Title: Codebase Manager
Author: WordPress VIP Documentation
Published: April 21, 2022
Last modified: July 9, 2025

---

#  Codebase Manager

VIP’s Codebase Manager is a service that helps customers keep versions of plugins
and themes in their WordPress application code secure and up to date. Codebase Manager’s
automated security scanning watches for new vulnerabilities that are published to
[WPScan](https://wpscan.com/).

[The WPScan API](https://wpscan.com/api) is leveraged by Codebase Manager to scan
the application code deployed to a WordPress environment for known vulnerabilities
and available version updates for plugins.

Codebase Manager scans application code that is deployed with [the **Default Deployment** method](https://docs.wpvip.com/code-deployment/default-deployment/)
and with [the **Custom Deployment** method](https://docs.wpvip.com/code-deployment/custom-deployment/).

## Reports for scan results

Customers can stay informed of known security vulnerabilities that are identified
by the scans in several ways:

 * **[The Bot’s Vulnerability and Update Scan](https://docs.wpvip.com/vulnerability-and-update-scan/)**:
   Security vulnerabilities and available version updates for plugin and theme code
   in pull requests are identified and reported by the VIP Code Analysis Bot.
 * **[VIP Dashboard Plugins panel](https://docs.wpvip.com/codebase-manager/plugins-panel/)**:
   Identified security vulnerabilities and available version updates for plugins
   that are already deployed to application environments are reported in the VIP
   Dashboard Plugins panel.
 * **[Notifications](https://docs.wpvip.com/notifications/):** Automated messages
   that are triggered by **all levels** of identified security vulnerabilities for
   plugins that are already deployed to application environments. Notifications 
   are opt-in, and can be sent to a webhook URL for Slack, Google Chat, or Microsoft
   Teams, [a general-purpose webhook URL](https://docs.wpvip.com/notifications/webhook-urls/),
   or an email address.
 * **[Important Alerts](https://docs.wpvip.com/notifications/important-alerts/):**
   Automated Notifications that are triggered by identified security vulnerabilities
   rated as **high** or **critical** for plugins that are already deployed to application
   environments. All users with [an Org admin role](https://docs.wpvip.com/manage-user-access/vip-dashboard/org-roles/)
   or [an App admin role](https://docs.wpvip.com/manage-user-access/vip-dashboard/app-role/)
   receive Important Alerts by email by default.

## WPScan CVSS ratings

Known vulnerabilities are assigned a rating based on the [Common Vulnerability Scoring System (CVSS)](https://www.first.org/cvss/calculator/3.1).

**None**: 0.0
**Low**: 0.1-3.9**Medium**: 4.0-6.9**High**: 7.0-8.9**Critical**: 
9.0-10.0

## Preventing false-positive matches

On rare occasions, the naming convention of a plugin or theme directory can cause
Codebase Manager to identify a false positive match. A false positive can occur 
when the directory name for a custom plugin or theme—or third-party plugin or theme
from a different source—is identical or similar to the directory name of a WordPress.
org plugin or theme.

To prevent false-positive matches, customers should:

 * Verify that the (WordPress.org) plugin or theme reported by Codebase manager 
   as having a vulnerability or an available update is an accurate match for the
   plugin or theme in their application repository or scanned pull request.
 * Utilize the [`Update URI`](https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/)
   header field in custom plugins and themes to prevent them from being accidentally
   overwritten by an update of a plugin or theme from the [WordPress.org Plugin Directory](https://wordpress.org/plugins/)
   that has a similar name and slug. In plugins the `Update URI` header should be
   added to the [header file](https://codex.wordpress.org/File_Header), and for 
   themes it should be added to [the main stylesheet](https://developer.wordpress.org/themes/basics/main-stylesheet-style-css/).
   The Bot’s WPScan Analysis supports the `Update URI` header for themes, even though
   it is not supported by WordPress itself.

A plugin or theme will be ignored by Codebase Manager scans if the `Update URI` 
header is assigned as `false`, or assigned a value that does not contain `WordPress.
org` or `w.org`.

Last updated: July 09, 2025