File integrity monitoring (FIM) detects when files on your server change unexpectedly. PowerSEC compares your live filesystem against a known-good baseline.
How baselines work
PowerSEC builds a baseline of every file in:
- WordPress core (wp-admin/, wp-includes/)
- All active themes
- All active plugins
For each file we record:
- SHA256 hash of the file content
- File size
- Last modified timestamp
When you legitimately update a plugin or theme, PowerSEC re-baselines automatically.
What FIM detects
✅ Modified core file — usually means an attacker injected code
✅ New file in unusual location — e.g., a PHP file in wp-content/uploads/
✅ Plugin file changed without an update — possible compromise
✅ Deleted core file — could be vandalism or partial cleanup attempt
What FIM doesn't catch
❌ Database content — post_content changes need the content scanner
❌ Cache files, log files — these change constantly; we exclude them
❌ User uploads — uploads to media library are normal user activity
Reading FIM alerts
A FIM alert shows:
- File path — where the change happened
- Change type — modified / added / deleted
- Hash diff — old hash vs new hash
- Risk score — 0-100 based on file location, change pattern, signature matches
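A minimal sketch of the baseline-and-compare approach described above, added here as an illustration and not PowerSEC's own code: it records the three attributes listed under "How baselines work" and reports the path, change type and old/new hash of each difference. The function names, the constructed sample tree and the choice to walk everything under one root are assumptions; risk scoring and exclusions are left out.

```python
import hashlib
import os
import tempfile

def build_baseline(root):
    """Map relative path -> (sha256 hex, size, mtime) for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (digest.hexdigest(), st.st_size, int(st.st_mtime))
    return baseline

def compare(baseline, current):
    """Return alerts as (path, change_type, old_hash, new_hash), sorted by path."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            alerts.append((path, "added", None, new[0]))
        elif new is None:
            alerts.append((path, "deleted", old[0], None))
        elif old[0] != new[0]:
            alerts.append((path, "modified", old[0], new[0]))
    return alerts

def demo():
    """Constructed sample tree: baseline it, change it, return the alerts."""
    with tempfile.TemporaryDirectory() as root:
        files = {"wp-includes/version.php": b"<?php $v='1';",
                 "wp-admin/index.php": b"<?php // admin",
                 "wp-content/plugins/demo/demo.php": b"<?php // plugin"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)
        # Same-length rewrite: the size is unchanged, only the hash differs.
        with open(os.path.join(root, "wp-includes/version.php"), "wb") as fh:
            fh.write(b"<?php $v='2';")
        os.remove(os.path.join(root, "wp-admin/index.php"))
        os.makedirs(os.path.join(root, "wp-content/uploads"))
        with open(os.path.join(root, "wp-content/uploads/x.php"), "wb") as fh:
            fh.write(b"<?php // new")
        return compare(baseline, build_baseline(root))
```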
Common false positives
- Some plugins write to their own directories (e.g., backup plugins, cache plugins). PowerSEC has an exclusion list for known-safe write patterns.
- Theme customization plugins (e.g., Elementor, Divi Builder) modify theme files when you save changes.
- WP-Cron or scheduled jobs may rotate log files.
If you see repeated false positives, you can add custom exclusions per site.