Plugin-Based · Agent Monitor Works behind Cloudflare

Uptrue WordPress Monitor

External uptime tools only see your homepage. This plugin monitors from inside your WordPress site — detecting file injections, rogue users, and silent compromises before your visitors do.

Free 2-minute install · No inbound ports · Works on shared hosting

Add WordPress Monitor FreeDownload Plugin
100
Health Score
8
Threat Categories
25+
Checks Per Scan
2 min
Setup Time

Why external monitoring isn't enough

Standard uptime monitors check whether your website responds to an HTTP request. That tells you if your site is reachable — but nothing about what's happening inside. Most WordPress compromises are invisible to external tools:

External tools can't see what's inside
External uptime monitors only see your homepage. They can't detect a PHP shell in your uploads folder, a new admin user, or a modified wp-config.php — until it's too late.
Works behind any firewall or CDN
Because the plugin pushes data out (not the other way around), it works on any hosting — shared hosting, Cloudflare-protected sites, password-protected staging environments.
Zero impact on site performance
Scans run via WordPress Cron — they happen in the background, staggered across hours. Your visitors never notice.
AI-powered remediation
Every issue comes with an AI-generated plain-English explanation and step-by-step fix instructions — written for site owners, not developers.

What Uptrue WordPress Monitor detects

Critical
File Injection Attacks
PHP and JavaScript files planted in your uploads folder — the most common WordPress hack. Attackers upload shells disguised as images to run arbitrary code on your server.
Critical
Rogue Admin Users
New administrator accounts created without your knowledge. Attackers often create hidden admin users after an initial compromise to maintain access even after you change your password.
High
Outdated Plugins & Themes
Over 90% of hacked WordPress sites were running outdated plugins with known vulnerabilities. Uptrue alerts you the moment an update is available — before attackers exploit the gap.
High
Foreign-Language Content Injection
SEO spam attacks inject hidden pages with Chinese, Russian, Korean, Arabic, and 6 other scripts to hijack your search rankings. Uptrue scans every published page — title, slug, and body — on each push.
Critical
.htaccess & wp-config Tampering
Modifications to .htaccess and wp-config.php are a sign of a serious compromise — attackers use these to redirect visitors, hide malware, or extract database credentials.
High
Security Configuration Weaknesses
XML-RPC enabled, REST API user enumeration exposed, no 2FA, no backup plugin, world-writable directories, disabled auto-updates — Uptrue checks all of these on every push and scores your configuration.
High
Brute Force Login Attacks
Uptrue counts failed login attempts every 24 hours. A spike in failures means your wp-login.php is under attack — alerting you before an account is compromised.
Medium
Debug Mode & Misconfigurations
WordPress debug mode exposes sensitive error messages, file paths, and database structure to any visitor. It's frequently forgotten after a developer fixes an issue.

Every check Uptrue runs

PHP files in uploadsJS files in uploadsExecutable code patterns.htaccess modificationswp-config.php changesCore file modificationsActive theme file changesNew administrator accountsNew editor accountsRecently created pagesForeign-language contentApplication passwords2FA plugin activeOutdated pluginsOutdated active themePHP files in uploadsJS files in uploadsExecutable code patterns.htaccess modificationswp-config.php changesCore file modificationsActive theme file changesNew administrator accountsNew editor accountsRecently created pagesForeign-language contentApplication passwords2FA plugin activeOutdated pluginsOutdated active theme
WordPress core versionPHP version (EOL check)Modified plugin filesDebug mode statusWorld-writable directoriesXML-RPC statusREST API enumerationAuto-update settingsBackup plugin presentFailed login attemptsMemory limitDatabase sizeSpam comment volumeDisk usage percentageWordPress core versionPHP version (EOL check)Modified plugin filesDebug mode statusWorld-writable directoriesXML-RPC statusREST API enumerationAuto-update settingsBackup plugin presentFailed login attemptsMemory limitDatabase sizeSpam comment volumeDisk usage percentage

How it works

1Install the free plugin
Download uptrue-monitor.php, upload it to your wp-content/plugins folder, and activate it in WordPress Admin. Takes under 2 minutes.
2Connect to Uptrue
Add your WordPress Monitor in Uptrue. You'll get a secure API token — paste it into Uptrue → Settings in your WordPress Admin.
3Plugin scans from inside
WordPress Cron runs staggered security scans every hour — PHP files, JS files, .htaccess, core files, theme files. Each scan type runs independently to avoid server load spikes.
4Findings pushed to Uptrue
The plugin pushes scan results to Uptrue via encrypted HTTPS. It works behind Cloudflare, CDNs, and firewalls — no inbound ports needed.
5Alerts fire on new threats
Uptrue compares each snapshot to the previous one. New threats trigger alerts. Resolved threats are automatically closed. No noise, just signal.
87GOOD
Live health score dashboard
Every scan updates your site's health score (0–100). Track it over time to see trends — whether security is improving or degrading. Critical findings hit hard: a PHP shell in uploads costs 30 points. Debug mode left on costs 10.
AI Security Report

On demand, Uptrue generates a plain-English AI security report for your WordPress site — explaining every open issue, ranking them by severity, and providing numbered step-by-step fix instructions. Written for business owners, not developers. Powered by Claude AI.

When Uptrue alerts you

Critical· 4 conditions
PHP or executable file detected in uploads folder
.htaccess file modified since last scan
wp-config.php file modified since last scan
WordPress core file modified (may indicate compromise)
New administrator account created
Foreign-language content injected (Chinese, Russian, Korean, Arabic + 6 more scripts)
JavaScript file found in uploads folder
Active theme files modified
World-writable directory detected
More than 20 failed logins in 24 hours (brute force)
No 2FA plugin active on the site
No backup plugin installed
Plugin files modified in the last 24 hours
Plugin update available (vulnerabilities exploited in the wild)
Active theme update available
PHP version end-of-life — no longer receiving security patches
XML-RPC enabled (brute force attack surface)
REST API exposes user list publicly
WordPress auto-updates disabled
Disk usage above 80%
WordPress debug mode (WP_DEBUG) left enabled
Got questions?

Frequently asked questions

Everything you need to know about Uptrue — no fluff.

Does this replace my security plugin (Wordfence, Sucuri, etc.)?
It complements them. Security plugins focus on blocking attacks in real time. Uptrue WordPress Monitor is about continuous visibility and alerting — knowing when something changed, getting notified, and having a dashboard that shows your site's health score over time. Many Uptrue users run both.
Uptrue already monitors your site's HTTP uptime separately. If the site goes down, your standard uptime alerts fire. If the WP plugin stops pushing data, Uptrue will alert you after a configurable silence window — so you know the connection is broken.
No. All scans run via WordPress Cron — a background task system. File scans are staggered across the day so no single cron run is heavy. Your visitors will never notice.
PHP 7.4 or higher. The plugin also checks your PHP version and alerts you if you're running an end-of-life version that no longer receives security patches.
Yes. The plugin is useful even without Uptrue — it generates a monthly security report emailed to your WordPress admin email address. Connect to Uptrue for real-time alerts, a health score dashboard, and AI-powered fix instructions.
Free plan: 0 sites. Lite plan: 1 site. Builder plan: up to 5 sites. Scale plan: up to 10 sites.
File injection (PHP/JS/executables in uploads), .htaccess and wp-config.php changes, core and theme file modifications, new admin/editor users, foreign-language content injection (10 scripts: Chinese, Russian, Korean, Arabic, Hindi, Japanese, Thai, Hebrew, Bengali, Georgian), outdated plugins and themes, debug mode, PHP version, brute force login attempts, world-writable directories, XML-RPC status, REST API user enumeration, application passwords, auto-update settings, spam comment volume, 2FA status, recently modified plugin files, backup plugin presence, and disk usage.

Pair with these monitors

Free plugin
Start monitoring your WordPress site from the inside
Free plan · 2-minute plugin install · No inbound ports · Works on any WordPress host