Plugin-Based · Agent Monitor✓ Works behind Cloudflare

🔌Uptrue WordPress Monitor

External uptime tools only see your homepage. This plugin monitors from inside your WordPress site — detecting file injections, rogue users, and silent compromises before your visitors do.

Free 2-minute install · No inbound ports · Works on shared hosting

Add WordPress Monitor FreeDownload Plugin
100
Health Score
8
Threat Categories
25+
Checks Per Scan
2 min
Setup Time
⚠️

Why external monitoring isn't enough

Standard uptime monitors check whether your website responds to an HTTP request. That tells you if your site is reachable — but nothing about what's happening inside. Most WordPress compromises are invisible to external tools:

🔍
External tools can't see what's inside
External uptime monitors only see your homepage. They can't detect a PHP shell in your uploads folder, a new admin user, or a modified wp-config.php — until it's too late.
🛡️
Works behind any firewall or CDN
Because the plugin pushes data out (not the other way around), it works on any hosting — shared hosting, Cloudflare-protected sites, password-protected staging environments.
Zero impact on site performance
Scans run via WordPress Cron — they happen in the background, staggered across hours. Your visitors never notice.
🤖
AI-powered remediation
Every issue comes with an AI-generated plain-English explanation and step-by-step fix instructions — written for site owners, not developers.
🔍

What Uptrue WordPress Monitor detects

🦠
File Injection AttacksCritical
PHP and JavaScript files planted in your uploads folder — the most common WordPress hack. Attackers upload shells disguised as images to run arbitrary code on your server.
👤
Rogue Admin UsersCritical
New administrator accounts created without your knowledge. Attackers often create hidden admin users after an initial compromise to maintain access even after you change your password.
🔌
Outdated Plugins & ThemesHigh
Over 90% of hacked WordPress sites were running outdated plugins with known vulnerabilities. Uptrue alerts you the moment an update is available — before attackers exploit the gap.
📄
Foreign-Language Content InjectionHigh
SEO spam attacks inject hidden pages with Chinese, Russian, Korean, Arabic, and 6 other scripts to hijack your search rankings. Uptrue scans every published page — title, slug, and body — on each push.
⚙️
.htaccess & wp-config TamperingCritical
Modifications to .htaccess and wp-config.php are a sign of a serious compromise — attackers use these to redirect visitors, hide malware, or extract database credentials.
🔐
Security Configuration WeaknessesHigh
XML-RPC enabled, REST API user enumeration exposed, no 2FA, no backup plugin, world-writable directories, disabled auto-updates — Uptrue checks all of these on every push and scores your configuration.
🚨
Brute Force Login AttacksHigh
Uptrue counts failed login attempts every 24 hours. A spike in failures means your wp-login.php is under attack — alerting you before an account is compromised.
🐛
Debug Mode & MisconfigurationsMedium
WordPress debug mode exposes sensitive error messages, file paths, and database structure to any visitor. It's frequently forgotten after a developer fixes an issue.

Every check Uptrue runs

PHP files in wp-content/uploads
JavaScript files in wp-content/uploads
Executable code patterns in uploads
.htaccess modifications
wp-config.php changes
WordPress core file modifications
Active theme file changes
New administrator accounts
New editor accounts
Recently created pages (last 7 days)
Foreign-language content — 10 scripts (Chinese, Russian, Korean, Arabic, Hindi, Japanese, Thai, Hebrew, Bengali, Georgian)
Outdated plugins (with update available)
Outdated active theme
WordPress core version
PHP version (flags end-of-life)
Debug mode status (WP_DEBUG)
Memory limit
Database size
Failed login attempts (24h brute force detection)
World-writable directories
XML-RPC enabled / disabled
REST API user enumeration exposed
Application passwords in use
WordPress auto-update settings
Spam comment volume
2FA plugin active
Recently modified plugin files (last 24h)
Backup plugin present
Disk usage percentage
⚙️

How it works

1
Install the free plugin
Download uptrue-monitor.php, upload it to your wp-content/plugins folder, and activate it in WordPress Admin. Takes under 2 minutes.
2
Connect to Uptrue
Add your WordPress Monitor in Uptrue. You'll get a secure API token — paste it into Uptrue → Settings in your WordPress Admin.
3
Plugin scans from inside
WordPress Cron runs staggered security scans every hour — PHP files, JS files, .htaccess, core files, theme files. Each scan type runs independently to avoid server load spikes.
4
Findings pushed to Uptrue
The plugin pushes scan results to Uptrue via encrypted HTTPS. It works behind Cloudflare, CDNs, and firewalls — no inbound ports needed.
5
Alerts fire on new threats
Uptrue compares each snapshot to the previous one. New threats trigger alerts. Resolved threats are automatically closed. No noise, just signal.
87GOOD
Live health score dashboard
Every scan updates your site's health score (0–100). Track it over time to see trends — whether security is improving or degrading. Critical findings hit hard: a PHP shell in uploads costs 30 points. Debug mode left on costs 10.
🤖 AI Security Report

On demand, Uptrue generates a plain-English AI security report for your WordPress site — explaining every open issue, ranking them by severity, and providing numbered step-by-step fix instructions. Written for business owners, not developers. Powered by Claude AI.

🔔

When Uptrue alerts you

CriticalPHP or executable file detected in uploads folder
Critical.htaccess file modified since last scan
Criticalwp-config.php file modified since last scan
CriticalWordPress core file modified (may indicate compromise)
HighNew administrator account created
HighForeign-language content injected (Chinese, Russian, Korean, Arabic + 6 more scripts)
HighJavaScript file found in uploads folder
HighActive theme files modified
HighWorld-writable directory detected
HighMore than 20 failed logins in 24 hours (brute force)
HighNo 2FA plugin active on the site
HighNo backup plugin installed
HighPlugin files modified in the last 24 hours
MediumPlugin update available (vulnerabilities exploited in the wild)
MediumActive theme update available
MediumPHP version end-of-life — no longer receiving security patches
MediumXML-RPC enabled (brute force attack surface)
MediumREST API exposes user list publicly
MediumWordPress auto-updates disabled
MediumDisk usage above 80%
LowWordPress debug mode (WP_DEBUG) left enabled
💬

Frequently asked questions

Does this replace my security plugin (Wordfence, Sucuri, etc.)?
It complements them. Security plugins focus on blocking attacks in real time. Uptrue WordPress Monitor is about continuous visibility and alerting — knowing when something changed, getting notified, and having a dashboard that shows your site's health score over time. Many Uptrue users run both.
What happens if my WordPress site goes down?
Uptrue already monitors your site's HTTP uptime separately. If the site goes down, your standard uptime alerts fire. If the WP plugin stops pushing data, Uptrue will alert you after a configurable silence window — so you know the connection is broken.
Will the plugin slow down my WordPress site?
No. All scans run via WordPress Cron — a background task system. File scans are staggered across the day so no single cron run is heavy. Your visitors will never notice.
What PHP version does the plugin require?
PHP 7.4 or higher. The plugin also checks your PHP version and alerts you if you're running an end-of-life version that no longer receives security patches.
I don't have an Uptrue account. Can I still use the plugin?
Yes. The plugin is useful even without Uptrue — it generates a monthly security report emailed to your WordPress admin email address. Connect to Uptrue for real-time alerts, a health score dashboard, and AI-powered fix instructions.
How many WordPress sites can I monitor?
Free plan: 0 sites. Lite plan: 1 site. Builder plan: up to 5 sites. Scale plan: up to 10 sites.
What checks does the plugin run?
File injection (PHP/JS/executables in uploads), .htaccess and wp-config.php changes, core and theme file modifications, new admin/editor users, foreign-language content injection (10 scripts: Chinese, Russian, Korean, Arabic, Hindi, Japanese, Thai, Hebrew, Bengali, Georgian), outdated plugins and themes, debug mode, PHP version, brute force login attempts, world-writable directories, XML-RPC status, REST API user enumeration, application passwords, auto-update settings, spam comment volume, 2FA status, recently modified plugin files, backup plugin presence, and disk usage.
🔗

Pair with these monitors

🌐HTTP Uptime Monitoring🔒SSL Certificate Monitoring🛡️Security Headers Monitoring🔍Keyword Detection
Start monitoring your WordPress site from the inside
Free plan · 2-minute plugin install · No inbound ports · Works on any WordPress host
Create Free Account →Download Plugin