Server Security
WPHammer includes a built-in security scanning system that checks WordPress sites for known plugin vulnerabilities, file integrity issues, suspicious files, suspicious cron jobs, and server-level abuse patterns. Scan results are organized by severity and tracked through a finding lifecycle so you can triage, remediate, and verify fixes over time.
Scan types
Security scans can run as a full sweep or target specific areas. The available scan types are:
Full scan
Runs all individual checks in sequence — integrity, files, cron jobs, and vulnerabilities. This is the most thorough option and the default for scheduled scans.
Integrity check
Verifies WordPress core and plugin files against their official checksums. Any file that has been modified, added, or removed from the expected set is flagged. This catches unauthorized code changes, injected malware, and accidentally modified core files. Only files with a published checksum can be verified this way; a plugin that is not distributed through WordPress.org has none, so its files fall to the file scan instead.
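As an added illustration (example code, not WPHammer's implementation), the following Python performs the comparison described above against a manifest of relative path to MD5 digest, which is the form the WordPress.org core checksum endpoint returns. The file tree, the manifest and the severity mapping are constructed for the example; the scope prefixes decide where an unlisted file counts as "added", since an unlisted file is only evidence of tampering in a directory the manifest claims to describe completely.

```python
"""Added example, not WPHammer's own code: integrity check of a WordPress tree
against a manifest of relative path -> MD5 hex digest. The tree and manifest
are constructed in a temporary directory so the example runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a checksum manifest plus the file bodies it covers.
# Real manifests list thousands of files; four are enough to exercise every
# outcome (unchanged, modified, removed, added, out of scope, root-level file).
SAMPLE_FILES = {
    "wp-login.php": b"<?php\nrequire __DIR__ . '/wp-load.php';\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '6.5';\n",
    "wp-admin/admin.php": b"<?php\nrequire_once __DIR__ . '/admin-header.php';\n",
    "wp-includes/class-wp.php": b"<?php\nclass WP {}\n",
}

# Severity per outcome is an assumption for the example; the page does not
# document WPHammer's own mapping.
SEVERITY = {"added": "Critical", "modified": "High", "removed": "Medium"}


def md5_file(path: Path) -> str:
    """Hash in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_integrity(root: Path, manifest: dict, scopes: tuple) -> list:
    """Return findings for files that differ from `manifest`.

    Every manifest entry is checked for modification or removal wherever it
    sits. Only files under `scopes` (prefixes the manifest fully describes)
    are reported as 'added' when unlisted; uploads and third-party plugins
    outside those prefixes are ignored here.
    """
    root = root.resolve()
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            expected = manifest.get(rel)
            if expected is None:
                if not rel.startswith(scopes):
                    continue
                outcome = "added"
            elif md5_file(full) != expected:
                outcome = "modified"
            else:
                continue
            findings.append({"outcome": outcome, "path": rel, "severity": SEVERITY[outcome]})
    for rel in manifest:
        if not (root / rel).is_file():
            findings.append({"outcome": "removed", "path": rel, "severity": SEVERITY["removed"]})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_site(root: Path) -> dict:
    """Write the constructed tree under `root` and return its manifest.

    The tree deliberately deviates from the manifest: admin.php gets a line
    appended, class-wp.php is never written, a hidden PHP file appears in
    wp-includes, and an image lands in uploads (out of scope, not reported).
    """
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in SAMPLE_FILES.items()}
    for rel, body in SAMPLE_FILES.items():
        if rel == "wp-includes/class-wp.php":
            continue
        if rel == "wp-admin/admin.php":
            body += b"eval(base64_decode('ZWNobyAnaGknOw=='));\n"  # decodes to: echo 'hi';
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    (root / "wp-includes" / ".cache.php").write_bytes(b"<?php\n/* not part of core */\n")
    upload = root / "wp-content" / "uploads" / "2024" / "photo.jpg"
    upload.parent.mkdir(parents=True, exist_ok=True)
    upload.write_bytes(b"\xff\xd8\xff\xe0 constructed, not a real JPEG")
    return manifest


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_sample_site(root)
        return check_integrity(root, manifest, scopes=("wp-admin/", "wp-includes/"))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['severity']:<8} {f['outcome']:<9} {f['path']}")
```

Two points the listing makes concrete: a manifest-listed file anywhere (including root-level `wp-login.php`) is checked for changes, while "added" is only meaningful inside directories the manifest covers, which is why `photo.jpg` under uploads produces nothing here and is left to the file scan.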
File scan
Scans site directories for suspicious files: files with unusual extensions, obfuscated code patterns, or names that match known malware signatures. This check covers what the integrity check cannot vouch for, such as uploads and plugins without published checksums, and so catches threats that integrity checks alone would miss.
Vulnerability check
Cross-references installed plugins against the Wordfence Intelligence vulnerability database. Each plugin slug and version is checked for known CVEs. Results include the CVE identifier, severity rating, affected versions, and whether a patched version is available.
Vulnerability database responses are cached for 24 hours, and lookups are sent in batches of up to 50 plugin slugs per request to stay within the API's rate limits.
Cron audit
Inspects WordPress cron jobs for suspicious entries: hooks pointing at unexpected URLs or external callbacks, and hooks or schedules that no installed plugin is known to register. Compromised cron jobs are a common persistence mechanism for malware, because a scheduled hook keeps re-running attacker code after the file that planted it has been cleaned up.
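As an added example (not WPHammer's code), here is a cron audit over a constructed list of scheduled events shaped like `{hook, schedule, args}`. On a real site the schedule lives in the `cron` option as a serialized PHP array; `wp cron event list --format=json` is one way to export it, and the shape used below is an assumption rather than that command's exact output. The allowlist of core hook names and installed-plugin prefixes, the site host and the severity mapping are all constructed for the example.

```python
"""Added example, not WPHammer's own code: audit of scheduled WordPress cron
events for unknown hooks, unregistered schedules and external callbacks."""
import re
from urllib.parse import urlparse

SITE_HOST = "example.com"  # assumption: the audited site's own host
# Hooks WordPress core schedules itself (a partial list is enough here).
CORE_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
    "wp_privacy_delete_old_export_files", "recovery_mode_clean_expired_keys",
    "wp_site_health_scheduled_check",
}
# Assumption: prefixes of hooks registered by the plugins installed on this site.
KNOWN_PREFIXES = ("example_seo_", "example_backup_")
STANDARD_SCHEDULES = {"hourly", "twicedaily", "daily", "weekly"}
# Assumption: custom intervals the installed plugins add via the cron_schedules filter.
PLUGIN_SCHEDULES = {"example_backup_every_six_hours"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _strings(value):
    """Yield every string nested anywhere inside the event's args."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)


def _is_external(host: str, site_host: str) -> bool:
    return host != site_host and not host.endswith("." + site_host)


def audit_cron(events, site_host=SITE_HOST, known_prefixes=KNOWN_PREFIXES) -> list:
    findings = []
    for ev in events:
        hook, schedule = ev["hook"], ev.get("schedule")
        reasons = []
        unknown_hook = hook not in CORE_HOOKS and not hook.startswith(known_prefixes)
        if unknown_hook:
            reasons.append("hook not registered by core or an installed plugin")
        if schedule and schedule not in STANDARD_SCHEDULES and schedule not in PLUGIN_SCHEDULES:
            reasons.append(f"schedule '{schedule}' is not one any installed plugin registers")
        external = []
        for text in _strings(ev.get("args", [])):
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname
                if host and _is_external(host, site_host):
                    external.append(host)
        if external:
            reasons.append("callback to external host(s): " + ", ".join(sorted(set(external))))
        if not reasons:
            continue
        # Severity is an assumption: an unknown hook that calls out is the classic backdoor.
        severity = "Critical" if (external and unknown_hook) else "High" if external else "Medium"
        findings.append({"type": "suspicious cron", "hook": hook, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample: three legitimate events, one planted hook, one plugin that phones home.
SAMPLE_EVENTS = [
    {"hook": "wp_version_check", "schedule": "twicedaily", "args": []},
    {"hook": "example_seo_sitemap_ping", "schedule": "daily", "args": [{"url": "https://example.com/sitemap.xml"}]},
    {"hook": "example_backup_run", "schedule": "example_backup_every_six_hours", "args": []},
    {"hook": "wp_cache_refresh", "schedule": "every_minute", "args": [{"src": "http://203.0.113.77/u.php?x=1"}]},
    {"hook": "example_seo_report", "schedule": "weekly", "args": [{"post_to": "https://stats.example.net/collect"}]},
]

if __name__ == "__main__":
    for f in audit_cron(SAMPLE_EVENTS):
        print(f["severity"], f["hook"], "; ".join(f["reasons"]))
```

The `wp_cache_refresh` entry is the pattern to look for: a core-sounding name that core never registers, a one-minute interval nothing installed declares, and an argument pointing at a bare IP. A plugin of your own that reports to a vendor host still surfaces, at lower severity, so the operator can decide whether to accept it (a candidate for a suppression rule).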
Abuse detection
Analyzes server access logs to identify abuse patterns — brute-force login attempts, automated scanning, and other suspicious traffic. This check operates at the server level rather than per-site.
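The detection logic below is an added example, not WPHammer's implementation, run over a constructed access log in the common combined format that Apache and nginx write by default. It flags two of the patterns named above: credential brute force as a burst of `POST` requests to `wp-login.php` or `xmlrpc.php` from one address inside a sliding time window, and scanning as one address accumulating many distinct 404 paths. The thresholds, window and log lines are constructed, and lines are assumed to arrive in time order per address, as a server's own log does.

```python
"""Added example, not WPHammer's own code: abuse detection over combined-format
access log lines (brute force against login endpoints, path scanning)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")
BRUTE_FORCE_THRESHOLD = 10              # assumption: POSTs to a login endpoint ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... from one IP inside this window
SCAN_404_THRESHOLD = 6                  # assumption: distinct 404 paths from one IP


def parse_line(line: str):
    """Parse one combined-format line; return None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # query strings vary; count the path
        "status": int(m["status"]),
    }


def detect_abuse(lines):
    """Return (findings, number of lines skipped as unparseable)."""
    login_hits = defaultdict(deque)   # ip -> timestamps of login POSTs in the window
    not_found = defaultdict(set)      # ip -> distinct paths that returned 404
    flagged = {}                      # (ip, pattern) -> finding, one per pair
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ip = rec["ip"]
        if rec["method"] == "POST" and rec["path"] in LOGIN_ENDPOINTS:
            q = login_hits[ip]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > BRUTE_FORCE_WINDOW:
                q.popleft()              # drop attempts that fell out of the window
            if len(q) >= BRUTE_FORCE_THRESHOLD and (ip, "brute force") not in flagged:
                flagged[(ip, "brute force")] = {
                    "type": "abuse pattern", "pattern": "brute force", "ip": ip, "severity": "High",
                    "evidence": f"{len(q)} login POSTs between {q[0].isoformat()} and {rec['ts'].isoformat()}",
                }
        if rec["status"] == 404:
            not_found[ip].add(rec["path"])
            if len(not_found[ip]) >= SCAN_404_THRESHOLD and (ip, "scanning") not in flagged:
                flagged[(ip, "scanning")] = {
                    "type": "abuse pattern", "pattern": "scanning", "ip": ip, "severity": "Medium",
                    "evidence": f"{len(not_found[ip])} distinct paths returned 404",
                }
    return list(flagged.values()), skipped


def _line(ip, ts, method, path, status, ua="Mozilla/5.0"):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log() -> list:
    """Constructed log: one brute-forcer, one scanner, two benign clients, one bad line."""
    t0 = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.5", t0 + timedelta(seconds=3 * i), "POST", "/wp-login.php", 200,
                   "python-requests/2.31") for i in range(12)]          # 12 POSTs in 33 s
    lines.append(_line("198.51.100.7", t0 + timedelta(seconds=5), "GET", "/wp-login.php", 200))
    lines.append(_line("198.51.100.7", t0 + timedelta(seconds=20), "POST", "/wp-login.php", 302))
    probes = ["/.env", "/wp-config.php.bak", "/xmlrpc.php.old", "/backup.zip",
              "/.git/config", "/phpinfo.php", "/wp-content/debug.log"]
    lines += [_line("192.0.2.9", t0 + timedelta(seconds=40 + i), "GET", p, 404) for i, p in enumerate(probes)]
    # Same number of POSTs as the attacker but one per minute: no burst, not flagged.
    lines += [_line("198.51.100.30", t0 + timedelta(minutes=i), "POST", "/xmlrpc.php", 200) for i in range(11)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    findings, skipped = detect_abuse(build_sample_log())
    for f in findings:
        print(f["severity"], f["pattern"], f["ip"], f["evidence"])
    print(f"{skipped} unparseable line(s) skipped")
```

The sliding window is the part worth copying: counting requests per hour would either miss a 30-second burst or flag a legitimate client that logs in a dozen times in a day, as `198.51.100.30` shows. Counting `GET /wp-login.php` would be wrong too, since every page load of the login form is a GET.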
Findings
Each issue discovered by a scan is recorded as a finding with the following attributes:
- Severity — Critical, High, Medium, Low, or Informational, each with a color-coded indicator
- Type — the category of the finding (core integrity, plugin integrity, suspicious file, file permission, vulnerability, suspicious cron, abandoned plugin, or abuse pattern)
- Status — the current lifecycle state: New, Regressed, Resolved, Dismissed, False Positive, or Suppressed
- Details — title, description, file path, CVE ID (for vulnerabilities), affected and patched versions, and patch availability
Finding lifecycle
Findings move through a lifecycle as you investigate and address them:
- New — just discovered by a scan
- Resolved — you have confirmed the issue is fixed (manually or via remediation)
- Regressed — a previously resolved finding has reappeared in a later scan
- Dismissed — you have reviewed and intentionally set aside this finding
- False Positive — the finding does not represent an actual threat
- Suppressed — automatically suppressed by a matching suppression rule
Patch status
For vulnerability findings, WPHammer tracks whether the issue is patchable:
- Patchable — an updated version is available that fixes the vulnerability
- Unpatched — no fix is available yet from the plugin author
- Abandoned — the plugin appears to be abandoned with no expected fix
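The following added example (not WPHammer's code) ties the vulnerability check and the patch status together: a lookup layer that caches feed responses for 24 hours and sends slugs in batches of 50, version-range matching for each installed plugin, and classification into Patchable, Unpatched or Abandoned. The record shape is a constructed simplification; the real Wordfence Intelligence feed has its own schema. The fetch function is a stand-in that reads a constructed feed, the clock is injectable so the cache expiry can be exercised, and the two-year "abandoned" cut-off is an assumption.

```python
"""Added example, not WPHammer's own code: cached, batched vulnerability lookup
plus version-range matching and patch-status classification."""
import re
from datetime import datetime, timedelta, timezone


def parse_version(v: str) -> tuple:
    """'1.10.2-beta' -> (1, 10, 2). Stops at the first non-numeric component."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Numeric comparison; string comparison would rank '1.9.9' above '1.10.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))   # so 2.3 == 2.3.0
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def version_affected(installed: str, rng: dict) -> bool:
    lo, hi = rng.get("from_version", "*"), rng.get("to_version", "*")
    if lo != "*":
        c = cmp_versions(installed, lo)
        if c < 0 or (c == 0 and not rng.get("from_inclusive", True)):
            return False
    if hi != "*":
        c = cmp_versions(installed, hi)
        if c > 0 or (c == 0 and not rng.get("to_inclusive", True)):
            return False
    return True


ABANDONED_AFTER = timedelta(days=730)  # assumption: no plugin release in two years


def patch_status(record: dict, now: datetime) -> str:
    if record.get("patched_version"):
        return "Patchable"
    last = record.get("plugin_last_updated")
    if last is not None and now - last > ABANDONED_AFTER:
        return "Abandoned"
    return "Unpatched"


def batched(items: list, size: int):
    for i in range(0, len(items), size):
        yield items[i:i + size]


class VulnFeed:
    """Lookup with per-slug TTL cache; only stale slugs are sent, 50 per request."""

    def __init__(self, fetch, clock, ttl=timedelta(hours=24), batch_size=50):
        self.fetch, self.clock, self.ttl, self.batch_size = fetch, clock, ttl, batch_size
        self._cache = {}   # slug -> (fetched_at, records)

    def records_for(self, slugs: list) -> dict:
        now = self.clock()
        stale = [s for s in slugs if s not in self._cache or now - self._cache[s][0] >= self.ttl]
        for batch in batched(stale, self.batch_size):
            for slug, recs in self.fetch(batch).items():
                self._cache[slug] = (now, recs)   # empty lists are cached too
        return {s: self._cache.get(s, (None, []))[1] for s in slugs}


def check_plugins(installed: dict, feed: VulnFeed, now: datetime) -> list:
    findings = []
    records = feed.records_for(list(installed))
    for slug, version in installed.items():
        for rec in records.get(slug, []):
            if any(version_affected(version, r) for r in rec["affected_versions"]):
                findings.append({"type": "vulnerability", "slug": slug, "installed": version,
                                 "cve": rec["cve"], "severity": rec["severity"],
                                 "patched_version": rec.get("patched_version"),
                                 "patch_status": patch_status(rec, now)})
    return findings


# Constructed feed and inventory; slugs and CVE placeholders are not real identifiers.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
FEED = {
    "example-contact-widget": [{"cve": "CVE-EXAMPLE-0001", "severity": "High",
        "affected_versions": [{"from_version": "*", "to_version": "2.3.1", "to_inclusive": True}],
        "patched_version": "2.3.2", "plugin_last_updated": NOW - timedelta(days=3)}],
    "example-gallery": [{"cve": "CVE-EXAMPLE-0002", "severity": "Medium",
        "affected_versions": [{"from_version": "*", "to_version": "1.9.9", "to_inclusive": True}],
        "patched_version": "2.0.0", "plugin_last_updated": NOW - timedelta(days=30)}],
    "example-old-slider": [{"cve": "CVE-EXAMPLE-0003", "severity": "Critical",
        "affected_versions": [{"from_version": "*", "to_version": "*"}],
        "patched_version": None, "plugin_last_updated": datetime(2019, 6, 1, tzinfo=timezone.utc)}],
    "example-forms": [{"cve": "CVE-EXAMPLE-0004", "severity": "High",
        "affected_versions": [{"from_version": "3.0.0", "to_version": "3.2.0", "to_inclusive": True}],
        "patched_version": None, "plugin_last_updated": NOW - timedelta(days=10)}],
}
INSTALLED = {"example-contact-widget": "2.3.1", "example-gallery": "1.10.0",
             "example-old-slider": "0.9", "example-forms": "3.2.0", "example-clean": "1.0"}


class CountingFetch:
    """Stand-in for the HTTP client; records each batch it is asked for."""
    def __init__(self):
        self.calls = []

    def __call__(self, slugs):
        self.calls.append(list(slugs))
        return {s: FEED.get(s, []) for s in slugs}


class FakeClock:
    def __init__(self, t):
        self.now = t

    def __call__(self):
        return self.now


def run_demo():
    fetch, clock = CountingFetch(), FakeClock(NOW)
    feed = VulnFeed(fetch, clock)
    findings = check_plugins(INSTALLED, feed, NOW)
    many = {f"example-plugin-{i}": "1.0" for i in range(120)}   # forces 50/50/20 batches
    check_plugins(many, feed, NOW)
    check_plugins(many, feed, NOW)            # all cached: no request
    clock.now = NOW + timedelta(hours=25)
    check_plugins(many, feed, clock.now)      # cache expired: fetched again
    return findings, [len(c) for c in fetch.calls]


if __name__ == "__main__":
    findings, batch_sizes = run_demo()
    for f in findings:
        print(f["severity"], f["slug"], f["installed"], f["cve"], f["patch_status"])
    print("batch sizes requested:", batch_sizes)
```

`example-gallery` at 1.10.0 is the case that catches naive implementations: a lexical compare would place it below 1.9.9 and report a vulnerability that is already fixed. The cache stores empty results as well, so a clean plugin is not re-queried on every scan within the 24-hour window.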
Suppression rules
Teams can create rules to automatically suppress findings that match specific criteria. This is useful for known false positives, accepted risks, or findings from plugins that your team has already reviewed. Suppression rules can match on finding type, title pattern, plugin slug, or other fields, and they apply automatically to new scan results. A matching finding is still recorded, with the status Suppressed, rather than discarded, so the record of what the scan saw is preserved.
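To show how the lifecycle states and suppression rules interact across scans, here is an added example that is not WPHammer's code: a reconciliation step that takes the findings stored from earlier scans and the findings a new scan produced and assigns each a status. It identifies a finding by a fingerprint of type, location (path, plugin slug or cron hook) and CVE; that key, the rule fields and the sample findings are assumptions. It does not auto-resolve open findings a scan no longer reports, since on this page Resolved is a state the operator confirms; instead it returns them for verification.

```python
"""Added example, not WPHammer's own code: assigning lifecycle statuses to one
scan's findings against the stored set, with suppression rules applied."""
import re

NEW, REGRESSED, RESOLVED = "New", "Regressed", "Resolved"
DISMISSED, FALSE_POSITIVE, SUPPRESSED = "Dismissed", "False Positive", "Suppressed"
OPEN = {NEW, REGRESSED}


def fingerprint(f: dict) -> tuple:
    """Stable identity across scans; assumption for the example."""
    return (f["type"], f.get("path") or f.get("slug") or f.get("hook") or "", f.get("cve") or "")


def rule_matches(rule: dict, finding: dict) -> bool:
    """Every field present in the rule must match; an empty rule matches nothing."""
    if not rule:
        return False
    if "type" in rule and finding["type"] != rule["type"]:
        return False
    if "slug" in rule and finding.get("slug") != rule["slug"]:
        return False
    if "path" in rule and finding.get("path") != rule["path"]:
        return False
    if "title_pattern" in rule and not re.search(rule["title_pattern"], finding.get("title", "")):
        return False
    return True


def reconcile(stored: dict, scanned: list, rules: list):
    """Return (updated store, fingerprints of open findings the scan did not report).

    Not previously seen -> New, or Suppressed if a rule matches.
    Previously Resolved  -> Regressed (the fix did not hold).
    Previously open      -> status kept, details refreshed from the new scan.
    Dismissed / False Positive / Suppressed -> kept as the operator or rule set them.
    """
    updated = dict(stored)
    seen = set()
    for finding in scanned:
        key = fingerprint(finding)
        seen.add(key)
        prior = stored.get(key)
        if prior is None:
            status = SUPPRESSED if any(rule_matches(r, finding) for r in rules) else NEW
        elif prior["status"] == RESOLVED:
            status = REGRESSED
        else:
            status = prior["status"]
        updated[key] = {**finding, "status": status}
    unseen = [k for k, f in stored.items() if f["status"] in OPEN and k not in seen]
    return updated, unseen


def run_demo():
    # Constructed state from earlier scans, keyed by fingerprint.
    stored = {}
    for f in [
        {"type": "core integrity", "path": "wp-includes/class-wp.php", "title": "Checksum mismatch", "status": RESOLVED},
        {"type": "vulnerability", "slug": "example-forms", "cve": "CVE-EXAMPLE-0004",
         "title": "Known vulnerability in example-forms", "status": NEW},
        {"type": "file permission", "path": "wp-config.php", "title": "World-readable wp-config.php", "status": DISMISSED},
    ]:
        stored[fingerprint(f)] = f
    # Constructed results of the latest scan.
    scanned = [
        {"type": "core integrity", "path": "wp-includes/class-wp.php", "title": "Checksum mismatch"},
        {"type": "file permission", "path": "wp-config.php", "title": "World-readable wp-config.php"},
        {"type": "abandoned plugin", "slug": "example-legacy-widget", "title": "Plugin not updated in 4 years"},
        {"type": "suspicious file", "path": "wp-content/uploads/2024/05/image.jpg.php", "title": "Executable file under uploads"},
        {"type": "suspicious cron", "hook": "example_nightly_export", "title": "Cron hook example_nightly_export posts to an external URL"},
    ]
    rules = [
        {"type": "abandoned plugin", "slug": "example-legacy-widget"},              # accepted risk
        {"type": "suspicious cron", "title_pattern": r"^Cron hook example_nightly_export\b"},  # reviewed
    ]
    return reconcile(stored, scanned, rules)


if __name__ == "__main__":
    updated, unseen = run_demo()
    for key, f in updated.items():
        print(f"{f['status']:<15} {key[0]:<18} {key[1]}")
    print("open but not reported this scan (verify the fix):", unseen)
```

The checksum mismatch on `class-wp.php` is the case the Regressed state exists for: it was marked Resolved, it came back, and it should not re-enter the queue quietly as New. The `example-forms` vulnerability was open and is absent from this scan, which is what you would expect after a plugin update, but the example leaves it for the operator to mark Resolved.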
Scheduling
Security scans can be triggered manually from the site or server detail page, or they run on a configurable schedule as background jobs. Each scan records its duration, status (pending, running, completed, or failed), and a summary of findings by severity.
Related
- Server Overview — Server list and status indicators
- Server Health — Health metrics and monitoring
- WordPress Plugins — Plugin vulnerability status from the WordPress side