Malroot Security -- WordPress 插件

开发者	nirajpal
更新时间	2026年6月10日 01:02
PHP版本:	7.4 及以上
WordPress版本:	7.0
版权:	GPLv2 or later
版权网址:	版权信息

Malroot Security is a WordPress malware scanner built specifically to catch the threats that file-based scanners miss. It was created after a real-world investigation of compromised WordPress sites where Wordfence and similar tools failed to detect database-resident malware, rogue REST API endpoints, malicious MySQL triggers, and self-healing rootkit patterns. What makes Malroot different Most security plugins only scan files on disk. Malroot also looks at:

Database content — wp_options, wp_posts, wp_postmeta for injected PHP/JS payloads
MySQL triggers and events — catches rootkits that recreate fake admins on every spam comment
REST API routes — flags non-standard namespaces with dangerous capabilities
mu-plugins — detects self-healing loaders that reinstall malware after deletion
Bot-cloaked content — compares Googlebot vs human page output to detect SEO spam
Outbound connections — logs every external HTTP request and alerts on known C2 hosts

Core features

Eight independent scanner modules with severity-based findings
One-click incident response that replays a complete malware cleanup
Auto-quarantine with full restore for files, options, postmeta, users, triggers, events
Real-time hooks block rogue admin creation and eval-based option injection
WordPress.org checksum verification — official files auto-accept silently
Login security with IP throttling, automated-tool detection, geo-aware new-origin alerts
Built-in 2FA (TOTP, RFC 6238 — works with Google Authenticator, Authy, 1Password)
Spam registration shield with honeypot, pattern blocklist, and bulk subscriber cleanup
Email and Slack alerting with deduplication
CSV export of findings for audit trails
Self-integrity check — Malroot detects tampering with its own code

Plain-language Simple View Findings are translated from technical rule IDs into plain English with clear actions:

"Hidden trap found in your database" instead of "TR-005: Trigger after_insert_comment"
"Fake admin account found" instead of "UA-010: Known malware admin name"
"Hacker tool found on your site" instead of "MAL-005: WSO/FilesMan webshell signature"

Each finding card answers three questions: what happened, why it matters, what to do. How verified-safe checking works When a file changes, Malroot looks up its MD5 hash in:

The official WordPress.org core checksums API
The official plugin checksums at downloads.wordpress.org
A recent plugin/theme update window from the operator's own update history

Files that match an official checksum auto-accept silently — the user never sees them. Files that match a malware signature get flagged as critical regardless of any update window. Custom files and theme edits surface for manual review. Real-world validation Malroot was developed during the cleanup of compromised WordPress sites, including sites where the rogue plugin had embedded a MySQL trigger that recreated a newsfeed admin user every time a spam comment was posted. That attack pattern is now a built-in detection.

1.0.6

Privacy: Two-Factor Authentication no longer sends the TOTP secret to an external QR-code image service (api.qrserver.com). The setup key is now shown as text for manual entry into any authenticator app, so the secret never leaves your server.
Privacy: IP geolocation (ipapi.co) is now strictly opt-in and OFF by default. No IP address is sent anywhere unless an administrator enables "IP geolocation" on the Settings page.
Quarantine no longer stores removed files in the uploads/plugin folder and no longer writes a PHP stub over files. Removed files are now backed up as inert data in a private database table and deleted from disk with wp_delete_file(); restore writes them back via the WordPress filesystem API.
Use wp_get_upload_dir() / wp_upload_dir() for the uploads location instead of a hardcoded WP_CONTENT_DIR/uploads fallback.
Removed the dead Terms/Privacy link to goqr.me from the readme (the QR service is no longer used).

1.0.5

Important safety fix: the "Remove all" bulk action and automatic quarantine can no longer touch files that belong to WordPress core, an installed plugin, or an installed theme. A heuristic false positive on legitimate code previously could be bulk-removed, blanking a required file and taking the site down. Such findings are now surfaced for deliberate, one-at-a-time review instead of one-click deletion. (mu-plugins stay removable, as self-healing loaders there are a known malware trick.)
Fewer false positives: .sql schema/template files bundled inside a plugin or theme (e.g. LiteSpeed Cache's data_structure files) are no longer flagged as public database dumps. PHP files inside recognised plugin-managed uploads folders (Sucuri, WP-Staging, UpdraftPlus, BackWPup) are now listed as low-priority "review" items rather than critical.
Individual, explicitly-confirmed removals are unchanged and still able to remove a genuine malicious file from anywhere.

1.0.4

Removing a finding (file, user, option, trigger) is now instant and in-page — it uses a background request instead of reloading the whole admin screen, so the page no longer hangs while a file is being neutralised. The card fades out and the severity counters update live.
Added a "Remove all" bulk action to the "Action required" list. It cleans up every auto-removable critical/high finding in one click, processed one at a time with a live progress bar (REST-route findings, which need manual action, are excluded).
Each removal still backs the item up to Quarantine and is fully reversible.

1.0.3

New Admin Guard module: enforces an allowlist of approved administrators on every request. Catches rogue admins injected directly into the database by a MySQL trigger or SQL backdoor (e.g. wp_feed, newsfood, and duplicate wppanel accounts) — accounts that bypass every normal WordPress creation hook and that a login-name blocklist can never keep up with. Unapproved admins are demoted and signed out automatically, and the last approved administrator is never removed.
Admin Guard allowlist is seeded automatically from the current clean administrators on first run; admins created by an approved admin through wp-admin are approved automatically.
Redesigned the Incident Response screen in plain language: a clear "what will happen" card with friendly per-step descriptions, a reassurance banner linking to Quarantine, a "when should I run this?" help section, and a readable last-run summary with a threat count.
Fixed the Incident Response last-run report rendering as unstyled text (the markup used malroot-ir-* class names while the stylesheet defined mr-ir-*).
REST scanner: added the official mailchimp-for-woocommerce/ namespace to the known-safe allowlist (fixes a false-positive RT-001 critical on the Mailchimp for WooCommerce plugin's sync routes).
Expanded the built-in rogue-admin name list (wp_feed, newsfood, wppanel) used by the real-time and login-security blocklists as a secondary layer.
Annotated four Plugin Check WriteFile.ABSPATHDetected warnings in the quarantine module. These writes intentionally target a file at its real webroot location — neutralising a malware file in place, and restoring a quarantined file to its original path — so they cannot use wp_upload_dir(). Each is now documented with a sniff-specific phpcs:ignore and a justification.
Annotated five Plugin Check SlowDBQuery (meta_key/meta_value) warnings in the incident-response and quarantine modules. None is a slow WP_Query meta lookup — one is a plain report-array key, and the database operations are INSERT/DELETE on the already-indexed meta_key column — so each is documented with a sniff-specific phpcs:ignore and a justification.

1.0.2

Added an "External services" section to readme documenting every outbound request the plugin makes and linking to each provider's privacy policy and terms.
Replaced inline <style> and <script> blocks on the 2FA login and setup screens with wp_register_style / wp_register_script and wp_add_inline_style / wp_add_inline_script.
Quarantine directory moved to wp_upload_dir()['basedir'] . '/malroot-security/quarantine' instead of a hardcoded WP_CONTENT_DIR path.
Incident-response cleanup no longer changes the activation status of other plugins. It now only detects a malicious system-control plugin and reports it so the administrator can deactivate it manually from the Plugins screen.
Admin top-level menu repositioned from position 3 to 80 to integrate cleanly with the standard WordPress admin hierarchy.
wp_verify_nonce() calls now run their input through sanitize_text_field( wp_unslash() ) for defence-in-depth (the function is pluggable).
$_SERVER array values are sanitised before being passed to explode().

1.0.0

First public release.
Auto-accept of files matching official WordPress.org and plugin checksums.
Simple View as the default dashboard.
Eight scanner modules: files, database, users, triggers, REST API, mu-plugins, bot-cloak, file integrity.
Built-in TOTP 2FA with QR code setup and recovery codes.
GeoIP enrichment of login records with 30-day caching.
CSV export, "Ignore finding" workflow, and self-integrity check.

Malroot Security

标签

下载

详情介绍:

安装:

屏幕截图:

升级注意事项:

常见问题:

更新日志: