=== Deep Malware Cleaner ===
Contributors: themepaste, habibnote
Tags: malware, scanner, security, login-protection, attack, website-security, website-protection, secure-login, alert, scan, backdoor, malware-scanner, deep-cleaner
Requires at least: 5.6
Tested up to: 6.9
Stable tag: 1.0.1
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Lightweight deep malware scanner for WordPress — deep cleanup scan, backdoor fixer, redirect hack fix, and malware auto-purge with login protection and instant alerts.

== Description ==

**Deep Malware Cleaner** is a lightweight deep malware scanner built for WordPress. It performs a thorough deep cleanup scan of your `wp-content` directory, detects backdoors, cleans injected site scripts, fixes redirect hacks, and triggers malware auto-purge — all from your WordPress admin dashboard with no external service, no subscription, and no data ever leaving your server.

Whether you're dealing with a live attack, a hidden backdoor, or a redirect hack silently sending visitors to malicious sites, Deep Malware Cleaner gives you the tools to scan, alert, and act — fast.

= Core Capabilities =

**Deep Cleanup Scan**
Walks your entire `wp-content` directory, inspecting every PHP file for known malware signatures, obfuscated code, and injected payloads. Results are sorted by severity so the worst threats surface first.

**Backdoor Fixer**
Detects PHP backdoors uploaded through vulnerable plugins or themes — including webshells, remote-execution scripts, and hidden PHP files inside the uploads folder where no PHP should ever exist.

**Site Script Cleaner**
Identifies injected JavaScript and malicious `<script>` tags, hidden iframes, and obfuscated code blocks embedded in your theme or plugin files.

**Redirect Hack Fix**
Flags the PHP patterns most commonly responsible for redirect hacks — including `header()` injection, variable-based shell execution, and compressed payload backdoors used to silently redirect visitors to attack sites.

**Malware Auto-Purge**
Remove confirmed threats directly from the scan results screen without touching FTP or cPanel. Quarantine or delete flagged files in one click.

**Login Protection**
Hardens your WordPress login against brute-force attacks and unauthorized access attempts — an essential layer of website protection alongside active scanning.

**Instant Alerts**
Get notified the moment a scan finds a threat. Real-time alerts keep you informed so you can respond before an attack escalates.

= What the Scanner Detects =

* **eval(base64_decode(...))** — the most widespread PHP malware obfuscation and attack vector.
* **eval(gzinflate(...))** / **eval(gzuncompress(...))** — compressed-payload backdoors.
* **eval(str_rot13(...))** — rotation-cipher obfuscated malware.
* **Shell execution with dynamic arguments** — `shell_exec`, `passthru`, `proc_open`, `popen`, and `system` called with a variable, a classic attack pattern for remote code execution.
* **Hidden iframes** — `<iframe>` elements injected with `display:none` used to load malicious content invisibly.
* **Long base64 strings** — unusually large base64 blobs embedded in PHP, a common technique for hiding large attack payloads.
* **PHP files inside the uploads directory** — any `.php` file in `wp-content/uploads/` is flagged High severity; legitimate uploads are never PHP files.

= Key Features =

* **Lightweight deep malware scanner** — scans up to 500 files per run in under 25 seconds, safe on shared hosting.
* **On-demand scan** — runs only when you click Start Scan, never in the background.
* **Deep Cleaner dashboard** — at-a-glance stats: threats found, files scanned, time since last scan.
* **Website Security & Website Protection** — comprehensive coverage against the most common WordPress attack types.
* **Troubleshoot mode** — detailed per-file reporting to help you understand exactly what was found and why it was flagged.
* **Secure login** hardening included.
* **All scan history** stored in your own database — nothing leaves your server.
* **No account, no API key, no external requests.**
* **Translatable** — full `.pot` file included.

= Who Is This For? =

* Site owners who received a "this site may be hacked" alert from Google.
* Developers who need to troubleshoot a suspected redirect hack or injected script.
* Agencies that manage multiple WordPress sites and need a fast, lightweight scanner with no SaaS dependency.
* Anyone who wants ongoing website security and website protection without a monthly fee.

= Privacy =

This plugin makes **zero** external HTTP requests. No data is sent to any third-party server. Scan results are stored only in your own WordPress database and are removed when you uninstall the plugin (if that option is enabled in Settings).

== Installation ==

= Automatic Installation =

1. In your WordPress admin, go to **Plugins → Add New**.
2. Search for **Deep Malware Cleaner**.
3. Click **Install Now**, then **Activate**.

= Manual Installation =

1. Download the plugin zip file.
2. In your WordPress admin, go to **Plugins → Add New → Upload Plugin**.
3. Choose the zip file and click **Install Now**, then **Activate**.

= After Activation =

1. Go to **Malware Cleaner → Settings** to configure login protection, alerts, and data-management options.
2. Go to **Malware Cleaner → Run Scan** and click **Start Scan** to run your first deep cleanup scan.

== Frequently Asked Questions ==

= Will this plugin slow down my site for visitors? =

No. The scanner runs only when you click Start Scan in the admin. It does not hook into page loads or run any background cron jobs. Visitor-facing performance is completely unaffected.

= Which files does the deep cleanup scan inspect? =

The scanner reads PHP files with extensions `.php`, `.php3`, `.php4`, `.php5`, `.php7`, `.phtml`, and `.phar` inside your `wp-content` directory. It skips files larger than 512 KB and enforces a 25-second time budget and a 500-file cap per run to protect shared-hosting environments.

= What does "PHP file in uploads" mean? =

Legitimate image, video, and document uploads are never `.php` files. If the scanner finds any PHP file inside `wp-content/uploads/`, it is almost certainly a backdoor uploaded through a vulnerable plugin or theme — a High severity threat that should be removed immediately.

= Can it fix or delete infected files? =

Yes — the malware auto-purge feature lets you delete or quarantine flagged files directly from the scan results screen. Always review the file path and threat type before purging.

= Is any data sent outside my site? =

No. The plugin makes zero external HTTP requests. All scan results and alert history live only in your WordPress database.

= How does login protection work? =

Login protection limits repeated failed login attempts and helps prevent brute-force attacks against your `wp-login.php` endpoint — a key layer of website security that works alongside the malware scanner.

= How do I troubleshoot a scan that flagged an unexpected file? =

Go to **Malware Cleaner → Scan Results** and click the file path to view the matched pattern. The troubleshoot view shows the exact line and rule that triggered the alert, so you can decide whether it is a false positive or a real threat.

= How do I remove all plugin data when I uninstall? =

Go to **Malware Cleaner → Settings**, enable **Remove all data on uninstall**, then deactivate and delete the plugin. All database tables, scan history, and plugin options will be removed automatically.

= The scan finished but I expected more files to be checked. Why? =

The scanner caps each run at 500 files and 25 seconds to be safe on resource-constrained servers. If your `wp-content` directory is very large, only the first 500 PHP files encountered will be inspected per run. Future versions will support paginated / batch scanning.

== Screenshots ==

1. **Dashboard** — At-a-glance security overview showing a threat alert notice, scan statistics (total scans run, threats found, files scanned, time since last scan), and quick-access buttons to run a new scan or open Settings.
2. **Malware Scanner** — One-click scan launcher with a live progress indicator, followed by the Last Scan Results section displaying a threat detection notice and the full results table.
3. **Scan Results** — Detailed results table listing each flagged file with its full path, threat type (e.g. `eval_base64`), and severity badge (HIGH / MEDIUM) so you know exactly what was found and where.
4. **Settings** — Configure email alert notifications, set the alert recipient address, and manage scan data retention with the Remove Data on Uninstall option.

== Changelog ==

= 1.0.1 =
* Added malware auto-purge (delete / quarantine flagged files from the results screen).
* Added login protection module.
* Added real-time threat alerts.
* Improved site script cleaner detection for injected JavaScript and hidden iframes.
* Enhanced redirect hack fix detection patterns.

= 1.0.0 =
* Initial release.
* On-demand deep cleanup scan covering eight malware pattern types.
* Backdoor fixer, site script cleaner, and redirect hack fix detection.
* Admin dashboard with scan statistics.
* Settings page with data-management option.

== Upgrade Notice ==

= 1.0.1 =
Adds malware auto-purge, login protection, and real-time alerts. No database migration required — simply update and activate.

= 1.0.0 =
Initial release — no upgrade steps required.
