A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, and shells that hackers have installed. It also scans for known malicious URLs and known patterns of infections.
A Wordfence scan examines all files on your WordPress site looking for malicious code, backdoors, and shells that hackers have installed. It scans for known malicious URLs and known patterns of infections in all your files. It also examines all your posts, pages, and comments looking for malicious code and URLs. It performs several other checks like checking if your IP address is being used for malicious activity, checking for sensitive files that are publicly accessible, and more.
A scan can be either a manual or a scheduled scan. If Wordfence finds problems during your manual scan, you will see those in the scan results. If Wordfence finds problems during a scheduled scan, you will either see the results next time you log in to your website or, if you have set Wordfence to send you alerts about your site, you will receive an email about it.
Depending on the size of your site, a scan may take anywhere from 1 minute to over 10 minutes if you have a very large number of files, comments, or posts. If you are having trouble with your scans, please see Scan Troubleshooting.
If your site has been hacked, or you think that it may have been hacked, then follow our site cleaning guide here.
The scan status circles indicate the current detection capability of your Wordfence scan. If the circles are gray, it means scheduled scanning is disabled. To reach 100% on all Scan status circles:
Enable all Scan options that are part of the “Standard” Scan type. Go to the scan options page and select “Standard Scan,” then press “Save Changes”.
Enable Premium Scan Signatures. The premium scan signatures improve the detection rate. They are enabled automatically when you upgrade to a Premium license key.
Enable Reputation Checks. Reputation checks examine if your site is on any third-party blocklists/blacklists. They are enabled automatically when you upgrade to a Premium license key.
NOTE: If you are on a host with limited resources, you may need to use the “Limited Scan” type. With Wordfence Premium enabled, you will then be at 55% of the circle.
The “Malware Signatures” status circle indicates if you are using the community or Premium version of our malware signatures. Malware signatures are used to detect malware on your site. When the Wordfence team releases new malware signatures, they are pushed out to Premium customers’ sites in real-time. Free customers get the same signatures 30 days later. To get to 100% on this circle, you have to upgrade to a Premium license key.
The “Reputation Checks” status circle indicates whether spam and third-party blocklist/blacklist scan options are enabled. To reach 100% on this circle, you need to upgrade to a Premium license key.
There are four severity levels in scan results. “Critical” severity issues are problems that need to be examined immediately. “High” severity issues are items that should be examined as soon as possible, but may not pose an immediate threat. “Medium” severity issues are problems that we would like to make you aware of, but you can choose not to take any action on them. “Low” severity issues can typically be safely ignored, but you may wish to be aware of them.
A limited scan is suitable for a site that has highly restricted hosting resources. If your site is running out of memory, or your scans will not complete, please try this scan type.
The Standard Scan is recommended for most sites. It includes all checks that are needed to ensure that a typical WordPress site is safe.
Please note that the theme and plugin checks that compare your local files to the files in the WordPress.org repository are not currently included in this option. You may want to enable these. The options are located on the scan options page in the section “General Options”. They are called:
Scan theme files against repository versions for changes
Scan plugin files against repository versions for changes
The “High Sensitivity” scan type is for when you know or strongly suspect that your site has been compromised. It includes the scan option “Scan images, binary, and other files as if they were executable”, which examines the source code of images, PDFs and other files as if they were programs that could execute code. This scan type takes longer and uses more resources than a “Standard Scan”.
If you manually change which checks are included in your scans in the “General Options” section of the scan options page, the scan type will show as “Custom Scan”.
A Wordfence scan proceeds through a set of stages, with each stage checking specific areas of your site. While scanning, icons will indicate when each scan stage is complete. The icons also indicate whether any issues were found during the specific scan stage. A blue check mark indicates the scan stage passed. A yellow warning sign indicates issues were found. These are the scan stages and their respective options:
Check if this website is being “Spamvertised”
Check if this website IP is generating spam
Check if this website is on a domain blocklist
Scan for unauthorized DNS changes (discontinued)
Monitor disk space
Scan for misconfigured How does Wordfence get IPs
PHP Version Check (cannot be disabled)
Check Web Application Firewall status
Check for paths that are not scanned by default
Scan wp-admin and wp-includes for files not bundled with WordPress
Scan plugin files against repository versions for changes
Scan theme files against repository versions for changes
Scan core files against repository versions for changes
Scan for signatures of known malicious files
Scan file contents for backdoors, trojans, and suspicious code
Scan comments for known dangerous URLs and suspicious content
Scan posts for known dangerous URLs and suspicious content
Scan file contents for malicious URLs
Scan for publicly accessible quarantined files
Scan for publicly accessible configuration, backup, or log files
Check the strength of passwords
Scan for out of date, abandoned, and vulnerable plugins, themes, and WordPress versions
User & Option Audit
Scan WordPress core, plugin, and theme options for known dangerous URLs and suspicious content
Scan for admin users created outside of WordPress
Working With Scan Results
A Wordfence scan result will look a little bit different depending on what was detected. To find out about all the different results that can appear in a scan, please see our full list of Scan results. Each scan result comes with a set of actions you can take to resolve it.
Occasionally, the Wordfence Scanner may report something as suspect or malicious even though, according to your findings, it is not. This is called a “false positive”. If you are sure that a scan result is a false positive, you can choose to “ignore” the scan result. It will then be listed under the “Ignored Results” tab in all future scans. Examples of false positives include a WordPress core file or theme file that you have edited yourself. If you have enabled “High Sensitivity”, you may also get false positives, since this scan type is the most thorough.
Any file that has been detected as having an issue in a scan has an option to “View file”. Viewing the file displays the file’s actual source code in a new window. This can be useful to see if it contains code that looks suspicious. Viewing the file like this is safe, as it only prints out the code and does not execute it.
If a file has been detected as “modified”, you have the option to “View Differences”. This option compares the version of the file that Wordfence expected to find to the version that you currently have installed. Inspect “The Modified Version on your WordPress system” to see if code was added.
Files that belong to WordPress core, or a known plugin or theme from wordpress.org, can be repaired using a copy from the Wordfence servers. Be careful when repairing files if you or a developer ever intentionally modified these files, as you may lose your changes. By default, you are prompted to download a copy of each file you repair individually, but you can choose to skip this step on future repairs.
Files detected in a scan can be deleted, with one exception. The WordPress configuration file, “wp-config.php”, cannot be deleted using this method, because deleting this file will inevitably break your WordPress installation.
Wordfence helps you find potential problems on your site, but ultimately we rely on your good judgment to determine if a file should be deleted or restored to its original version. If you view the changes in a core file and see that a lot of garbage-looking text has been added to the file, then it is probably an infection, and restoring the original core file will clear the infection. However, if you see changes in a file where some well-formatted PHP code or HTML has been added, then it is likely that it is not an infection and it may be that your site developer has customized a theme or core file and you should leave the changes in place. In this case, clicking the “ignore” option that Wordfence gives you is likely the best course of action.
You might have old files from a previous version of WordPress, especially if you have ever used a beta version, or your host may have log files with unusual names. But “.php” files in these locations may also be malicious. In most cases, you will want to remove unknown “.php” files found in core locations, but some plugins may place other files there, so remember to keep a backup of files before removing them, if you are not sure whether they are good or bad.
If you are running an alpha or beta version of WordPress, extra core files should not be flagged unless the internal WordPress version number is incorrect.
Delete all deletable files
The button “Delete all deletable files” allows you to bulk delete all files that were detected in a scan (with the exception of “wp-config.php”). This action should be exercised with extreme caution. If you have a premium theme or plugin, or a theme or plugin you have developed yourself, there will not be an option to restore these files, and deleting them may break your site. If you find infected files in a custom theme or plugin, a safer action will typically be to get a fresh version and reinstall.
The “Delete all deletable files” button exists for one specific circumstance only, and that is when there are massive amounts of malicious files that are not part of WordPress core or any of your custom themes or plugins. Again, use this option with caution, and make sure that you know what you are deleting!
Mark as fixed
If you take this action on a scan result, it is hidden from view instantly. You can use this to manage the current view if you are going through and resolving issues one by one until all issues have been resolved. This action does not persist, and if you mark an issue as fixed even though it has not been resolved, it will reappear in the next scan.
Occasionally, depending on your site, its resources, and the plugins and themes you use, you may get a PHP error that says something like this:
PHP Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 491520 bytes)
Fatal error: Out of memory (allocated 33292288) (tried to allocate 616 bytes) in...
This issue is not a Wordfence error but simply indicates that you need to contact your hosting provider and ask them to increase your site memory. Usually your hosting provider will edit your php.ini file to increase the memory_limit parameter, and they may also have to increase your web server memory limit along with any operating system limits they have.
Increase PHP Memory
This is an indication that the memory limit in php.ini is not set high enough. You can define this in your php.ini file (usually found in /etc on Linux systems; check your documentation for Windows servers, which are currently unsupported by Wordfence). Look through the file for a line like this: memory_limit = 128M. Keep in mind that the 128M will probably be different on your server. That is the amount of memory that PHP is allowed to consume. If you have 10 plugins and combined they consume more memory than you have allocated, you are going to have problems. You can assign more by increasing this value. (Some of our personal sites have 256M allowed, but these are pretty big sites with a substantial number of hits and plugins.) Make sure to restart httpd (Apache) after making changes here.
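The error messages quoted above report the limit in bytes, while php.ini takes PHP's shorthand notation (67108864 bytes is 64M). The following helper script is an added example, not Wordfence's own code: it converts between the two forms, extracts the configured limit from either error line, and suggests a doubled value to discuss with your host. It assumes a POSIX shell with sed; the php CLI is only used by show_loaded_limit, and the doubling rule in suggest_memory_limit is a constructed rule of thumb.

```shell
#!/bin/sh
# Added example (not Wordfence's own code): helpers for the PHP memory
# errors shown above. Assumes a POSIX shell with sed; `php` is only needed
# by show_loaded_limit.

# Convert a PHP shorthand size (64M, 512K, 1G, 134217728, -1) to bytes.
# PHP keys off the last character only, case-insensitively; -1 means no limit.
php_shorthand_to_bytes() {
    v=$1
    case "$v" in
        *[kK]) n=${v%?}; mult=1024 ;;
        *[mM]) n=${v%?}; mult=1048576 ;;
        *[gG]) n=${v%?}; mult=1073741824 ;;
        *)     n=$v;     mult=1 ;;
    esac
    printf '%s\n' "$((n * mult))"
}

# Convert bytes back to the largest exact shorthand unit, for editing php.ini.
bytes_to_php_shorthand() {
    b=$1
    if   [ $((b % 1073741824)) -eq 0 ]; then printf '%sG\n' "$((b / 1073741824))"
    elif [ $((b % 1048576)) -eq 0 ];    then printf '%sM\n' "$((b / 1048576))"
    elif [ $((b % 1024)) -eq 0 ];       then printf '%sK\n' "$((b / 1024))"
    else                                     printf '%s\n' "$b"
    fi
}

# Pull the configured limit (in bytes) out of either form of the fatal error.
# Prints nothing if the line is not a PHP memory error.
allowed_bytes_from_error() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*Allowed memory size of \([0-9][0-9]*\) bytes.*/\1/p' \
        -e 's/.*Out of memory (allocated \([0-9][0-9]*\)).*/\1/p'
}

# Constructed rule of thumb: propose double the limit the error reports,
# expressed in php.ini shorthand, as a starting point for your host.
suggest_memory_limit() {
    cur=$(allowed_bytes_from_error "$1")
    [ -n "$cur" ] || return 1
    bytes_to_php_shorthand "$((cur * 2))"
}

# Locate the php.ini the CLI loads and print the limit it currently has.
# The web server's PHP may load a different ini file; compare with phpinfo().
show_loaded_limit() {
    php --ini
    php -r 'echo "memory_limit=", ini_get("memory_limit"), "\n";'
}

# Usage (from the server's shell, after sourcing this file):
#   suggest_memory_limit "PHP Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 491520 bytes)"
# prints 128M for the first error message quoted above.
```

Paste one line from your PHP error log into suggest_memory_limit to get a value in the same notation as the memory_limit line in php.ini; pass the whole log through allowed_bytes_from_error to see whether every failure reports the same limit, which tells you whether one php.ini or several are in play.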
Disable plugins that affect database queries
While a scan is running, Wordfence has to make a lot of database queries. If you are using plugins that affect all database queries, such as Query Monitor, you may run out of PHP memory. If you have Query Monitor or any similar plugin installed, make sure it is deactivated while a Wordfence scan is running.
Errors about connecting to the Wordfence scanning servers usually mean that your web server cannot connect to our scanning servers. It is possible that your server is blocking outgoing connections or there are some DNS resolution issues.
When you run a scan, your web server needs to be able to connect to our scanning server, noc1.wordfence.com, so that it can send hashes of files and signatures for comparison against known bad items. Your web server must be able to connect to port 443 and port 80 of noc1.wordfence.com. To test whether it can do this, you can use an SSH connection to your server and run the following commands. If you do not know how to do this, you can ask your server administrator or your hosting provider.
Depending on what software is installed on your server, one or more of these commands may work:
You can try connecting to port 80 and port 443. As long as you can connect to both, you should be able to use the scanner. You should see the IP 18.104.22.168 returned. If you see anything other than that, it is possible that your host has a caching nameserver that is not respecting the TTL (Time To Live), meaning that it keeps old records longer than it should.
You can also try:
Uncheck “Enable ssl verification”. It is found under Tools, on the Diagnostics tab at the bottom of the page.
Make sure your cURL is not outdated and allows outbound connections. Run the connectivity tester (near the bottom of the Wordfence options page) to test. If you receive an error, a ticket with your hosting provider may be required.
Check iptables (Linux) to make sure you are accepting those connections.
To set iptables to accept the connections, the following code should be checked and adjusted for your particular site, by an experienced server manager or your hosting company:
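The script below is an added example, not Wordfence's own code, covering both the connectivity test described above and the iptables rules this section refers to. It resolves noc1.wordfence.com, compares the answer with the expected address given above, probes ports 80 and 443 with cURL, and maps cURL's exit status onto the three failure causes the text lists (DNS, blocked outbound connection, SSL verification). It assumes a POSIX shell with curl and either getent or dig; the iptables lines are only printed, for a Linux administrator to review and apply as root, and the conntrack-based rule form is one reasonable choice, not the only one.

```shell
#!/bin/sh
# Added example (not Wordfence's own code): connectivity check for the
# scanning server, plus the iptables rules that would allow the traffic.
# Assumes a POSIX shell with curl; getent or dig for name resolution.

WF_HOST="noc1.wordfence.com"
WF_EXPECTED_IP="18.104.22.168"   # the address the text above says you should see

# Resolve the scanning server with whichever resolver tool the host has.
resolve_host() {
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$1" | awk '{print $1; exit}'
    elif command -v dig >/dev/null 2>&1; then
        dig +short "$1" | grep '^[0-9]' | head -n 1
    else
        return 1
    fi
}

# Pure comparison: succeeds if the resolved address is the expected one.
# A mismatch points first at a caching resolver that ignores TTLs.
check_resolved_ip() {
    [ "$1" = "$WF_EXPECTED_IP" ]
}

# Translate curl's exit status into the failure classes listed above.
classify_curl_exit() {
    case "$1" in
        0)     printf 'ok\n' ;;
        6)     printf 'dns\n' ;;       # could not resolve host
        7|28)  printf 'blocked\n' ;;   # connection refused/filtered, or timed out
        35|60) printf 'tls\n' ;;       # SSL handshake or certificate verification failed
        *)     printf 'other\n' ;;
    esac
}

# Probe one port. curl only needs to complete the connection: any HTTP
# response, even an error page, means the port is reachable from here.
probe_port() {
    scheme=$1; port=$2; rc=0
    curl -sS -o /dev/null --connect-timeout 10 --max-time 20 \
        "${scheme}://${WF_HOST}:${port}/" >/dev/null 2>&1 || rc=$?
    classify_curl_exit "$rc"
}

# Print (do not apply) iptables rules allowing outbound 80/443 to the given
# address and the matching return traffic. Review before running as root.
iptables_outbound_rules() {
    ip=$1
    for port in 80 443; do
        printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$ip" "$port"
        printf 'iptables -A INPUT -p tcp -s %s --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$ip" "$port"
    done
}

# Run everything from the server's shell:  sh wf_connectivity.sh run
run_checks() {
    ip=$(resolve_host "$WF_HOST") || { echo "could not resolve $WF_HOST"; return 1; }
    if check_resolved_ip "$ip"; then
        echo "$WF_HOST resolves to $ip (expected)"
    else
        echo "$WF_HOST resolves to $ip, expected $WF_EXPECTED_IP: check for a caching nameserver ignoring TTLs"
    fi
    for p in "http 80" "https 443"; do
        set -- $p
        echo "port $2: $(probe_port "$1" "$2")"
    done
    echo "If a port reports 'blocked', rules to review with your host:"
    iptables_outbound_rules "$ip"
}

if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

A result of "tls" on port 443 while port 80 reports "ok" is the case where the “Enable ssl verification” setting mentioned above matters; "dns" on both ports is a resolver problem rather than a firewall one, and the printed iptables lines are only relevant when a port reports "blocked".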
You can view the activity log by clicking Scan on the Wordfence menu on the left of your WordPress admin console and then clicking the link “View activity log” below the “Scan Detailed Activity” box. The red errors you see here are not just Wordfence errors, but also errors from other plugins and even WordPress itself in rare cases.
If you see red errors here, they are often just warnings which may not affect the functioning of your site. But you should investigate them and report any errors to the owner of the plugin that is generating the error.
An example of a plugin error is:
Use of undefined constant user_level – assumed ‘user_level’ (8) File: /home/blah/foo/bar/home/wp-content/plugins/the-name-of-the-plugin-here/somefile.php Line: 525
If you look at the filename above, notice where the name of the plugin appears. Use that to determine which plugin is generating the errors you’re seeing, and report the issue to the plugin maker. If Wordfence is generating the error, then report it to us ASAP! If the error is the last error (or close to last) that appears before a scan mysteriously stops running, then send that to us too.
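Because the plugin's directory name appears in the file path of every error, attributing activity-log lines can be scripted. The following is an added example, not Wordfence's own code: it reads the component name out of the path (plugin, theme, or WordPress core), decides whom the error should be reported to, and counts errors per component across a log. The sample log lines are constructed, modelled on the plugin error quoted above; their paths are illustrative, and "wordfence" is assumed to be the directory name of the Wordfence plugin itself.

```shell
#!/bin/sh
# Added example (not Wordfence's own code): attribute activity-log errors to
# the plugin, theme or core component whose file produced them.

# Print "plugin:<dir>", "theme:<dir>", "core" or "unknown" for one log line.
# Plugins and themes are matched first, because a plugin path may itself
# contain a wp-admin or wp-includes directory.
error_source() {
    line=$1
    case "$line" in
        */wp-content/plugins/*)
            printf 'plugin:%s\n' "$(printf '%s\n' "$line" | sed 's#.*/wp-content/plugins/\([^/ ]*\).*#\1#')" ;;
        */wp-content/themes/*)
            printf 'theme:%s\n' "$(printf '%s\n' "$line" | sed 's#.*/wp-content/themes/\([^/ ]*\).*#\1#')" ;;
        */wp-admin/*|*/wp-includes/*)
            printf 'core\n' ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# Who gets the report: Wordfence for its own plugin directory (assumed to be
# "wordfence"), the component author for other plugins and themes.
report_to() {
    case "$(error_source "$1")" in
        plugin:wordfence) printf 'wordfence\n' ;;
        plugin:*|theme:*) printf 'component author\n' ;;
        core)             printf 'wordpress\n' ;;
        *)                printf 'unknown\n' ;;
    esac
}

# Count errors per source over a log read from stdin, noisiest first.
count_by_source() {
    while IFS= read -r line; do
        error_source "$line"
    done | sort | uniq -c | sort -rn
}

# Constructed sample log. The first line mirrors the example quoted above;
# the remaining lines and all paths are made up for this example.
SAMPLE_LOG='Use of undefined constant user_level - assumed "user_level" (8) File: /home/blah/foo/bar/home/wp-content/plugins/the-name-of-the-plugin-here/somefile.php Line: 525
Undefined index: foo File: /var/www/html/wp-content/plugins/the-name-of-the-plugin-here/inc/helper.php Line: 12
Deprecated: get_settings is deprecated File: /var/www/html/wp-content/themes/example-theme/functions.php Line: 40
Warning: something went wrong File: /var/www/html/wp-includes/functions.php Line: 999'

# Usage:  printf '%s\n' "$SAMPLE_LOG" | count_by_source
# or feed it the copied text of the activity log instead of the sample.
```

Run the activity log text through count_by_source before opening a ticket: the top entry is the component to report to, and a line attributed to plugin:wordfence is the one to send to Wordfence.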