100
Health Score
8
Threat Categories
25+
Checks Per Scan
2 min
Setup Time
Why external monitoring isn't enough
Standard uptime monitors check whether your website responds to an HTTP request. That tells you if your site is reachable — but nothing about what's happening inside. Most WordPress compromises are invisible to external tools:
External tools can't see what's inside
External uptime monitors only see your homepage. They can't detect a PHP shell in your uploads folder, a new admin user, or a modified wp-config.php — until it's too late.
Works behind any firewall or CDN
Because the plugin pushes data out (not the other way around), it works on any hosting — shared hosting, Cloudflare-protected sites, password-protected staging environments.
Zero impact on site performance
Scans run via WordPress Cron — they happen in the background, staggered across hours. Your visitors never notice.
AI-powered remediation
Every issue comes with an AI-generated plain-English explanation and step-by-step fix instructions — written for site owners, not developers.
What Uptrue WordPress Monitor detects
Critical
File Injection Attacks
PHP and JavaScript files planted in your uploads folder — the most common WordPress hack. Attackers upload shells disguised as images to run arbitrary code on your server.
Critical
Rogue Admin Users
New administrator accounts created without your knowledge. Attackers often create hidden admin users after an initial compromise to maintain access even after you change your password.
High
Outdated Plugins & Themes
Over 90% of hacked WordPress sites were running outdated plugins with known vulnerabilities. Uptrue alerts you the moment an update is available — before attackers exploit the gap.
High
Foreign-Language Content Injection
SEO spam attacks inject hidden pages with Chinese, Russian, Korean, Arabic, and 6 other scripts to hijack your search rankings. Uptrue scans every published page — title, slug, and body — on each push.
Critical
.htaccess & wp-config Tampering
Modifications to .htaccess and wp-config.php are a sign of a serious compromise — attackers use these to redirect visitors, hide malware, or extract database credentials.
High
Security Configuration Weaknesses
XML-RPC enabled, REST API user enumeration exposed, no 2FA, no backup plugin, world-writable directories, disabled auto-updates — Uptrue checks all of these on every push and scores your configuration.
High
Brute Force Login Attacks
Uptrue counts failed login attempts every 24 hours. A spike in failures means your wp-login.php is under attack — alerting you before an account is compromised.
Medium
Debug Mode & Misconfigurations
WordPress debug mode exposes sensitive error messages, file paths, and database structure to any visitor. It's frequently forgotten after a developer fixes an issue.
Every check Uptrue runs
How it works
1Install the free plugin
Download uptrue-monitor.php, upload it to your wp-content/plugins folder, and activate it in WordPress Admin. Takes under 2 minutes.
2Connect to Uptrue
Add your WordPress Monitor in Uptrue. You'll get a secure API token — paste it into Uptrue → Settings in your WordPress Admin.
3Plugin scans from inside
WordPress Cron runs staggered security scans every hour — PHP files, JS files, .htaccess, core files, theme files. Each scan type runs independently to avoid server load spikes.
4Findings pushed to Uptrue
The plugin pushes scan results to Uptrue via encrypted HTTPS. It works behind Cloudflare, CDNs, and firewalls — no inbound ports needed.
5Alerts fire on new threats
Uptrue compares each snapshot to the previous one. New threats trigger alerts. Resolved threats are automatically closed. No noise, just signal.
87GOOD
Live health score dashboard
Every scan updates your site's health score (0–100). Track it over time to see trends — whether security is improving or degrading. Critical findings hit hard: a PHP shell in uploads costs 30 points. Debug mode left on costs 10.
AI Security Report
On demand, Uptrue generates a plain-English AI security report for your WordPress site — explaining every open issue, ranking them by severity, and providing numbered step-by-step fix instructions. Written for business owners, not developers. Powered by Claude AI.
When Uptrue alerts you
Critical· 4 conditions
PHP or executable file detected in uploads folder
.htaccess file modified since last scan
wp-config.php file modified since last scan
WordPress core file modified (may indicate compromise)
High· 9 conditions
New administrator account created
Foreign-language content injected (Chinese, Russian, Korean, Arabic + 6 more scripts)
JavaScript file found in uploads folder
Active theme files modified
World-writable directory detected
More than 20 failed logins in 24 hours (brute force)
No 2FA plugin active on the site
No backup plugin installed
Plugin files modified in the last 24 hours
Medium· 7 conditions
Plugin update available (vulnerabilities exploited in the wild)
Active theme update available
PHP version end-of-life — no longer receiving security patches
XML-RPC enabled (brute force attack surface)
REST API exposes user list publicly
WordPress auto-updates disabled
Disk usage above 80%
Low· 1 condition
WordPress debug mode (WP_DEBUG) left enabled
Got questions?
Frequently asked questions
Everything you need to know about Uptrue — no fluff.
Does this replace my security plugin (Wordfence, Sucuri, etc.)?
It complements them. Security plugins focus on blocking attacks in real time. Uptrue WordPress Monitor is about continuous visibility and alerting — knowing when something changed, getting notified, and having a dashboard that shows your site's health score over time. Many Uptrue users run both.
What happens if my WordPress site goes down?
Uptrue already monitors your site's HTTP uptime separately. If the site goes down, your standard uptime alerts fire. If the WP plugin stops pushing data, Uptrue will alert you after a configurable silence window — so you know the connection is broken.
Will the plugin slow down my WordPress site?
No. All scans run via WordPress Cron — a background task system. File scans are staggered across the day so no single cron run is heavy. Your visitors will never notice.
What PHP version does the plugin require?
PHP 7.4 or higher. The plugin also checks your PHP version and alerts you if you're running an end-of-life version that no longer receives security patches.
I don't have an Uptrue account. Can I still use the plugin?
Yes. The plugin is useful even without Uptrue — it generates a monthly security report emailed to your WordPress admin email address. Connect to Uptrue for real-time alerts, a health score dashboard, and AI-powered fix instructions.
How many WordPress sites can I monitor?
Free plan: 0 sites. Lite plan: 1 site. Builder plan: up to 5 sites. Scale plan: up to 10 sites.
What checks does the plugin run?
File injection (PHP/JS/executables in uploads), .htaccess and wp-config.php changes, core and theme file modifications, new admin/editor users, foreign-language content injection (10 scripts: Chinese, Russian, Korean, Arabic, Hindi, Japanese, Thai, Hebrew, Bengali, Georgian), outdated plugins and themes, debug mode, PHP version, brute force login attempts, world-writable directories, XML-RPC status, REST API user enumeration, application passwords, auto-update settings, spam comment volume, 2FA status, recently modified plugin files, backup plugin presence, and disk usage.