This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Understanding scan results

From Wordfence Documentation
Revision as of 15:01, 15 June 2017 by WFMattr (Talk | contribs)


Scan results can require some interpretation, and you might take different actions depending on how you run your WordPress site. Below are details of some of the scan results.

File appears to be malicious

Wordfence detects known malicious files and files that have suspicious code. In most cases, you will want to repair or remove the file, but you should investigate the contents first.

Example scan result:

File appears to be malicious: wp-content/uploads/footer.php
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "(example)". The infection type is: Example Infection.


Resolution: If you don't know what the file is, we recommend making a backup before you remove it, in case it was a false positive. Some plugins could create files containing code that is similar to malicious files but is not actually malicious, especially backup plugins that produce an installer that you could use to restore the backup.

We always recommend saving a backup copy of the file first, whether making a full backup of the site, or saving only the file and the location where it belongs, so you could replace it if necessary.


Plugin appears to be abandoned

This scan result was added in version 6.3.11.

This scan result means that a plugin has not been updated in 2 years or more. This can be a problem, since it means the plugin author has not made any changes for a long period of time. Sometimes that means it won't be fully compatible with newer WordPress versions, reported bugs may not be fixed, and new security issues might not be addressed.

The scan result also shows if this plugin has a known security issue that has not been fixed. If that is the case, it is recommended that you remove the plugin as soon as possible, and replace it with a different plugin if you need the same functionality.

Example scan result:

The Plugin "Plugin Name" appears to be abandoned.
Plugin has unpatched security issues.
It was last updated 2 years 11 months ago. It has unpatched security issues and may have compatibility problems with the current version of WordPress


Resolution: If you are certain that the plugin is still safe, and the scan result doesn't show unpatched security issues, you can continue to use it. In most cases, though, we recommend that you consider replacing it with a plugin that is currently maintained. Some small plugins may remain safe and may not need any compatibility changes for new WordPress versions.


Plugin has been removed from wordpress.org

This scan result was added in version 6.3.11.

This is similar to abandoned plugins described above, but in this case, the plugin is no longer available to install from wordpress.org, and it will likely never release updates again.

Plugins can be removed from wordpress.org for a variety of reasons, including the author intentionally stopping development, converting it to a "paid only" plugin, or the wordpress.org staff removing the plugin for other reasons.

Example scan result:

The Plugin "Plugin Name" has been removed from wordpress.org.
It may have compatibility problems with the current version of WordPress or unknown security issues.


Resolution: In most cases, we recommend removing the plugin and finding a similar plugin that is currently maintained. Some hosts pre-install plugins on all new WordPress sites, so if you have a plugin installed that you have never used, and it is no longer available on wordpress.org, it is best to remove it.

There may also be rare cases where a plugin you have from another source shares a name with a wordpress.org plugin, so if you know that is the case, it would not be necessary to remove it.


Unknown file in WordPress core

This scan checks your WordPress core files and notifies you about files that do not match the current version of WordPress that you have installed.

Example scan result:

Unknown file in WordPress core: wp-includes/js/info.php
This file is in a WordPress core location but is not distributed with this version of WordPress. This is usually due to it being left over from a previous WordPress update, but it may also have been added by another plugin or a malicious file added by an attacker.


Resolution: If you already know about the listed file, you can click the link to ignore the file until it changes. If you don't know what the file is, it may require some investigation to find out whether your host placed it there, whether it was created by your FTP application or OS, or whether it is malicious.

Some "Managed WordPress" hosting plans do not allow you to change core files, and on some hosts, if a new version of WordPress no longer includes a particular file, it may be left in your site's files after they update WordPress. In this case, it is generally safe to ignore the file, or you can contact the host if you believe it should be removed.
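The check behind this result is an inventory comparison: every file under the core directories is looked up in the list of files that ship with the installed WordPress version, and a reviewed file can be ignored only until its contents change. The script below is an added illustration of that logic and is not Wordfence's own code; the manifest, the file contents and the ignore list are constructed sample data, and a real check would load the manifest for the exact installed version.

```python
import hashlib
import os
from typing import Dict, List, Set

# Constructed sample manifest: files shipped with the installed version.
# In practice this comes from a known-good file list for that exact version.
EXPECTED_CORE_FILES: Set[str] = {
    "wp-includes/version.php",
    "wp-includes/js/jquery/jquery.js",
    "wp-admin/admin.php",
}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def ignore_file(ignored: Dict[str, str], path: str, data: bytes) -> None:
    """Record a reviewed file; the entry is tied to the content that was reviewed."""
    ignored[path] = sha256_of(data)

def find_unknown_core_files(present: Dict[str, bytes], expected: Set[str],
                            ignored: Dict[str, str]) -> List[str]:
    """Files in core locations that are not in the manifest and are not
    covered by a still-valid ignore entry (same path AND same hash)."""
    unknown = []
    for path in sorted(present):
        if path in expected:
            continue
        if ignored.get(path) == sha256_of(present[path]):
            continue  # reviewed earlier and unchanged since, keep ignoring
        unknown.append(path)  # new, or changed after it was ignored
    return unknown

def collect_core_files(root: str) -> Dict[str, bytes]:
    """Read every file under the core directories of a real install (not used by the sample)."""
    present = {}
    for core_dir in ("wp-admin", "wp-includes"):
        for dirpath, _, names in os.walk(os.path.join(root, core_dir)):
            for name in names:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    present[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return present

# Constructed sample install: two expected files, the page's example unknown
# file, one leftover that was reviewed, and one ignored file that has since changed.
PRESENT_FILES: Dict[str, bytes] = {
    "wp-includes/version.php": b"<?php $wp_version = '4.8';",
    "wp-includes/js/jquery/jquery.js": b"/* jquery */",
    "wp-admin/admin.php": b"<?php // admin",
    "wp-includes/js/info.php": b"<?php // not part of this WordPress version",
    "wp-includes/leftover.php": b"<?php // left over from an older release",
    "wp-includes/changed.php": b"<?php // content changed after it was ignored",
}
IGNORED: Dict[str, str] = {}
ignore_file(IGNORED, "wp-includes/leftover.php", PRESENT_FILES["wp-includes/leftover.php"])
ignore_file(IGNORED, "wp-includes/changed.php", b"<?php // original content when ignored")
```

Running `find_unknown_core_files(PRESENT_FILES, EXPECTED_CORE_FILES, IGNORED)` reports `wp-includes/js/info.php` and `wp-includes/changed.php`, while the unchanged leftover stays ignored.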