This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Understanding scan results

From Wordfence Documentation
Revision as of 13:43, 13 October 2017 by Wfadmin (Talk | contribs)


Scan results can require some interpretation, and you might take different actions depending on how you run your WordPress site. Below are details of some of the scan results.

File appears to be malicious

Wordfence detects known malicious files and files that have suspicious code. In most cases, you will want to repair or remove the file, but you should investigate the contents first.

Example scan result:

File appears to be malicious: wp-content/uploads/footer.php
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "(example)". The infection type is: Example Infection.


Resolution: If you don't know what the file is, we recommend making a backup before you remove it, in case it was a false positive. Some plugins could create files containing code that is similar to malicious files but is not actually malicious, especially backup plugins that produce an installer that you could use to restore the backup.

We always recommend saving a backup copy of the file first, whether making a full backup of the site, or saving only the file and the location where it belongs, so you could replace it if necessary.
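The backup-then-remove step above, written out as an added example (this is not Wordfence's own code). It copies the flagged file into a quarantine directory while keeping its relative path, records its size, modification time and SHA-256 in a manifest, verifies the copy before deleting the original, and can put the file back if the result turns out to be a false positive. The site root, quarantine directory and the flagged file used in `demo()` are constructed placeholders; refusing paths that resolve outside the site root is an added safety check.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, hashed in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_file(site_root, rel_path, quarantine_dir, remove=True):
    """Copy site_root/rel_path into quarantine_dir, keeping the relative path
    so the file can be put back, record its metadata, then remove the original.
    Returns the manifest entry written for the file."""
    site_root = Path(site_root).resolve()
    src = (site_root / rel_path).resolve()
    # Refuse anything that resolves outside the site (".." or symlink tricks).
    if site_root not in src.parents:
        raise ValueError(f"{rel_path!r} is outside {site_root}")
    if not src.is_file():
        raise FileNotFoundError(src)

    rel = src.relative_to(site_root)
    dest = Path(quarantine_dir) / rel
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dest)  # copy2 preserves mtime and mode, useful for a timeline

    st = src.stat()
    iso = "%Y-%m-%dT%H:%M:%SZ"
    entry = {
        "original_path": str(src),
        "relative_path": rel.as_posix(),
        "backup_path": str(dest),
        "size": st.st_size,
        "mtime": time.strftime(iso, time.gmtime(st.st_mtime)),
        "sha256": sha256_of(src),
        "quarantined_at": time.strftime(iso, time.gmtime()),
    }
    # Only delete once the copy is verified byte-for-byte.
    if sha256_of(dest) != entry["sha256"]:
        raise IOError("backup copy does not match the original; nothing removed")
    with open(Path(quarantine_dir) / "manifest.jsonl", "a") as fh:
        fh.write(json.dumps(entry) + "\n")  # one JSON object per line, append-only
    if remove:
        src.unlink()
    return entry


def restore_file(entry):
    """Put a quarantined file back (for a false positive). Returns True if the
    restored file hashes to the recorded value."""
    dest = Path(entry["original_path"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(entry["backup_path"], dest)
    return sha256_of(dest) == entry["sha256"]


def demo():
    """Constructed site tree in a temp dir: quarantine and restore one file."""
    base = Path(tempfile.mkdtemp())
    site, quarantine = base / "site", base / "quarantine"
    flagged = site / "wp-content" / "uploads" / "footer.php"
    flagged.parent.mkdir(parents=True)
    content = b"<?php /* constructed sample, stands in for a flagged file */ ?>\n"
    flagged.write_bytes(content)

    entry = quarantine_file(site, "wp-content/uploads/footer.php", quarantine)
    removed = not flagged.exists()
    backup_ok = (quarantine / "wp-content/uploads/footer.php").read_bytes() == content
    hash_ok = entry["sha256"] == hashlib.sha256(content).hexdigest()
    restored = restore_file(entry) and flagged.read_bytes() == content
    try:
        quarantine_file(site, "../outside.php", quarantine)  # must be refused
        escape_refused = False
    except ValueError:
        escape_refused = True
    shutil.rmtree(base)
    return {"removed": removed, "backup_ok": backup_ok, "hash_ok": hash_ok,
            "restored": restored, "escape_refused": escape_refused}


if __name__ == "__main__":
    print(demo())
```

Keep the quarantine directory outside the web root so the copied file can never be served or executed, and keep the manifest: the recorded hash and modification time are what you will need later to work out when the file appeared and whether other copies exist.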


Option contains a suspected malware URL

Some attacks affect WordPress options or options from plugins and themes that are stored in the WordPress "options" table. This result indicates that an option contains a potentially malicious URL, which could be the result of an infection.

Example scan result:

Option contains a suspected malware URL: td_011
This option contains a URL that is currently listed on Wordfence's domain blacklist. It may indicate your site is infected with malware.


Resolution: To clean affected options, you will need to determine which plugin, theme, or core feature uses the option listed in the scan results.

The most likely case is an option with a name like "td_###" (any three digits) and a URL including "traffictrade", which is related to an issue with the Newspaper theme and derived themes. These themes had a vulnerability in July/August 2017. To remove the affected code, go to the Newspaper theme's menu, click the "Theme Panel" submenu, click the "Ads" tab, and go through the list of ad positions to find and remove the "traffictrade" scripts that do not belong. Be sure to also update the theme to the latest version and clean any additional affected files. Also check WordPress's Settings->General page, where two options may have been changed: the "Anyone can register" checkbox should be off if you don't allow user registration on your site, and the "New User Default Role" should not be set to "Administrator" (the default is usually "Subscriber" on single-site WordPress installations).
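An added example of the two checks described in this section, written here rather than taken from Wordfence's scanner: it takes rows from the options table, pulls every URL out of each value (including values stored as PHP-serialized arrays, which wrap but do not escape the URL), compares the host and its parent domains against a blocklist, and also flags the two registration settings mentioned above. The `BLOCKLIST` hostnames and `SAMPLE_ROWS` are constructed; a real blocklist would come from a threat feed, and real rows from `SELECT option_name, option_value FROM wp_options`.

```python
import re
from urllib.parse import urlparse

# Constructed blocklist of hostnames; in practice this comes from a threat feed.
BLOCKLIST = {"malware.example", "ads.invalid"}

# Finds http(s) URLs anywhere in a string, including inside PHP-serialized
# values such as a:1:{s:3:"url";s:27:"http://...";}.
URL_RE = re.compile(r"https?://[^\s\"'<>\\;]+", re.IGNORECASE)


def host_is_listed(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain is on the blocklist,
    so cdn.malware.example matches an entry for malware.example."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def flag_options(rows, blocklist=BLOCKLIST):
    """rows: iterable of (option_name, option_value) pairs, e.g. from
    SELECT option_name, option_value FROM wp_options.
    Returns a list of (option_name, reason) findings."""
    findings = []
    for name, value in rows:
        for url in URL_RE.findall(value or ""):
            host = urlparse(url).hostname
            if host and host_is_listed(host, blocklist):
                findings.append((name, f"URL to listed host {host}: {url}"))
        # The two settings the text says to re-check after this kind of infection.
        if name == "users_can_register" and value == "1":
            findings.append((name, "anyone can register"))
        if name == "default_role" and value == "administrator":
            findings.append((name, "new users default to administrator"))
    return findings


# Constructed rows mimicking an injected td_### option that holds a script tag.
SAMPLE_ROWS = [
    ("siteurl", "https://blog.example.org"),
    ("td_011", 'a:1:{s:4:"code";s:62:"<script src=\\"https://cdn.malware.example/t.js\\"></script>";}'),
    ("users_can_register", "1"),
    ("default_role", "administrator"),
    ("blogdescription", "Just another WordPress site"),
]

if __name__ == "__main__":
    for name, reason in flag_options(SAMPLE_ROWS):
        print(f"{name}: {reason}")
```

Matching parent domains is deliberate: injected scripts are usually loaded from a subdomain of the listed domain, and an exact-match comparison would miss them.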


Plugin appears to be abandoned

This scan result was added in version 6.3.11.

This scan result means that a plugin has not been updated in 2 years or more. This can be a problem, since it means the plugin author has not made any changes for a long period of time. Sometimes that means it won't be fully compatible with newer WordPress versions, reported bugs may not be fixed, and new security issues might not be addressed.

The scan result also shows if this plugin has a known security issue that has not been fixed. If that is the case, it is recommended that you remove the plugin as soon as possible, and replace it with a different plugin if you need the same functionality.

Example scan results:

The Plugin "Plugin Name" appears to be abandoned (updated April 20, 2015, tested to WP 4.1.18).
It was last updated 2 years 2 months ago and tested up to WordPress 4.1.18. It may have compatibility problems with the current version of WordPress or unknown security issues.


Resolution: If you are certain that the plugin is still safe, and the scan result doesn't show unpatched security issues, you can continue to use it. In most cases we recommend replacing it with a plugin that is currently maintained, although some small plugins may remain safe and may not need any compatibility changes for new WordPress versions.


Plugin has been removed from wordpress.org

This scan result was added in version 6.3.11.

This is similar to abandoned plugins described above, but in this case the plugin is no longer available to install from wordpress.org, and it is unlikely to ever receive updates again.

Plugins can be removed from wordpress.org for a variety of reasons, including the author intentionally stopping development, converting it to a "paid only" plugin, or other reasons for which the wordpress.org staff might remove a plugin.

Example scan result:

The Plugin "Plugin Name" has been removed from wordpress.org.
It may have compatibility problems with the current version of WordPress or unknown security issues.


Resolution: In most cases, we recommend removing the plugin and finding a similar plugin that is currently maintained. Some hosts pre-install plugins on all new WordPress sites, so if you have a plugin installed that you have never used, and it is no longer available on wordpress.org, it is best to remove it.

There may also be rare cases where a plugin you have from another source shares a name with a wordpress.org plugin, so if you know that is the case, it would not be necessary to remove it.

  • The "Display Widgets" plugin had malicious code in the 2.6.x versions. The plugin will no longer be maintained, but you can update to Version 2.7, which is the same as the last safe version. See the plugin's support forum here: https://wordpress.org/support/plugin/display-widgets
  • The author of the plugin "Contact Form 7 to Database Extension" has moved it to a separate site. Updates are available at https://cfdbplugin.com/
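The abandoned and removed checks from the two sections above, as an added example that is not Wordfence's own code. `assess_plugin()` applies the two-year threshold to a plugin's last update date, compares its "tested up to" version with the running WordPress version, and treats an unpatched known vulnerability as grounds for removal. `fetch_plugin_info()` queries the wordpress.org plugin info API; the assumptions here are the API's `last_updated` string format ("2015-04-20 3:24pm GMT") and that a removed plugin comes back as a 404, a null body or an error object. `SAMPLE_INFO` and `SAMPLE_NOW` are constructed to reproduce the "2 years 2 months ago, tested up to 4.1.18" example.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

ABANDONED_AFTER_DAYS = 2 * 365  # the two-year threshold the scan result describes


def fetch_plugin_info(slug):
    """Fetch plugin metadata from the wordpress.org plugin info API.
    Returns None when the API reports no such plugin (assumed here to be a
    404, a null body or an error object), which is what a removed plugin looks like."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    try:
        with urllib.request.urlopen(url, timeout=30) as r:
            data = json.load(r)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise
    return None if not data or "error" in data else data


def parse_last_updated(s):
    """Parse last_updated as the API formats it, e.g. '2015-04-20 3:24pm GMT'
    (format assumed from observed responses)."""
    return datetime.strptime(s, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def version_tuple(v):
    """'4.1.18' -> (4, 1, 18); non-numeric parts are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def assess_plugin(info, now, current_wp, known_unpatched=False):
    """Classify a plugin the way the two scan results above do.
    info: dict with 'last_updated' and 'tested', or None for a removed plugin.
    Returns a dict with 'status' (removed / remove / abandoned / ok) and reasons."""
    if info is None:
        return {"status": "removed", "reasons": ["no longer listed on wordpress.org"]}
    updated = parse_last_updated(info["last_updated"])
    age_days = (now - updated).days
    reasons = []
    if known_unpatched:
        reasons.append("has a known, unpatched security issue")
    if age_days >= ABANDONED_AFTER_DAYS:
        reasons.append(f"last updated {age_days // 365} years ago")
    tested = version_tuple(info.get("tested", ""))[:2]
    if tested and tested < version_tuple(current_wp)[:2]:
        reasons.append(f"tested only up to WordPress {info['tested']}")
    if known_unpatched:
        status = "remove"
    elif age_days >= ABANDONED_AFTER_DAYS:
        status = "abandoned"
    else:
        status = "ok"
    return {"status": status, "age_days": age_days, "reasons": reasons}


# Constructed sample matching the example above: updated April 20, 2015, tested
# to 4.1.18, assessed in June 2017 against WordPress 4.8.
SAMPLE_INFO = {"last_updated": "2015-04-20 3:24pm GMT", "tested": "4.1.18"}
SAMPLE_NOW = datetime(2017, 6, 20, 16, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(assess_plugin(SAMPLE_INFO, SAMPLE_NOW, "4.8"))
    print(assess_plugin(None, SAMPLE_NOW, "4.8"))
```

Only the last-update age decides between "abandoned" and "ok"; the "tested up to" comparison is reported as a reason but does not change the status, since many small plugins keep working on newer WordPress versions without the author bumping that field.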


Publicly accessible config, backup, or log file found

This result lists files that may contain sensitive information and that the web server will serve to anyone who requests them. These may be backup copies of files (such as a copy of wp-config.php under another name), log files, or configuration files.

Example scan result:

Publicly accessible config, backup, or log file found: .user.ini
http://example.com/.user.ini is publicly accessible and may expose sensitive information about your site or allow administrative functions to be performed by anyone. Files such as this one are commonly checked for by both attackers and scanners such as WPScan and should be made inaccessible. Alternately, some can be removed if you are certain your site does not need them. Sites using the nginx web server may need manual configuration changes to protect such files.

Resolution: If you know that the file is not needed by your site, you can simply remove the file. This is often the case with files like "wp-config.bak", which may be a backup copy of your wp-config.php. Do not remove files like ".user.ini" that may be required for your site to work properly.

If in doubt, the scan result includes the option "Hide this file in .htaccess", which adds a section to your .htaccess file so that Apache will not serve the file while it stays in place. This is recommended for .user.ini and similar files. You can run another scan after making the change to make sure your server correctly blocks public access.

If you need to add the .htaccess code manually, this should work for Apache 2.2 and 2.4:

<Files ".user.ini">
<IfModule mod_authz_core.c>
        Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
</IfModule>
</Files>

If your site uses the Nginx web server, then you or your host may need to configure Nginx to block access to the file, whether Nginx is set up as a reverse proxy in front of Apache or if Nginx handles all requests directly. The method of blocking these files in Nginx varies depending on your current configuration, but one simple example is placing a "location" block like this, in the same file as your other "location" blocks:

location ~ \.user\.ini$ {
	deny all;
}

Make sure to restart Nginx or reload its configuration after making any changes to its config files, and then check that the .user.ini file is no longer visible in a web browser.
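An added example of the post-change check, not part of the original documentation: it requests each sensitive path from your own site and reports whether the server still serves it. A 200 means the file is exposed; 403, 404, 401 or 410 mean it is blocked; redirects are reported separately rather than followed, because a redirect to a login page is not the same as the file being blocked. `SENSITIVE_PATHS` is a constructed list of common names (extend it with whatever your scan reported), `status_fn` is injectable so the verdict logic can be exercised without network access, and the site URL in the usage section is a placeholder.

```python
import urllib.error
import urllib.request

# Constructed list of file names that scanners commonly probe for; add the ones
# your own scan results list.
SENSITIVE_PATHS = [".user.ini", "php.ini", "wp-config.bak", "wp-config.php.bak",
                   "wp-config.php~", "error_log", "wp-content/debug.log", ".htaccess"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a 301 to a login page is not
    mistaken for a successful fetch."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url, timeout=10):
    """GET the URL and return its HTTP status code, without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 3xx and 4xx both arrive here once redirects are disabled


def classify(status):
    """Map a status code to what it means for a file that should be hidden."""
    if status == 200:
        return "EXPOSED"
    if status in (401, 403, 404, 410):
        return "blocked"
    if 300 <= status < 400:
        return "redirect (check where it goes)"
    return f"unexpected ({status})"


def check_site(base_url, paths=SENSITIVE_PATHS, status_fn=http_status):
    """Return {path: verdict} for each path under base_url. status_fn is
    injectable so the logic can be exercised without network access."""
    base = base_url.rstrip("/") + "/"
    return {p: classify(status_fn(base + p)) for p in paths}


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # placeholder
    for path, verdict in check_site(site).items():
        print(f"{verdict:<28} {path}")
```

Run it against your own site only, before and after the .htaccess or Nginx change, and treat any line marked EXPOSED as still needing attention. Some hosts answer every unknown path with a 200 and an HTML "not found" page; if a verdict looks wrong, open the URL in a browser and look at what actually comes back.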


Unknown file in WordPress core

This scan checks your WordPress core files and notifies you about files that do not match the current version of WordPress that you have installed.

Example scan result:

Unknown file in WordPress core: wp-includes/js/info.php
This file is in a WordPress core location but is not distributed with this version of WordPress. This is usually due to it being left over from a previous WordPress update, but it may also have been added by another plugin or a malicious file added by an attacker.


Resolution: If you already know about the listed file, you can click the link to ignore the file until it changes. If you don't know what the file is, it may require some investigation to find out whether your host placed it there, whether it was created by your FTP application or operating system, or whether it is malicious.

Some "Managed WordPress" hosting plans do not allow you to change core files, and on some hosts, if a new version of WordPress no longer includes a particular file, it may be left in your site's files after they update WordPress. In this case, it is generally safe to ignore the file, or you can contact the host if you believe it should be removed.

In a few cases, we have seen that a host's support staff or a host's control panel may place "php.ini" files in every subdirectory of WordPress's core files, most likely to change PHP settings throughout the site.

  • If that occurs, we recommend checking the contents of some of these files to make sure they are safe. We can help if you're not sure whether the files are safe or not.
  • Assuming that they are safe, your host may have a better way to set the same PHP settings without adding extra files, usually through the PHPRC environment variable or a .user.ini file, depending on the server configuration.
  • Alternately, if you are sure they are safe, you can use the "ignore all new issues" link at the top of the scan results list to ignore all of these files. You may need to resolve other scan results that you do not want to ignore, first.
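The core-file check behind this scan result, written out as an added example rather than Wordfence's own implementation. It compares the files under wp-admin and wp-includes with a checksum manifest and reports three things: files on disk that the manifest does not list (the "unknown file in WordPress core" case, such as a stray wp-includes/js/info.php), files whose contents differ from the release, and files the release ships that are missing. `fetch_checksums()` downloads the manifest for one version from api.wordpress.org; the assumed response shape is `{"checksums": {"relative/path": "<md5 hex>", ...}}`, which is why MD5 is compared. The install tree and manifest built in `demo()` are constructed.

```python
import hashlib
import json
import shutil
import tempfile
import urllib.request
from pathlib import Path

# Directories compared here. Wordfence also checks files in the site root;
# those are left out of this example to keep it short.
CORE_DIRS = ("wp-admin", "wp-includes")


def fetch_checksums(version, locale="en_US"):
    """Download the official manifest for one WordPress version. Assumed shape:
    {"checksums": {"wp-admin/index.php": "<md5 hex>", ...}}."""
    url = f"https://api.wordpress.org/core/checksums/1.0/?version={version}&locale={locale}"
    with urllib.request.urlopen(url, timeout=30) as r:
        return json.load(r)["checksums"]


def md5_of(path):
    """MD5 is what the manifest publishes, so that is what is compared."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(site_root, checksums, core_dirs=CORE_DIRS):
    """Walk the core directories and sort every file into one of three buckets:
    unknown (on disk, absent from the manifest), modified (hash differs),
    missing (in the manifest, absent on disk). Matching files are not reported."""
    site_root = Path(site_root)
    report = {"unknown": [], "modified": [], "missing": []}
    seen = set()
    for d in core_dirs:
        for p in (site_root / d).rglob("*"):
            if not p.is_file():
                continue
            rel = p.relative_to(site_root).as_posix()
            seen.add(rel)
            expected = checksums.get(rel)
            if expected is None:
                report["unknown"].append(rel)
            elif md5_of(p) != expected:
                report["modified"].append(rel)
    for rel in checksums:
        if rel.split("/", 1)[0] in core_dirs and rel not in seen:
            report["missing"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed install and manifest: one file matches, one is modified,
    one is unknown (a stray wp-includes/js/info.php), one is missing."""
    root = Path(tempfile.mkdtemp())
    good = b"<?php // constructed stand-in for a shipped core file\n"
    shipped = b"<?php // constructed stand-in for wp-admin/index.php\n"
    files = {
        "wp-includes/version.php": good,
        "wp-admin/index.php": shipped + b"// appended by someone\n",  # modified
        "wp-includes/js/info.php": b"<?php // not in any release\n",  # unknown
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    checksums = {
        "wp-includes/version.php": hashlib.md5(good).hexdigest(),
        "wp-admin/index.php": hashlib.md5(shipped).hexdigest(),
        "wp-admin/about.php": hashlib.md5(b"missing").hexdigest(),  # missing on disk
        "index.php": hashlib.md5(b"root file").hexdigest(),  # outside CORE_DIRS, ignored
    }
    try:
        return verify_core(root, checksums)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real site, pass the version from wp-includes/version.php to `fetch_checksums()` and the install directory to `verify_core()`. Host-placed php.ini files like those described above will show up in the "unknown" bucket every time, which is the case the "ignore" links in the scan results exist for; a modified file is the one that always deserves a look.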