How the Credential Scanner Works

Why a credential scanner exists #

WordPress diagnostic data sometimes contains sensitive values. PHP error logs can include database connection strings. REST API responses can include authentication tokens. Debug output can include API keys that plugins printed for their own logging purposes. None of that should leave your server in a capture file.

The credential scanner runs before any data leaves your environment. It runs entirely client-side, in the Chrome extension and the WordPress Plugin, before the capture payload is assembled and transmitted. Nothing is sent to Loupely’s servers until after the scan completes.

What the scanner looks for #

The scanner matches patterns that correspond to common credential formats: API key structures (long alphanumeric strings with the specific prefixes used by common services), database connection strings containing username and password fields, authentication tokens and bearer tokens, private key blocks, and strings in the formats used by SaaS providers whose keys appear regularly in WordPress environments (Stripe secret keys, AWS credentials, and others).

The scanner is pattern-based, not keyword-based. It doesn’t search for the word “password” in error messages. It looks for strings that structurally match credential formats.

What happens when something is found #

Any value matching a credential pattern is replaced with a redaction marker before the capture payload is assembled. The capture file you download notes how many items were redacted and in which sections they were found. The actual values are never written to the payload, never transmitted, and never visible in the downloaded file.

The capture file does not show what the redacted values were. Loupely never sees them. The redaction happens locally, before the data moves anywhere.

Limitations #

The scanner catches known credential patterns. A custom internal token that doesn’t match any known format won’t be detected. If your WordPress environment uses non-standard credential formats (for example, a custom internal authentication system with its own token structure), those values may appear in the raw capture data. Before sharing any capture file with a third party (a developer, a support agent), review it and redact anything sensitive that the scanner may have missed. The capture file is a plain text file that you can open and review before sharing.
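The redaction pass described above, written out as an added example in JavaScript (the Chrome extension side). This is illustrative code, not Loupely's; the pattern list, the section names, the marker string and the sample capture are all constructed for the example. The sample also carries a custom internal token of the kind the Limitations section warns about, which the structural patterns leave untouched, so the output shows both what a pattern-based scanner catches and what it misses.

```javascript
// Added example (not Loupely's code): a pattern-based redaction pass run over
// capture sections before the payload is assembled. Patterns, section names,
// the marker and the sample capture below are constructed for illustration.

const REDACTION_MARKER = "[REDACTED]";

// Structural patterns (credential-shaped strings), not keywords like "password".
const CREDENTIAL_PATTERNS = [
  // Stripe-style secret keys: sk_live_/sk_test_ prefix plus a long key body
  { name: "stripe_secret_key", regex: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
  // AWS access key IDs: AKIA prefix followed by 16 upper-case alphanumerics
  { name: "aws_access_key_id", regex: /\bAKIA[A-Z0-9]{16}\b/g },
  // Bearer tokens in Authorization headers or REST API responses
  { name: "bearer_token", regex: /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g },
  // Database connection strings carrying user:password@host
  {
    name: "db_connection_string",
    regex: /\b(?:mysql|postgres(?:ql)?|mongodb)(?:\+\w+)?:\/\/[^\s:@/]+:[^\s@/]+@[^\s'"]+/g,
  },
  // PEM private key blocks, which span several lines
  {
    name: "private_key_block",
    regex: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
  },
];

// Replace every pattern match in one section with the marker and count the hits.
// The matched values are never stored anywhere; only the count survives.
function redactSection(text) {
  let out = text;
  let count = 0;
  for (const { regex } of CREDENTIAL_PATTERNS) {
    out = out.replace(regex, () => {
      count += 1;
      return REDACTION_MARKER;
    });
  }
  return { text: out, count };
}

// Scan a capture (an object of section name -> section text). Returns the
// redacted payload plus a per-section tally of what was removed, which is the
// information a downloaded capture file would carry instead of the values.
function scanCapture(capture) {
  const payload = {};
  const redactedBySection = {};
  let redactedTotal = 0;
  for (const [section, text] of Object.entries(capture)) {
    const { text: cleaned, count } = redactSection(String(text));
    payload[section] = cleaned;
    if (count > 0) redactedBySection[section] = count;
    redactedTotal += count;
  }
  return { payload, redactedTotal, redactedBySection };
}

// Constructed sample capture. Every credential-looking value here is fake.
const SAMPLE_CAPTURE = {
  php_error_log:
    "[12-Mar-2024 10:02:11 UTC] PHP Warning: mysqli_connect(): connection refused for " +
    "mysql://wp_user:s3cretPass@db.internal:3306/wordpress in /var/www/html/wp-db.php",
  rest_api_response:
    '{"authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln","status":"ok"}',
  plugin_debug_output:
    "stripe_key=sk_test_EXAMPLEKEY00000000000000 aws_key=AKIAEXAMPLEKEY000000\n" +
    // A custom internal token: not credential-shaped by any pattern above,
    // so the scanner passes it through (the limitation the article describes).
    "internal_token=ACME-7f3a9b2c-session",
  private_keys:
    "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEXAMPLE\n-----END RSA PRIVATE KEY-----",
};

// Stand-alone run: print only the tally, never the original values.
const result = scanCapture(SAMPLE_CAPTURE);
console.log(JSON.stringify(result.redactedBySection));
```

The per-section counts are the only trace of the removed values, which mirrors what the page says the capture file reports. The untouched `internal_token` line is the case to look for when you review a capture before sharing it.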