File Integrity Monitoring
File Integrity Monitoring periodically scans the WordPress file system to detect unauthorized modifications, additions, and deletions. Using SHA-256 hash comparison, even a single byte change will not go unnoticed.
Why File Integrity Monitoring Is Necessary
When an attack on a WordPress site succeeds, attackers typically take actions such as:
- Installing backdoors: Placing PHP files for re-entry
- Modifying core files: Embedding malware in wp-includes/ or wp-admin/ files
- Tampering with themes/plugins: Adding malicious code to legitimate files
- Adding suspicious files: Placing PHP files in the uploads/ directory
How Detection Works
Baseline Scan
During the initial scan, the SHA-256 hash of every file in the target directories is calculated and saved as a baseline.
Change Detection
Subsequent scans compare the current files against the baseline and detect the following types of changes:
| Detection Type | Description | Risk Level |
|---|---|---|
| Modified | Content change in an existing file | 🔴 High |
| Added | A new file has appeared | 🟠 Medium–High |
| Deleted | A file has been removed | 🟡 Medium |
Suspicious Pattern Detection
Pattern matching within file contents detects suspicious code such as:
- Combinations of eval() and base64_decode()
- Direct execution of $_GET or $_POST
- Obfuscated PHP code
- Known malware signatures
Scan Targets
| Target | Scope | Check Type |
|---|---|---|
| WordPress Core | wp-admin/, wp-includes/ | Comparison with official hashes |
| Theme Files | wp-content/themes/ | Diff against baseline |
| Plugin Files | wp-content/plugins/ | Diff against baseline |
| Uploads | wp-content/uploads/ | Detection of executable PHP files |
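The baseline-and-compare logic described under How Detection Works, together with the uploads check from the Scan Targets table, as an added Python example. It is not SentinelSecurity's own code; the function names, the extension list and the sample site tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):  # stream large files
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return hashes

def compare(baseline, current):
    """Classify differences into the three detection types."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }

def php_in_uploads(current, exts=(".php", ".phtml", ".phar")):
    """Uploads check: report PHP-type files (the extension list is an assumption)."""
    return sorted(p for p in current
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(exts))

def demo():
    """Constructed site tree: take a baseline, change three files, rescan."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        write("wp-includes/version.php", b"<?php $wp_version = 'x';")
        write("wp-content/themes/demo/style.css", b"body{}")
        baseline = snapshot(root)
        write("wp-includes/version.php", b"<?php $wp_version = 'x'; ")  # one byte added
        write("wp-content/uploads/2024/img.php", b"<?php // constructed sample")
        os.remove(os.path.join(root, "wp-content", "themes", "demo", "style.css"))
        current = snapshot(root)
        return compare(baseline, current), php_in_uploads(current)
```

Calling demo() returns the classified changes and the flagged uploads file; the single appended space in version.php is enough to change its hash and report it as modified.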
Configuration
- Navigate to SentinelSecurity → File Integrity
- Click the Initial Scan button to create a baseline
- Select target directories to scan
- Configure exclusion patterns (log files, cache, etc.)
Exclusion Settings
We recommend excluding the following files and directories from scanning:
- wp-content/cache/ — Temporary files from cache plugins
- *.log — Log files
- wp-content/uploads/*.jpg, *.gif, *.png — Media files (if large volume slows down scans)
Directory Tree View
Scan results are displayed in a directory tree format, similar to a file manager. Each file is shown with a color-coded icon, making it easy to identify issues at a glance.
- 🟢 No changes
- 🔴 Modified
- 🟠 Newly added
- ⚪ Deleted
Responding to Detected Changes
1. Verify Legitimate Changes
If the changes were made by you — such as WordPress updates, plugin updates, or theme edits — there is no cause for concern. Update the baseline to approve them.
2. Investigate Suspicious Changes
If unexpected changes are detected, investigate with the following steps:
- Review the file contents: Use the diff view to identify exact changes
- Check for backdoors: Look for suspicious code such as eval/base64
- For WordPress core files: Download the same version from wordpress.org and compare
- Take action: Remove suspicious code or overwrite with clean files
3. Emergency Response
If clear evidence of tampering is found, follow these steps:
- Put the site into maintenance mode
- Change all passwords (WordPress, FTP, database)
- Overwrite WordPress core files with the official version
- Restore from a clean backup
- Re-scan file integrity to confirm recovery
Email Notifications
When file changes are detected, the administrator is notified by email. The notification includes:
- List of changed files
- Change type (Modified / Added / Deleted)
- Scan date and time