A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, shells that hackers have installed, known malicious URLs and known patterns of infections. It also examines all your posts, pages and comments looking for malicious code and URLs. It performs several other checks like checking if your IP address is being used for malicious activity, checking for sensitive files that are publicly accessible, and more.
A scan can be either a manual or a scheduled scan. If Wordfence finds problems during your manual scan, you will see those in the scan results. If Wordfence finds problems during a scheduled scan, you will either see the results next time you log in to your website or, if you have set Wordfence to send you alerts about your site, you will receive an email about it.
Depending on the size of your site, a scan may take anywhere from 1 minute to over 10 minutes if you have a very large number of files or comments or posts. If you are having trouble with your scans, please see Scan Troubleshooting.
The Scan status circles indicate the current detection capability of your Wordfence scan. If the circles are gray, it means scheduled scanning is disabled. To reach 100% on all Scan status circles:
- Enable all Scan options that are part of the “Standard” Scan type. Go to the Scan options page and select “Standard Scan,” then press “Save Changes”.
- Enable Premium Scan Signatures. The premium scan signatures improve detection rate. They are enabled automatically when you upgrade to Premium.
- Enable Reputation Checks. Reputation checks examine if your site is blacklisted. They are enabled automatically when you upgrade to Premium.
NOTE: If you are on a host with limited resources, you may need to use the Limited Scan type. With Wordfence Premium enabled, you will then be at 55% of the circle.
The Malware Signatures status circle indicates if you are using the community or Premium version of our malware signatures. Malware signatures are used to detect malware on your site. When the Wordfence team releases new malware signatures, they are pushed out to Premium customers sites in real time. Free customers get the same signatures 30 days later. To get to 100% on this circle, you have to upgrade to Wordfence Premium.
The Reputation Checks status circle indicates whether spam and blacklist scan options are enabled. To reach 100% on this circle, you need to upgrade to Wordfence premium.
There are four severity levels in scan results. Critical issues are problems that need to be examined immediately. High severity issues are items that should be examined as soon as possible, but may not pose an immediate threat. Medium severity issues are problems that we would like to make you aware of, but that you can hold off on, or choose not to take action on, if you so choose. Low severity issues can typically be safely ignored, but you may wish to be aware of them.
To find out more about each severity level, please see this page about alerts.
A limited scan is suitable for a site that has highly restricted hosting resources. If your site is running out of memory, or your scans won’t complete, please try this scan type.
The Standard Scan is recommended for most sites. It includes all checks that are needed to ensure that a typical WordPress site is safe.
Please note that the theme and plugin checks that compare your local files to the files in the WordPress.org repository are not currently included in this option. You may want to enable these. The options are located on the Scan options page in the section “General Options.” They are called:
- Scan theme files against repository versions for changes
- Scan plugin files against repository versions for changes
This scan type is for when you know or strongly suspect that your site has been compromised. It includes the scan option “Scan images, binary, and other files as if they were executable” which examines the source code of images, PDFs and other files as if they were programs that could execute code. This scan type will take longer time and use more resources than a Standard Scan.
If you manually change which checks are included in your scans via the Scan options General Options, you’ll end up with a Custom Scan type.
A Wordfence scan proceeds through a set of stages, with each stage checking specific areas of your site. While scanning, icons will indicate when each scan stage is complete. The icons also indicate whether any issues were found during the specific scan stage. A blue checkmark indicates the scan stage passed. A yellow warning sign indicates issues were found. These are the scan stages and their respective options:
Check if this website is being “Spamvertised”
Check if this website IP is generating spam
Check if this website is on a domain blacklist
Scan for unauthorized DNS changes (discontinued)
Monitor disk space
Scan for misconfigured How does Wordfence get IPs
PHP Version Check (Can not be disabled)
Check Web Application Firewall status
Check for paths that are not scanned by default
Scan wp-admin and wp-includes for files not bundled with WordPress
Scan plugin files against repository versions for changes
Scan theme files against repository versions for changes
Scan core files against repository versions for changes
Scan for signatures of known malicious files
Scan file contents for backdoors, trojans and suspicious code
Scan comments for known dangerous URLs and suspicious content
Scan posts for known dangerous URLs and suspicious content
Scan file contents for malicious URLs
Scan for publicly accessible quarantined files
Scan for publicly accessible configuration, backup, or log files
Check the strength of passwords
Scan for out of date, abandoned, and vulnerable plugins, themes, and WordPress versions
User & Option Audit
Scan WordPress core, plugin, and theme options for known dangerous URLs and suspicious content
Scan for admin users created outside of WordPress
Working With Scan Results
A Wordfence scan result will look a little bit different depending on what was detected. To find out about all the different results that can appear in a scan, please see our full list of Scan results. Each scan result comes with a set of actions you can take to resolve it.
Occasionally, the Wordfence Scanner may report something as suspect or malicious even though according to your findings, it is not. This is called a “false positive.” If you are sure that a scan result is a false positive, you can choose to “ignore” the scan result. It will then be listed under the “Ignored Results” tab in all future scans. Examples of false positives are if you have manually edited a WordPress core or theme file yourself. If you have enabled “High Sensitivity,” you may also get false positives, since this scan type is the most thorough.
Any file that has been detected as having an issue in a scan has an option to “View file.” Viewing the file displays the file’s actual source code in a new window. This can be useful to see if it contains code that looks suspicious. Viewing the file like this is safe, as it only prints out the code and does not execute it.
If a file has been detected as “modified,” you have the option to “View Differences.” This option compares the version of the file that Wordfence expected to find to the version that you currently have installed. Inspect “The Modified Version on your WordPress system” to see if code was added.
Files detected in a scan can be deleted, with one exception. The WordPress configuration file, wp-config.php, cannot be deleted using this method, because deleting this file will inevitably break your WordPress installation.
Wordfence helps you find potential problems on your site, but ultimately we rely on your good judgement to determine if a file should be deleted or restored to its original version. A good rule of thumb is: if you view the changes in a core file and see that a lot of garbage-looking text has been added to the file, then it’s probably an infection, and restoring the original core file will clear the infection. However, if you see changes in a file where some well-formatted PHP code or HTML has been added, then it’s likely that it’s not an infection and it may be that your site developer has customized a theme or core file and you should leave the changes in place. In this case, clicking the ‘ignore’ option that Wordfence gives you is likely the best course of action.
You might have old files from a previous version of WordPress, especially if you have ever used a ‘beta’ version, or your host may have log files with unusual names. But .php files in these locations may also be malicious. In most cases, you will want to remove unknown .php files found in core locations, but some plugins may place other files there, so remember to keep a backup of files before removing them, if you’re not sure whether they are good or bad.
If you are running an alpha or beta version of WordPress, extra core files should not be flagged unless the internal WordPress version number is incorrect.
Delete all deletable files
The button “Delete all deletable files” allows you to bulk delete all files that were detected in scan (with the exception of wp-config.php). This action should be exercised with extreme caution. If you have a premium theme or plugin or a theme or plugin you have developed yourself, there will not be an option to restore these files. However, deleting it may break your site. If you find infected files in a custom theme or plugin, a safer action will typically be to get a fresh version and reinstall.
The “Delete all deletable files” exists for one specific circumstance only, and that is when there are massive amounts of malicious files that are not part of WordPress core or any of your custom themes or plugins. Again – use with caution, and make sure you know what you are deleting!
Mark as fixed
If you take this action on a scan result, it’s hidden from view instantly. You can use this to manage the current view if you are going through and resolving issues one by one until all issues have been resolved. This action does not persist, and if you mark an issue as fixed even though it has not been resolved, it will reappear in the next scan.