A security scan tells you what's wrong right now. File integrity monitoring tells you the moment something changes — giving you a fighting chance to catch an attack before it spreads. Not sure if your site is already compromised? Check the warning signs of a hacked WordPress site first.
How file integrity monitoring works
The concept is simple:
- Baseline scan — hash every PHP file on your site and store the fingerprints
- Continuous monitoring — re-hash files on every page load (for high-risk paths) and on scheduled scans
- Alert on change — any file whose hash doesn't match the baseline triggers an immediate alert
The hash is typically SHA-1 or MD5. Since we're detecting unauthorised changes (not collision attacks), SHA-1 is sufficient and significantly faster across thousands of files.
What WO Security Shield monitors
WO Security Shield baselines and monitors:
| Path | Why it matters |
|---|---|
| wp-admin/ | Core admin files — any modification is a red flag |
| wp-includes/ | Core WordPress libraries — attackers inject here for persistence |
| wp-content/plugins/ | Your plugin files — each plugin gets its own baseline (malware often hides here) |
| wp-content/themes/ | Theme files — functions.php is a common injection point |
| mu-plugins/ | Must-use plugins — often used for persistence because they can't be disabled |
| WordPress root | wp-config.php, index.php, .htaccess |
Near-real-time detection
Full scans run on a schedule, but WO Security Shield also runs a lightweight check on every WordPress page load that examines files modified in the last 10 minutes in high-risk directories. This means you're typically alerted within minutes of an infection, not hours.
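A sketch of the lightweight check described above, added here as an illustration in Python and not WO Security Shield's own code: only files in high-risk directories whose modification time falls inside the 10-minute window are re-hashed against the baseline. The directory list, function names and sample tree are assumptions; because a file's modification time is metadata that whoever writes the file can also set, the scheduled full scan stays the authoritative check.

```python
import hashlib
import os
import tempfile
import time

# Assumed set of "high-risk" directories, relative to the WordPress root.
HIGH_RISK = ("wp-admin", "wp-includes", "wp-content/plugins",
             "wp-content/themes", "wp-content/mu-plugins")
WINDOW = 10 * 60  # seconds, the 10-minute window described above

def sha1(path):
    with open(path, "rb") as fh:
        return hashlib.sha1(fh.read()).hexdigest()

def quick_check(root, baseline, now=None, window=WINDOW):
    """Re-hash only recently modified files; return those new or changed."""
    now = time.time() if now is None else now
    findings = []
    for top in HIGH_RISK:
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for name in files:
                full = os.path.join(dirpath, name)
                if now - os.stat(full).st_mtime > window:
                    continue  # older than the window: left to the scheduled scan
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if baseline.get(rel) != sha1(full):
                    findings.append(rel)
    return sorted(findings)

def demo():
    """Constructed tree: age every file by an hour, then change one theme file."""
    files = {"wp-includes/load.php": b"<?php // constructed\n",
             "wp-content/themes/demo/functions.php": b"<?php // constructed\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = {rel: sha1(os.path.join(root, rel)) for rel in files}
        hour_ago = time.time() - 3600
        for rel in files:
            os.utime(os.path.join(root, rel), (hour_ago, hour_ago))
        with open(os.path.join(root, "wp-content/themes/demo/functions.php"), "ab") as fh:
            fh.write(b"// appended after the baseline\n")
        return quick_check(root, baseline)

if __name__ == "__main__":
    print(demo())
```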
Why baselines matter for plugins
When you update a plugin, its files legitimately change — that's expected. WO Security Shield handles this gracefully:
- After updating a plugin, you approve a new baseline for it
- All previous file_integrity_change alerts for that plugin are automatically dismissed
- A fresh sync is triggered to update your WO Security Shield dashboard
This means you only see alerts that actually matter — not false positives from routine updates.
Core checksum verification
Beyond your own baseline, WO Security Shield fetches the official WordPress checksum list from api.wordpress.org and compares every core file's MD5. If a core file has been tampered with, it shows up immediately with a "Restore Official Copy" action that fetches the original file directly from WordPress.org.
Setting up monitoring in under 5 minutes
- Install WO Security Shield
- Go to Monitoring → Plugin Integrity
- Click "Run Security Scan" to build your initial baseline
- Enable scheduled monitoring
From that point forward, any unauthorised file change will appear as a finding in your dashboard — both locally in WordPress and in the WO Security Shield SaaS dashboard if you've connected your site.
File integrity monitoring won't stop every attack. But it will ensure that when an attack does happen, you know about it fast enough to limit the damage. When monitoring does flag an issue, follow our step-by-step guide to cleaning a hacked WordPress site for a structured recovery process.
How File Integrity Monitoring Actually Works
At its core, file integrity monitoring (FIM) is simple: take a snapshot of every file, then compare future snapshots to detect changes. But the implementation details matter enormously.
Hash-Based Detection
The most reliable method uses cryptographic hashes:
# Initial baseline
wp-includes/version.php → SHA256: a1b2c3d4e5...
wp-includes/load.php → SHA256: f6g7h8i9j0...
# Later scan
wp-includes/version.php → SHA256: a1b2c3d4e5... ✅ (unchanged)
wp-includes/load.php → SHA256: x9y8z7w6v5... ⚠️ CHANGED!
Even a single character change produces a completely different hash, so malware cannot modify a monitored file without the next scan detecting it, as long as the stored baseline itself is out of the attacker's reach.
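The baseline-and-compare cycle from "How file integrity monitoring works" and from this section, written out as an added Python example (not WO Security Shield's code). It goes slightly beyond the listing above by also reporting added and removed files and by skipping exempt paths; the exemption globs, function names and the sample tree are assumptions made for the illustration.

```python
import fnmatch
import hashlib
import os
import tempfile

EXEMPT = ("wp-content/cache/*", "*.log")  # assumed exemption globs

def hash_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def snapshot(root, exempt=EXEMPT):
    """Map every non-exempt file (path relative to root) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(fnmatch.fnmatch(rel, pat) for pat in exempt):
                result[rel] = hash_file(full)
    return result

def compare(baseline, current):
    """Report paths added, removed or modified since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def write(root, rel, text):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed site tree
        write(root, "wp-includes/version.php", "<?php // constructed\n")
        write(root, "wp-includes/load.php", "<?php // constructed\n")
        write(root, "wp-content/cache/page.html", "cached v1")
        baseline = snapshot(root)
        write(root, "wp-includes/load.php", "<?php // constructed \n")  # one added space
        write(root, "wp-content/uploads/2026/new.php", "<?php\n")
        write(root, "wp-content/cache/page.html", "cached v2")  # exempt path
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```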
WordPress.org Checksum Comparison
WO Security Shield goes beyond local hash comparison. For WordPress core files, it compares your file hashes against the official checksums published by WordPress.org:
WordPress.org says version.php should be: a1b2c3d4e5...
Your version.php is: a1b2c3d4e5... ✅ MATCH
WordPress.org says load.php should be: f6g7h8i9j0...
Your load.php is: x9y8z7w6v5... ❌ MISMATCH
This catches modifications even if you don't have a previous baseline — if your core files don't match the official release, something is wrong.
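The comparison above as an added Python example (not the plugin's code), run offline against a constructed checksum list. It assumes the list is a `checksums` object mapping each relative path to an MD5, and it goes one step further than the text by also reporting files inside wp-admin/ and wp-includes/ that the official list does not name, since a checksum match says nothing about extra files.

```python
import hashlib
import os
import tempfile

def md5_file(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def verify_core(root, official):
    """Return (mismatched, missing, unexpected) against a {path: md5} map."""
    mismatched, missing, unexpected = [], [], []
    for rel, expected in official.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_file(path) != expected:
            mismatched.append(rel)
    # Files in core directories that the official list does not name.
    for core_dir in ("wp-admin", "wp-includes"):
        for dirpath, _dirs, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if rel not in official:
                    unexpected.append(rel)
    return sorted(mismatched), sorted(missing), sorted(unexpected)

def demo():
    clean = {"wp-includes/version.php": b"<?php // constructed\n",
             "wp-includes/load.php": b"<?php // constructed loader\n",
             "wp-admin/index.php": b"<?php // constructed admin\n"}
    # Constructed stand-in for the parsed checksum list (assumed shape).
    response = {"checksums": {p: hashlib.md5(c).hexdigest() for p, c in clean.items()}}
    official = response["checksums"]
    with tempfile.TemporaryDirectory() as root:
        for rel, data in clean.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        with open(os.path.join(root, "wp-includes/load.php"), "ab") as fh:
            fh.write(b"// appended after install\n")
        os.remove(os.path.join(root, "wp-admin/index.php"))
        with open(os.path.join(root, "wp-includes/extra.php"), "wb") as fh:
            fh.write(b"<?php // not in the official list\n")
        return verify_core(root, official)

if __name__ == "__main__":
    print(demo())
```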
What Changes Should Be Monitored?
Not all file changes are suspicious. A good FIM system categorises changes:
| Change Type | Examples | Risk Level |
|---|---|---|
| New PHP file in uploads/ | wp-content/uploads/2026/shell.php | 🔴 Critical — almost always malicious |
| Modified core file | wp-includes/version.php changed | 🔴 Critical — core files should never be modified |
| New file in root directory | /test.php, /info.php | 🟡 High — unexpected root files are suspicious |
| Modified plugin file | plugin/includes/class-main.php changed | 🟡 Medium — could be an update or an injection |
| Modified theme file | theme/functions.php changed | 🟡 Medium — common injection target |
| Config file change | wp-config.php modified | 🔴 Critical — should only change during setup |
| New or modified .htaccess | .htaccess in any directory | 🟡 High — common redirect injection point |
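One way to turn the table into alert triage, as an added Python example rather than the product's logic. Rows can overlap (a modified .htaccess inside wp-includes/ is both a core change and an .htaccess change), so the sketch takes the highest matching level instead of the first match; the wp-content/plugins/ and wp-content/themes/ prefixes, the `unclassified` fallback and the sample findings are assumptions.

```python
SEVERITY = {"unclassified": 0, "medium": 1, "high": 2, "critical": 3}

# (change kinds, path test, risk level) transcribed from the table above.
RULES = [
    ({"new"}, lambda p: p.startswith("wp-content/uploads/") and p.endswith(".php"),
     "critical"),
    ({"modified"}, lambda p: p.startswith(("wp-admin/", "wp-includes/")), "critical"),
    ({"modified"}, lambda p: p == "wp-config.php", "critical"),
    ({"new"}, lambda p: "/" not in p, "high"),  # new file in the root directory
    ({"new", "modified"}, lambda p: p.rsplit("/", 1)[-1] == ".htaccess", "high"),
    ({"modified"}, lambda p: p.startswith("wp-content/plugins/"), "medium"),
    ({"modified"}, lambda p: p.startswith("wp-content/themes/"), "medium"),
]

def classify(kind, path):
    """Return the highest risk level of any rule matching (kind, path)."""
    path = path.lstrip("/")  # treat "/test.php" and "test.php" alike
    hits = [risk for kinds, test, risk in RULES if kind in kinds and test(path)]
    # Changes the table does not cover stay visible instead of being dropped.
    return max(hits, key=SEVERITY.get, default="unclassified")

def triage(changes):
    """Order (kind, path) findings most severe first, then by path."""
    rated = [(classify(kind, path), kind, path) for kind, path in changes]
    return sorted(rated, key=lambda r: (-SEVERITY[r[0]], r[2]))

# Constructed findings, reusing the example paths from the table.
SAMPLE = [
    ("modified", "wp-content/plugins/demo/includes/class-main.php"),
    ("new", "wp-content/uploads/2026/shell.php"),
    ("new", "/test.php"),
    ("modified", "wp-includes/.htaccess"),
    ("new", "wp-content/uploads/2026/photo.jpg"),
]

if __name__ == "__main__":
    for risk, kind, path in triage(SAMPLE):
        print(f"{risk:12} {kind:8} {path}")
```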
Real-Time vs Scheduled Scanning
Scheduled scanning (e.g., every 5 minutes via cron):
- Lower server impact
- Catches changes within the scan interval
- Sufficient for most sites
Real-time monitoring (hooks into file operations):
- Immediate detection
- Higher server overhead
- Important for high-value sites (e-commerce, financial services)
WO Security Shield supports both modes. Low resource mode defers heavy scans to cron while keeping real-time protection active for critical file operations.
Setting Up File Integrity Monitoring
Step 1: Establish a clean baseline
Before enabling monitoring, ensure your site is clean:
- Update WordPress core, all plugins, and all themes
- Delete unused plugins and themes
- Scan for existing malware
- Once clean, the monitoring system takes its first baseline snapshot
Step 2: Configure scan exemptions
Some directories change frequently and generate false positives:
- Cache directories (wp-content/cache/)
- Log files (*.log)
- Temporary upload directories
Add these to your scan exemptions in WO Security Shield settings.
Step 3: Set up alert channels
Configure where you want to receive alerts:
- Admin email — for critical findings
- Slack webhook — for team visibility
- Activity log — for audit trail and historical review
Step 4: Respond to alerts
When a file change is detected:
- Review the change — is it from a legitimate update or suspicious?
- Check the diff — WO Security Shield shows exactly what changed in the file
- If suspicious: quarantine the file, investigate further
- If legitimate: approve the change to update the baseline
Why FIM Catches What Firewalls Miss
A firewall blocks known attack patterns. But what about:
- Zero-day exploits that no firewall rule exists for yet?
- Compromised plugins that arrived pre-infected from the vendor?
- Insider threats — someone with legitimate access making malicious changes?
- Server-level compromise — the attacker bypassed WordPress entirely?
File integrity monitoring catches all of these because it doesn't care how the file changed — only that it did change. It's your last line of defence when everything else fails.
