{{> header.html page_title="WordPress Startup Scan" header_widgets="" }} {{> threat/free_common.html }}
{{> threat/nav.html }}

Startup Chain threat hunter

The startup chain maps the code that runs before WordPress finishes loading, where persistent malware hides so it can re-infect a cleaned site on every request.

Why this matters: attackers rarely depend on one infected file. They hide in the early boot path instead: auto_prepend, wp-config.php, drop-ins, and mu-plugins. BitFire PRO traces that chain, highlights unexpected files, and helps you find the loader that keeps bringing the malware back. Purchase PRO to unlock the live startup analysis.
Startup audit coverage

What the live startup scan checks

The original Startup Chain audit walks these checks in boot order. In this preview, every test is shown as not checked until the live PRO scan is unlocked.

1
auto_prepend_file (php.ini) not checked
Checks whether PHP is configured to run a file before every request, which is one of the most dangerous persistence points on a compromised site.
php.ini directive: auto_prepend_file
2
.user.ini auto_prepend not checked
Checks per-directory PHP configuration for an auto_prepend_file override that can silently load malware before WordPress.
file: .user.ini
3
.htaccess auto_prepend not checked
Checks Apache-level PHP directives for an injected preload file that executes before normal WordPress bootstrap.
file: .htaccess
4
mu-plugins not checked
Checks every PHP file inside wp-content/mu-plugins/, because must-use plugins run automatically on every request.
Enumerate each PHP file in mu-plugins Reviews autoloaded must-use plugin files that can re-infect themes, plugins, or uploads on every page load.
not checked
5
Drop-ins not checked
Checks the special WordPress drop-in files that load earlier than standard plugins and are common persistence targets.
object-cache.php Persistent object cache bootstrap file.
not checked
advanced-cache.php Early cache loader that runs before normal plugins.
not checked
db.php Database drop-in with direct influence over bootstrap and queries.
not checked
sunrise.php Multisite/domain mapping bootstrap path that attackers sometimes abuse.
not checked
6
Active plugins not checked
Checks each plugin entry listed in WordPress active_plugins so early reinfection code hiding in active plugin bootstrap files can be traced.
Every active plugin bootstrap file Reviews the main file for each currently active plugin.
not checked
7
Theme functions.php not checked
Checks the active theme's functions.php, a common place for loaders, injected includes, and redirect code.
path pattern: wp-content/themes/<active-theme>/functions.php
8
auto_append_file not checked
Checks whether PHP is configured to run a file after every request via php.ini, .user.ini, or .htaccess.
directives: auto_append_file in php.ini, .user.ini, and .htaccess
9
WordPress core integrity not checked
Checks WordPress core files flagged by the malware scan so modified bootstrap code and hidden persistence in core can be reviewed first.
Flagged core files from the latest malware scan Surfaces suspicious or modified core files that should be verified against a clean WordPress release.
not checked

Unlock the full Startup Chain hunter

For compromised WordPress sites, this is usually the first Threat Hunter tab to check. Purchase BitFire PRO to trace the startup path and locate the code that is re-infecting the CMS.

Purchase BitFire PRO