Major release adding 2FA, login protection with reCAPTCHA and Geo IP blocking, weekly email reports, and a redesigned dashboard. Recommended for all users.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":1},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3498415,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3498415,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":3498516,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.1.0","1.3.0","1.4.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3500001,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3500001,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3500001,"resolution":"3","location":"assets","locale":""}},"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[15756,55021,600,1909,139069],"plugin_category":[54],"plugin_contributors":[259384],"plugin_business_model":[],"class_list":["post-292510","plugin","type-plugin","status-publish","hentry","plugin_tags-login-protection","plugin_tags-malware-scanner","plugin_tags-security","plugin_tags-two-factor-authentication","plugin_tags-vulnerability-scanner","plugin_category-security-and-spam-protection","plugin_contributors-squishit","plugin_committers-squishit"],"banners":{"banner":"https:\/\/ps.w.org\/squish-site-patrol\/assets\/banner-772x250.png?rev=3498516","banner_2x":false,"banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/squish-site-patrol\/assets\/icon-128x128.png?rev=3498415","icon_2x":"https:\/\/ps.w.org\/squish-site-patrol\/assets\/icon-256x256.png?rev=3498415","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/squish-site-patrol\/assets\/screenshot-1.png?rev=3500001","caption":""},{"src":"https:\/\/ps.w.org\/squish-site-patrol\/assets\/screenshot-2.png?rev=3500001","caption":""},{"src":"https:\/\/ps.w.org\/squish-site-patrol\/assets\/screenshot-3.png?rev=3500001","caption":""}],"raw_content":"\n
Squish Site Patrol gives your WordPress site a complete health check \u2014 security hardening, malware scanning, login protection, and page speed in a single clean dashboard.<\/p>\n\n
Two-Factor Authentication (2FA)<\/strong>\n* TOTP-based 2FA with QR code setup (Google Authenticator, Authy, etc.)\n* Custom branded interstitial login page \u2014 replaces the default wp-login.php flow\n* Per-user 2FA enrollment with recovery options<\/p>\n\n Login Protection<\/strong>\n* reCAPTCHA v3 on the login page (free tier, no checkbox required)\n* Geo IP country blocking \u2014 restrict logins by country via ipapi.co\n* Failed login attempt monitoring and alerts (Patched)\n* Detects predictable \"admin\" username<\/p>\n\n Security Checks<\/strong>\n* WordPress core version check\n* Plugin update status \u2014 flags outdated plugins\n* SSL \/ HTTPS detection\n* File editor status check (wp-admin editor)\n* wp-config.php permissions check (Patched)\n* XML-RPC status check (Patched)\n* Debug mode detection (Patched)\n* Admin account audit \u2014 flags inactive admin accounts (Patched)\n* Database prefix check \u2014 flags default wp_ prefix (Patched)\n* Directory listing detection (Patched)<\/p>\n\n Malware Scanner<\/strong>\n* Verifies all 3,000+ WordPress core files against official checksums\n* Detects PHP files hidden in your uploads folder\n* Scans for dangerous file types (.exe, .sh, .bat) in uploads\n* User enumeration vulnerability check\n* Flags any modified core files\n* Real-time file change monitoring with baseline comparison (Patched)<\/p>\n\n Email Breach Detection<\/strong>\n* Checks admin email addresses against HaveIBeenPwned (Patched)\n* Alerts you if any admin account appears in a known breach<\/p>\n\n Page Speed & Core Web Vitals<\/strong>\n* Live Google PageSpeed Insights score\n* Core Web Vitals \u2014 LCP, FCP, and CLS\n* Mobile performance scoring\n* Scan any public URL\n* Inline metric explanations<\/p>\n\n Reporting<\/strong>\n* Weekly HTML email reports with a full scan summary (Patched)\n* Scheduled automatic daily scans (Patched)\n* Email alerts when issues are detected (Patched)\n* SSL certificate expiry alerts (Patched)<\/p>\n\n Dashboard & UX<\/strong>\n* Categorized check panels \u2014 Login, Server, and Files (collapsible)\n* Issues-only toggle \u2014 hide passing checks, focus on what needs fixing\n* Rescan button with toast notification (no page reload)\n* Card-based Settings UI with masked API keys\n* Dark mode toggle\n* Scan spinner and auto-scan status badge\n* Inline metric tooltips<\/p>\n\n Performance<\/strong>\n* Aggressive transient caching (12\u201324hr TTL) across all check classes\n* Zero front-end footprint \u2014 all scans run in wp-admin only<\/p>\n\n\n\n Upgrade to Patched for automatic monitoring and advanced protection:<\/p>\n\n Used to analyze page speed and Core Web Vitals for any URL entered by the user. Data sent: the URL being scanned. This call is only made when the user clicks \"Run scan\".\n* Service: https:\/\/developers.google.com\/speed\/docs\/insights\/v5\/about\n* Privacy: https:\/\/policies.google.com\/privacy\n* Terms: https:\/\/developers.google.com\/terms<\/p>\n\n Used to verify the integrity of WordPress core files by comparing them against official checksums. No user data is sent \u2014 only the WordPress version number and locale.\n* Service: https:\/\/api.wordpress.org\/core\/checksums\/1.0\/\n* Privacy: https:\/\/wordpress.org\/about\/privacy\/<\/p>\n\n Used to determine the country of origin for login attempts when Geo IP country blocking is enabled. Data sent: the visitor's IP address. This check only runs on the login page when the feature is active.\n* Service: https:\/\/ipapi.co\n* Privacy: https:\/\/ipapi.co\/privacy\/<\/p>\n\n Used to check if admin email addresses appear in known data breach databases. Requires a valid HIBP API key configured in settings.\n* Service: https:\/\/haveibeenpwned.com\/API\/v3\n* Privacy: https:\/\/haveibeenpwned.com\/Privacy\n* Terms: https:\/\/haveibeenpwned.com\/API\/v3#license<\/p>\n\n Used to manage the Patched premium subscription, licensing, and payments. Data sent upon upgrade: site URL, WordPress version, plugin version, and user email if the user opts in.\n* Service: https:\/\/freemius.com\n* Privacy: https:\/\/freemius.com\/privacy\/\n* Terms: https:\/\/freemius.com\/terms\/<\/p>\n\n\n Go to console.cloud.google.com, create a project, enable the PageSpeed Insights API, and generate an API key under Credentials. It's free.<\/p>\n\n\n No. Scans only run when you manually click \"Run scan\" in the admin panel. Nothing runs on the front end.<\/p><\/dd>\n In the free version, scans run on demand. Scheduled automatic daily scanning is available in Squish Site Patrol Patched.<\/p><\/dd>\n It compares every WordPress core file on your server against the official checksums published by WordPress.org. Any file that does not match gets flagged. It also scans your uploads folder for PHP files, dangerous file types, and checks for user enumeration vulnerabilities.<\/p><\/dd>\n Patched users get a baseline snapshot of all plugin and theme files. On every scheduled scan, Squish Site Patrol compares current files against that baseline and alerts you to any unexpected changes \u2014 modified, added, or removed files.<\/p><\/dd>\n When enabled, Squish Site Patrol adds a TOTP-based second factor to your WordPress login. After entering your password, you'll see a custom interstitial page prompting for your authenticator code. Works with any TOTP app including Google Authenticator and Authy.<\/p><\/dd>\n When enabled in Settings, login attempts from countries outside your allowed list are blocked before they reach wp-login.php. Country detection is handled via ipapi.co. No user data is stored.<\/p><\/dd>\n A dashboard control that hides all passing checks and shows only the items that need attention \u2014 useful on sites with many checks configured.<\/p><\/dd>\n All sales are final. We recommend trying the free version thoroughly before upgrading to Patched.<\/p><\/dd>\n Patched is the paid tier of Squish Site Patrol at $15\/month. It adds automatic scheduled scans, weekly HTML email reports, login monitoring, SSL expiry alerts, file change monitoring, breach detection, and much more.<\/p><\/dd>\n\n<\/dl>\n\n\nSquish Site Patrol Patched \u2014 $15\/mo<\/h4>\n\n
\n
External Services<\/h3>\n\n
Google PageSpeed Insights API<\/h4>\n\n
WordPress.org Checksums API<\/h4>\n\n
ipapi.co<\/h4>\n\n
HaveIBeenPwned API (Patched only)<\/h4>\n\n
Freemius<\/h4>\n\n
\n
\/wp-content\/plugins\/squish-site-patrol<\/code><\/li>\nWhere do I get a Google API key?<\/h4>\n\n
\n
Does this plugin slow down my site?<\/h3><\/dt>\n
Is the malware scan automatic?<\/h3><\/dt>\n
What does the malware scanner actually check?<\/h3><\/dt>\n
What is file change monitoring?<\/h3><\/dt>\n
How does 2FA work?<\/h3><\/dt>\n
How does Geo IP country blocking work?<\/h3><\/dt>\n
What is the issues-only toggle?<\/h3><\/dt>\n
Do you offer refunds?<\/h3><\/dt>\n
What is Squish Site Patrol Patched?<\/h3><\/dt>\n
1.4.0<\/h4>\n\n
\n
1.3.0<\/h4>\n\n
\n
1.1.0<\/h4>\n\n
\n
1.0.0<\/h4>\n\n
\n