We Built a WordPress Plugin That Audits Your Media Library for Copyright Risk. Here's What It Found.

A WordPress site owner emailed us last week. Someone on their team had been pulling product shots from "free images" results on Google for months. Then the legal team forwarded a demand letter. Eighteen hundred dollars for three images. The agency had been crawling the site for weeks before they sent anything.

We hear some version of this story a lot. If you run a WordPress site of any size, your Media Library almost certainly contains photos you didn't license, didn't shoot, and have no idea where they came from. The people who file these demands run automated software that finds those photos. You don't.

Until now you'd either pay a one-off audit service somewhere between two and five hundred dollars, or just hope. Neither is great.

So we built a WordPress plugin that runs the same kind of audit, from inside your dashboard, in one click, for free.

What it actually does

Install PixGuard Scanner from the WordPress directory. Activate. Paste in an API key from your free PixGuard account. Click "Scan All Media Library."

That's it. The plugin walks through every image attachment in your install and runs each one through our detection pipeline. You get back a risk score per image, sorted by severity, with the high-risk ones called out.

What we check:

• Stock-database matches. We compare against perceptual hashes from Shutterstock, Adobe Stock, Getty, iStock, and several thousand other photographers' published work. If a "free Pexels grab" turns out to be a stock-licensed photo someone scraped to Pexels, you'll see it.
• Visible and invisible watermarks. Most people know about logos in the corner. Fewer know about the LSB, DCT, and DWT steganographic watermarks embedded in pixel data that survive cropping, re-saving, and compression. We check for all of those.
• EXIF and IPTC metadata. Some agencies sign their exports with telltale software fields, copyright strings, or rights-management data. We parse all of it.
• AI-generation signatures. If an image looks AI-generated, we flag it. Sometimes useful, sometimes a false positive on heavily-edited photos, always informative.
• Reverse-image search. On Pro and Business tiers, we cross-check against Google Lens and other indices to find every other place that image appears on the open web, with first-seen-on dates. Useful for figuring out who actually owns the photo.

You see all of this inside your WordPress admin. No spreadsheet exports, no third-party portal, no separate login.

Why a plugin instead of a URL scan

We already had a hosted scanner where you paste a site URL. The reason we built the plugin is that your Media Library contains images the public-facing site doesn't. Drafts. Old uploads from a previous theme. Editor sandboxes. Email-template images. Thumbnails. Custom-post-type attachments.

A URL crawl catches what's currently displayed on a published page. Based on the sites we've sampled, that's about 30 to 60 percent of what's actually in the Media Library. The plugin catches everything, because it reads from wp_posts where every uploaded image is recorded regardless of whether it's currently on a page.

The other reason: when you decide to remove a high-risk image, you want to do that from inside WordPress. The plugin gives you a one-click jump to the Edit Media screen for any flagged image. No second tool.

How long does an audit take

Depends on Media Library size and your plan. Some numbers we've seen:

• 50 images, under a minute
• 500 images, about four minutes
• 2,000 images, fifteen to twenty minutes

The scan runs in the background with a progress bar. You can leave the page open or come back later. If you hit a rate limit (150 scans per day on free), the plugin pauses and resumes automatically once the window clears. No babysitting.

Pricing

The plugin is free. You get 100 credits at signup, plus 150 scans per day on the free tier. For a one-time audit of a small to mid-sized site, that's usually enough.

Paid plans add:

• Starter ($9/mo): higher rate limits, faster turnaround on bulk scans
• Pro ($29/mo): reverse-image search across the open web (Google Lens, TinEye), full AI-vision analysis on ambiguous cases, source attribution showing where flagged images first appeared online
• Business ($79/mo): everything in Pro plus stock-database deep coverage and priority queue. Annual on Pro and Business saves about a month a year.

Be honest with yourself about which tier you actually need. The free tier handles "let me audit what's already there" use cases fine. The paid tiers are for ongoing protection: scan every upload automatically, monitor your site weekly, get email alerts when new risky images appear. If you upload images rarely, free is probably plenty.

Questions we get a lot

Does this work on LocalWP / MAMP / staging sites?

Yes, since v1.0.3. When your image URLs aren't reachable from the internet (because they're on localhost or behind staging-site auth), the plugin uploads the file bytes directly to our backend instead of asking us to fetch the URL. Works on every local environment we've tested: LocalWP, MAMP, XAMPP, Lando, DDEV.

Will the scan slow my site down?

No. The scan calls our hosted API, so nothing CPU-heavy runs on your WordPress server. The plugin's queries against wp_posts use prepared statements with proper indexing. Even on a Media Library with ten thousand attachments, the dashboard stays snappy.

Are my images stored on your servers?

For about an hour, then deleted. We keep a perceptual hash (basically a 64-character fingerprint) so that the next time anyone scans the same image we can return a cached result for free. The original bytes don't persist.

What about SVG files?

As of v1.0.9 the plugin skips SVGs automatically. Vector graphics don't have raster fingerprints, so copyright detection on them isn't meaningful.

Can I scan only some images?

Yes. The plugin adds a "Copyright Risk" column to your Media Library list view, with a "Scan" button on each row. You can scan individual images, or filter the Media Library to a date or attachment type and only scan that subset.

Getting started

Two paths, depending on where you want to start.

If you want a quick check with no install: paste a site URL into the free scanner. We crawl the homepage and analyze the three largest images on it. Takes about 30 seconds, no signup.

If you want the full audit: install PixGuard Scanner from WordPress.org, create a free account to grab your API key, paste it into the plugin settings, click "Scan All Media Library." Full audit done before your next coffee break.

Not on WordPress? Our hosted scanner works on any URL. Same detection engine.

We built this because the people who chase copyright infringers on small WordPress sites have automation and the defenders mostly don't. Now you have something. It's free to start. If you find something surprising in your library, reply to your welcome email and tell us. We read every one.