Cleverhog Malware Scanner helps you investigate a suspicious or compromised WordPress site from the admin dashboard. It is free and may be used on unlimited websites with no license keys or per-site fees.
This plugin detects and reports potential security issues. It does not automatically remove malware or guarantee that a site is clean. Always back up your site before changing or deleting files.
What it scans
- Files — Pattern-based scan of themes, plugins, uploads, wp-content, or the full site (with code snippets, file size, and last-modified date)
- Backdoors — Must-use plugins, drop-ins, wp-config, cron jobs, and suspicious hooks
- .htaccess — Discovers
.htaccessfiles site-wide and lists suspicious redirects, PHP handlers in uploads, auto_prepend, cloaking rules, and more - Authentication — XML-RPC, user enumeration, weak salts, file editor, and SSL-related checks
- Database — Suspicious autoloaded options and injected post content
- Administrators — All admin users with registration dates and risk flags
- Updates — Outdated plugins, themes, and core (medium for major/minor updates, low for patch-only updates)
- Plugin integrity — WordPress.org plugins compared to official checksums (one summary per plugin)
Features
- Live threat counter during scans
- Results sorted by severity (critical, high, medium, low)
- Last scan results restored when you reopen the dashboard
- Admin menu badge showing critical issue count
- Excludes this plugin’s own files from file scans to reduce false positives
Privacy
This plugin runs entirely on your server. Scans do not send your site files to the plugin author.
When you run a scan, the plugin may contact:
- WordPress.org (
downloads.wordpress.org) — to fetch official plugin checksums for integrity verification - WordPress.org update APIs — to check for available plugin, theme, and core updates (standard WordPress behavior)
No personal data is collected by the plugin author. Scan results are stored in your WordPress database (options and transients) for display in the admin dashboard and are visible to users who can manage the site.
Support
Support is provided through the WordPress.org support forums after publication.
