VulnTitan is a WordPress security plugin focused on malware scanning and removal, vulnerability detection, file integrity monitoring, firewall protection, and anti-spam controls for comments and supported forms.<\/p>\n\n
Instantly scan your WordPress site for malware infections and known vulnerabilities, review detailed results, and clean or remove malware safely using a guided fix workflow with automatic backups.<\/p>\n\n
VulnTitan focuses on practical protection: vulnerability detection, malware scanning and removal, file integrity monitoring, firewall protection, anti-spam defense for comments and supported forms, hidden custom login access, and a weekly executive security digest every 7 days.<\/p>\n\n
The WordPress malware scanner inspects your site files for suspicious code patterns and known malicious signatures.<\/p>\n\n
The vulnerability scanner checks your installed WordPress core, plugins, and themes against a real-time vulnerability database powered by the VulnTitan API.<\/p>\n\n
Monitor unauthorized file changes and unexpected modifications.<\/p>\n\n
VulnTitan includes firewall, WAF, login protection, and anti-spam controls to block common attack patterns and protect WordPress login, comment, and supported form submission surfaces.<\/p>\n\n
wp-login.php<\/code><\/li>\n- Default
wp-login.php<\/code> and guest wp-admin<\/code> access can be hidden behind a 404<\/code> response when custom login is enabled<\/li>\n- Weekly executive security report email with 7-day firewall, login abuse, WAF, form spam, and comment moderation statistics<\/li>\n<\/ul>\n\n
Security-First Architecture<\/h4>\n\n\n- Secure storage and cleanup of scan queues and logs<\/li>\n
- Hardened backup handling outside
ABSPATH<\/code> by default<\/li>\n- Hardened malware and integrity scan actions with stricter capability checks and in-root path validation<\/li>\n
- Adaptive performance tuning for safe large-site scanning<\/li>\n<\/ul>\n\n
WP-CLI Support<\/h4>\n\n
VulnTitan supports WP-CLI commands for malware, integrity, and vulnerability scans so administrators can run checks from the terminal, scripts, or server automation.<\/p>\n\n
\nwp vulntitan scan malware<\/code><\/li>\nwp vulntitan scan integrity<\/code><\/li>\nwp vulntitan scan vulnerability<\/code><\/li>\nwp vulntitan scan all<\/code><\/li>\n- Optional flags:
--scope=plugins<\/code>, --format=json<\/code>, --fail-on-findings<\/code><\/li>\n<\/ul>\n\nExternal services<\/h3>\n\n
This plugin connects to an external API at https:\/\/vulntitan.com\/api\/vulnerabilities to fetch up-to-date vulnerability data for WordPress core, plugins, and themes. This data is essential for detecting known vulnerabilities during scan operations.<\/p>\n\n
When a vulnerability scan is performed, the following data is sent to the VulnTitan API:\n- The slug and version of each plugin\n- The slug and version of each theme\n- The WordPress core version<\/p>\n\n
This data is transmitted only during scans initiated by the user or by scheduled scan settings. No personal, user-identifying, or sensitive site data is collected, transmitted, or stored.<\/p>\n\n
The external service is provided and operated by VulnTitan.com.<\/p>\n\n
\n- Terms of Service: https:\/\/vulntitan.com\/terms<\/li>\n
- Privacy Policy: https:\/\/vulntitan.com\/privacy<\/li>\n<\/ul>\n\n\n
From your WordPress dashboard<\/h4>\n\n\n- Navigate to Plugins > Add New<\/strong><\/li>\n
- Click Upload Plugin<\/strong><\/li>\n
- Upload the downloaded ZIP file<\/li>\n
- Click Install Now<\/strong>, then Activate<\/strong><\/li>\n<\/ol>\n\n
From FTP or File Manager<\/h4>\n\n\n- Upload the extracted
vulntitan<\/code> folder to the \/wp-content\/plugins\/<\/code> directory<\/li>\n- Go to your WordPress dashboard<\/li>\n
- Navigate to Plugins > Installed Plugins<\/strong><\/li>\n
- Find VulnTitan<\/strong> and click Activate<\/strong><\/li>\n<\/ol>\n\n
Once activated<\/h4>\n\n\n- Go to VulnTitan<\/strong> in your admin menu<\/li>\n
- Click Scan Now<\/strong> to run a malware and vulnerability scan<\/li>\n
- Review detected vulnerabilities, malware infections, and file integrity issues<\/li>\n
- Apply guided safe fixes where needed<\/li>\n<\/ul>\n\n\n
\nWho owns the VulnTitan API?<\/h3><\/dt>\nThe VulnTitan API is developed, owned, and maintained by the same team behind this plugin. It is not a third-party service. The API is operated solely to provide accurate and real-time vulnerability intelligence for WordPress sites.<\/p><\/dd>\n
What data does the plugin send to the API?<\/h3><\/dt>\nThe plugin sends only non-personal technical information such as plugin slugs, theme slugs, and WordPress core version numbers. No personal data, login credentials, email addresses, or sensitive information is transmitted or stored.<\/p><\/dd>\n
Why is the API connection required?<\/h3><\/dt>\nThe API provides up-to-date vulnerability data needed to detect known security issues affecting WordPress core, plugins, and themes. Without this connection, vulnerability detection would not function correctly.<\/p><\/dd>\n
Does VulnTitan remove malware?<\/h3><\/dt>\nYes. When malware is detected, VulnTitan provides a guided safe-fix workflow with backup protection so you can review and safely remove infected files.<\/p><\/dd>\n
Does VulnTitan support WP-CLI?<\/h3><\/dt>\nYes. VulnTitan includes WP-CLI commands for malware, integrity, vulnerability, and combined scans.<\/p>\n\n
Examples:<\/p>\n\n
\nwp vulntitan scan malware<\/code><\/li>\nwp vulntitan scan integrity<\/code><\/li>\nwp vulntitan scan vulnerability<\/code><\/li>\nwp vulntitan scan all<\/code><\/li>\nwp vulntitan scan malware --scope=plugins<\/code><\/li>\nwp vulntitan scan all --format=json<\/code><\/li>\nwp vulntitan scan vulnerability --fail-on-findings<\/code><\/li>\n<\/ul><\/dd>\nMy site is behind a proxy or CDN. How do I configure IP detection?<\/h3><\/dt>\nIf you use Cloudflare, enable \"Trust Cloudflare\" in VulnTitan > Firewall > Access Shield > Proxy & CDN<\/strong>. For other reverse proxies or load balancers, add their IP addresses to \"Trusted Proxy IPs\". If your site is not behind a proxy or CDN, leave these settings disabled to avoid spoofed IP addresses in logs and lockouts.<\/p><\/dd>\nDoes VulnTitan protect contact forms from spam?<\/h3><\/dt>\nYes. VulnTitan currently supports spam protection for Contact Form 7 and Fluent Forms, alongside native WordPress comment anti-spam controls.<\/p><\/dd>\n\n<\/dl>\n\n\n
v2.1.17 - 31 Mar, 2026<\/h4>\n\n\n- Hardened malware and integrity scan actions with stricter capability checks, boundary-safe path validation, and server-side verification of auto-fix targets.<\/li>\n
- Closed the conditional REST comment bypass by enforcing signed anti-spam tokens and comment CAPTCHA on REST comment submissions as well.<\/li>\n
- Added stronger 2FA challenge throttling, tighter proxy trust handling, bounded anti-spam token lifetimes, and reduced hot-path maintenance overhead.<\/li>\n
- Expanded release metadata and readme coverage for comment moderation, digest reporting, and hardening updates.<\/li>\n<\/ul>\n\n
v2.1.16 - 25 Mar, 2026<\/h4>\n\n\n- Tightened Comment Shield spam detection with casino, betting, gambling, promotional-link, repeated-domain, and thin-link comment heuristics for guest comments.<\/li>\n
- Added firewall logging when suspicious comments are held and when WordPress routes comments into the pending moderation queue.<\/li>\n
- Expanded the weekly executive security digest with form spam, comment queue, and broader protection-profile coverage.<\/li>\n
- Improved the HTML digest layout on mobile by stacking compressed two-column sections into a readable single-column flow.<\/li>\n<\/ul>\n\n
v2.1.15 - 18 Mar, 2026<\/h4>\n\n\n- Added \u201cNot installed\u201d provider messaging in Spam Protection and disabled unavailable form provider toggles until Contact Form 7 or Fluent Forms is activated.<\/li>\n<\/ul>\n\n
v2.1.14 - 18 Mar, 2026<\/h4>\n\n\n- Fixed the Firewall settings save flow after the Spam Protection UI refactor by removing stale legacy comment-field JavaScript references.<\/li>\n<\/ul>\n\n
v2.1.13 - 18 Mar, 2026<\/h4>\n\n\n- Added form anti-spam protection for Contact Form 7 and Fluent Forms with honeypot, signed submit tokens, link heuristics, repeated-domain detection, and rate limiting.<\/li>\n
- Added a dedicated Spam Protection UI with separate Comments and Forms controls plus provider toggles.<\/li>\n
- Logged supported form spam blocks into the WAF\/live feed with provider-aware source labels and separated form blocks from general WAF blocks in the live feed.<\/li>\n<\/ul>\n\n
v2.1.12 - 16 Mar, 2026<\/h4>\n\n\n- Added vulnerability detail fields: fixed version, affected versions, CVSS score\/vector, published date, and exploit status.<\/li>\n
- Added risk score (severity + exposure) badges in vulnerability findings.<\/li>\n
- Added risk decisions (\u201cAccept risk\u201d \/ \u201cIgnore\u201d) with expiry and audit log entries.<\/li>\n
- Persisted risk decisions in a dedicated table and return decisions in scan results.<\/li>\n
- Added robust formatting for affected version ranges, including Wordfence-style range objects.<\/li>\n
- Mapped API fields (patched_versions, published, etc.) to UI-friendly names.<\/li>\n
- Added inline update\/deactivate actions that run without leaving the scan view.<\/li>\n
- Added post-update rescan to refresh vulnerability cards in place.<\/li>\n
- Refreshed update transients before building scan items so update actions appear consistently.<\/li>\n<\/ul>\n\n
v2.1.11 - 16 Mar, 2026<\/h4>\n\n\n- Normalized slug handling for single-file plugins and edge cases to improve scan accuracy.<\/li>\n
- Continued scans when individual items fail instead of aborting the entire run.<\/li>\n
- Added timeout\/backoff handling with clear 429\/503 messaging for vulnerability data requests.<\/li>\n
- Added short server-side cache per (type, slug, version) and surfaced \u201cdata age\u201d in the overview.<\/li>\n
- Added filters and sorting for severity, component type, active status, and fix availability.<\/li>\n
- Added direct actions for \u201cUpdate now\u201d, \u201cDeactivate\u201d, and \u201cOpen plugin page\u201d.<\/li>\n
- Added \u201cLast scan at\u201d, \u201cErrors count\u201d, and \u201cData age\u201d to the scan overview.<\/li>\n
- Improved scan flow with \u201cRetry failed\u201d, \u201cStop scan\u201d, and smart auto-scroll.<\/li>\n
- Styled scan output filter dropdowns to match the dashboard theme and remove white backgrounds.<\/li>\n<\/ul>\n\n
v2.1.10 - 16 Mar, 2026<\/h4>\n\n\n- Added Learning Mode suggestions for WAF whitelisting, with configurable thresholds and review-only approvals.<\/li>\n
- Added a Learning Suggestions panel and actions to approve or dismiss suggested patterns.<\/li>\n
- Fixed a PHP 8.4 deprecation warning by making trusted proxy settings nullable explicitly.<\/li>\n<\/ul>\n\n
v2.1.9 - 16 Mar, 2026<\/h4>\n\n\n- Added Proxy\/CDN configuration in Firewall settings, including Trust Cloudflare and trusted proxy IPs.<\/li>\n
- Added in-dashboard warnings when proxy headers are detected but trust is not configured.<\/li>\n
- Updated IP detection to trust forwarded headers only for configured proxies.<\/li>\n
- Restricted malware, integrity, and vulnerability scan actions to administrators only.<\/li>\n
- Hardened integrity scan file handling to prevent unsafe path traversal.<\/li>\n<\/ul>\n\n
v2.1.8 - 16 Mar, 2026<\/h4>\n\n\n- Fixed PHP 7.4 compatibility by replacing PHP 8-only syntax in scanner, CAPTCHA, and login-security flows.<\/li>\n<\/ul>\n\n
v2.1.7 - 16 Mar, 2026<\/h4>\n\n\n- Added an approvals workflow for WAF-blocked admin-ajax and REST requests, including targeted whitelist patterns and approve\/dismiss actions.<\/li>\n
- Added admin alerts and a menu badge for pending approvals, with direct links to the Approvals tab.<\/li>\n
- Moved the Clear Logs action into the Live Security Feed toolbar.<\/li>\n<\/ul>\n\n
v2.1.6 - 15 Mar, 2026<\/h4>\n\n\n- Added scan progress status notes that highlight the current component or file during Malware, Vulnerability, and Integrity scans.<\/li>\n<\/ul>\n\n
v2.1.5 - 15 Mar, 2026<\/h4>\n\n\n- Added role-based 2FA enforcement so selected roles must enroll before using the admin dashboard, with a direct setup shortcut.<\/li>\n
- Moved the live Firewall security feed into its own submenu and replaced pagination with a Load more flow.<\/li>\n
- Added quick actions to unblock or allowlist locked-out IPs from the Firewall feed.<\/li>\n<\/ul>\n\n
v2.1.4 - 14 Mar, 2026<\/h4>\n\n\n- Added a Login Security Pack with TOTP-based 2FA, recovery codes, trusted devices, CAPTCHA form protection, XML-RPC policy controls, and weak-password blocking.<\/li>\n
- Reworked the 2FA setup UX into a clearer step-by-step profile flow with QR provisioning and inline activation feedback.<\/li>\n
- Fixed 2FA setup and challenge-screen issues so activation errors return to the verification step and the public login flow no longer depends on admin-only helpers.<\/li>\n<\/ul>\n\n
v2.1.3 - 14 Mar, 2026<\/h4>\n\n\n- Added WP-CLI scan commands for malware, integrity, vulnerability, and combined scan execution.<\/li>\n
- Added readme documentation and FAQ examples for running VulnTitan scans from the terminal.<\/li>\n<\/ul>\n\n
v2.1.2 - 14 Mar, 2026<\/h4>\n\n\n- Refined the Vulnerability scanner UI with a more professional overview and findings layout.<\/li>\n
- Moved the Vulnerability Overview panel outside the scrolling results area so it stays sticky as a separate summary block.<\/li>\n
- Improved clean-result messaging so results now explicitly reference the scanned plugin, theme, or WordPress core component.<\/li>\n<\/ul>\n\n
v2.1.1 - 14 Mar, 2026<\/h4>\n\n\n- Added a live-updating Firewall security feed with auto-refresh, pause\/resume controls, quick filters, search, and per-event forensic detail panels.<\/li>\n
- Expanded Firewall feed event data so administrators can inspect richer request, actor, and rule context directly in the admin UI.<\/li>\n
- Improved live refresh behavior so recent event polling no longer overwrites unsaved Firewall settings while the page is open.<\/li>\n<\/ul>\n\n
v2.1.0 - 13 Mar, 2026<\/h4>\n\n\n- Added Comment Shield anti-spam protection for WordPress comments with honeypot, submit-time validation, duplicate detection, link controls, and IP rate limiting.<\/li>\n
- Added Firewall dashboard and weekly digest statistics for blocked or moderated comment spam activity.<\/li>\n
- Changed Firewall MU loader status to show WordPress-relative paths such as
wp-content\/mu-plugins\/vulntitan-firewall.php<\/code> instead of absolute server filesystem paths.<\/li>\n<\/ul>\n\nv2.0.8 - 13 Mar, 2026<\/h4>\n\n\n- Added a weekly executive security digest email with 7-day firewall telemetry, login abuse summaries, WAF detections, and top targeted paths\/rules.<\/li>\n
- Added Firewall settings for enabling the weekly digest and overriding the recipient email address.<\/li>\n
- Upgraded the digest into a professional branded HTML email template with VulnTitan logo, metric cards, timeline, and protection profile summary.<\/li>\n<\/ul>\n\n
v2.0.7 - 13 Mar, 2026<\/h4>\n\n\n- Fixed custom login logout requests on some Nginx-backed WordPress sites so hidden login logout no longer triggers
502 Bad Gateway<\/code> responses.<\/li>\n- Stabilized hidden login request bootstrapping and canonical custom login route handling for logout\/login flows.<\/li>\n<\/ul>\n\n
v2.0.6 - 12 Mar, 2026<\/h4>\n\n\n- Added configurable custom login slug support so administrators can use a private login URL instead of the default
wp-login.php<\/code> path.<\/li>\n- Hidden direct guest access to default
wp-login.php<\/code> and wp-admin<\/code> entry points when custom login protection is enabled.<\/li>\n- Reworked the Firewall page with a tabbed settings layout, a wider recent events section, and toast-style action feedback.<\/li>\n<\/ul>\n\n
v2.0.4 - 10 Mar, 2026<\/h4>\n\n\n- Redesigned the VulnTitan Dashboard into an elite, professional security command center layout.<\/li>\n
- Redesigned the Firewall page into a professional command center layout.<\/li>\n
- Removed the dashboard sidebar to keep the UI focused on scan operations.<\/li>\n
- Redesigned the top navigation bar to match the new elite dashboard and firewall style.<\/li>\n
- Fixed scan progress indicator layout in the redesigned dashboard.<\/li>\n<\/ul>\n\n
v2.0.3 - 10 Mar, 2026<\/h4>\n\n\n- Reduced false positives for benign decode-only utilities (e.g., base64 + gzuncompress).<\/li>\n
- Reduced false positives for safe data:image\/svg+xml;base64 payloads.<\/li>\n
- Disabled auto-fix for low-risk malware findings to prevent accidental code removal.<\/li>\n<\/ul>\n\n
v2.0.2 - 10 Mar, 2026<\/h4>\n\n\n- Reduced malware scanner false positives for base64-decoded signature and key material.<\/li>\n
- Avoided false positives from benign data:image base64 CSS payloads embedded in PHP\/JS strings.<\/li>\n
- Prevented false positives on large serialized option blobs without execution or file-write patterns.<\/li>\n<\/ul>\n\n
v2.0.1 - 03 Mar, 2026<\/h4>\n\n\n- Fixed Vulnerability scanner UI so the \"Vulnerability Overview\" section stays pinned at the top while results are scrolled.<\/li>\n
- Reduced Malware scanner false positives for benign CSS
content:<\/code> strings and similar static string-literal matches.<\/li>\n<\/ul>\n\nv2.0.0 - 25 Feb, 2026<\/h4>\n\n\n- Major release with redesigned Malware, Vulnerability, and File Integrity scan UX.<\/li>\n
- Improved malware scanner with detailed problematic-files panel and guided safe-fix actions.<\/li>\n
- Enhanced vulnerability detection powered by updated API intelligence.<\/li>\n
- Improved file integrity scanner with clearer legends and performance tuning.<\/li>\n
- Added dedicated Firewall module with MU runtime guards and login lockout protection.<\/li>\n
- Added WAF payload protection for SQL injection and command injection.<\/li>\n
- Security hardening for backup storage and automated cleanup routines.<\/li>\n<\/ul>\n\n
For full release history, see CHANGELOG.md<\/code> included in the plugin package.<\/p>","raw_excerpt":"VulnTitan security toolkit for WordPress sites. Detect and remove malware, vulnerable plugins, risky file changes, and comment or form spam.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/232662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=232662"}],"author":[{"embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/jerryscg"}],"wp:attachment":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=232662"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=232662"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=232662"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=232662"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=232662"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=232662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}