File Integrity Monitoring

File Integrity Monitoring periodically scans the WordPress file system to detect unauthorized modifications, additions, and deletions. Because files are compared by SHA-256 hash, a change of even a single byte is detected.

Why File Integrity Monitoring Is Necessary

When an attack on a WordPress site succeeds, attackers typically take actions such as:

  • Installing backdoors: Placing PHP files for re-entry
  • Modifying core files: Embedding malware in wp-includes/ or wp-admin/ files
  • Tampering with themes/plugins: Adding malicious code to legitimate files
  • Adding suspicious files: Placing PHP files in the uploads/ directory

File Integrity Monitoring detects these changes in real time and notifies the administrator.

How Detection Works

Baseline Scan

During the initial scan, the SHA-256 hash of every file in the target directories is calculated and saved as a baseline.

Change Detection

Subsequent scans compare the current files against the baseline and detect the following types of changes:

| Detection Type | Description | Risk Level |
|---|---|---|
| Modified | Content change in an existing file | 🔴 High |
| Added | A new file has appeared | 🟠 Medium–High |
| Deleted | A file has been removed | 🟡 Medium |
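
The baseline-and-compare logic described above, as an added example that is not Sentinel Security's own code: it hashes a constructed sample tree, applies a `*.log` exclusion pattern, and classifies the differences into the three detection types. The function names and sample files are assumptions made for illustration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, exclude=()):
    """Map each relative file path under root to its SHA-256, skipping excluded globs."""
    hashes = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not any(fnmatch.fnmatch(rel, pat) for pat in exclude):
            hashes[rel] = sha256_file(path)
    return hashes

def compare(baseline, current):
    """Classify differences as Modified / Added / Deleted."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample tree: take a baseline, change the tree, rescan."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        write("wp-includes/version.php", b"<?php $wp_version = 'x';\n")
        write("wp-content/themes/demo/style.css", b"body{}\n")
        write("wp-content/debug.log", b"start\n")
        baseline = snapshot(root, exclude=["*.log"])
        write("wp-includes/version.php", b"<?php $wp_version = 'y';\n")  # one byte changed
        write("wp-content/uploads/new.php", b"<?php // placeholder\n")    # new file
        write("wp-content/debug.log", b"start\nmore\n")                   # excluded, ignored
        Path(root, "wp-content/themes/demo/style.css").unlink()           # file removed
        return compare(baseline, snapshot(root, exclude=["*.log"]))

if __name__ == "__main__":
    print(demo())
```

The baseline must be stored where a process running as the web server cannot rewrite it; otherwise a tampered file can be approved silently by replacing its stored hash.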

Suspicious Pattern Detection

Pattern matching within file contents detects suspicious code such as:

  • Combinations of eval() and base64_decode()
  • Direct execution of $_GET or $_POST
  • Obfuscated PHP code
  • Known malware signatures

Scan Targets

| Target | Scope | Check Type |
|---|---|---|
| WordPress Core | wp-admin/, wp-includes/ | Comparison with official hashes |
| Theme Files | wp-content/themes/ | Diff against baseline |
| Plugin Files | wp-content/plugins/ | Diff against baseline |
| Uploads | wp-content/uploads/ | Detection of executable PHP files |

Configuration

  1. Navigate to Sentinel Security → File Integrity
  2. Click the Initial Scan button to create a baseline
  3. Select target directories to scan
  4. Configure exclusion patterns (log files, cache, etc.)

Exclusion Settings

We recommend excluding the following files and directories from scanning:

  • wp-content/cache/ — Temporary files from cache plugins
  • *.log — Log files
  • wp-content/uploads/*.jpg, *.png, *.gif — Media files (if large volume slows down scans)

Directory Tree View

Scan results are displayed in a directory tree format, similar to a file manager. Each file is shown with a color-coded icon, making it easy to identify issues at a glance.

  • 🟢 No changes
  • 🔴 Modified
  • 🟠 Newly added
  • ⚪ Deleted

The tree supports expand/collapse navigation, allowing you to efficiently explore directories with issues.

Responding to Detected Changes

1. Verify Legitimate Changes

If the changes were made by you — such as WordPress updates, plugin updates, or theme edits — there is no cause for concern. Update the baseline to approve them.

2. Investigate Suspicious Changes

If unexpected changes are detected, investigate with the following steps:

  1. Review the file contents: Use the diff view to identify exact changes
  2. Check for backdoors: Look for suspicious code such as eval/base64
  3. For WordPress core files: Download the same version from wordpress.org and compare
  4. Take action: Remove suspicious code or overwrite with clean files

3. Emergency Response

If clear evidence of tampering is found, follow these steps:

  1. Put the site into maintenance mode
  2. Change all passwords (WordPress, FTP, database)
  3. Overwrite WordPress core files with the official version
  4. Restore from a clean backup
  5. Re-scan file integrity to confirm recovery

Email Notifications

When file changes are detected, the administrator is notified by email. The notification includes:

  • List of changed files
  • Change type (Modified / Added / Deleted)
  • Scan date and time