WordPress.org

Tweants

Get WordPress
WordPress.org

Plugin Directory

Cleverhog Malware Scanner

Cleverhog Malware Scanner

By cleverhog
Download

Description

Cleverhog Malware Scanner helps you investigate a suspicious or compromised WordPress site from the admin dashboard. It is free and may be used on unlimited websites with no license keys or per-site fees.

This plugin detects and reports potential security issues. It does not automatically remove malware or guarantee that a site is clean. Always back up your site before changing or deleting files.

What it scans

  • Files — Pattern-based scan of themes, plugins, uploads, wp-content, or the full site (with code snippets, file size, and last-modified date)
  • Backdoors — Must-use plugins, drop-ins, wp-config, cron jobs, and suspicious hooks
  • .htaccess — Discovers .htaccess files site-wide and lists suspicious redirects, PHP handlers in uploads, auto_prepend, cloaking rules, and more
  • Authentication — XML-RPC, user enumeration, weak salts, file editor, and SSL-related checks
  • Database — Suspicious autoloaded options and injected post content
  • Administrators — All admin users with registration dates and risk flags
  • Updates — Outdated plugins, themes, and core (high for major/minor updates, medium for patches only)
  • Plugin integrity — WordPress.org plugins compared to official checksums (one summary per plugin)

Features

  • Live threat counter during scans
  • Results sorted by severity (critical, high, medium, low)
  • Last scan results restored when you reopen the dashboard
  • Admin menu badge showing critical issue count
  • Excludes this plugin’s own files from file scans to reduce false positives

Privacy

This plugin runs entirely on your server. Scans do not send your site files to the plugin author.

When you run a scan, the plugin may contact:

  • WordPress.org (downloads.wordpress.org) — to fetch official plugin checksums for integrity verification
  • WordPress.org update APIs — to check for available plugin, theme, and core updates (standard WordPress behavior)

No personal data is collected by the plugin author. Scan results are stored in your WordPress database (options and transients) for display in the admin dashboard and are visible to users who can manage the site.

Support

Support is provided through the WordPress.org support forums after publication.

Screenshots

  • Scan configuration and live threat counter
  • Scan results with severity filters and file details
  • Administrator account audit
  • Threat summary sidebar

Installation

  1. Install through Plugins Add New after this plugin is on WordPress.org, or upload the cleverhog-malware-scanner folder to /wp-content/plugins/
  2. Activate Cleverhog Malware Scanner
  3. Open Cleverhog Malware Scanner in the admin menu
  4. Choose scan types and click Start Security Scan

FAQ

Does this remove malware automatically?

No. It shows what was found with file paths, snippets, and severity so you can investigate. Restore from backup or use professional help for active breaches.

Can it give false positives?

Yes. Legitimate plugins may use patterns that look suspicious (for example base64_decode). Review every critical finding before deleting files.

Does it scan its own plugin files?

No. The scanner excludes its own directory from file scans.

Will large sites timeout?

File scans run in batches via AJAX to reduce PHP timeout issues.

Which plugins can be checksum-verified?

Only plugins hosted on WordPress.org with published checksums for the installed version. Premium or custom plugins are listed as unverified; use the file malware scan on those.

Reviews

Does a lot for a free plugin

May 27, 2026
Scans are divided into steps so it didn’t timeout on my shared hosting, which other scanners struggled with. Took me a minute to understand that “unverified” plugins aren’t necessarily infected — just not on WordPress.org checksums. Once I got that, the reports made sense. Would love scheduled scans in a future update, but for manual checks this is very useful.
Read all 1 review

Contributors & Developers

“Cleverhog Malware Scanner” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Cleverhog Malware Scanner” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.6.7

  • PHPCS/WPCS: prefix dashboard template globals for Plugin Check compliance

1.6.6

  • WordPress.org review: all wp-admin includes centralized in Admin_Dependencies with immediate function use
  • Path resolution centralized in Wp_Paths (uploads, plugins via WPMG_PLUGIN_FILE, WP_LANG_DIR, core files)
  • Checksum API failures cached with a distinct marker (not an empty array)

1.6.5

  • Checksum fetch failures use a distinct transient marker so plugins are not marked verified after a failed lookup

1.6.4

  • Language pack paths use WP_LANG_DIR only (no WP_CONTENT_DIR/languages fallback)

1.6.3

  • Quarantine and plugin-owned files use wp_upload_dir() under uploads/cleverhog-malware-scanner (no hard-coded WP_CONTENT_DIR/uploads paths)
  • Plugin and content paths resolved via WPMG_PLUGIN_FILE and Wp_Paths helpers instead of WP_PLUGIN_DIR / WP_CONTENT_DIR in scanner code

1.6.2

  • All wp-admin includes go through Admin_Dependencies only (including uninstall and is_plugin_active)

1.6.1

  • WordPress.org review: centralize wp-admin includes via Admin_Dependencies (load + immediate use)

1.6.0

  • WordPress.org review: distinctive name Cleverhog Malware Scanner, slug cleverhog-malware-scanner
  • Quarantine files stored under uploads (not wp-content root)
  • Admin menu CSS enqueued with wp_add_inline_style (no raw <style> in admin_head)

1.5.0

  • Full slug rename: cleverhog-malware-doctor folder, main file, text domain, and admin menu page slug

1.4.3

  • Display name updated to Cleverhog Malware Doctor

1.4.2

  • WordPress.org slug changed to cleverhog-malware-plugin (trademark)

1.4.1

  • Rebranded to Cleverhog Malware Scanner (display name and documentation)

1.4.0

  • WordPress.org readiness: textdomain loading, uninstall cleanup, server limits UI layout fix
  • Server limits panel uses stacked rows (fixes overlapping table text in the admin sidebar)
  • Legacy bootstrap files (wp-mal-guard.php, wp-malware-doctor.php) updated for correct plugin paths and scan exclusion
  • Plugin Check: remove .DS_Store, fix screenshot filenames, WP_Filesystem for quarantine, Tested up to 7.0

1.3.9

  • Server limits panel: shows current vs recommended PHP memory and execution time
  • Scan failures show an in-page error panel with tips and one-click smaller scan presets (uploads, plugins, themes, etc.)

1.3.8

  • Fix 504 gateway timeouts: start scan returns in seconds; heavy work runs across many short AJAX batches
  • Incremental file-list building, plugin verification (2 per batch), and split backdoor/htaccess scans

1.3.7

  • Fix scan 500 errors on large sites: file queue stored separately, higher PHP limits, capped plugin checksum depth
  • Scan failures now return a clearer error message in the admin alert

1.3.6

  • Fewer false positives: theme cache PHP in uploads, payment webhooks using php://input, protective uploads .htaccess
  • Weak salt check only inspects AUTH_KEY-style defines (not the word “WordPress” in comments)
  • World-writable core check uses file permissions instead of is_writable()
  • Third-party/premium plugins reported as low-severity informational findings
  • Auth and config findings no longer show unrelated file paths or action buttons

1.3.5

  • Update outdated plugins and themes directly from scan results via AJAX

1.3.4

  • Delete inactive plugins and themes directly from scan results (updates and integrity findings)

1.3.3

  • Delete is only offered for high-confidence threats (e.g. PHP in uploads, suspicious drop-zone filenames)

1.3.2

  • Quarantined files panel on the dashboard with restore, view, and permanent delete

1.3.1

  • View, quarantine, delete, and restore actions on file findings from the scan results
  • File preview modal with safe path validation and quarantine storage under uploads/cleverhog-malware-scanner/wpmg-quarantine/

1.3.0

  • Context-aware malware scanning (reduces false positives in translations, themes, and core)
  • Smarter signatures: eval on request, webshell names, remote includes, chmod 777, and more
  • Skip WordPress core/language files; suppress noise for outdated plugins and themes
  • Improved .htaccess scan; fewer backdoor/REST/cron false positives

1.2.0

  • WordPress.org Plugin Check compliance (naming, i18n, privacy, nonce helpers)
  • Group plugin integrity mismatches into one result per plugin
  • Update severity: high for major/minor updates, medium for patch-only
  • Sort results by severity; persist last scan; admin menu critical badge

1.1.0

  • Plugin integrity checksum scanner; live threat counts; dashboard UI refresh

1.0.0

  • Initial release (as Malware Doctor)

Meta

Ratings

5 out of 5 stars.

Your review

See all reviews

Contributors

Support

Got something to say? Need help?

View support forum