VulnTitan - Malware Scanner, Vulnerability Scanner & Security
详情介绍:
VulnTitan is a WordPress security plugin focused on malware scanning and removal, vulnerability detection, file integrity monitoring, firewall protection, and anti-spam controls for comments and supported forms.
Instantly scan your WordPress site for malware infections and known vulnerabilities, review detailed results, and clean or remove malware safely using a guided fix workflow with automatic backups.
VulnTitan focuses on practical protection: vulnerability detection, malware scanning and removal, file integrity monitoring, firewall protection, anti-spam defense for comments and supported forms, hidden custom login access, and a weekly executive security digest every 7 days.
Malware Scanner
The WordPress malware scanner inspects your site files for suspicious code patterns and known malicious signatures.
- Detect malware infections in core, plugins, and themes
- Review problematic files with contextual code preview
- Safe-fix workflow with automatic backups
- Clear severity indicators and actionable recommendations
- Detect vulnerable plugins and themes
- Identify outdated components with known security risks
- Real-time vulnerability intelligence
- Clear risk explanations and remediation guidance
- Baseline comparison for WordPress files
- Queue-based processing for performance safety
- Visual status legends for fast review
- Actionable next steps for suspicious changes
- Early MU-plugin runtime request guards
- SQL injection (SQLi) payload protection
- Command injection detection
- Suspicious path traversal blocking
- Endpoint whitelisting controls
- Login lockout protection against brute-force attacks
- TOTP-based two-factor authentication for selected roles
- Recovery codes and trusted-device support for enrolled accounts
- CAPTCHA protection for login, registration, lost-password, and optional comment forms
- XML-RPC allow, disable, or rate-limit policy controls with IP allowlisting
- Weak-password blocking during profile updates, password resets, and compatible registrations
- Comment Shield with honeypot, signed tokens, submit-time validation, duplicate detection, guest link limits, IP rate limiting, and moderation-aware logging
- Form Shield for Contact Form 7 and Fluent Forms with honeypot, signed submit tokens, link heuristics, repeated-domain detection, and IP rate limiting
- Form spam blocks are logged into the WAF/live feed with provider-aware source labels for easier review
- Suspicious comments can be held for moderation or blocked immediately
- REST comments can enforce signed anti-spam tokens and CAPTCHA when anonymous REST commenting is enabled elsewhere
- Configurable custom login slug so administrators can use a private login URL instead of the default
wp-login.php - Default
wp-login.phpand guestwp-adminaccess can be hidden behind a404response when custom login is enabled - Weekly executive security report email with 7-day firewall, login abuse, WAF, form spam, and comment moderation statistics
- Secure storage and cleanup of scan queues and logs
- Hardened backup handling outside
ABSPATHby default - Hardened malware and integrity scan actions with stricter capability checks and in-root path validation
- Adaptive performance tuning for safe large-site scanning
wp vulntitan scan malwarewp vulntitan scan integritywp vulntitan scan vulnerabilitywp vulntitan scan all- Optional flags:
--scope=plugins,--format=json,--fail-on-findings
安装:
From your WordPress dashboard
- Navigate to Plugins > Add New
- Click Upload Plugin
- Upload the downloaded ZIP file
- Click Install Now, then Activate
- Upload the extracted
vulntitanfolder to the/wp-content/plugins/directory - Go to your WordPress dashboard
- Navigate to Plugins > Installed Plugins
- Find VulnTitan and click Activate
- Go to VulnTitan in your admin menu
- Click Scan Now to run a malware and vulnerability scan
- Review detected vulnerabilities, malware infections, and file integrity issues
- Apply guided safe fixes where needed
屏幕截图:
常见问题:
Who owns the VulnTitan API?
The VulnTitan API is developed, owned, and maintained by the same team behind this plugin. It is not a third-party service. The API is operated solely to provide accurate and real-time vulnerability intelligence for WordPress sites.
What data does the plugin send to the API?
The plugin sends only non-personal technical information such as plugin slugs, theme slugs, and WordPress core version numbers. No personal data, login credentials, email addresses, or sensitive information is transmitted or stored.
Why is the API connection required?
The API provides up-to-date vulnerability data needed to detect known security issues affecting WordPress core, plugins, and themes. Without this connection, vulnerability detection would not function correctly.
Does VulnTitan remove malware?
Yes. When malware is detected, VulnTitan provides a guided safe-fix workflow with backup protection so you can review and safely remove infected files.
Does VulnTitan support WP-CLI?
Yes. VulnTitan includes WP-CLI commands for malware, integrity, vulnerability, and combined scans. Examples:
wp vulntitan scan malwarewp vulntitan scan integritywp vulntitan scan vulnerabilitywp vulntitan scan allwp vulntitan scan malware --scope=pluginswp vulntitan scan all --format=jsonwp vulntitan scan vulnerability --fail-on-findings
My site is behind a proxy or CDN. How do I configure IP detection?
If you use Cloudflare, enable "Trust Cloudflare" in VulnTitan > Firewall > Access Shield > Proxy & CDN. For other reverse proxies or load balancers, add their IP addresses to "Trusted Proxy IPs". If your site is not behind a proxy or CDN, leave these settings disabled to avoid spoofed IP addresses in logs and lockouts.
Does VulnTitan protect contact forms from spam?
Yes. VulnTitan currently supports spam protection for Contact Form 7 and Fluent Forms, alongside native WordPress comment anti-spam controls.
更新日志:
v2.1.17 - 31 Mar, 2026
- Hardened malware and integrity scan actions with stricter capability checks, boundary-safe path validation, and server-side verification of auto-fix targets.
- Closed the conditional REST comment bypass by enforcing signed anti-spam tokens and comment CAPTCHA on REST comment submissions as well.
- Added stronger 2FA challenge throttling, tighter proxy trust handling, bounded anti-spam token lifetimes, and reduced hot-path maintenance overhead.
- Expanded release metadata and readme coverage for comment moderation, digest reporting, and hardening updates.
- Tightened Comment Shield spam detection with casino, betting, gambling, promotional-link, repeated-domain, and thin-link comment heuristics for guest comments.
- Added firewall logging when suspicious comments are held and when WordPress routes comments into the pending moderation queue.
- Expanded the weekly executive security digest with form spam, comment queue, and broader protection-profile coverage.
- Improved the HTML digest layout on mobile by stacking compressed two-column sections into a readable single-column flow.
- Added “Not installed” provider messaging in Spam Protection and disabled unavailable form provider toggles until Contact Form 7 or Fluent Forms is activated.
- Fixed the Firewall settings save flow after the Spam Protection UI refactor by removing stale legacy comment-field JavaScript references.
- Added form anti-spam protection for Contact Form 7 and Fluent Forms with honeypot, signed submit tokens, link heuristics, repeated-domain detection, and rate limiting.
- Added a dedicated Spam Protection UI with separate Comments and Forms controls plus provider toggles.
- Logged supported form spam blocks into the WAF/live feed with provider-aware source labels and separated form blocks from general WAF blocks in the live feed.
- Added vulnerability detail fields: fixed version, affected versions, CVSS score/vector, published date, and exploit status.
- Added risk score (severity + exposure) badges in vulnerability findings.
- Added risk decisions (“Accept risk” / “Ignore”) with expiry and audit log entries.
- Persisted risk decisions in a dedicated table and return decisions in scan results.
- Added robust formatting for affected version ranges, including Wordfence-style range objects.
- Mapped API fields (patched_versions, published, etc.) to UI-friendly names.
- Added inline update/deactivate actions that run without leaving the scan view.
- Added post-update rescan to refresh vulnerability cards in place.
- Refreshed update transients before building scan items so update actions appear consistently.
- Normalized slug handling for single-file plugins and edge cases to improve scan accuracy.
- Continued scans when individual items fail instead of aborting the entire run.
- Added timeout/backoff handling with clear 429/503 messaging for vulnerability data requests.
- Added short server-side cache per (type, slug, version) and surfaced “data age” in the overview.
- Added filters and sorting for severity, component type, active status, and fix availability.
- Added direct actions for “Update now”, “Deactivate”, and “Open plugin page”.
- Added “Last scan at”, “Errors count”, and “Data age” to the scan overview.
- Improved scan flow with “Retry failed”, “Stop scan”, and smart auto-scroll.
- Styled scan output filter dropdowns to match the dashboard theme and remove white backgrounds.
- Added Learning Mode suggestions for WAF whitelisting, with configurable thresholds and review-only approvals.
- Added a Learning Suggestions panel and actions to approve or dismiss suggested patterns.
- Fixed a PHP 8.4 deprecation warning by making trusted proxy settings nullable explicitly.
- Added Proxy/CDN configuration in Firewall settings, including Trust Cloudflare and trusted proxy IPs.
- Added in-dashboard warnings when proxy headers are detected but trust is not configured.
- Updated IP detection to trust forwarded headers only for configured proxies.
- Restricted malware, integrity, and vulnerability scan actions to administrators only.
- Hardened integrity scan file handling to prevent unsafe path traversal.
- Fixed PHP 7.4 compatibility by replacing PHP 8-only syntax in scanner, CAPTCHA, and login-security flows.
- Added an approvals workflow for WAF-blocked admin-ajax and REST requests, including targeted whitelist patterns and approve/dismiss actions.
- Added admin alerts and a menu badge for pending approvals, with direct links to the Approvals tab.
- Moved the Clear Logs action into the Live Security Feed toolbar.
- Added scan progress status notes that highlight the current component or file during Malware, Vulnerability, and Integrity scans.
- Added role-based 2FA enforcement so selected roles must enroll before using the admin dashboard, with a direct setup shortcut.
- Moved the live Firewall security feed into its own submenu and replaced pagination with a Load more flow.
- Added quick actions to unblock or allowlist locked-out IPs from the Firewall feed.
- Added a Login Security Pack with TOTP-based 2FA, recovery codes, trusted devices, CAPTCHA form protection, XML-RPC policy controls, and weak-password blocking.
- Reworked the 2FA setup UX into a clearer step-by-step profile flow with QR provisioning and inline activation feedback.
- Fixed 2FA setup and challenge-screen issues so activation errors return to the verification step and the public login flow no longer depends on admin-only helpers.
- Added WP-CLI scan commands for malware, integrity, vulnerability, and combined scan execution.
- Added readme documentation and FAQ examples for running VulnTitan scans from the terminal.
- Refined the Vulnerability scanner UI with a more professional overview and findings layout.
- Moved the Vulnerability Overview panel outside the scrolling results area so it stays sticky as a separate summary block.
- Improved clean-result messaging so results now explicitly reference the scanned plugin, theme, or WordPress core component.
- Added a live-updating Firewall security feed with auto-refresh, pause/resume controls, quick filters, search, and per-event forensic detail panels.
- Expanded Firewall feed event data so administrators can inspect richer request, actor, and rule context directly in the admin UI.
- Improved live refresh behavior so recent event polling no longer overwrites unsaved Firewall settings while the page is open.
- Added Comment Shield anti-spam protection for WordPress comments with honeypot, submit-time validation, duplicate detection, link controls, and IP rate limiting.
- Added Firewall dashboard and weekly digest statistics for blocked or moderated comment spam activity.
- Changed Firewall MU loader status to show WordPress-relative paths such as
wp-content/mu-plugins/vulntitan-firewall.phpinstead of absolute server filesystem paths.
- Added a weekly executive security digest email with 7-day firewall telemetry, login abuse summaries, WAF detections, and top targeted paths/rules.
- Added Firewall settings for enabling the weekly digest and overriding the recipient email address.
- Upgraded the digest into a professional branded HTML email template with VulnTitan logo, metric cards, timeline, and protection profile summary.
- Fixed custom login logout requests on some Nginx-backed WordPress sites so hidden login logout no longer triggers
502 Bad Gatewayresponses. - Stabilized hidden login request bootstrapping and canonical custom login route handling for logout/login flows.
- Added configurable custom login slug support so administrators can use a private login URL instead of the default
wp-login.phppath. - Hidden direct guest access to default
wp-login.phpandwp-adminentry points when custom login protection is enabled. - Reworked the Firewall page with a tabbed settings layout, a wider recent events section, and toast-style action feedback.
- Redesigned the VulnTitan Dashboard into an elite, professional security command center layout.
- Redesigned the Firewall page into a professional command center layout.
- Removed the dashboard sidebar to keep the UI focused on scan operations.
- Redesigned the top navigation bar to match the new elite dashboard and firewall style.
- Fixed scan progress indicator layout in the redesigned dashboard.
- Reduced false positives for benign decode-only utilities (e.g., base64 + gzuncompress).
- Reduced false positives for safe data:image/svg+xml;base64 payloads.
- Disabled auto-fix for low-risk malware findings to prevent accidental code removal.
- Reduced malware scanner false positives for base64-decoded signature and key material.
- Avoided false positives from benign data:image base64 CSS payloads embedded in PHP/JS strings.
- Prevented false positives on large serialized option blobs without execution or file-write patterns.
- Fixed Vulnerability scanner UI so the "Vulnerability Overview" section stays pinned at the top while results are scrolled.
- Reduced Malware scanner false positives for benign CSS
content:strings and similar static string-literal matches.
- Major release with redesigned Malware, Vulnerability, and File Integrity scan UX.
- Improved malware scanner with detailed problematic-files panel and guided safe-fix actions.
- Enhanced vulnerability detection powered by updated API intelligence.
- Improved file integrity scanner with clearer legends and performance tuning.
- Added dedicated Firewall module with MU runtime guards and login lockout protection.
- Added WAF payload protection for SQL injection and command injection.
- Security hardening for backup storage and automated cleanup routines.
For full release history, see
CHANGELOG.mdincluded in the plugin package.