Complete site health at a glance — performance scores, security checks, scans, and recent activity in one dashboard.

Squish Site Patrol gives your WordPress site a complete health check — security hardening, malware scanning, login protection, and page speed in a single clean dashboard.

Two-Factor Authentication (2FA)
* TOTP-based 2FA with QR code setup (Google Authenticator, Authy, etc.)
* Custom branded interstitial login page — replaces the default wp-login.php flow
* Per-user 2FA enrollment with recovery options

Login Protection
* reCAPTCHA v3 on the login page (free tier, no checkbox required)
* Geo IP country blocking — restrict logins by country via ipapi.co
* Magic link login — send a one-time signed login link to your admin email (Patched)
* Failed login attempt monitoring and alerts (Patched)
* Detects predictable “admin” username

Security Checks
* WordPress core version check
* Plugin update status — flags outdated plugins
* SSL / HTTPS detection
* File editor status check (wp-admin editor)
* wp-config.php permissions check (Patched)
* XML-RPC status check (Patched)
* Debug mode detection (Patched)
* Admin account audit — flags inactive admin accounts (Patched)
* Database prefix check — flags default wp_ prefix (Patched)
* Directory listing detection (Patched)
* HTTP security headers check (Patched)

Malware Scanner
* Verifies all 3,000+ WordPress core files against official checksums
* Detects PHP files hidden in your uploads folder
* Scans for dangerous file types (.exe, .sh, .bat) in uploads
* User enumeration vulnerability check
* Flags any modified core files
* Real-time file change monitoring with baseline comparison (Patched)

Email Breach Detection
* Checks admin email addresses against HaveIBeenPwned (Patched)
* Alerts you if any admin account appears in a known breach

Audit Log
* Tracks logins, failed login attempts, plugin installs, settings changes, and scans
* 90-day retention with full event history
* Filter by event type — login, scan, settings, plugin activity and more
* Recent activity strip on the main dashboard

Page Speed & Core Web Vitals
* Live Google PageSpeed Insights score
* Core Web Vitals — LCP, FCP, and CLS
* Mobile performance scoring
* Scan any public URL
* Inline metric explanations

Reporting
* Weekly HTML email reports with a full scan summary (Patched)
* Scheduled automatic daily scans (Patched)
* Email alerts when issues are detected (Patched)
* SSL certificate expiry alerts (Patched)

Dashboard & UX
* Clean two-panel layout — Security on the left, Scans & hardening on the right
* Hardening tab consolidates all Patched checks in one place
* Issues-only toggle on both panels — hide passing checks, focus on what needs fixing
* Rescan button with toast notification (no page reload)
* Dark mode toggle
* Scan spinner and auto-scan status badge
* Score cards hidden by default until first scan runs
* Inline metric tooltips

Performance
* Aggressive transient caching (12–24hr TTL) across all check classes
* Zero front-end footprint — all scans run in wp-admin only

Squish Site Patrol Patched — $15/mo

Upgrade to Patched for automatic monitoring and advanced protection:

* Scheduled automatic daily scans
* Weekly HTML email reports
* Email alerts when issues are found
* Magic link login — passwordless one-time login links
* Failed login attempt monitoring
* SSL certificate expiry alerts
* Real-time file change monitoring with baseline comparison
* Reset file monitoring baseline after legitimate updates
* wp-config.php permissions check
* XML-RPC status check
* Debug mode detection
* HTTP security headers check
* Admin account audit — flags inactive admin accounts
* Database prefix check — flags default wp_ prefix
* Directory listing detection
* Email breach check via HaveIBeenPwned

External Services

Google PageSpeed Insights API

Used to analyze page speed and Core Web Vitals for any URL entered by the user. Data sent: the URL being scanned. This call is only made when the user clicks “Run scan”.
* Service: https://developers.google.com/speed/docs/insights/v5/about
* Privacy: https://policies.google.com/privacy
* Terms: https://developers.google.com/terms

WordPress.org Checksums API

Used to verify the integrity of WordPress core files by comparing them against official checksums. No user data is sent — only the WordPress version number and locale.
* Service: https://api.wordpress.org/core/checksums/1.0/
* Privacy: https://wordpress.org/about/privacy/

ipapi.co

Used to determine the country of origin for login attempts when Geo IP country blocking is enabled. Data sent: the visitor’s IP address. This check only runs on the login page when the feature is active.
* Service: https://ipapi.co
* Privacy: https://ipapi.co/privacy/

HaveIBeenPwned API (Patched only)

Used to check if admin email addresses appear in known data breach databases. Requires a valid HIBP API key configured in settings.
* Service: https://haveibeenpwned.com/API/v3
* Privacy: https://haveibeenpwned.com/Privacy
* Terms: https://haveibeenpwned.com/API/v3#license

Freemius

Used to manage the Patched premium subscription, licensing, and payments. Data sent upon upgrade: site URL, WordPress version, plugin version, and user email if the user opts in.
* Service: https://freemius.com
* Privacy: https://freemius.com/privacy/
* Terms: https://freemius.com/terms/