Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

How the Wordfence Scanner Protects Your Site

This entry was posted in Wordfence, WordPress Security on May 21, 2018 by Dan Moen   8 Replies

When we think about Wordfence and how it improves your WordPress security posture, there are two core features we tend to focus on: the firewall, and the security scanner. As the first layer of defense, the Wordfence firewall gets the most attention because it blocks hackers from gaining access. But, the scanner plays an equally important role, alerting you to myriad of security findings that help you keep your site secure and respond quickly if you get hacked.

In today’s post we’re doing a deep dive on the Wordfence security scan. We walk you through everything it does and explain why each step is important.

Our malware scanner is the best in the industry

The Wordfence security scan performs a variety of functions, but perhaps the most important is malware detection. Wordfence scan checks your site to ensure you have not been infected with malware.

As the leader in WordPress security, we see more WordPress malware than anyone else. We see tens of millions of attacks every day, giving us unrivaled access to the latest threat information. We also clean hundreds of hacked websites every month, giving us visibility into the latest malware variants and exploits.

Our team has a workflow where we collect malware samples in a repository for analysis. Then we test to see if our malware scanner already detects the variant. If it does then we move on. If not, then we create a new malware signature to detect the new malware variant. We run the signature through quality assurance to make sure it does not detect things it should not (known as ‘false positives’). Once the malware signature passes QA, we release it to our Premium customers immediately and then 30 days later our free customers receive the signature. That way we constantly release detection capability for new WordPress threats to our customers.

Unlike many companies in our space, our analysts and developers are completely focused on WordPress. We don’t have to divide our time securing desktop systems, mobile devices or network hardware. Ensuring that publishers can securely run their websites using WordPress is all we do.

Our scanner runs on your server, giving it access to your website’s source code. Malware detection rates for remote scanners are significantly worse than server based scans like ours. Remote scanners cannot access site source code. Ours does scan source code – and many malware variants hide in site source code.

Our scanner was built from the ground up to protect WordPress. Our depth of knowledge, coupled with our singular focus on WordPress has allowed us to produce the best WordPress malware scanning capability in the industry.

Checking for suspect files and changes makes it hard for attackers to hide their malware

In addition to looking for known malware, the Wordfence scanner compares your site’s files against the official WordPress.org repository. Any files that have been changed or appear to be out of place are reported to you. This additional step makes it very difficult for attackers to avoid detection.

We even give you the ability to revert changed files to the pristine version that is in the official WordPress repository when you detect a change.

Malware scanning so good, we added it to the firewall

In fall of 2016 we added a break-through feature, integrating our malware scanning capabilities into the Wordfence firewall. As traffic passes through the firewall and before it hits your website it is inspected using our malware scanner, blocking any requests that include malicious code.

This was a leap forward in detection capability. Many competitor products don’t have a firewall at all. And many don’t have a malware scanner. We provide both and instead of just a rule based firewall that blocks exploits, we actually detect and block malware payloads too with the scanning capability we integrated in 2016.

The safety of your content matters

Linking to spammy or malicious content can adversely impact your search engine rankings and reputation. For many sites, search traffic is a critical part of their marketing strategy.

It is difficult to stay on top of the quality of your outbound links for several reasons. First, the content on pages you link to can change over time, so even if the content was fine when you published the link, it can end up hurting you down the road.

Second, most active sites have more than one contributor, making it very difficult to stay on top of changes. And even if you have your posts and pages under control, malicious and spammy links can creep in via comments.

Wordfence helps you weed out links that harm your reputation by scanning your pages, posts and comments for malicious content and known malicious URLs. We alert you in the scan results to these problems in a timely manner. That gives you the ability to go in and remove the links to malicious sites before Google notices them and penalizes your search rankings.

Blacklist checks

Domain and IP blacklists are a powerful tool used by search engines, email providers and many others to keep their users safe. As a website owner, landing on a blacklist can have a lasting impact on your site traffic, SEO rankings and email delivery. And there a lot of ways to land on a blacklist, even if your site hasn’t been hacked.

If your site is running on shared hosting with a shared IP address, for example, your site can be blacklisted based on your neighbor’s behavior.

Wordfence Premium helps you protect your site’s reputation, alerting you quickly should your domain or IP be blacklisted. By reacting quickly you can minimize any adverse impact. The fix may be as simple as moving your site to another IP address or fixing content on your site that Google thinks is malicious.

Fixing the issue quickly is key because this will avoid your site visitors seeing a browser warning and will avoid search engine penalties. Wordfence provides early detection which leads to early fixes.

Sensitive File Checks

It’s much easier than you think to accidentally leave sensitive files lying around on your server. It only takes one misplaced configuration or backup file with the wrong permissions to arm an attacker with the information they need to compromise your site. Last year on this blog we wrote reported that 12.8% of sites scanned had at least one sensitive file visible to anyone on the internet.

Running regular Wordfence scans protects you from this risk by alerting you quickly to any issues, locking down or removing sensitive files before they fall into the wrong hands.

Removed and Abandoned Plugins

Last summer (2017) we added an important feature that alerts you when plugins have either been abandoned or removed from the WordPress.org plugin directory.

We define an abandoned plugin as one that hasn’t been updated in over two years. While it is possible that the plugin author is still engaged at that point and available to react to any security issues that arise, it’s not likely the case. We generally recommend that site owners replace or remove abandoned plugins if possible.

The WordPress.org team removes plugins for a variety of reasons. Unfortunately when they do so they rarely disclose why, and in many cases it is due to a security issue that hasn’t been addressed. If you’re unable to determine why a plugin was removed or you’ve confirmed that it was removed for security reasons you should remove it from your site. In cases where it was removed for non-security reasons, it may be okay to continue to run the plugin, but finding a well-maintained replacement is likely a better bet.

We tell you about weak passwords

The security of your website is only as strong as its weakest link. Every time you grant a user access to your site, especially administrators, you are relying on them to keep your site safe. Unfortunately not everyone uses strong passwords, putting your website at risk. Wordfence scan checks if any of your users are using very common passwords and performs an extended check on admin level accounts.

We let you know about core, plugin or theme vulnerabilities

A couple of years ago we published research showing that plugin vulnerabilities were the most common way attackers compromise WordPress websites. The third and fourth most common reasons were core and theme vulnerabilities. It goes without saying that staying on top of vulnerabilities in WordPress core, plugins and themes is critical.

Every time the Wordfence scanner runs it checks to see if you are running software with known security vulnerabilities. It also warns you about any other updates that are needed, just in case the author quietly slipped in a security fix, which happens more often than it should.

We keep making it better and faster

Our development team is always working on ways to make the scanner perform better. Over the last couple of years we delivered a number of innovative updates that improved performance and speed significantly. In Fall of 2016 we released a new version of the scanner that performed up to 18x faster than the previous version. In Summer of 2017 we introduced lightweight scanning and optimized scan timing across VPS instances. In a subsequent release that same summer we introduced short-circuit scan signatures, improving performance by up to 6x.

It’s even better with Premium

The malware scanner relies on threat intelligence developed by our awesome team of security analysts in the form of malware signatures. Premium customers receive updates in real-time as they are developed (free sites receive updates 30 days later). Detecting the latest malware lets you react quickly to a compromised website. In addition, Wordfence Premium delivers real-time updates to firewall rules and enables the real-time IP blacklist.

Conclusion

The Wordfence scanner is a critical component in a layered security strategy. Wordfence scan alerts you quickly to malware, blacklist issues, security vulnerabilities, important updates and other security issues. To take detection to the next level you can upgrade to Wordfence Premium and receive malware signature updates in real-time.

As always we welcome your feedback in the comments below and we’ll be around to reply.

Did you enjoy this post? Share it!


4.50 (12 votes) Your rating:

8 Comments on "How the Wordfence Scanner Protects Your Site"

Bahawalpur May 21, 2018 at 9:54 am • Reply

Great Tool and tutorials also. Thanks for everything.

Dave R May 21, 2018 at 10:23 am • Reply

Since installing WordFence on my sites, I've never had a problem with intruders, real or cyber. Thanks, WordFence Team, AWESOME!

Ron May 21, 2018 at 10:27 am • Reply

Great security, scanner and firewall tools. Suggestion for scanner: look for page embedded css that falls outside "reasonable" viewing area, as sometimes used to hide nefarious urls by hackers.

Mark Maunder May 21, 2018 at 11:37 am • Reply

That's an interesting challenge. We'd have to render the page to determine if anything falls outside the viewport. Would require a headless browser as part of the scan. Will give this some thought.

Ron May 21, 2018 at 11:59 am • Reply

If it's there the result of a hack, it's usually done in such a way to affect all pages, so perhaps rendering and checking 1 page reveals a hack or its remnants. Anyway, just a thought. Thanks to the WF Team for its work in this area.

Mark May 22, 2018 at 1:40 am • Reply

I'm a premium user. Wordfence is for me the most valuable plugin hands down. It saved me once already.

Brad May 22, 2018 at 7:17 am • Reply

Thanks for all you guys do! My 1st step after installing WordPress is always installing WF. Just curious: Is there anything WF does that could help protect against or mitigate a DDoS attack on a site?

Mark Maunder May 22, 2018 at 10:31 am • Reply

Hi Brad. We do not currently offer DDoS mitigation, however many good hosting providers do offer it. DDoS attacks as a percentage of total attacks we see are rare.

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.