Title: VulnTitan – Malware Scanner, Vulnerability Scanner & Security
Author: Jaroslav Svetlik
Published: May 13, 2025
Last modified: March 31, 2026

---

# VulnTitan – Malware Scanner, Vulnerability Scanner & Security

 By [Jaroslav Svetlik](https://profiles.wordpress.org/jerryscg/)

[Download](https://downloads.wordpress.org/plugin/vulntitan.2.1.17.zip)

## Description

VulnTitan is a WordPress security plugin focused on practical protection: malware scanning
and removal, vulnerability detection, file integrity monitoring, firewall and WAF protection,
anti-spam defense for comments and supported forms, a hidden custom login URL, and a weekly
executive security digest.

Scan your WordPress site for malware infections and known vulnerabilities, review detailed
results, and clean or remove malware using a guided fix workflow backed by automatic backups.

#### Malware Scanner

The WordPress malware scanner inspects your site files for suspicious code patterns
and known malicious signatures.

 * Detect malware infections in core, plugins, and themes
 * Review problematic files with contextual code preview
 * Safe-fix workflow with automatic backups
 * Clear severity indicators and actionable recommendations
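
The false-positive work in the changelog (decode-only utilities, `data:image` base64 payloads, opaque blobs without an execution pattern) comes down to one rule: an obfuscated blob is dangerous when it reaches an execution sink, not merely because it exists. The following is an added example that is not VulnTitan's own scanner; the rule names, thresholds, function names and sample files are constructed for illustration.

```php
<?php
// Added example, not VulnTitan's own scanner: a small signature scan that flags
// obfuscated payloads only when a decode step feeds an execution sink, so that
// decode-only utilities and data:image base64 blobs do not trip it.
// Rule names, thresholds and the sample files are constructed for this example.

declare(strict_types=1);

// Functions that reconstruct hidden code, and functions that execute it.
const VT_DECODERS = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'hex2bin'];
const VT_SINKS    = ['eval', 'assert', 'create_function', 'system', 'shell_exec', 'passthru', 'exec'];

/**
 * Scan one file body and return findings (line, severity, rule, snippet).
 * 'high' means decoded or request-supplied bytes reach an execution sink on the
 * same line; 'low' is an opaque blob that is never executed here and should be
 * reviewed by a person rather than auto-fixed.
 */
function vt_scan_source(string $code): array
{
    $findings = [];
    $decoders = implode('|', array_map('preg_quote', VT_DECODERS));
    $sinks    = implode('|', array_map('preg_quote', VT_SINKS));

    foreach (explode("\n", $code) as $i => $line) {
        // Inline images are base64 by design: blank them before matching so that a
        // CSS/SVG data URI can never count as an opaque blob.
        $clean = preg_replace('~data:image/[\w+.-]+;base64,[A-Za-z0-9+/=]+~', 'data:image', $line);

        $has_decoder  = preg_match("~\\b($decoders)\\s*\\(~i", $clean) === 1;
        $has_sink     = preg_match("~\\b($sinks)\\s*\\(~i", $clean) === 1;
        $from_request = preg_match('~\$_(GET|POST|REQUEST|COOKIE)\b~', $clean) === 1;
        $long_blob    = preg_match('~[A-Za-z0-9+/]{120,}={0,2}~', $clean) === 1;

        if ($has_sink && $has_decoder) {
            $findings[] = ['line' => $i + 1, 'severity' => 'high', 'rule' => 'decoder-to-sink', 'snippet' => trim($line)];
        } elseif ($has_sink && $from_request) {
            $findings[] = ['line' => $i + 1, 'severity' => 'high', 'rule' => 'request-to-sink', 'snippet' => trim($line)];
        } elseif (!$has_sink && $long_blob) {
            $findings[] = ['line' => $i + 1, 'severity' => 'low', 'rule' => 'opaque-blob', 'snippet' => substr(trim($line), 0, 60) . '...'];
        }
    }
    return $findings;
}

// Constructed sample files keyed by path relative to wp-content.
$samples = [
    'plugins/hello/hello.php' => "<?php\n\$x = 1;\neval(base64_decode(\$_POST['c']));\n",                                  // webshell
    'plugins/cache/util.php'  => "<?php\nfunction unpack_blob(\$b) { return gzuncompress(base64_decode(\$b)); }\n",        // decode-only utility
    'themes/x/style.php'      => "<?php\necho '<img src=\"data:image/svg+xml;base64," . str_repeat('PHN2Zy8+', 30) . "\">';\n", // inline SVG
    'plugins/lic/key.php'     => "<?php\n\$key = base64_decode('" . str_repeat('QUJD', 40) . "');\n",                       // decoded, never executed
];

foreach ($samples as $path => $code) {
    $findings = vt_scan_source($code);
    printf("%-26s %s\n", $path, $findings ? '' : 'clean');
    foreach ($findings as $f) {
        printf("    line %d [%s] %s: %s\n", $f['line'], $f['severity'], $f['rule'], $f['snippet']);
    }
}
```

Run it with `php scan-demo.php`. The four samples exercise a one-line webshell, a decode-only helper, an inline SVG data URI and a decoded-but-never-executed key blob; only the first should be a removal candidate, which is why the opaque-blob rule is capped at `low` severity and left to manual review.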

#### Vulnerability Scanner

The vulnerability scanner checks your installed WordPress core, plugins, and themes
against a real-time vulnerability database powered by the VulnTitan API.

 * Detect vulnerable plugins and themes
 * Identify outdated components with known security risks
 * Real-time vulnerability intelligence
 * Clear risk explanations and remediation guidance

#### File Integrity Scanner

Monitors WordPress files for unauthorized or unexpected changes against a stored baseline.

 * Baseline comparison for WordPress files
 * Queue-based processing for performance safety
 * Visual status legends for fast review
 * Actionable next steps for suspicious changes

#### Firewall, Login, Comment & Form Protection

VulnTitan includes firewall, WAF, login protection, and anti-spam controls to block
common attack patterns and protect WordPress login, comment, and supported form 
submission surfaces.

 * Early MU-plugin runtime request guards
 * SQL injection (SQLi) payload protection
 * Command injection detection
 * Suspicious path traversal blocking
 * Endpoint whitelisting controls
 * Login lockout protection against brute-force attacks
 * TOTP-based two-factor authentication for selected roles
 * Recovery codes and trusted-device support for enrolled accounts
 * CAPTCHA protection for login, registration, lost-password, and optional comment
   forms
 * XML-RPC allow, disable, or rate-limit policy controls with IP allowlisting
 * Weak-password blocking during profile updates, password resets, and compatible
   registrations
 * Comment Shield with honeypot, signed tokens, submit-time validation, duplicate
   detection, guest link limits, IP rate limiting, and moderation-aware logging
 * Form Shield for Contact Form 7 and Fluent Forms with honeypot, signed submit 
   tokens, link heuristics, repeated-domain detection, and IP rate limiting
 * Form spam blocks are logged into the WAF/live feed with provider-aware source
   labels for easier review
 * Suspicious comments can be held for moderation or blocked immediately
 * REST comments can enforce signed anti-spam tokens and CAPTCHA when anonymous 
   REST commenting is enabled elsewhere
 * Configurable custom login slug so administrators can use a private login URL
   instead of the default `wp-login.php`
 * Default `wp-login.php` and guest `wp-admin` access can be hidden behind a `404`
   response when custom login is enabled; this keeps the default entry point away
   from automated scanners but is not a substitute for the lockout, CAPTCHA, and
   2FA controls above
 * Weekly executive security report email with 7-day firewall, login abuse, WAF,
   form spam, and comment moderation statistics
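
The Comment Shield and Form Shield bullets describe a signed submit token checked together with a honeypot field and a submit-time rule, with the token lifetime bounded (see the v2.1.17 entry in the changelog). The block below is an added example of that pattern and is not VulnTitan's code; the field names, function names, constants and secret are assumptions, and in a real plugin the secret would come from a WordPress salt.

```php
<?php
// Added example, not VulnTitan's code: a signed submit token with a honeypot
// field, a minimum fill time and a bounded lifetime, in the style described for
// Comment Shield / Form Shield. Field names, function names, the constants and
// the secret are assumptions; in WordPress the secret would come from a salt.

declare(strict_types=1);

const VT_EXAMPLE_SECRET   = 'replace-with-a-random-32-byte-secret'; // assumption
const VT_MIN_FILL_SECONDS = 3;     // instant submissions are not typed by a person
const VT_MAX_TOKEN_AGE    = 3600;  // bounded lifetime: a captured token cannot be replayed later

/** Issue a token bound to the form id, the visitor's IP and the issue time. */
function vt_issue_token(string $form_id, string $ip, int $now, string $secret = VT_EXAMPLE_SECRET): string
{
    $payload = $form_id . '|' . $ip . '|' . $now;   // form ids must not contain '|'
    $mac     = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload . '|' . $mac);
}

/**
 * Check a submission and return 'ok' or a short reason so the caller can log
 * why it was blocked (the page logs form and comment blocks into the firewall feed).
 */
function vt_verify_submission(array $post, string $form_id, string $ip, int $now, string $secret = VT_EXAMPLE_SECRET): string
{
    // Honeypot: hidden from humans via CSS, so any value means a bot filled every field.
    if (($post['vt_hp'] ?? '') !== '') {
        return 'honeypot';
    }
    $raw = base64_decode((string) ($post['vt_token'] ?? ''), true);
    if ($raw === false || count($parts = explode('|', $raw)) !== 4) {
        return 'token-malformed';
    }
    [$tok_form, $tok_ip, $tok_issued, $mac] = $parts;

    // Recompute the MAC over the claimed fields and compare in constant time.
    $expected = hash_hmac('sha256', "$tok_form|$tok_ip|$tok_issued", $secret);
    if (!hash_equals($expected, $mac)) {
        return 'token-forged';
    }
    if ($tok_form !== $form_id || $tok_ip !== $ip) {
        return 'token-mismatch';   // issued for another form or another client
    }
    $age = $now - (int) $tok_issued;
    if ($age > VT_MAX_TOKEN_AGE) {
        return 'token-expired';
    }
    if ($age < VT_MIN_FILL_SECONDS) {
        return 'too-fast';         // submit-time validation
    }
    return 'ok';
}

// Constructed requests against one token issued at $t0 for the 'contact' form.
$ip  = '203.0.113.7';
$t0  = 1700000000;
$tok = vt_issue_token('contact', $ip, $t0);

$cases = [
    'human, 12 s later'   => [['vt_token' => $tok, 'vt_hp' => '', 'message' => 'hello'], $t0 + 12],
    'submitted after 1 s' => [['vt_token' => $tok, 'vt_hp' => '', 'message' => 'hello'], $t0 + 1],
    'honeypot filled'     => [['vt_token' => $tok, 'vt_hp' => 'http://spam.example'], $t0 + 12],
    'forged MAC'          => [['vt_token' => base64_encode("contact|$ip|$t0|" . str_repeat('0', 64)), 'vt_hp' => ''], $t0 + 12],
    'token reused 2 h on' => [['vt_token' => $tok, 'vt_hp' => ''], $t0 + 7200],
];
foreach ($cases as $label => [$post, $now]) {
    printf("%-22s %s\n", $label, vt_verify_submission($post, 'contact', $ip, $now));
}
```

The reason string is what you would write into the firewall feed. Binding the token to the client IP only works once IP detection is correct, which is why the proxy and CDN settings in the FAQ matter for anti-spam as much as for lockouts.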

#### Security-First Architecture

 * Secure storage and cleanup of scan queues and logs
 * Hardened backup handling outside `ABSPATH` by default
 * Hardened malware and integrity scan actions with stricter capability checks and
   in-root path validation
 * Adaptive performance tuning for safe large-site scanning
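
The baseline comparison from the File Integrity Scanner section and the in-root path validation listed here fit in one added example. It is not VulnTitan's code: a temporary directory stands in for `ABSPATH`, and the function names and sample files are constructed for illustration. The point worth noting is that the root check resolves symlinks before comparing, and compares with a trailing separator so a sibling directory with the root's name as a prefix cannot pass.

```php
<?php
// Added example, not VulnTitan's code: a file-integrity baseline compared with
// the current tree, where every path is resolved and checked to lie inside the
// scan root before it is read or touched. A temporary directory stands in for
// ABSPATH; function names and the sample files are constructed for this example.

declare(strict_types=1);

/** Resolve $path (symlinks included) and return it only if it sits under $root, else null. */
function vt_in_root(string $root, string $path): ?string
{
    $real_root = realpath($root);
    $real      = realpath($path);
    if ($real_root === false || $real === false) {
        return null;                       // missing file or unresolvable path: never trust it
    }
    $prefix = rtrim($real_root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Compare with the separator appended so "/site-old/x" is not accepted for root "/site".
    return strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/** Build {relative path => sha256} for every regular file under $root. */
function vt_baseline(string $root): array
{
    $root_real = realpath($root);
    $baseline  = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root_real, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $abs = vt_in_root($root_real, $file->getPathname());
        if ($abs === null || !$file->isFile()) {
            continue;                      // a symlink escaping the root is skipped, not followed
        }
        $rel = substr($file->getPathname(), strlen($root_real) + 1);
        $baseline[$rel] = hash_file('sha256', $abs);
    }
    ksort($baseline);
    return $baseline;
}

/** Diff a stored baseline against a fresh one. */
function vt_compare(array $baseline, array $current): array
{
    $report = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($current as $rel => $hash) {
        if (!isset($baseline[$rel])) {
            $report['added'][] = $rel;
        } elseif (!hash_equals($baseline[$rel], $hash)) {
            $report['modified'][] = $rel;
        }
    }
    foreach (array_keys($baseline) as $rel) {
        if (!isset($current[$rel])) {
            $report['removed'][] = $rel;
        }
    }
    return $report;
}

// Constructed site tree in a temp directory, then a simulated compromise.
$root = sys_get_temp_dir() . '/vt-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/plugins/hello", 0700, true);
file_put_contents("$root/index.php", "<?php // front controller\n");
file_put_contents("$root/wp-content/plugins/hello/hello.php", "<?php // plugin\n");
$baseline = vt_baseline($root);

file_put_contents("$root/wp-content/plugins/hello/hello.php", "<?php eval(base64_decode(\$_POST['x']));\n");
file_put_contents("$root/wp-content/dropper.php", "<?php // dropped file\n");
unlink("$root/index.php");
print_r(vt_compare($baseline, vt_baseline($root)));

// A fix target taken from a request must resolve inside the root before it is touched.
var_dump(vt_in_root($root, "$root/wp-content/plugins/hello/hello.php") !== null);
var_dump(vt_in_root($root, "$root/wp-content/../../../../../../../../etc/passwd") === null);

// Remove the demo tree.
$walk = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walk as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

In a plugin the baseline would be persisted (the page mentions queue-based processing for large sites) and the comparison run incrementally; the shape of the report, added / modified / removed, is what drives the "actionable next steps" a reviewer sees.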

#### WP-CLI Support

VulnTitan supports WP-CLI commands for malware, integrity, and vulnerability scans
so administrators can run checks from the terminal, scripts, or server automation.

 * `wp vulntitan scan malware`
 * `wp vulntitan scan integrity`
 * `wp vulntitan scan vulnerability`
 * `wp vulntitan scan all`
 * Optional flags: `--scope=plugins`, `--format=json`, `--fail-on-findings`

### External services

This plugin connects to an external API at https://vulntitan.com/api/vulnerabilities
to fetch up-to-date vulnerability data for WordPress core, plugins, and themes. 
This data is essential for detecting known vulnerabilities during scan operations.

When a vulnerability scan is performed, the following data is sent to the VulnTitan
API:
 * The slug and version of each plugin
 * The slug and version of each theme
 * The WordPress core version

This data is transmitted only during scans initiated by the user or by scheduled
scan settings. No personal, user-identifying, or sensitive site data is collected,
transmitted, or stored.

The external service is provided and operated by VulnTitan.com.

 * Terms of Service: https://vulntitan.com/terms
 * Privacy Policy: https://vulntitan.com/privacy

## Screenshots

 * WordPress malware and vulnerability scan dashboard overview.
 * Malware detection results with safe-fix workflow and backup protection.
 * Vulnerability scanner results showing vulnerable plugins and themes.
 * File integrity scan results with baseline comparison.
 * Firewall and WAF protection settings panel.
 * Vulnerability scan progress bar.
 * Firewall hidden custom login configuration and protected access screen.

## Installation

#### From your WordPress dashboard

 1. Navigate to **Plugins > Add New**
 2. Click **Upload Plugin**
 3. Upload the downloaded ZIP file
 4. Click **Install Now**, then **Activate**

#### From FTP or File Manager

 1. Upload the extracted `vulntitan` folder to the `/wp-content/plugins/` directory
 2. Go to your WordPress dashboard
 3. Navigate to **Plugins > Installed Plugins**
 4. Find **VulnTitan** and click **Activate**

#### Once activated

 * Go to **VulnTitan** in your admin menu
 * Click **Scan Now** to run a malware and vulnerability scan
 * Review detected vulnerabilities, malware infections, and file integrity issues
 * Apply guided safe fixes where needed

## FAQ

### Who owns the VulnTitan API?

The VulnTitan API is developed, owned, and maintained by the same team behind this
plugin. It is not a third-party service. The API is operated solely to provide accurate
and real-time vulnerability intelligence for WordPress sites.

### What data does the plugin send to the API?

The plugin sends only non-personal technical information: plugin and theme slugs with
their installed versions, and the WordPress core version. No personal data, login
credentials, email addresses, or sensitive information is transmitted or stored.

### Why is the API connection required?

The API provides up-to-date vulnerability data needed to detect known security issues
affecting WordPress core, plugins, and themes. Without this connection, vulnerability
detection would not function correctly.

### Does VulnTitan remove malware?

Yes. When malware is detected, VulnTitan provides a guided safe-fix workflow with
backup protection so you can review and safely remove infected files.

### Does VulnTitan support WP-CLI?

Yes. VulnTitan includes WP-CLI commands for malware, integrity, vulnerability, and
combined scans.

Examples:

 * `wp vulntitan scan malware`
 * `wp vulntitan scan integrity`
 * `wp vulntitan scan vulnerability`
 * `wp vulntitan scan all`
 * `wp vulntitan scan malware --scope=plugins`
 * `wp vulntitan scan all --format=json`
 * `wp vulntitan scan vulnerability --fail-on-findings`

### My site is behind a proxy or CDN. How do I configure IP detection?

If you use Cloudflare, enable “Trust Cloudflare” in **VulnTitan > Firewall > Access
Shield > Proxy & CDN**. For other reverse proxies or load balancers, add their IP
addresses to “Trusted Proxy IPs”, so that forwarded headers are honored only when the
request actually arrives from one of them. If your site is not behind a proxy or CDN,
leave these settings disabled: otherwise any client can set a forwarded-IP header itself
and choose the address that ends up in your logs and lockouts, evading or misdirecting them.

### Does VulnTitan protect contact forms from spam?

Yes. VulnTitan currently supports spam protection for Contact Form 7 and Fluent 
Forms, alongside native WordPress comment anti-spam controls.

## Reviews

### [Excellent vulnerability scanner!](https://wordpress.org/support/topic/excellent-vulnerability-scanner/)

 [componentz](https://profiles.wordpress.org/componentz/) May 17, 2025

I’ve been using VulnTitan for a few weeks now and I’m genuinely impressed. The plugin
is fast, lightweight, and managed to detect vulnerabilities I had completely overlooked
in some of my plugins. I especially like the file integrity and malware scanning
features – they provide great peace of mind. The interface is clean and easy to 
use, and the reports are clear and helpful. Highly recommended for anyone serious
about securing their WordPress site!

 [ Read all 1 review ](https://wordpress.org/support/plugin/vulntitan/reviews/)

## Contributors & Developers

“VulnTitan – Malware Scanner, Vulnerability Scanner & Security” is open source software.
The following people have contributed to this plugin.

Contributors

 *   [ Jaroslav Svetlik ](https://profiles.wordpress.org/jerryscg/)

[Translate “VulnTitan – Malware Scanner, Vulnerability Scanner & Security” into your language.](https://translate.wordpress.org/projects/wp-plugins/vulntitan)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/vulntitan/), check 
out the [SVN repository](https://plugins.svn.wordpress.org/vulntitan/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/vulntitan/) by [RSS](https://plugins.trac.wordpress.org/log/vulntitan/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### v2.1.17 – 31 Mar, 2026

 * Hardened malware and integrity scan actions with stricter capability checks, 
   boundary-safe path validation, and server-side verification of auto-fix targets.
 * Closed the conditional REST comment bypass by enforcing signed anti-spam tokens
   and comment CAPTCHA on REST comment submissions as well.
 * Added stronger 2FA challenge throttling, tighter proxy trust handling, bounded
   anti-spam token lifetimes, and reduced hot-path maintenance overhead.
 * Expanded release metadata and readme coverage for comment moderation, digest 
   reporting, and hardening updates.

#### v2.1.16 – 25 Mar, 2026

 * Tightened Comment Shield spam detection with casino, betting, gambling, promotional-link,
   repeated-domain, and thin-link comment heuristics for guest comments.
 * Added firewall logging when suspicious comments are held and when WordPress routes
   comments into the pending moderation queue.
 * Expanded the weekly executive security digest with form spam, comment queue, 
   and broader protection-profile coverage.
 * Improved the HTML digest layout on mobile by stacking compressed two-column sections
   into a readable single-column flow.

#### v2.1.15 – 18 Mar, 2026

 * Added “Not installed” provider messaging in Spam Protection and disabled unavailable
   form provider toggles until Contact Form 7 or Fluent Forms is activated.

#### v2.1.14 – 18 Mar, 2026

 * Fixed the Firewall settings save flow after the Spam Protection UI refactor by
   removing stale legacy comment-field JavaScript references.

#### v2.1.13 – 18 Mar, 2026

 * Added form anti-spam protection for Contact Form 7 and Fluent Forms with honeypot,
   signed submit tokens, link heuristics, repeated-domain detection, and rate limiting.
 * Added a dedicated Spam Protection UI with separate Comments and Forms controls
   plus provider toggles.
 * Logged supported form spam blocks into the WAF/live feed with provider-aware 
   source labels and separated form blocks from general WAF blocks in the live feed.

#### v2.1.12 – 16 Mar, 2026

 * Added vulnerability detail fields: fixed version, affected versions, CVSS score/vector,
   published date, and exploit status.
 * Added risk score (severity + exposure) badges in vulnerability findings.
 * Added risk decisions (“Accept risk” / “Ignore”) with expiry and audit log entries.
 * Persisted risk decisions in a dedicated table and return decisions in scan results.
 * Added robust formatting for affected version ranges, including Wordfence-style
   range objects.
 * Mapped API fields (patched_versions, published, etc.) to UI-friendly names.
 * Added inline update/deactivate actions that run without leaving the scan view.
 * Added post-update rescan to refresh vulnerability cards in place.
 * Refreshed update transients before building scan items so update actions appear
   consistently.

#### v2.1.11 – 16 Mar, 2026

 * Normalized slug handling for single-file plugins and edge cases to improve scan
   accuracy.
 * Continued scans when individual items fail instead of aborting the entire run.
 * Added timeout/backoff handling with clear 429/503 messaging for vulnerability
   data requests.
 * Added short server-side cache per (type, slug, version) and surfaced “data age”
   in the overview.
 * Added filters and sorting for severity, component type, active status, and fix
   availability.
 * Added direct actions for “Update now”, “Deactivate”, and “Open plugin page”.
 * Added “Last scan at”, “Errors count”, and “Data age” to the scan overview.
 * Improved scan flow with “Retry failed”, “Stop scan”, and smart auto-scroll.
 * Styled scan output filter dropdowns to match the dashboard theme and remove white
   backgrounds.

#### v2.1.10 – 16 Mar, 2026

 * Added Learning Mode suggestions for WAF whitelisting, with configurable thresholds
   and review-only approvals.
 * Added a Learning Suggestions panel and actions to approve or dismiss suggested
   patterns.
 * Fixed a PHP 8.4 deprecation warning by making trusted proxy settings nullable
   explicitly.

#### v2.1.9 – 16 Mar, 2026

 * Added Proxy/CDN configuration in Firewall settings, including Trust Cloudflare
   and trusted proxy IPs.
 * Added in-dashboard warnings when proxy headers are detected but trust is not 
   configured.
 * Updated IP detection to trust forwarded headers only for configured proxies.
 * Restricted malware, integrity, and vulnerability scan actions to administrators
   only.
 * Hardened integrity scan file handling to prevent unsafe path traversal.

#### v2.1.8 – 16 Mar, 2026

 * Fixed PHP 7.4 compatibility by replacing PHP 8-only syntax in scanner, CAPTCHA,
   and login-security flows.

#### v2.1.7 – 16 Mar, 2026

 * Added an approvals workflow for WAF-blocked admin-ajax and REST requests, including
   targeted whitelist patterns and approve/dismiss actions.
 * Added admin alerts and a menu badge for pending approvals, with direct links 
   to the Approvals tab.
 * Moved the Clear Logs action into the Live Security Feed toolbar.

#### v2.1.6 – 15 Mar, 2026

 * Added scan progress status notes that highlight the current component or file
   during Malware, Vulnerability, and Integrity scans.

#### v2.1.5 – 15 Mar, 2026

 * Added role-based 2FA enforcement so selected roles must enroll before using the
   admin dashboard, with a direct setup shortcut.
 * Moved the live Firewall security feed into its own submenu and replaced pagination
   with a Load more flow.
 * Added quick actions to unblock or allowlist locked-out IPs from the Firewall 
   feed.

#### v2.1.4 – 14 Mar, 2026

 * Added a Login Security Pack with TOTP-based 2FA, recovery codes, trusted devices,
   CAPTCHA form protection, XML-RPC policy controls, and weak-password blocking.
 * Reworked the 2FA setup UX into a clearer step-by-step profile flow with QR provisioning
   and inline activation feedback.
 * Fixed 2FA setup and challenge-screen issues so activation errors return to the
   verification step and the public login flow no longer depends on admin-only helpers.

#### v2.1.3 – 14 Mar, 2026

 * Added WP-CLI scan commands for malware, integrity, vulnerability, and combined
   scan execution.
 * Added readme documentation and FAQ examples for running VulnTitan scans from 
   the terminal.

#### v2.1.2 – 14 Mar, 2026

 * Refined the Vulnerability scanner UI with a more professional overview and findings
   layout.
 * Moved the Vulnerability Overview panel outside the scrolling results area so 
   it stays sticky as a separate summary block.
 * Improved clean-result messaging so results now explicitly reference the scanned
   plugin, theme, or WordPress core component.

#### v2.1.1 – 14 Mar, 2026

 * Added a live-updating Firewall security feed with auto-refresh, pause/resume 
   controls, quick filters, search, and per-event forensic detail panels.
 * Expanded Firewall feed event data so administrators can inspect richer request,
   actor, and rule context directly in the admin UI.
 * Improved live refresh behavior so recent event polling no longer overwrites unsaved
   Firewall settings while the page is open.

#### v2.1.0 – 13 Mar, 2026

 * Added Comment Shield anti-spam protection for WordPress comments with honeypot,
   submit-time validation, duplicate detection, link controls, and IP rate limiting.
 * Added Firewall dashboard and weekly digest statistics for blocked or moderated
   comment spam activity.
 * Changed Firewall MU loader status to show WordPress-relative paths such as
   `wp-content/mu-plugins/vulntitan-firewall.php` instead of absolute server filesystem
   paths.

#### v2.0.8 – 13 Mar, 2026

 * Added a weekly executive security digest email with 7-day firewall telemetry,
   login abuse summaries, WAF detections, and top targeted paths/rules.
 * Added Firewall settings for enabling the weekly digest and overriding the recipient
   email address.
 * Upgraded the digest into a professional branded HTML email template with VulnTitan
   logo, metric cards, timeline, and protection profile summary.

#### v2.0.7 – 13 Mar, 2026

 * Fixed custom login logout requests on some Nginx-backed WordPress sites so hidden
   login logout no longer triggers `502 Bad Gateway` responses.
 * Stabilized hidden login request bootstrapping and canonical custom login route
   handling for logout/login flows.

#### v2.0.6 – 12 Mar, 2026

 * Added configurable custom login slug support so administrators can use a private
   login URL instead of the default `wp-login.php` path.
 * Hidden direct guest access to default `wp-login.php` and `wp-admin` entry points
   when custom login protection is enabled.
 * Reworked the Firewall page with a tabbed settings layout, a wider recent events
   section, and toast-style action feedback.

#### v2.0.4 – 10 Mar, 2026

 * Redesigned the VulnTitan Dashboard into an elite, professional security command
   center layout.
 * Redesigned the Firewall page into a professional command center layout.
 * Removed the dashboard sidebar to keep the UI focused on scan operations.
 * Redesigned the top navigation bar to match the new elite dashboard and firewall
   style.
 * Fixed scan progress indicator layout in the redesigned dashboard.

#### v2.0.3 – 10 Mar, 2026

 * Reduced false positives for benign decode-only utilities (e.g., base64 + gzuncompress).
 * Reduced false positives for safe data:image/svg+xml;base64 payloads.
 * Disabled auto-fix for low-risk malware findings to prevent accidental code removal.

#### v2.0.2 – 10 Mar, 2026

 * Reduced malware scanner false positives for base64-decoded signature and key 
   material.
 * Avoided false positives from benign data:image base64 CSS payloads embedded in
   PHP/JS strings.
 * Prevented false positives on large serialized option blobs without execution 
   or file-write patterns.

#### v2.0.1 – 03 Mar, 2026

 * Fixed Vulnerability scanner UI so the “Vulnerability Overview” section stays 
   pinned at the top while results are scrolled.
 * Reduced Malware scanner false positives for benign CSS `content:` strings and
   similar static string-literal matches.

#### v2.0.0 – 25 Feb, 2026

 * Major release with redesigned Malware, Vulnerability, and File Integrity scan
   UX.
 * Improved malware scanner with a detailed problematic-files panel and guided safe-fix
   actions.
 * Enhanced vulnerability detection powered by updated API intelligence.
 * Improved file integrity scanner with clearer legends and performance tuning.
 * Added dedicated Firewall module with MU runtime guards and login lockout protection.
 * Added WAF payload protection for SQL injection and command injection.
 * Security hardening for backup storage and automated cleanup routines.

For full release history, see `CHANGELOG.md` included in the plugin package.

## Meta

 * Version **2.1.17**
 * Last updated **4 days ago**
 * Active installations **10+**
 * Tested up to **6.9.4**
 * PHP version **7.4 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/vulntitan/)
 * Tags: [malware removal](https://pcd.wordpress.org/plugins/tags/malware-removal/), [malware scanner](https://pcd.wordpress.org/plugins/tags/malware-scanner/), [vulnerability scanner](https://pcd.wordpress.org/plugins/tags/vulnerability-scanner/)
 * [Advanced View](https://pcd.wordpress.org/plugins/vulntitan/advanced/)

## Ratings

5 out of 5 stars.

 * [1 5-star review](https://wordpress.org/support/plugin/vulntitan/reviews/?filter=5)
 * [0 4-star reviews](https://wordpress.org/support/plugin/vulntitan/reviews/?filter=4)
 * [0 3-star reviews](https://wordpress.org/support/plugin/vulntitan/reviews/?filter=3)
 * [0 2-star reviews](https://wordpress.org/support/plugin/vulntitan/reviews/?filter=2)
 * [0 1-star reviews](https://wordpress.org/support/plugin/vulntitan/reviews/?filter=1)


## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/vulntitan/)

## Donate

Would you like to support the advancement of this plugin?

 [ Donate to this plugin ](https://www.paypal.com/ncp/payment/TPGXWZTJX7TDE)