{"id":318243,"date":"2026-05-27T16:39:12","date_gmt":"2026-05-27T16:39:12","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/malware-doctor\/"},"modified":"2026-05-27T16:24:05","modified_gmt":"2026-05-27T16:24:05","slug":"cleverhog-malware-scanner","status":"publish","type":"plugin","link":"https:\/\/twd.wordpress.org\/plugins\/cleverhog-malware-scanner\/","author":23505524,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.6.7","stable_tag":"trunk","tested":"7.0","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"Cleverhog Malware Scanner","header_author":"Cleverhog","header_description":"Free WordPress malware scanner for unlimited sites. Detect infected files, backdoors, login threats, and rogue admin users, with file size and last-modified dates.","assets_banners_color":"010e18","last_updated":"2026-05-27 16:24:05","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/cleverhog-malware-scanner\/","header_author_uri":"https:\/\/profiles.wordpress.org\/cleverhog\/","rating":5,"author_block_rating":0,"active_installs":0,"downloads":28,"num_ratings":1,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":{"1.6.0":"<p>Use slug <strong>cleverhog-malware-scanner<\/strong> for WordPress.org. Quarantine moves to the uploads folder; restore any quarantined files before upgrading if needed.<\/p>","1.5.0":"<p>Install the <code>cleverhog-malware-doctor<\/code> folder (superseded by cleverhog-malware-scanner in 1.6.0).<\/p>","1.4.3":"<p>Renamed to Cleverhog Malware Doctor (display name only).<\/p>","1.4.2":"<p>New plugin slug <code>cleverhog-malware-plugin<\/code>. Deactivate the old folder, upload the new one, and activate.<\/p>","1.4.1":"<p>Rebranded to Cleverhog Malware Scanner. 
Same scanner features; no settings migration required.<\/p>","1.4.0":"<p>WordPress.org release with improved server limits display and uninstall cleanup.<\/p>","1.3.5":"<p>One-click plugin and theme updates from the Cleverhog Malware Scanner results list.<\/p>","1.3.4":"<p>Remove unused inactive plugins and themes from the scan results list with one click.<\/p>","1.3.3":"<p>Safer file actions: one-click delete only where removal is unlikely to break your site.<\/p>","1.3.2":"<p>Manage quarantined files from a dedicated list and restore them when needed.<\/p>","1.3.1":"<p>Act on file findings directly from scan results: preview, quarantine, delete, or restore.<\/p>","1.3.0":"<p>More accurate scans with fewer false positives and stronger malware detection.<\/p>","1.2.0":"<p>WordPress.org-ready release with Plugin Check fixes and grouped plugin integrity results.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":1},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3550969,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3550969,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":3550969,"resolution":"772x250","location":"assets","locale":"","width":2161,"height":728}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":[],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3550969,"resolution":"1","location":"assets","locale":"","width":1200,"height":900},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3550969,"resolution":"2","location":"assets","locale":"","width":1200,"height":900},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3550969,"resolution":"3","location":"assets","locale":"","width":1200,"height":900},"screenshot-4.png":{"filename":"screenshot-4.png","re
vision":3550969,"resolution":"4","location":"assets","locale":"","width":1200,"height":900}},"screenshots":{"1":"Scan configuration and live threat counter","2":"Scan results with severity filters and file details","3":"Administrator account audit","4":"Threat summary sidebar"}},"plugin_section":[],"plugin_tags":[8646,7900,1184,6464,600],"plugin_category":[54],"plugin_contributors":[264657],"plugin_business_model":[],"class_list":["post-318243","plugin","type-plugin","status-publish","hentry","plugin_tags-backdoor","plugin_tags-hacked","plugin_tags-malware","plugin_tags-scanner","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-cleverhog","plugin_committers-cleverhog"],"banners":{"banner":"https:\/\/ps.w.org\/cleverhog-malware-scanner\/assets\/banner-772x250.png?rev=3550969","banner_2x":false,"banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/cleverhog-malware-scanner\/assets\/icon-128x128.png?rev=3550969","icon_2x":"https:\/\/ps.w.org\/cleverhog-malware-scanner\/assets\/icon-256x256.png?rev=3550969","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/cleverhog-malware-scanner\/assets\/screenshot-1.png?rev=3550969","caption":"Scan configuration and live threat counter"},{"src":"https:\/\/ps.w.org\/cleverhog-malware-scanner\/assets\/screenshot-2.png?rev=3550969","caption":"Scan results with severity filters and file details"},{"src":"https:\/\/ps.w.org\/cleverhog-malware-scanner\/assets\/screenshot-3.png?rev=3550969","caption":"Administrator account audit"},{"src":"https:\/\/ps.w.org\/cleverhog-malware-scanner\/assets\/screenshot-4.png?rev=3550969","caption":"Threat summary sidebar"}],"raw_content":"<!--section=description-->\n<p><strong>Cleverhog Malware Scanner<\/strong> helps you investigate a suspicious or compromised WordPress site from the admin dashboard. 
It is <strong>free<\/strong> and may be used on <strong>unlimited websites<\/strong> with no license keys or per-site fees.<\/p>\n\n<p>This plugin <strong>detects and reports<\/strong> potential security issues. It does <strong>not<\/strong> automatically remove malware or guarantee that a site is clean. Always back up your site before changing or deleting files.<\/p>\n\n<h4>What it scans<\/h4>\n\n<ul>\n<li><strong>Files<\/strong> \u2014 Pattern-based scan of themes, plugins, uploads, wp-content, or the full site (with code snippets, file size, and last-modified date)<\/li>\n<li><strong>Backdoors<\/strong> \u2014 Must-use plugins, drop-ins, wp-config, cron jobs, and suspicious hooks<\/li>\n<li><strong>.htaccess<\/strong> \u2014 Discovers <code>.htaccess<\/code> files site-wide and lists suspicious redirects, PHP handlers in uploads, auto_prepend, cloaking rules, and more<\/li>\n<li><strong>Authentication<\/strong> \u2014 XML-RPC, user enumeration, weak salts, file editor, and SSL-related checks<\/li>\n<li><strong>Database<\/strong> \u2014 Suspicious autoloaded options and injected post content<\/li>\n<li><strong>Administrators<\/strong> \u2014 All admin users with registration dates and risk flags<\/li>\n<li><strong>Updates<\/strong> \u2014 Outdated plugins, themes, and core (high for major\/minor updates, medium for patches only)<\/li>\n<li><strong>Plugin integrity<\/strong> \u2014 WordPress.org plugins compared to official checksums (one summary per plugin)<\/li>\n<\/ul>\n\n<h4>Features<\/h4>\n\n<ul>\n<li>Live threat counter during scans<\/li>\n<li>Results sorted by severity (critical, high, medium, low)<\/li>\n<li>Last scan results restored when you reopen the dashboard<\/li>\n<li>Admin menu badge showing critical issue count<\/li>\n<li>Excludes this plugin\u2019s own files from file scans to reduce false positives<\/li>\n<\/ul>\n\n<h3>Privacy<\/h3>\n\n<p>This plugin runs entirely on your server. 
Scans do not send your site files to the plugin author.<\/p>\n\n<p>When you run a scan, the plugin may contact:<\/p>\n\n<ul>\n<li><strong>WordPress.org<\/strong> (<code>downloads.wordpress.org<\/code>) \u2014 to fetch official plugin checksums for integrity verification<\/li>\n<li><strong>WordPress.org update APIs<\/strong> \u2014 to check for available plugin, theme, and core updates (standard WordPress behavior)<\/li>\n<\/ul>\n\n<p>No personal data is collected by the plugin author. Scan results are stored in your WordPress database (options and transients) for display in the admin dashboard and are visible to users who can manage the site.<\/p>\n\n<h3>Support<\/h3>\n\n<p>Support is provided through the WordPress.org support forums after publication.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Install through <strong>Plugins \u2192 Add New<\/strong> after this plugin is on WordPress.org, or upload the <code>cleverhog-malware-scanner<\/code> folder to <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate <strong>Cleverhog Malware Scanner<\/strong><\/li>\n<li>Open <strong>Cleverhog Malware Scanner<\/strong> in the admin menu<\/li>\n<li>Choose scan types and click <strong>Start Security Scan<\/strong><\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20remove%20malware%20automatically%3F\"><h3>Does this remove malware automatically?<\/h3><\/dt>\n<dd><p>No. It shows what was found with file paths, snippets, and severity so you can investigate. Restore from backup or use professional help for active breaches.<\/p><\/dd>\n<dt id=\"can%20it%20give%20false%20positives%3F\"><h3>Can it give false positives?<\/h3><\/dt>\n<dd><p>Yes. Legitimate plugins may use patterns that look suspicious (for example <code>base64_decode<\/code>). Review every critical finding before deleting files.<\/p><\/dd>\n<dt id=\"does%20it%20scan%20its%20own%20plugin%20files%3F\"><h3>Does it scan its own plugin files?<\/h3><\/dt>\n<dd><p>No. 
The scanner excludes its own directory from file scans.<\/p><\/dd>\n<dt id=\"will%20large%20sites%20timeout%3F\"><h3>Will large sites time out?<\/h3><\/dt>\n<dd><p>File scans run in batches via AJAX to reduce PHP timeout issues.<\/p><\/dd>\n<dt id=\"which%20plugins%20can%20be%20checksum-verified%3F\"><h3>Which plugins can be checksum-verified?<\/h3><\/dt>\n<dd><p>Only plugins hosted on WordPress.org with published checksums for the installed version. Premium or custom plugins are listed as unverified; use the file malware scan on those.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.6.7<\/h4>\n\n<ul>\n<li>PHPCS\/WPCS: prefix dashboard template globals for Plugin Check compliance<\/li>\n<\/ul>\n\n<h4>1.6.6<\/h4>\n\n<ul>\n<li>WordPress.org review: all wp-admin includes centralized in Admin_Dependencies with immediate function use<\/li>\n<li>Path resolution centralized in Wp_Paths (uploads, plugins via WPMG_PLUGIN_FILE, WP_LANG_DIR, core files)<\/li>\n<li>Checksum API failures cached with a distinct marker (not an empty array)<\/li>\n<\/ul>\n\n<h4>1.6.5<\/h4>\n\n<ul>\n<li>Checksum fetch failures use a distinct transient marker so plugins are not marked verified after a failed lookup<\/li>\n<\/ul>\n\n<h4>1.6.4<\/h4>\n\n<ul>\n<li>Language pack paths use WP_LANG_DIR only (no WP_CONTENT_DIR\/languages fallback)<\/li>\n<\/ul>\n\n<h4>1.6.3<\/h4>\n\n<ul>\n<li>Quarantine and plugin-owned files use wp_upload_dir() under uploads\/cleverhog-malware-scanner (no hard-coded WP_CONTENT_DIR\/uploads paths)<\/li>\n<li>Plugin and content paths resolved via WPMG_PLUGIN_FILE and Wp_Paths helpers instead of WP_PLUGIN_DIR \/ WP_CONTENT_DIR in scanner code<\/li>\n<\/ul>\n\n<h4>1.6.2<\/h4>\n\n<ul>\n<li>All wp-admin includes go through Admin_Dependencies only (including uninstall and is_plugin_active)<\/li>\n<\/ul>\n\n<h4>1.6.1<\/h4>\n\n<ul>\n<li>WordPress.org review: centralize wp-admin includes via Admin_Dependencies (load + immediate 
use)<\/li>\n<\/ul>\n\n<h4>1.6.0<\/h4>\n\n<ul>\n<li>WordPress.org review: distinctive name <strong>Cleverhog Malware Scanner<\/strong>, slug <code>cleverhog-malware-scanner<\/code><\/li>\n<li>Quarantine files stored under uploads (not wp-content root)<\/li>\n<li>Admin menu CSS enqueued with wp_add_inline_style (no raw &lt;style&gt; in admin_head)<\/li>\n<\/ul>\n\n<h4>1.5.0<\/h4>\n\n<ul>\n<li>Full slug rename: <code>cleverhog-malware-doctor<\/code> folder, main file, text domain, and admin menu page slug<\/li>\n<\/ul>\n\n<h4>1.4.3<\/h4>\n\n<ul>\n<li>Display name updated to Cleverhog Malware Doctor<\/li>\n<\/ul>\n\n<h4>1.4.2<\/h4>\n\n<ul>\n<li>WordPress.org slug changed to <code>cleverhog-malware-plugin<\/code> (trademark)<\/li>\n<\/ul>\n\n<h4>1.4.1<\/h4>\n\n<ul>\n<li>Rebranded to Cleverhog Malware Scanner (display name and documentation)<\/li>\n<\/ul>\n\n<h4>1.4.0<\/h4>\n\n<ul>\n<li>WordPress.org readiness: textdomain loading, uninstall cleanup, server limits UI layout fix<\/li>\n<li>Server limits panel uses stacked rows (fixes overlapping table text in the admin sidebar)<\/li>\n<li>Legacy bootstrap files (wp-mal-guard.php, wp-malware-doctor.php) updated for correct plugin paths and scan exclusion<\/li>\n<li>Plugin Check: remove .DS_Store, fix screenshot filenames, WP_Filesystem for quarantine, Tested up to 7.0<\/li>\n<\/ul>\n\n<h4>1.3.9<\/h4>\n\n<ul>\n<li>Server limits panel: shows current vs recommended PHP memory and execution time<\/li>\n<li>Scan failures show an in-page error panel with tips and one-click smaller scan presets (uploads, plugins, themes, etc.)<\/li>\n<\/ul>\n\n<h4>1.3.8<\/h4>\n\n<ul>\n<li>Fix 504 gateway timeouts: start scan returns in seconds; heavy work runs across many short AJAX batches<\/li>\n<li>Incremental file-list building, plugin verification (2 per batch), and split backdoor\/htaccess scans<\/li>\n<\/ul>\n\n<h4>1.3.7<\/h4>\n\n<ul>\n<li>Fix scan 500 errors on large sites: file queue stored separately, higher PHP limits, capped plugin 
checksum depth<\/li>\n<li>Scan failures now return a clearer error message in the admin alert<\/li>\n<\/ul>\n\n<h4>1.3.6<\/h4>\n\n<ul>\n<li>Fewer false positives: theme cache PHP in uploads, payment webhooks using php:\/\/input, protective uploads .htaccess<\/li>\n<li>Weak salt check only inspects AUTH_KEY-style defines (not the word \"WordPress\" in comments)<\/li>\n<li>World-writable core check uses file permissions instead of is_writable()<\/li>\n<li>Third-party\/premium plugins reported as low-severity informational findings<\/li>\n<li>Auth and config findings no longer show unrelated file paths or action buttons<\/li>\n<\/ul>\n\n<h4>1.3.5<\/h4>\n\n<ul>\n<li>Update outdated plugins and themes directly from scan results via AJAX<\/li>\n<\/ul>\n\n<h4>1.3.4<\/h4>\n\n<ul>\n<li>Delete inactive plugins and themes directly from scan results (updates and integrity findings)<\/li>\n<\/ul>\n\n<h4>1.3.3<\/h4>\n\n<ul>\n<li>Delete is only offered for high-confidence threats (e.g. PHP in uploads, suspicious drop-zone filenames)<\/li>\n<\/ul>\n\n<h4>1.3.2<\/h4>\n\n<ul>\n<li>Quarantined files panel on the dashboard with restore, view, and permanent delete<\/li>\n<\/ul>\n\n<h4>1.3.1<\/h4>\n\n<ul>\n<li>View, quarantine, delete, and restore actions on file findings from the scan results<\/li>\n<li>File preview modal with safe path validation and quarantine storage under uploads\/cleverhog-malware-scanner\/wpmg-quarantine\/<\/li>\n<\/ul>\n\n<h4>1.3.0<\/h4>\n\n<ul>\n<li>Context-aware malware scanning (reduces false positives in translations, themes, and core)<\/li>\n<li>Smarter signatures: eval on request, webshell names, remote includes, chmod 777, and more<\/li>\n<li>Skip WordPress core\/language files; suppress noise for outdated plugins and themes<\/li>\n<li>Improved .htaccess scan; fewer backdoor\/REST\/cron false positives<\/li>\n<\/ul>\n\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>WordPress.org Plugin Check compliance (naming, i18n, privacy, nonce helpers)<\/li>\n<li>Group plugin 
integrity mismatches into one result per plugin<\/li>\n<li>Update severity: high for major\/minor updates, medium for patch-only<\/li>\n<li>Sort results by severity; persist last scan; admin menu critical badge<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Plugin integrity checksum scanner; live threat counts; dashboard UI refresh<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release (as Malware Doctor)<\/li>\n<\/ul>","raw_excerpt":"Free WordPress malware scanner by Cleverhog: detect suspicious files, backdoors, weak logins, and outdated software from your dashboard.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/318243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=318243"}],"author":[{"embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/cleverhog"}],"wp:attachment":[{"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=318243"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=318243"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=318243"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=318243"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=318243"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/twd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=318243"}],"curies":[{"n
ame":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}