BrandBees Malware Guardian

Production-oriented technical documentation for developers and security teams using BrandBees Malware Guardian. Covers setup, scan lifecycle, signature sync, integration hooks,

Overview

BrandBees Malware Guardian is a local-first WordPress malware scanner that inspects files and selected database records for malicious patterns, SEO spam payloads, and defacement signatures. The plugin focuses on practical remediation by combining detection quality with clear risk context.

This documentation is intended for implementers who need to configure scans, tune behavior through hooks, and integrate signature feed management into operational workflows.

  • Designed for agencies and technical site owners who need signal-driven scanning, not noisy reports.
  • Supports file and database scanning with severity- and confidence-based triage.
  • Includes scheduled scans, scan history, and guided remediation workflows.
  • Can be extended through filters for scan scope, risk scoring, and signature synchronization behavior.

Quick Start

  1. Install and activate the plugin.
  2. Open BB Malware Guard in wp-admin.
  3. Run an initial manual scan and review findings by severity.
  4. Enable the schedule for recurring scans.
  5. If using external signatures, configure the feed source and sync policy.

Scanner Architecture

  • File scanning engine: traverses configured roots and evaluates signatures/patterns on content.
  • Database scanning engine: checks selected record types for injections and suspicious code fragments.
  • Pattern matcher: computes risk thresholds and final detection scores.
  • Signature provider: supports local defaults plus remote feed synchronization and caching controls.
  • Operational layer: scheduler, progress state handling, and stale scan protections.

Installation & Activation

  1. Upload the plugin folder to /wp-content/plugins/.
  2. Activate from Plugins in wp-admin.
  3. Open BB Malware Guard in the admin menu.
  4. Run a manual scan to verify setup.

Scan Workflow

  1. Start a manual scan or wait for scheduled execution.
  2. Review detections by severity, confidence, and location context.
  3. Inspect detection details (location, category, pattern context).
  4. Apply remediation where appropriate, then verify no regression.
  5. Run a verification scan after cleanup.

Detection Model & Risk Logic

Malware Guardian combines signature matching with risk scoring to improve signal quality. Instead of treating every pattern hit equally, detections are classified by severity and confidence so teams can prioritize critical incidents first.

  • Signature categories: php_malware, javascript, html, seo_spam, defacement.
  • Risk thresholding: configurable through filter hooks for project-specific tuning.
  • False-positive reduction: confidence/risk context helps avoid low-value cleanup actions.
  • Verification pass: remediation can be validated by immediate follow-up scans.

Operations, Scheduling & Cache Behavior

  • Scheduled scanning: supports recurring scan execution via WP-Cron.
  • Manual scanning: available for immediate verification after deployments or cleanup.
  • Progress state: scan lifecycle tracks progress and handles stale/hung scan safeguards.
  • Signature cache: signature feed responses are cached with TTL and cooldown handling.
  • Cache refresh: after signature updates, clearing the feed cache ensures the next scan uses fresh data.

Signature Feed Workflow (GitHub)

For teams using the MU signature manager:

  • Define repository settings (owner/repo/branch/path).
  • Load the signature JSON from GitHub into a draft.
  • Add, edit, or delete signatures via the UI.
  • Save back to GitHub using a token-authenticated API request.
  • The scanner cache is cleared so the fresh feed is used on the next scan.

Privacy & External Services

  • Core scanning runs locally on your server.
  • Scan results are stored in the WordPress database.
  • Optional integrations (if enabled) may perform third-party threat lookups

License & Author

Developer Hooks

Current extension points are filter-based and can be used for scan scope, risk scoring, and signature feed behavior.

bbmg_malware_scan_post_types

Adjust post types included in DB scans.

bbmg_malware_scan_file_roots

Adjust filesystem roots scanned.

bbmg_malware_excluded_file_extensions

Override excluded extensions.
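
An added example (not from the plugin's own code or documentation) showing how the three filters above could be used from a must-use plugin to widen DB coverage, validate file roots, and keep script-bearing extensions in scope. It assumes each filter passes an array as its first argument; the post type slugs are hypothetical.

```php
<?php
/**
 * Plugin Name: BBMG scan scope tuning (added example)
 *
 * Assumptions, not confirmed by the plugin documentation: each filter passes
 * an array as its first argument (post type slugs, absolute directory paths,
 * and file extensions without a leading dot).
 */

// Include custom post types that store editor-supplied HTML in DB scans.
// 'landing_page' and 'product' are hypothetical slugs for this site.
add_filter( 'bbmg_malware_scan_post_types', function ( $post_types ) {
    $extra = array_filter( array( 'landing_page', 'product' ), 'post_type_exists' );
    return array_values( array_unique( array_merge( (array) $post_types, $extra ) ) );
} );

// Cover the whole install and drop any root that does not resolve to a real
// directory, so a typo or stale path cannot silently shrink scan coverage.
add_filter( 'bbmg_malware_scan_file_roots', function ( $roots ) {
    $roots   = (array) $roots;
    $roots[] = ABSPATH;
    $roots[] = WP_CONTENT_DIR; // can live outside ABSPATH on some installs

    $clean = array();
    foreach ( $roots as $root ) {
        $real = realpath( $root ); // also resolves symlinks and ../ segments
        if ( false !== $real && is_dir( $real ) ) {
            $clean[] = wp_normalize_path( trailingslashit( $real ) );
        }
    }
    return array_values( array_unique( $clean ) );
} );

// Run late (priority 99) so no earlier callback can exclude file types that
// can carry executable code or injected script.
add_filter( 'bbmg_malware_excluded_file_extensions', function ( $excluded ) {
    $must_scan = array( 'php', 'phtml', 'phar', 'js', 'html', 'htm', 'svg' );
    $normalize = function ( $ext ) {
        return strtolower( ltrim( (string) $ext, '.' ) );
    };
    $excluded = array_map( $normalize, (array) $excluded );
    return array_values( array_diff( $excluded, $must_scan ) );
}, 99 );
```

Placing this in `wp-content/mu-plugins/` keeps the scan scope in effect even if regular plugins are deactivated during cleanup.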
