How to Monitor WordPress File Integrity and Detect Unauthorized Changes

by dotCanada Team
When a WordPress site is compromised, attackers rarely announce themselves. They insert code into existing files, add new files that blend in with the directory structure, and try to stay hidden long enough to use the site for spam distribution, credential harvesting, or serving malware to visitors. File integrity monitoring is the practice of detecting these changes before the damage compounds.

What File Integrity Monitoring Is

File integrity monitoring (FIM) compares the current state of your WordPress files against a known-good baseline or against the official WordPress release. It tracks three types of changes:

  • Added files - new files that should not exist
  • Modified files - existing files whose contents have changed
  • Deleted files - files that were present and are now missing

Any change to a core WordPress file that was not initiated by a WordPress update is suspicious. WordPress core files do not change between updates - if wp-login.php or a file in wp-includes/ has been modified, something is wrong.

Why File Changes Are a Red Flag

After gaining access to a WordPress site, attackers typically do one or more of the following:

  • Add a backdoor - a script hidden in a core file or innocuous-seeming filename like wp-cache-helper.php - that lets them regain access even after their initial entry point is closed
  • Modify existing files to include malicious redirects that send visitors to phishing or malware sites
  • Inject SEO spam into page templates to use your site's domain authority for their own purposes
  • Replace legitimate files with versions that log credentials or payment data

File integrity monitoring does not prevent these actions, but it detects them quickly - giving you a window to act before the compromise worsens.

Free Tools for Monitoring File Integrity

Wordfence Security (free plugin) includes a file scanner that compares your WordPress core, plugin, and theme files against the official versions in the WordPress.org repository. Any file that differs from the official version is flagged. Run it under Wordfence > Scan and review the results. Files flagged with "differs from the WordPress.org repository" are worth investigating.

You can also schedule automatic scans in Wordfence settings. The free version scans periodically; the premium version supports real-time monitoring with alerts.

WP Security Audit Log is a plugin focused on activity logging rather than file scanning, but it complements file integrity monitoring well. It records user activity - logins, failed logins, plugin activations, file edits through the admin panel - and gives you a forensic trail to understand how and when a change occurred.

iThemes Security (now SolidSecurity) also includes file change detection in its free tier.

What to Do When a Change Is Detected

Receiving an alert about a changed file is not a reason to panic, but it does require investigation. Changes can be legitimate - a plugin update may modify files in its own directory - but anything touching WordPress core files demands attention.

Step 1: Compare against your backup. If you have a recent backup from before the flagged change, compare the affected files. Your hosting provider's backup tool or a plugin like UpdraftPlus makes this straightforward. Does the current version match your backup? If not, what changed?

Step 2: Compare against the official WordPress source. For core files, you can download the same version of WordPress from wordpress.org and compare file contents directly. Wordfence does this automatically and can restore original versions of core files with one click.

Step 3: Assume compromise if you cannot explain the change. If a core file has been modified and you did not do it and no legitimate update occurred, treat it as a security incident. Restore from a known-good backup, change all passwords (WordPress admin, cPanel, database, FTP), and review access logs.

Step 4: Identify and close the entry point. Restoring clean files without understanding how the attacker got in means they will likely be back. Common entry points include outdated plugins, weak admin passwords, and compromised FTP credentials.

Fitting File Integrity Monitoring into a Broader Security Posture

File integrity monitoring is one layer in a defence-in-depth approach. On its own, it is reactive - it tells you something happened but does not prevent it. Pair it with:

  • A Web Application Firewall (WAF) to block attack traffic before it reaches your application
  • Automatic plugin and core updates to close known vulnerabilities quickly
  • Strong, unique passwords and two-factor authentication on all admin accounts
  • Regular offsite backups so you always have a clean restore point

The goal is to reduce both the likelihood of a successful attack and the time between an attack occurring and you discovering it. File integrity monitoring addresses the second part - and for many compromised sites, early detection is the difference between a contained incident and a full rebuild.
