Detection Patterns and What They Catch

Content Guard Pro uses a comprehensive set of detection patterns to identify security threats. Understanding these patterns helps you interpret findings and reduce false positives.

Pattern Categories

1. External Resources

Detects scripts, iframes, and embeds from non-allowlisted domains.

What It Catches:

  • Malicious JavaScript injection
  • Malvertising (malicious advertisements)
  • Phishing frame embeds
  • Unauthorized tracking scripts

What Gets Flagged:

  • Script tags pointing to unknown external domains
  • Iframe tags embedding non-allowlisted sources
  • Embed and object tags with external URLs

False Positive Risk: Medium – legitimate third-party services may trigger this check

Reduce False Positives: Add your trusted services to the allowlist
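A minimal sketch of the allowlist check described in this section, added here as an illustration; it is not Content Guard Pro's own code. The allowlist entries, function names and sample markup are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for this example; the real one is whatever you configure.
ALLOWLIST = {"video.example", "cdn.example"}
# Tag -> attribute that carries the resource URL.
URL_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

def host_allowed(host, allowlist):
    """Match the exact domain or a true subdomain, never a bare string suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)

class ExternalResourceScanner(HTMLParser):
    def __init__(self, allowlist):
        super().__init__()
        self.allowlist = allowlist
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # hostname is None for relative (same-site) URLs; "//host/x" is resolved.
        host = urlparse(url).hostname
        if host and not host_allowed(host, self.allowlist):
            self.findings.append((tag, host))

def scan_external(html, allowlist=ALLOWLIST):
    scanner = ExternalResourceScanner(allowlist)
    scanner.feed(html)
    return scanner.findings

# Constructed sample content (reserved .example/.test names).
SAMPLE = """
<script src="/wp-includes/js/local.js"></script>
<iframe src="https://www.video.example/embed/1"></iframe>
<script src="//video.example.attacker.test/a.js"></script>
<object data="https://files.unknown.test/x.swf"></object>
<embed src="https://notvideo.example/w">
"""

if __name__ == "__main__":
    for tag, host in scan_external(SAMPLE):
        print(f"FLAG <{tag}> from {host}")
```

The lookalike hosts in the sample show why an allowlist entry should be compared on a domain boundary: a plain substring or suffix test would let video.example.attacker.test and notvideo.example through.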

2. URL Shorteners

Detects shortened URLs that can mask malicious destinations.

Detected Services:

  • bit.ly, t.co, tinyurl.com
  • goo.gl, ow.ly, buff.ly
  • is.gd, cutt.ly, lnkd.in
  • grabify (IP logging), iplogger

Why Flagged:

  • Shorteners hide the true destination
  • Commonly used in spam campaigns
  • Can redirect to malware

False Positive Risk: Low – shorteners are rarely needed in content

3. Hidden Content

Detects CSS-hidden content that contains external resources.

CSS Patterns Detected:

  • display: none
  • visibility: hidden
  • opacity: 0
  • font-size: 0
  • Negative positioning (left: -9999px)
  • text-indent: -9999px
  • clip: rect(0,0,0,0)
  • z-index: -1
  • max-height: 0 with overflow: hidden

Why Flagged: Attackers hide malicious links from users while search engines still see them.

False Positive Risk: Medium – legitimate accessibility hiding uses similar techniques

Reduce False Positives: Accessibility classes such as sr-only and visually-hidden are automatically excluded
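The following added example (not the plugin's own code) shows one way to combine the two conditions this section describes: an element hidden by one of the listed CSS patterns, and an external resource inside it. It checks inline style attributes only; the regexes, the site host blog.example and the sample markup are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style forms of the CSS patterns listed above (regexes are this example's own).
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|font-size\s*:\s*0(?![.\d])|(?:left|text-indent)\s*:\s*-\d{3,}px"
    r"|clip\s*:\s*rect\(\s*0[\s,]+0[\s,]+0[\s,]+0\s*\)|z-index\s*:\s*-1\b", re.I)
MAX_HEIGHT_0 = re.compile(r"max-height\s*:\s*0(?![.\d])", re.I)
OVERFLOW_HIDDEN = re.compile(r"overflow\s*:\s*hidden", re.I)
A11Y_CLASSES = {"sr-only", "visually-hidden"}  # excluded, as the page states
VOID = {"img", "br", "hr", "input", "meta", "link", "embed", "source", "wbr"}

def is_hidden(attrs):
    a = dict(attrs)
    if A11Y_CLASSES & set((a.get("class") or "").split()):
        return False
    style = a.get("style") or ""
    return bool(HIDING.search(style)
                or (MAX_HEIGHT_0.search(style) and OVERFLOW_HIDDEN.search(style)))

class HiddenResourceScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.stack, self.findings = site_host, [], []
    def handle_starttag(self, tag, attrs):
        # A child of a hidden element is hidden too.
        hidden = (bool(self.stack) and self.stack[-1][1]) or is_hidden(attrs)
        url = dict(attrs).get("href") or dict(attrs).get("src")
        host = urlparse(url).hostname if url else None
        if hidden and host and host != self.site_host:
            self.findings.append((tag, host))
        if tag not in VOID:  # void tags have no end tag, so never push them
            self.stack.append((tag, hidden))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed children
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan_hidden(html, site_host="blog.example"):
    scanner = HiddenResourceScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample content (reserved .test names).
SAMPLE = """<div style="position:absolute; left:-9999px"><a href="https://pills.spam.test/buy">cheap</a></div>
<span class="sr-only" style="clip: rect(0,0,0,0)"><a href="https://docs.partner.test/">Skip</a></span>
<div style="max-height:0; overflow:hidden"><p><img src="https://track.spam.test/p.gif"></p></div>
<div style="opacity: 0.5"><a href="https://ok.partner.test/">faded</a></div>"""
```

Calling scan_hidden(SAMPLE) reports the off-screen link and the collapsed tracking image, while the sr-only element and the half-transparent block are left alone.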

4. Obfuscation

Detects attempts to hide malicious code through encoding or manipulation.

Patterns Detected:

  • Character code conversion functions
  • Base64 encoding/decoding functions
  • Eval with encoded strings
  • Large Base64 data URLs
  • String concatenation patterns

Why Flagged: Obfuscation is a classic technique to hide malicious payloads from simple scanners.

False Positive Risk: Low – obfuscation is rarely legitimate in content

5. SEO Spam Keywords

Detects common spam phrases used in content injection attacks.

Categories Detected:

  • Pharma: Prescription drug names, online pharmacy terms
  • Gambling: Casino, betting, poker terms
  • Adult: Explicit content terminology
  • Financial: Predatory loan terms, get-rich-quick phrases
  • Academic: Essay writing service promotions
  • Counterfeit: Replica product terms
  • Crypto scams: Fake giveaway and recovery service terms

False Positive Risk: Medium – legitimate content may use these terms

Reduce False Positives: Patterns use word boundaries and context to minimize false matches

6. JavaScript Injection

Detects inline JavaScript that could execute malicious code.

Patterns Detected:

  • Inline event handler attributes (onclick, onerror, onload, etc.)
  • Dynamic content writing methods
  • JavaScript protocol URIs in links
  • Location manipulation for redirects

False Positive Risk: Medium – some legitimate widgets use inline handlers

7. PHP Function Patterns

Detects dangerous PHP functions that might appear in serialized data or injected content.

Functions Detected:

  • Code execution functions (eval, assert, exec, system)
  • Shell command functions
  • File operation functions
  • Encoding/decoding functions often used in exploits

False Positive Risk: Low – these shouldn’t appear in content

8. Cryptocurrency Miners

Detects known cryptojacking scripts that mine cryptocurrency using visitors’ browsers.

What Gets Flagged:

  • References to known mining service domains
  • Mining library file references
  • Mining initialization patterns

False Positive Risk: Very low – mining scripts are rarely legitimate

9. SVG Scripts

Detects SVG images containing executable JavaScript.

Patterns Detected:

  • SVG tags with event handler attributes
  • Script tags nested within SVG elements
  • ForeignObject elements that could contain HTML

False Positive Risk: Low – legitimate SVGs rarely need scripts

10. Redirect Patterns

Detects automatic redirects that could send users to malicious sites.

Patterns Detected:

  • Meta refresh tags with URLs
  • JavaScript location assignments
  • Document location changes

False Positive Risk: Medium – some legitimate uses exist

Pattern Updates

Detection patterns are updated regularly to address new threats:

  • Automatic updates: Plugin checks daily for pattern updates
  • Manual check: Settings → Check for Pattern Updates
  • Update notifications: Admin notice when patterns update

Custom Patterns

You can add custom detection patterns:

1. Go to Content Guard Pro → Patterns
2. Add domains to Denylist
3. Add regex patterns for custom detection

See Managing Allow/Deny Lists for details.

Updated on December 4, 2025