyscore_alert_triggers |
Array of enabled alert triggers (Pro). |
A complete uninstall removes every option matching steadyscore_%.
Need more help? Contact support.