Why My First WordPress Plugin Is a Free Malware Scanner

I’ve been building WordPress sites for 25 years. I’ve watched the ecosystem go from a bloggers’ toy to the backbone of 43% of the internet, seen trends come and go, plugins rise and fall, and security threats evolve from script-kiddie defacements to nation-state-grade supply chain attacks. Through all of it, one thing has stayed frustratingly constant:

the security tools that are supposed to protect you are bad at their job.

The Day My Site Got Hacked (While “Protected”)

There was one specific client cleanup that made me start building Nova Scan.

It was a small business site, nothing fancy, running the paid version of Wordfence. The dashboard was a symphony of reassurance, with green checkmarks everywhere, “firewall optimized,” and “scan complete: no issues found.” The site was also completely owned, with three backdoors running at the same time while the most popular security plugin in the WordPress ecosystem was showing everything clear.

What Wordfence Missed

Here is what I found when I actually looked at the files.

Backdoor #1: The Impersonator

A file called wp-content/db.php. WordPress legitimately supports drop-in database files at that path, so Wordfence looked at it and decided everything was normal. It wasn’t. Inside was a single line using PHP’s zip:// stream wrapper to pull executable code out of a hidden zip file. The file contained none of the strings signature scanners look for. It was using a legal PHP function to do something clearly illegal, and that single line was all the attacker needed.

Backdoor #2: The Nesting Doll

Six directories deep: .private/mu-plugins/widgets/twentytwentyfive/Renderer/index.php. That path was specifically crafted to look like a WordPress theme component, but what it actually contained was a full PHP file manager with a hardcoded password, giving the attacker a browser-based GUI to browse, upload, download, and modify any file on the entire server. It amounted to full FTP access through a web browser.

Backdoor #3: The Fake Core File

A file called wp-check.php sitting in the site root. At first glance it looks like a WordPress core file because the project ships things like wp-cron.php, wp-login.php, and wp-mail.php. But wp-check.php has never existed in any version of WordPress, and this one was a dropper stub planted the same day as the other two, whose only job was downloading and installing whatever payload the attacker wanted to run next.

Wordfence didn’t flag a single one of them.
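As an added illustration of the three placements above (example code, not Nova Scan's scanner; the drop-in and root-level core name lists are assumptions that should be replaced by the manifest for the installed WordPress version, and the sample tree is constructed), here is a small audit that checks where a PHP file sits together with what it contains, so the "safe" name of wp-content/db.php does not excuse a stream-wrapper include:

```python
import os
import re

# Drop-ins WordPress loads from wp-content/ when present, and the root-level wp-*.php
# names expected in an install; both sets are assumptions, check the real manifest
DROP_INS = {"db.php", "db-error.php", "advanced-cache.php", "object-cache.php",
            "maintenance.php", "sunrise.php", "fatal-error-handler.php"}
CORE_ROOT = {"wp-activate.php", "wp-blog-header.php", "wp-comments-post.php", "wp-config.php",
             "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php", "wp-mail.php",
             "wp-settings.php", "wp-signup.php", "wp-trackback.php"}
# Stream wrappers that have no business inside a database drop-in
WRAPPER = re.compile(r"\b(?:zip|phar|data|expect|compress\.\w+)://|php://(?:input|filter)", re.I)

def load_tree(root):
    """Map every .php file under a real install to its contents, keyed by relative path."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            full = os.path.join(dirpath, name)
            with open(full, errors="ignore") as fh:
                tree[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return tree

def audit(tree):
    """Return sorted (reason, path) findings for the three patterns from the cleanup."""
    findings = []
    for rel, body in tree.items():
        *dirs, name = rel.split("/")
        # 1. the impersonator: a legitimate drop-in name pulling code through a stream wrapper
        if dirs == ["wp-content"] and name in DROP_INS and WRAPPER.search(body):
            findings.append(("dropin-stream-wrapper", rel))
        # 2. the nesting doll: PHP under a dot-directory, or mu-plugins outside wp-content
        if any(d.startswith(".") for d in dirs) or (
                "mu-plugins" in dirs and dirs[:2] != ["wp-content", "mu-plugins"]):
            findings.append(("hidden-or-misplaced-php", rel))
        # 3. the fake core file: root-level wp-*.php absent from the core manifest
        if not dirs and name.startswith("wp-") and name not in CORE_ROOT:
            findings.append(("unknown-root-core-name", rel))
    return sorted(findings)

# Constructed sample install: the three backdoor placements beside benign look-alikes
SAMPLE_TREE = {
    "index.php": "<?php require 'wp-blog-header.php';",
    "wp-login.php": "<?php // genuine core file",
    "wp-check.php": "<?php // constructed stand-in for the dropper stub",
    "wp-content/db.php": "<?php include 'zip://wp-content/uploads/.c.zip#x.php';",
    "wp-content/object-cache.php": "<?php // benign drop-in from a caching plugin",
    "wp-content/mu-plugins/loader.php": "<?php // legitimate must-use plugin",
    ".private/mu-plugins/widgets/twentytwentyfive/Renderer/index.php": "<?php // file manager",
}
```

`audit(SAMPLE_TREE)` reports exactly the three planted files and nothing else; `audit(load_tree("/path/to/site"))` runs the same checks over a real install.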

The Moment I Decided to Build Nova Scan

I sat there staring at the Wordfence dashboard giving me an all-green, all-clear “your site is protected” while three backdoors were actively running. The thought that kept circling in my head:

A green-light dashboard with three backdoors behind it is a bedtime story people tell themselves so they don’t have to check under the bed.

I’ve cleaned dozens of hacked sites over 25 years, and every single one of them was running a security plugin with a clean bill of health while the site was actively compromised. At some point you either keep cleaning up other people’s messes forever, or you start building the tool you wish existed. I picked the second option.

Why Free? Actually Free?

The part of the WordPress security industry that kills me is how thoroughly it has turned fear into a subscription model.

“We found 7 critical threats on your site. Upgrade to Premium to see the details.”

Read that again. They found threats, on your site, and they’re hiding the details behind a paywall. That is a hostage situation dressed up as a security product. Your house is on fire and the fire department wants your credit card number before they will tell you which room to avoid.

Nova Scan is free forever and stays free. There is no time-limited trial, no hidden premium tier for the real findings, and no “free for 3 scans then $99 a year” bait-and-switch. You get the full detail on every CVE, every suspicious file, and every recommendation, with no upsell nags in the scan results. If your site is hacked you deserve to know exactly how, without having to type in a credit card first.

What Makes Nova Scan Different

I built Nova Scan because every existing option was missing whatever I was looking for at 2 AM while cleaning up someone else’s mess.

It Actually Reads the Code

Most scanners match filenames and known signatures, which is why they miss things like the db.php backdoor above: the filename is “safe.” Nova Scan doesn’t care what a file is called. It reads the code inside, analyzes the behavior, and decides whether the file is malicious based on what it does rather than what it happens to be named.

Machine Learning That Earns Its Keep

I built a machine learning engine trained on real-world malware samples, backdoors, and skimmers, which scores every file based on behavioral patterns and catches obfuscated code, zero-day variants, and novel attack patterns that signature-based scanners have never seen. The detection intelligence is encrypted at rest, so attackers cannot read our playbook even if they get file access to your site.

Database Scanning That Understands Context

Your database can be just as compromised as your filesystem, whether through injected JavaScript in post content, rogue admin accounts, or malicious cron jobs. Nova Scan checks all of it, and it is smart enough to know the difference between a page builder storing <?php echo get_the_title(); ?> in a post field and an attacker injecting <?php eval(base64_decode('...')); ?>.
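Serving both “It Actually Reads the Code” and the database point above, here is an added behaviour-scoring example (not Nova Scan's engine; the indicator list, weights and thresholds are assumptions of the example, and the wp_posts rows are constructed). It scores a fragment by what it does, so the page-builder template tag scores clean, the eval(base64_decode(...)) injection, a split-keyword variant of it, and an injected JavaScript eval(unescape(...)) score malicious, and a plugin decoding its own settings lands in between:

```python
import re

# Behavioural indicators with weights, applied to what the code does rather than to its
# filename or hash; a decoder feeding a sink is the strongest single signal.
SINKS = r"\b(?:eval|assert|create_function|system|exec|passthru|shell_exec|popen|proc_open)\s*\("
DECODERS = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin|strrev|rawurldecode)\s*\("
INDICATORS = [
    ("sink", re.compile(SINKS, re.I), 4),
    ("decoder", re.compile(DECODERS, re.I), 2),
    ("decoder-into-sink", re.compile(SINKS + r"\s*" + DECODERS, re.I), 6),
    ("dynamic-call", re.compile(r"\$\w+\s*\("), 3),                    # $f(...) variable function
    ("variable-variable", re.compile(r"\$\$\w+"), 2),
    ("split-keyword", re.compile(r"'\w{1,3}'\s*\.\s*'\w{1,3}'"), 3),  # 'ev'.'al'
    ("chr-chain", re.compile(r"(?:chr\(\d+\)\s*\.\s*){3,}", re.I), 3),
    ("long-b64-blob", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), 2),
    ("js-eval-decode", re.compile(r"\beval\s*\(\s*(?:unescape|atob|String\.fromCharCode)", re.I), 5),
]

def score(snippet):
    """Return (verdict, total, indicator names) for one PHP/HTML fragment."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(snippet)]
    total = sum(weight for _, weight in hits)
    verdict = "malicious" if total >= 6 else "suspicious" if total >= 2 else "clean"
    return verdict, total, [name for name, _ in hits]

def scan_rows(rows):
    """Score every post_content value; returns {post_id: (verdict, total, hits)}."""
    return {post_id: score(body) for post_id, body in rows.items()}

# Constructed wp_posts rows: page-builder template tags beside injected payloads
SAMPLE_ROWS = {
    101: "<div class='hero'><?php echo get_the_title(); ?> <?php the_content(); ?></div>",
    102: "<?php eval(base64_decode('" + "QUFB" * 30 + "')); ?>",
    103: "<?php $f = 'ev'.'al'; $f(gzinflate(base64_decode($blob))); ?>",
    104: "<p>Contact us</p><script>eval(unescape('%64%6f%63'))</script>",
    105: "<?php if (is_user_logged_in()) { echo esc_html(get_option('blogname')); } ?>",
    106: "<?php $cfg = json_decode(base64_decode(get_option('my_plugin_cfg')), true); ?>",
}

if __name__ == "__main__":
    for post_id, (verdict, total, hits) in scan_rows(SAMPLE_ROWS).items():
        print(f"post {post_id}: {verdict:10} score={total:2} {', '.join(hits)}")
```

Row 106 is the kind of finding that needs a human look rather than a red alert: a lone base64_decode is how plenty of legitimate plugins store settings, which is why it scores suspicious rather than malicious.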

27,000+ CVEs, No API Key Required

Every plugin and theme on your site gets checked against the Wordfence Intelligence CVE database and the WPScan Vulnerability Database, with known vulnerabilities flagged instantly. There is no premium API key required for the core feed.

False Positives? We Obsess Over Them

Nothing destroys trust in a scanner faster than crying wolf. We recently ran Nova Scan on an 83,000-file client site and got 500 findings, every single one of them a false positive. Instead of shrugging, we spent days making the detection logic smarter, and that site now shows zero false positives at medium severity or above. Every rule still runs and nothing gets skipped. The scanner got accurate enough to tell the difference between a real threat and a plugin’s translation file.

What We Just Shipped (The Nerdy Stuff)

Here is what went live this week:

  • Vault-encrypted detection intelligence: all signatures, patterns, and rules are encrypted on disk, so if someone gets file access to your site they cannot reverse-engineer the detection logic.
  • 36 YARA threat-hunting rules: integrated from the PHP Malware Finder and Elastic security research, catching obfuscation patterns, known webshell families, and packer signatures.
  • VirusTotal integration: check suspicious file hashes against 70+ antivirus engines with one click.
  • LLM prompt injection detection: in 2026 some attackers are embedding AI prompt injections inside PHP files. We detect 9 different patterns of it.
  • Auto-vPatch CVE rules: the firewall now auto-generates WAF rules from CVE data, so when a new vulnerability gets disclosed, protection can be active before the plugin author even wakes up.
  • Memory and OPcache integrity scanning: because some attacks live entirely in memory and never touch the filesystem.

The Philosophy

I believe three things about WordPress security:

  1. Security shouldn’t cost $99 a year. If a scanner exists to protect people, it should protect all people, not just the ones with budget.
  2. You should never need a “premium license” to see what’s wrong with your own website. That business model is ethically bankrupt.
  3. A scanner that shows you a clean report while three backdoors are running is worse than no scanner at all, because it gives you false confidence and makes you stop looking.

Nova Scan exists because the alternatives failed me and my clients, and based on the sites I keep getting called in to clean, they are failing you too.

Try It

Nova Scan is free forever.

Create an account, install the plugin, run a scan. If it finds something Wordfence missed, I won’t say I told you so, although I might think it a little.

Get Nova Scan →

Nova Scan is still in early access, maintained by a solo dev, with bugs getting fixed at midnight, but it catches things the big names don’t, and that is why it exists.

~ SephX, founder of Nova Heaven. 25 years of WordPress and zero tolerance for paid fear.

© Nova Heaven. All rights reserved.