Wordfence scanning

From Wordfence Documentation

Scans and their results are shown on the Scan page on the Wordfence menu.

This page is a description of Wordfence scanning, how it works and what it does. You may also want to read our documentation on scan scheduling which explains when scans are scheduled for free customers and how premium customers can schedule their own scan times.

You can launch a Wordfence scan by signing into your WordPress website and going to the Wordfence 'scan' menu. From there simply hit the 'Scan' button and you will start a scan.

A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, shells that hackers have installed, known malicious URLs and known patterns of infection. It also examines all your posts, pages and comments looking for malicious code and URLs. It performs several other checks as well, such as checking whether your IP address is being used for malicious activity, checking whether your web server is vulnerable to issues like the Heartbleed vulnerability, checking for any unauthorized DNS changes, and more.

If Wordfence finds any problems it will display them below the two yellow status boxes on the scan page once the scan completes. Each issue will have some detail on what the problem was and what to do about it. You'll also notice there is an "Ignored issues" tab which contains any issues you've chosen to ignore from previous scans.

"Critical" issues are problems that need to be examined by you immediately. They are marked with a red X. "Warning" issues are items that we would like to make you aware of but which may not need you to take any action.

Depending on the size of your site, a scan may take anything from 1 minute to over 10 minutes if you have a very large number of files or comments or posts.

What should I do with the scan results?

Wordfence shows your scan results as either 'critical' or 'warning' level issues. In either case you are given a description of what the problem is and what to do about it. Depending on the problem we give you several options. For example, if we see that a WordPress core file has changed, we give you the option to view the file and to see how it differs from the original.

We also give you several options to resolve the issue. These vary depending on what the problem is that we've found. In the case of a malicious script, we give you the option to delete it. If we see one of your core files has changed or a known theme or plugin file has changed, we give you the option to restore the original.

Should I delete or restore files when I see a file has changed or a malicious file is found?

Wordfence helps you find potential problems on your site, but we rely on your good judgement to determine whether a file should be deleted or restored to its original version. If you view the changes in a core file and see that a lot of garbage-looking text has been added (long lines of encoded data, or code wrapped in calls such as eval and base64_decode), then it is probably an infection and restoring the original core file will clear it. However, if the changes consist of well-formatted PHP code or HTML, it may be that your site developer has customized a theme or core file and the changes should be left in place. Readable code can still be malicious, so confirm with whoever maintains the site that they made the change before dismissing it. If the change is expected, clicking the 'ignore' option that Wordfence gives you is likely the best course of action.

What if scan results show an "Unknown file in WordPress core"?

You might have old files left over from a previous version of WordPress, especially if you have ever used a 'beta' version, or your host may have placed log files with unusual names there. But .php files in these locations may also be malicious. In most cases you will want to remove .php files found in core locations, but some plugins may place other files there, so keep a backup of any file before removing it if you are not sure whether it is good or bad.

If you are running an alpha or beta version of WordPress, extra core files should not be flagged unless the internal WordPress version number is incorrect.
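The two checks described above (a core file whose contents differ from the original, and a .php file in a core location that the manifest does not know about), worked as an added example that is not part of Wordfence's own code. It compares a site tree against a constructed manifest of known-good checksums, produces a unified diff for any changed file, applies a rough "garbage-looking" heuristic to the added lines, and implements the 'restore original' action. The manifest, the demo site tree, and the heuristic are all assumptions made for the example; a real check would use the per-version checksums that WordPress publishes for each release.

```python
import difflib
import hashlib
import os
import re
import tempfile

# Constructed stand-ins for pristine core files (assumption for the demo).
PRISTINE = {
    "wp-settings.php": b"<?php\n// core bootstrap (constructed stand-in)\nrequire ABSPATH . 'wp-load.php';\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '6.0';\n",
}

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

MANIFEST = {path: md5_hex(body) for path, body in PRISTINE.items()}

# "Core locations": the install root, wp-admin and wp-includes. wp-config.php
# lives in the root but is site specific, so it is excluded.
CORE_PREFIXES = ("wp-admin/", "wp-includes/")
CORE_ROOT_EXCEPTIONS = {"wp-config.php"}

# Rough heuristic for "garbage looking" additions: very long lines, or the
# eval-of-encoded-blob pattern common in PHP injections (assumption, not a signature set).
OBFUSCATION_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def looks_obfuscated(added_lines):
    return any(len(line) > 200 or OBFUSCATION_RE.search(line) for line in added_lines)

def in_core_location(rel):
    if "/" not in rel:
        return rel not in CORE_ROOT_EXCEPTIONS
    return rel.startswith(CORE_PREFIXES)

def check_core(root):
    """Return {'modified': {path: {'diff': str, 'suspicious': bool}},
               'unknown_php': [path], 'missing': [path]}."""
    report = {"modified": {}, "unknown_php": [], "missing": []}
    for rel, expected in MANIFEST.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        with open(full, "rb") as fh:
            actual = fh.read()
        if md5_hex(actual) == expected:
            continue
        diff = list(difflib.unified_diff(
            PRISTINE[rel].decode().splitlines(),
            actual.decode("utf-8", "replace").splitlines(),
            "original/" + rel, "site/" + rel, lineterm=""))
        added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
        report["modified"][rel] = {"diff": "\n".join(diff), "suspicious": looks_obfuscated(added)}
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel in MANIFEST or not rel.endswith(".php"):
                continue
            if in_core_location(rel):
                report["unknown_php"].append(rel)
    report["unknown_php"].sort()
    return report

def restore_original(root, rel):
    """The 'restore original' action: overwrite the file with the pristine copy."""
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(PRISTINE[rel])
    return md5_hex(PRISTINE[rel]) == MANIFEST[rel]

def build_demo_site():
    """Constructed site tree: one injected core file, one stray .php file in
    wp-includes, one legitimate plugin file, and wp-config.php."""
    root = tempfile.mkdtemp(prefix="wf-demo-")
    def put(rel, body):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    put("wp-includes/version.php", PRISTINE["wp-includes/version.php"])
    put("wp-settings.php", PRISTINE["wp-settings.php"] + b"eval(base64_decode('" + b"QUFB" * 80 + b"'));\n")
    put("wp-includes/class-wp-cache-helper.php", b"<?php\n// stray file\n")
    put("wp-content/plugins/hello/hello.php", b"<?php\n// plugin, not core\n")
    put("wp-config.php", b"<?php\ndefine('DB_NAME', 'demo');\n")
    return root

if __name__ == "__main__":
    site = build_demo_site()
    report = check_core(site)
    for path, info in report["modified"].items():
        print(path, "(suspicious)" if info["suspicious"] else "(review)", "\n" + info["diff"])
    print("unknown .php in core locations:", report["unknown_php"])
```

Running it on the demo tree reports wp-settings.php as modified and suspicious (the diff shows a single added eval line of encoded data), lists the stray file under wp-includes, and leaves the plugin file and wp-config.php alone. Files under wp-content are deliberately outside the check because themes, plugins and uploads have their own manifests.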

What if a scan stops?

If you notice that neither of the yellow status boxes is being updated, use the "kill" link below the "Scan" button to terminate the scan and start it again. Even if the scan animation is still moving in those boxes, the scan has probably stopped if no new activity appears in them. To be clear: while the animation is moving, nothing is necessarily happening on your server, and a stopped scan uses no CPU or memory. The "kill" link clears any old scan data and allows you to start a new scan.

What each scan does

Please note that the Wordfence options page contains detailed information under the "Scans to include" heading on what each scan does. Please visit that page to get more info on each scan item and to decide which scans to enable on your system.

How do scans work internally? (Warning: This is for a technical audience)

When you click the 'Scan' button Wordfence sends an AJAX request to your web server asking it to start a scan. That request in turn spawns another request which asks your web server to connect back to itself and run a scan. The scan process will then run as a separate HTTP thread or process so that it is not subject to normal HTTP request time limits.

Even though the scan process is now running as a separate HTTP request, there is a maximum amount of time web servers will let a process or thread spend on an HTTP request. So instead of trying to do the whole scan in one request, Wordfence runs for a fixed budget, which is the maximum allowed PHP execution time divided by two. When it hits this limit it saves the scan data so far, then again asks the server to connect back to itself, spawning another HTTP process, and the scan picks up where it left off.

Once the scan is complete, the currently scanning HTTP process saves the scan results and exits.

On the client side (browser side) the browser is sending AJAX requests to the server periodically if you are viewing the scan page to update the yellow status boxes. If the browser receives data it renders it and immediately sends another request. If there is no new data then it will wait a few seconds before sending another request to avoid overwhelming your server. Once the scan is complete the browser will show the scan results below the two yellow boxes.

Scan CPU and memory usage

Wordfence scans have been made to be as efficient as possible. To illustrate the effort we've put into making Wordfence efficient, look at the code in lib/wfArray.php. This is a class we designed to store large arrays. Internally we store them as packed binary strings, because PHP is very memory inefficient when storing large multi-dimensional arrays: each element carries its own overhead on top of the data itself. Storing our own large arrays as packed strings avoids overwhelming your server's memory.
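The packed-storage idea in general form, as an added example that is not the code in lib/wfArray.php: fixed-width records are written end to end into one byte buffer with struct, so N records cost N times the record size plus one container, instead of N separately allocated dicts and values. The record layout (a 16-byte MD5 digest, a 32-bit size and an 8-bit flags field) and the comparison with a list of dicts are assumptions made for the demo; the memory numbers come from sys.getsizeof and are indicative rather than exact.

```python
import hashlib
import struct
import sys

class PackedRecords:
    """Fixed-width records packed end to end in a single bytearray."""
    def __init__(self, fmt):
        self.fmt = fmt
        self.size = struct.calcsize(fmt)   # bytes per record
        self.buf = bytearray()

    def __len__(self):
        return len(self.buf) // self.size

    def append(self, *fields):
        self.buf += struct.pack(self.fmt, *fields)

    def get(self, i):
        if not 0 <= i < len(self):
            raise IndexError(i)
        return struct.unpack_from(self.fmt, self.buf, i * self.size)

    def set(self, i, *fields):
        if not 0 <= i < len(self):
            raise IndexError(i)
        struct.pack_into(self.fmt, self.buf, i * self.size, *fields)

    def __iter__(self):
        for off in range(0, len(self.buf), self.size):
            yield struct.unpack_from(self.fmt, self.buf, off)

    def nbytes(self):
        return sys.getsizeof(self.buf)

# Assumed record layout: 16-byte digest, unsigned 32-bit size, unsigned 8-bit flags.
FILE_RECORD = "<16sIB"

def list_of_dicts_bytes(rows):
    """Approximate footprint of the same data as a list of dicts."""
    return sys.getsizeof(rows) + sum(
        sys.getsizeof(r) + sum(sys.getsizeof(v) for v in r.values()) for r in rows)

def build_both(n):
    """Construct n synthetic file records in both representations."""
    rows, packed = [], PackedRecords(FILE_RECORD)
    for i in range(n):
        digest = hashlib.md5(f"file-{i}".encode()).digest()
        size = (i * 7919) % 1_000_000
        flags = i % 4
        rows.append({"digest": digest, "size": size, "flags": flags})
        packed.append(digest, size, flags)
    return rows, packed

def memory_ratio(n=10000):
    """How many times larger the list-of-dicts form is than the packed form."""
    rows, packed = build_both(n)
    return list_of_dicts_bytes(rows) / packed.nbytes()

if __name__ == "__main__":
    rows, packed = build_both(10000)
    print(len(packed), "records,", packed.size, "bytes each,", packed.nbytes(), "bytes packed")
    print("list of dicts is about %.0fx larger" % memory_ratio(10000))
```

The trade-off is the same as for wfArray: reads and writes go through pack and unpack calls, so the packed form is slower per element, but it keeps a scan over hundreds of thousands of files inside a typical PHP memory limit.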

We also offload memory-hungry work to our own scanning servers to avoid overwhelming your server or database. For example, rather than having your server download the Google Safe Browsing data to look up whether a URL is known to be bad, which requires significant storage space, we keep that data on our servers and have your server send us summary hashes of your URLs, which we check against the list of flagged hashes. If a summary hash appears to match, we request the full URL from your server and do a second check to verify that the URL really is malicious. This is a very resource-efficient way to scan for known malicious URLs.
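The two-round-trip exchange above, with both sides written out, as an added example rather than Wordfence's own protocol. The site sends only the first four bytes of each URL's SHA-256 hash; the server answers with the prefixes that appear in its blocklist; only for those candidates does the site send the full URL for verification. The prefix length, the canonicalization rules, and the blocklist contents are assumptions made for the example, and the `extra_prefixes` argument exists purely to simulate a benign URL that happens to share a prefix with a bad one, so the second round trip can be shown clearing it.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

PREFIX_LEN = 4  # bytes of the hash sent in the first round trip (assumption)

def canonicalize(url):
    """Normalise so 'HTTP://Evil.Example:80/x#frag' and 'http://evil.example/x' hash alike."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower() or "http"
    host = parts.hostname.lower() if parts.hostname else ""
    port = f":{parts.port}" if parts.port and parts.port not in (80, 443) else ""
    path = parts.path or "/"
    return urlunsplit((scheme, host + port, path, parts.query, ""))

def full_hash(url):
    return hashlib.sha256(canonicalize(url).encode()).digest()

class MalwareUrlServer:
    """Stand-in for the hosted lookup service: full hashes of known-bad URLs
    plus an index of their prefixes. `log` records what the server learns."""
    def __init__(self, bad_urls, extra_prefixes=()):
        self.full = {full_hash(u) for u in bad_urls}
        self.prefixes = {h[:PREFIX_LEN] for h in self.full} | set(extra_prefixes)
        self.log = []

    def check_prefixes(self, prefixes):
        """Round trip 1: which of these prefixes are in the blocklist?"""
        self.log.append(("prefixes", len(prefixes)))
        return [p for p in prefixes if p in self.prefixes]

    def verify_urls(self, urls):
        """Round trip 2: which of these full URLs are really malicious?"""
        self.log.append(("urls", list(urls)))
        return [u for u in urls if full_hash(u) in self.full]

class SiteScanner:
    """The site side: hashes locally, sends prefixes, escalates only candidates."""
    def __init__(self, server):
        self.server = server
        self.round_trips = 0

    def check_urls(self, urls):
        by_prefix = {}
        for u in urls:
            by_prefix.setdefault(full_hash(u)[:PREFIX_LEN], []).append(u)
        self.round_trips += 1
        hits = self.server.check_prefixes(sorted(by_prefix))
        if not hits:
            return []                         # nothing matched; no URL ever left the site
        candidates = [u for p in hits for u in by_prefix[p]]
        self.round_trips += 1
        return self.server.verify_urls(candidates)

if __name__ == "__main__":
    server = MalwareUrlServer(["http://evil.example/payload.php"])
    scanner = SiteScanner(server)
    found = scanner.check_urls(["https://wordpress.org/plugins/", "HTTP://Evil.Example/payload.php"])
    print("confirmed malicious:", found, "in", scanner.round_trips, "round trips")
    print("server saw:", server.log)
```

Two properties are worth checking when reading the exchange: a page full of benign links costs one small request and the server never sees a full URL, and a prefix collision costs one extra request but never produces a false positive, because the second round trip compares the full hash.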

If you are having trouble with scans not completing or running too slowly, it is likely that your hosting provider has limited the server resources available to you. They may have provided limited memory or CPU, and you may have to ask them to increase it. You may also have an unusually large website with a large number of files, posts, pages or comments; in this case please contact us, because we may be able to help. You can also try selectively disabling scan items and then scanning again: if the scan then completes, you have isolated which item is causing the problem.