WordPress Security: Remote Scanning vs Source Code Scanning
After chatting to old and new friends at WordCamp San Francisco over the weekend about WordPress security, I realized there's some confusion about what the real value of scanning your website's source code is versus remotely scanning your website for infections. So I've put together a quick post on some of the differences, to help you improve your WordPress security as a whole.
Wordfence scans your website's source code. We can do this because you install our WordPress security plugin on your WordPress website and we execute PHP code in your native hosting environment to do the scan. This service is completely free, and the Wordfence plugin that does the scan is open source, just like WordPress itself. We also don't try to "upsell" you during the process – we simply do the scan and present the data.
This allows us to take a deep look at every piece of source code on your website. We can even examine code that is not part of your WordPress site but is on your web server – for example, if you enable the "Scan files outside your WordPress installation" option in Wordfence.
But we go further than that – we can even treat image files as if they were PHP executable files and do a deep scan on those, if you enable the "Scan image files as if they were executable" option. This lets us catch those nasty infections that hide executable source code in files named to look like images.
We also have full access to your database, so we can scan both the table structure and the table contents. Some of our customer sites have over a quarter of a million approved comments in their WordPress database, and scanning the database directly lets us rapidly check those comments for malicious code. Imagine doing that by fetching every page that contains those comments – the site would have to render an entire page for each page accessed.
If you’ve watched the video on our home page, you’ve probably heard the narrator mention “remote scanners are better than nothing”. I asked our producer to put that in there because I’ve always taken issue with remote scanners.
Let's use a metaphor: Imagine you ask someone to check your home for a rat infestation. They arrive at your house, but they don't get out of their car. They're parked on the other side of the street, examining your front door, front garden, porch, the walls on the front of your home, and the parts of the basement windows that they can see. When they don't find anything, they honk the horn, shout out the car window "Yo, your home is clean" and drive off. Doesn't sound very effective, does it?
Remote scanners don't even know what your internal directory structure looks like, so to find all the pages on your site they have to do a Googlebot-like crawl of it. This generates a large amount of load on sites with many pages, and even after they've finished the crawl there is no way for them to be sure they have scanned every page and URL on your site. They can't be sure they have scanned every comment. They don't know if they got every post. And they definitely didn't take a look at any of your PHP or other executable server-side source code.
If a remote scanner does not generate a large number of page requests, then it's probably only doing a very simplistic scan, like taking a quick look at your home page and any code it includes for signs of infection.
Because Wordfence is able to examine server source code, we can do some pretty cool things, like compare your core, theme and plugin files to what exists in the official WordPress repository and tell you what has changed. Then we let you do a "diff" to see a syntax-highlighted view of exactly what changed in each file.
Then we go on to scan for malware, malicious URLs, known infection heuristics and much more.
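To make the three ideas above concrete (comparing files against a known-good manifest, treating image-named files as if they were PHP, and scanning approved comments straight from the database), here is a small, self-contained Python example. It is an added illustration written for this post, not Wordfence's own code: Wordfence is PHP and uses the official WordPress repository as its reference, whereas this script uses a constructed manifest of SHA-256 hashes, a constructed temporary directory, and an in-memory SQLite table standing in for `wp_comments`. The file names, hashes and comment rows are all made up for the demonstration.

```python
"""Toy integrity scanner: known-good hash comparison, PHP-tag detection in
image-named files, and a streaming scan of approved comments.
Hypothetical example code, not the Wordfence plugin."""
import hashlib
import os
import re
import sqlite3
import tempfile

# A PHP open tag has no business inside a file that claims to be an image.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".webp"}
# Script or PHP tags inside comment bodies are the simplest red flag.
COMMENT_MARKERS = re.compile(r"<script\b|<\?(php|=)", re.IGNORECASE)


def sha256_of(path):
    """Hash a file in chunks so large uploads do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def scan_install(root, known_good):
    """known_good maps relative path -> expected SHA-256 hex digest.
    Returns a sorted list of (finding, relative_path) tuples."""
    findings, seen = [], set()
    for rel, full in walk_files(root):
        seen.add(rel)
        expected = known_good.get(rel)
        if expected is None:
            findings.append(("unknown-file", rel))   # not in the reference set
        elif sha256_of(full) != expected:
            findings.append(("modified", rel))       # differs from known-good
        if os.path.splitext(rel)[1].lower() in IMAGE_EXTENSIONS:
            with open(full, "rb") as fh:
                if PHP_OPEN_TAG.search(fh.read()):
                    findings.append(("php-in-image", rel))
    for rel in known_good:
        if rel not in seen:
            findings.append(("missing", rel))        # expected file is gone
    return sorted(findings)


def scan_comments(conn):
    """Stream approved comments from a wp_comments-style table via a cursor
    (so a quarter-million rows never need to be loaded at once) and return
    the IDs of comments containing script or PHP tags."""
    cur = conn.execute(
        "SELECT comment_ID, comment_content FROM wp_comments "
        "WHERE comment_approved = '1'"
    )
    return [cid for cid, body in cur if COMMENT_MARKERS.search(body)]


def build_sample_install():
    """Constructed sample: a tiny fake install, its manifest, then tampering."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-load.php": b"<?php require 'wp-config.php';\n",
        "wp-includes/version.php": b"<?php $wp_version = '4.0';\n",
        "wp-content/uploads/logo.png": b"\x89PNG\r\n\x1a\n....",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    manifest = {rel: hashlib.sha256(d).hexdigest() for rel, d in files.items()}
    # A file the manifest expects but that was never written (simulated deletion).
    manifest["wp-admin/missing.php"] = hashlib.sha256(b"<?php // gone\n").hexdigest()
    # Tamper after the manifest was recorded: append to a core file and drop an
    # image-named file that actually carries a PHP open tag.
    with open(os.path.join(root, "wp-load.php"), "ab") as fh:
        fh.write(b"// appended line\n")
    with open(os.path.join(root, "wp-content/uploads/banner.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n<?php echo 'constructed sample'; ?>")
    return root, manifest


def build_sample_comments():
    """Constructed sample: three comment rows in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_comments (comment_ID INTEGER, "
                 "comment_content TEXT, comment_approved TEXT)")
    conn.executemany("INSERT INTO wp_comments VALUES (?, ?, ?)", [
        (1, "Great post!", "1"),
        (2, "Nice <script src='//example.invalid/x.js'></script>", "1"),
        (3, "<?php echo 1; ?>", "0"),   # not approved, so not scanned here
    ])
    return conn


def demo():
    """Run both scans on the constructed samples."""
    root, manifest = build_sample_install()
    return scan_install(root, manifest), scan_comments(build_sample_comments())


if __name__ == "__main__":
    file_findings, bad_comments = demo()
    for finding, path in file_findings:
        print(f"{finding:14s} {path}")
    print("flagged comment IDs:", bad_comments)
```

Running it reports the appended core file as `modified`, the manifest entry that never existed on disk as `missing`, and `banner.png` twice: once as `unknown-file` (it is not in the manifest) and once as `php-in-image`. Only comment 2 is flagged, because comment 3 is unapproved and the query filters on `comment_approved = '1'` just as a real scan of approved comments would. The real value of the approach is the same as in the post: the checker sees every file and every row directly, instead of guessing what a crawler might reach.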
Wordfence is the only service that is designed specifically for WordPress security, does a complete scan of all your theme, plugin and core files, and does a deep scan of all other files for malware and infections. We've been providing core, theme and plugin verification for over 3 years, since our 1.1 release (the current version is 5.2.7), and we've learned a lot about efficient scanning and WordPress security, making many improvements to make our scan faster and more accurate.
I hope this short description of the differences between remote and source code scanning has helped you gain a better understanding of how to verify that your site is not infected, and how to improve your WordPress security.
Mark Maunder – Wordfence Founder.