BitFire PRO only

Threat Hunter for WordPress persistence

Threat Hunter is BitFire PRO's persistence-focused investigation surface. It is built to explain why a cleaned WordPress site becomes infected again by checking the startup chain, cron tasks, mu-plugins, running PHP processes, content injections, and privileged access paths.

Main capability: the Startup Chain hunter is the core view because it finds malicious code injected into the WordPress boot path before the site fully loads. The other tabs extend that investigation into cron persistence, must-use plugins, server processes, stored content, and attacker access. Purchase BitFire PRO to unlock the full toolkit.

01 · What Threat Hunter includes

Six persistence-focused investigation tabs

Each tab explains a different way malware survives cleanup and keeps access to the CMS or server.

Startup Chain

Tracks the code that runs before WordPress finishes loading to find early malicious loaders and reinfection roots.

Cron Audit

Finds scheduled WordPress and system tasks that can re-download, rewrite, or restore malware after cleanup.

mu-plugins

Reviews the auto-loaded must-use plugin path where attackers often hide persistence that never appears in the normal plugin list.

Processes

Looks for PHP still running from /tmp or other off-path locations that can re-infect the site outside WordPress.

Content

Scans stored CMS content for injected scripts, redirectors, and malicious links that survive file cleanup.

Admin Users

Audits high-privilege accounts, sessions, app passwords, and database persistence indicators that can keep attackers in control.

02 · Why it helps detect threats

Built for reinfection and persistence hunting

Most malware cleanup efforts fail because only the visible payload is removed. Threat Hunter focuses on the code or access path that restores it.

  1. Find the loader: Startup Chain shows where malicious code enters the WordPress boot path.
  2. Find the timer: Cron Audit reveals whether a scheduled task is bringing the infection back.
  3. Find the hidden autoload file: mu-plugins catches persistence in paths many defenders forget to inspect.
  4. Find the external runner: Processes identifies PHP executing outside the web root or outside the normal FPM worker pool.
  5. Find the stored payload: Content reveals injected scripts and links living in the database.
  6. Find the access persistence: Admin Users exposes rogue privileged access and suspicious database logic.
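
As an added illustration of steps 3 and 4 (this is example code written for this page, not BitFire's implementation), the Python sketch below flags PHP CLI processes whose script sits outside the web root and separates auto-loaded mu-plugin files from nested ones. The `ps` sample is constructed, and the web root `/var/www/html` and the function names are assumptions.

```python
import os

# Constructed sample of `ps -eo pid,user,args` output (not from a real host).
SAMPLE_PS = """\
  812 www-data php-fpm: pool www
  901 www-data php /var/www/html/wp-cron.php
 1433 www-data php /tmp/.cache/sess_a1.php
 1502 www-data /usr/bin/php8.2 -f /dev/shm/w.php
 1610 root     sshd: /usr/sbin/sshd -D
"""
WEB_ROOT = "/var/www/html"  # assumed web root; adjust per host


def off_path_php(ps_text, web_root=WEB_ROOT):
    """Return (pid, script) for PHP CLI processes running a script outside web_root."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        argv = parts[2].split()
        exe = os.path.basename(argv[0])
        if not exe.startswith("php") or exe.startswith("php-fpm"):
            continue  # not PHP, or a normal FPM pool worker
        for arg in argv[1:]:
            path = os.path.normpath(arg)
            inside = path == web_root or path.startswith(web_root + os.sep)
            if arg.endswith(".php") and not inside:
                hits.append((int(parts[0]), path))  # relative paths are flagged too
    return hits


def mu_plugin_files(wp_root):
    """Return (autoloaded, nested) PHP files under wp-content/mu-plugins."""
    mu = os.path.join(wp_root, "wp-content", "mu-plugins")
    autoloaded, nested = [], []
    for dirpath, _dirs, files in os.walk(mu):
        for name in sorted(f for f in files if f.endswith(".php")):
            rel = os.path.relpath(os.path.join(dirpath, name), mu)
            # WordPress loads top-level *.php here on every request; files in
            # subdirectories run only if a top-level file includes them.
            (autoloaded if dirpath == mu else nested).append(rel)
    return sorted(autoloaded), sorted(nested)


if __name__ == "__main__":
    for pid, script in off_path_php(SAMPLE_PS):
        print(f"off-path PHP: pid={pid} script={script}")
    print(mu_plugin_files(WEB_ROOT))
```

Every file in the auto-loaded list deserves a manual review, since none of them appear in the normal plugin list.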

Unlock Threat Hunter in BitFire PRO

Purchase BitFire PRO to access the full startup-chain threat hunter and the supporting cron, mu-plugin, process, content, and admin persistence views.

Designed for compromised WordPress sites, cleanup validation, and stubborn reinfection cases.