File Change Monitor
File Change Monitor periodically scans the WordPress file system to detect unauthorized modifications, additions, and deletions. Because each file is checked by SHA-256 hash comparison, even a single-byte change is detected.
Why File Change Monitoring Is Necessary
When an attack on a WordPress site succeeds, attackers typically take actions such as:
- Installing backdoors: Placing PHP files for re-entry
- Modifying core files: Embedding malware in wp-includes/ or wp-admin/ files
- Tampering with themes/plugins: Adding malicious code to legitimate files
- Adding suspicious files: Placing PHP files in the uploads/ directory
How Detection Works
Baseline Scan
During the initial scan, the SHA-256 hash of every file in the target directories is calculated and saved as a baseline.
Change Detection
Subsequent scans compare the current files against the baseline and detect the following types of changes:
| Detection Type | Description | Risk Level |
|---|---|---|
| Modified | Content change in an existing file | 🔴 High |
| Added | A new file has appeared | 🟠 Medium–High |
| Deleted | A file has been removed | 🟡 Medium |
Suspicious Pattern Detection
Pattern matching within file contents detects suspicious code such as:
- Combinations of eval() and base64_decode()
- Direct execution of $_GET or $_POST
- Obfuscated PHP code
- Known suspicious code patterns often abused by malware
Scan Targets
| Target | Scope | Check Type |
|---|---|---|
| WordPress Core | wp-admin/, wp-includes/ | Diff against baseline |
| Theme Files | wp-content/themes/ | Diff against baseline |
| Plugin Files | wp-content/plugins/ | Diff against baseline |
| Uploads | wp-content/uploads/ | Detection of executable PHP files |
Note: WordPress Core files are compared against the baseline created during the initial scan, not against official WordPress.org hashes. For manual verification of specific files, download the same version from wordpress.org and compare locally.
Configuration
- Navigate to SentinelSecurity → File Change Monitor
- Click the Initial Scan button to create a baseline
- Select target directories to scan
- Configure exclusion patterns (log files, cache, etc.)
Exclusion Settings
Excluding the following files and directories from scanning is recommended:
- wp-content/cache/ — Temporary files from cache plugins
- *.log — Log files
- wp-content/uploads/*.jpg, *.gif, *.png — Media files (if large volume slows down scans)
Scan Results
Scan results are displayed as a table. Each row shows the scan time, the scan type, and the number of modified, added, and deleted files.
| Column | Description |
|---|---|
| Scan Time | Date and time the scan ran |
| Type | Initial / Manual / Auto |
| Modified | Number of files with content changes |
| Added | Number of newly added files |
| Deleted | Number of removed files |
Monitor Scope Selection
You choose which directories to monitor using a tree-style checkbox interface. Directories can be expanded or collapsed, making it easy to select exactly the scope you need.
Responding to Detected Changes
1. Verify Legitimate Changes
If the changes were made by you — such as WordPress updates, plugin updates, or theme edits — there is no cause for concern. Update the baseline to approve them.
2. Investigate Suspicious Changes
If unexpected changes are detected, investigate with the following steps:
- Review the file contents: Use the diff view to identify exact changes
- Check for backdoors: Look for suspicious code such as eval/base64
- For WordPress core files: Download the same version from wordpress.org and compare
- Take action: Remove suspicious code or overwrite with clean files
3. Emergency Response
If clear evidence of tampering is found, follow these steps:
- Put the site into maintenance mode
- Change all passwords (WordPress, FTP, database)
- Overwrite WordPress core files with the official version
- Restore from a clean backup
- Re-scan with File Change Monitor to confirm recovery
Email Notifications
When file changes are detected, the administrator is notified by email. The notification includes:
- List of changed files
- Change type (Modified / Added / Deleted)
- Scan date and time