Select which aspects of your site the scan should investigate, adjust scan performance and configure advanced options.
Check if this website is on a domain blacklist
This option is available for Wordfence Premium users to check if your own site is listed on domain blacklists. Blacklisting can occur for various reasons, but this scan checks blacklists related to malicious content. This could be a sign of a compromise, or could also be caused by your site linking to sites that are known to be compromised, which would appear as additional scan results.
Check if this website is being “Spamvertised”
If your website has been hacked, spammers will often include a small script on your site that redirects any visitors who hit that script’s URL from your site to a malicious or pornographic website. The reason they do this is because the site they are redirecting to is a known bad site, and spam filters will block any emails containing links to their own site. So instead of emailing links to their own site, they will email out links to another site which is “clean” and which redirects to their bad site.
This is a common tactic they use to defeat spam filters. The problem is that developing a clean site and its reputation takes time. So what spammers do is, they hack your site and place a script on your site that does the redirection described above. The result is that links to your own website appear in thousands, or even hundreds of thousands, of spam emails.
For this reason, Wordfence offers the additional check to our Premium customers which checks if your website is being included in spam emails (Spamvertized). Checking if your site is being spamvertized is an important step in early detection of an infection. If this comes up as positive, then it means that you are either currently infected with malware, or you were in the past. Another possible reason is that your own emails campaigns have been too aggressive or have tripped spam filters from another reason and your website has been listed as a URL that often appears in spam email.
Checking if your site is being spamvertized using regular Wordfence Premium scans is an excellent way to preserve the integrity of your website and email reputation.
Check if this website IP is generating spam
It is important that your website’s own IP address has not been blacklisted for sending spam or hosting malware. If your IP address has been blacklisted, then any email originating from your website IP address will either disappear and not even reach an inbox or spam filter (be blackholed) or will land in your customer’s spam folders.
Your IP can become blacklisted if you are on a shared hosting program and another website on your server is infected with malware or is engaging in malicious activity. This feature does a check to see if your IP address is clean or if it is listed as malicious. If you find that your IP address is listed as malicious, log a support call with your hosting provider to have your site moved to a different IP address or have them work to clean the IP you are hosted on.
Scan for misconfigured How does Wordfence get IPs
This scan checks how Wordfence sees visitors’ IPs. If your server or domain is set up to use a “reverse proxy,” this helps Wordfence determine which Http Header contains the visitor’s IP. We recommend keeping this scan enabled. The scan runs once per week and will show “Skipped” in the scan summary when it does not need to run.
Scan for publicly accessible configuration, backup, or log files
This scan will check for files containing sensitive information that could be accessed remotely, such as old WordPress settings in a file name wp-config.old. Preventing access to these files can keep your database password or other important information secure.
Scan for publicly accessible quarantined files
This scan will check for quarantined files that some hosts produce when they detect possible malware. Usually these files end in “.suspected”, which can cause the web server to expose the contents of PHP files instead of running them as PHP code when a visitor tries to view them. If a sensitive file such as wp-config.php is renamed by the host to wp-config.php.suspected, this can expose your database password to the public.
Note: If the file is not hidden when you try to fix this result by clicking the link to hide the file, this may be caused by having multiple levels of .htaccess files. You might need to add “RewriteOption Inherit” to your .htaccess file. Be sure to check any other sites you have in a parent directory or subdirectory of the same host, since other “rewrites” can be inherited too.
In general, saving a backup of the file and removing it from the server is the recommended option.
Scan core files against repository version for changes
This scan checks if your core files match what exists in the official WordPress core repository. If your files have changed, then it’s likely that either you have modified them yourself (which is highly unusual and not recommended), or your WordPress installation has been infected by malware which has modified your core files. If changes have occurred, Wordfence gives you the opportunity to see what those changes are being doing a “diff” which is short for “differences.” We will show you a syntactically highlighted display of the differences between your core files and the official WordPress core files that are distributed.
Note that this automatically detects which version of WordPress you are running, and will compare your core files to the appropriate version. This version detection and comparison with the correct version in the repository also applies to theme and plugins below.
Scan theme files against repository versions for changes
As with the core file change detection above, this compares any themes that you have installed on your site with those in the official WordPress theme repository. Note that we automatically detect which theme version you’re running and do the comparison with the correct version. This scan applies to all themes installed on your WordPress installation, not just the active theme.
Also note that this scan does not apply to commercial themes, or themes that are not in the official WordPress repository. If you do have any commercial themes on your system, we will still scan those for malware, malicious URLs, backdoors and many other items, but we don’t have the ability to see if your theme files have changed from the original files distributed by the vendor. Many websites heavily customize their commercial themes anyway, so this check in many cases would be pointless because we would still detect those customizations as changes to the theme files.
Scan plugin files against repository versions for changes
As with the core file change detection above, this compares your plugins with what is in the official WordPress repository, and will alert you to any changes. Most WordPress websites don’t customize their plugins, and most plugins installed on a WordPress website are from the official repository, so this is an excellent way to verify the file integrity of your plugins.
Note that some developers do not follow the official guidelines that WordPress provides for plugin developers, and will modify a “tag” or a version of their plugin that has already been released by adding new code to an existing release – for example, fixing a small bug or correcting a minor typo. WordPress also does not alert customers that there is new code and they need to upgrade. The result is that this leaves customers with code on their sites that does not match what is in the repository, and may be an occasional cause of false positives.
In cases like this Wordfence will alert you to the fact that the plugin code you have does not match what is in the repository. That is why we recommend you always use the feature that Wordfence provides to view changes in your plugin files before take any action – because it may just be a case of a developer who is not managing their code correctly.
In this case, you can simply ignore the plugin file that Wordfence flagged and send the developer a friendly note asking them to not check code into existing “tags” or releases. However, if you do see a plugin file that changed and you see long lines with lots of strange characters, it’s likely that the plugin file has been infected by something.
Scan wp-admin and wp-includes for files not bundled with WordPress
The wp-admin and wp-includes directories should typically only include files that are a part of WordPress core, plus possibly some log files or files related to file uploads, depending on your hosting company’s configuration and other settings. This scan shows files in wp-admin or wp-includes which are not a normal part of WordPress or other files that we recognize. Sometimes, files from an old version of WordPress may still exist in core folders, and they are generally safe to remove, if that is the case.
As usual, be sure that you have a backup before deleting files, especially if you’re not sure why they are there. Some plugins or themes may put files in core folders even though that’s not a recommended practice, but attackers may place malicious files in these folders as well.
Some “Managed WordPress” hosting plans may prevent you from deleting any core files, including WordPress core files from old WordPress versions. If that is the case, you can ask your host to help remove or evaluate any files found by this scan that don’t seem to belong in these locations in the current version of WordPress.
Scan for signatures of known malicious files
This scan will look at entire files and compare their hashes with a large database of known malicious files that we maintain and that is continually updated on a daily basis. If we detect a file that is known to be malicious, we’ll alert you.
Scan file contents for backdoors, Trojans and suspicious code
This scan option provides an excellent level of detection. Wordfence maintains a continually updated list of patterns that match common code and patterns that we see in malicious files. When you perform a scan, for any files that we don’t recognize as known good files (like core files or known theme and plugin files) we do a deep scan looking for these patterns. If we find a pattern, you’ll receive a critical alert telling you that we found something malicious in a file.
Some of the common patterns we look for include several techniques that are used by hackers to hide their malicious code, including encoding their code using base64, URL encoding, hex encoding and others. We also look for patterns that indicate a file contains code that is downloading and executing something without the normal security patterns that you see in WordPress development.
Scan file contents for malicious URLs
Wordfence scans file contents for malicious URLs which may be used by attackers in various ways, such as downloading additional malicious files within malware, or they may be served to visitors in malware or spam campaigns.
Scan posts for known dangerous URLs and suspicious content
This scan goes through all your website’s posts by directly accessing your database (rather than doing a site crawl, which is slower) and checks if they contain known dangerous URLs that are linked to phishing or hosting malware. It also checks for suspicious content that may have been generated by an infection or a hack.
With this scan option enabled, we always check all posts, rather than only new posts. We do this is because the list of known dangerous URLs is constantly changing. A site that you are linking to in a specific post may be safe today, but tomorrow it might get infected with malware, in which case we would start flagging it. If that happened, you would need to remove the URL from your post or risk being blacklisted by Google.
This scan is extremely valuable in preserving your site reputation and avoiding a search penalty in Google. The links that appear in each of your posts are indexed by Google, and if you are linking to a site that is blacklisted by Google, then your site will likely fall in the search rankings and your own site may be blacklisted for acting as an intermediary in the distribution of malware. So, we strongly recommend that site owners enable this scan.
Scan comments for known dangerous URLs and suspicious content
This scans all your comments by directly accessing your database and scanning the comments table. It checks comments that are in a published state for known malicious URLs and other patterns that indicate an infection. As with the posts scan above, we do a full scan every time this scan is performed because the list of known dangerous URLs is constantly changing, so even if a comment has not changed, we need to re-verify that any URLs it contains are clean.
This is an important scan because it prevents your site from linking to known dangerous URLs that have been blacklisted by Google. If you link to these URLs, you may incur a search penalty or be blacklisted yourself. Note that this function is extremely fast, and even if your site has many thousands or tens of thousands of comments, this will execute very quickly, because it’s operating directly on your database and using an efficient algorithm.
Scan WordPress core, plugin, and theme options for known dangerous URLs and suspicious content
This scan checks for known malicious content and dangerous URLs stored in WordPress options that are used by WordPress core, plugins, or themes. Any results found could indicate a new compromise, but may also include remnants of old hacks, if a site has been cleaned or if a vulnerable plugin/theme has been removed.
Out of date, abandoned, and vulnerable plugins, themes, and WordPress versions
This simply alerts you via email if you are using any out-of-date themes or plugins. We strongly recommend you leave this enabled, because upgrading as soon as possible to new versions of WordPress core, or themes and plugins is the most effective way to keep your site secure.
Plugins and themes that have released a new version will appear as a “warning” in the scan results, while any plugins and themes with an update that fixes known vulnerabilities will appear as a “critical” item in the scan results.
Admin users created outside of WordPress
This scan checks for admin users that were created by an alternate method, such as through a vulnerable plugin, instead of through the WordPress Users page.
This scan will inspect user passwords and admin passwords to check if any of your users are using very common passwords. We perform an extended check on admin-level accounts, and a cursory check on user-level accounts.
Monitor disk space
If you are using a hosting provider, it is their responsibility to keep an eye on your server disk space, and if your provider is reliable, then you won’t run out. However, we do provide this option for users who are using Linode or another self-hosted service, and it’s an excellent way to get an email alert if your server is getting close to running out of space.
Unauthorized DNS changes
This scan will alert you to any changes to your website DNS. What that means is that if your website domain name is suddenly pointed to a different IP address, or if another more subtle change is made to your website DNS, we will alert you. We monitor this because it’s possible that a hacker can access your DNS administration system, e.g., by hacking into your GoDaddy account. They can then point your website to their own IP address and hijack your site. This check helps provide an early warning if your DNS changes.
Scan files outside your WordPress installation
This is a very powerful option that lets you broaden your Wordfence scan to also include files outside your WordPress installation.
A regular Wordfence scan looks at the following: wp-admin, wp-content, wp-includes, all subdirectories of the those directories – all files in your base WordPress directory. But when you enable this option, we scan all subdirectories of your WordPress installation, even if they aren’t part of WordPress. So if you have a directory that is a phpmyadmin installation or a Drupal installation, we will dive down into those directories looking for malicious code and infections, too.
You should note two caveats: First, enabling this may cause scans to take significantly longer, and in some cases they may never finish, because they consume too many resources on the server and are killed by the hosting company. Secondly, in rare cases, we see circular symbolink links, device directories and other files or directories that are not designed to be read as normal files or can lead Wordfence on a circular path and cause it to scan indefinitely. If you are having trouble with your scans taking too long or not finishing, make sure you disable this option.
In general, we recommend you leave this option disabled, unless you are trying to clean an already infected site, or we have suggested you turn this on for another reason.
Scan images, binary, and other files as if they were executable
We occasionally see malicious code hidden inside files that have an image extension. This is rare, but if you’re using Wordfence to clean a stubborn infection and suspect you may have image files that are actually PHP code, you can enable this option and it will help you find the malicious code.
Enable HIGH SENSITIVITY scanning (may give false positives)
This will enable several options internally in Wordfence that causes it to do a more thorough scan. It will cause Wordfence to scan file types like log files and backup files that it would normally ignore. Additionally, the scan will search for patterns that resemble, but may not always be, malicious code. Thus, with this scan option enabled, Wordfence will often give false positives. Readme.txt files and readme.md files will be skipped unless “high sensitivity” is enabled. Some plugin authors change these files to indicate their plugin is compatible with a new version of WordPress, or to make other changes, without releasing a new version of the plugin.
We recommend you normally leave this option off. However, if you are using Wordfence to clean a site and don’t mind seeing several false positives, then you can enable this, as it may help you find a stubborn infection.
Use low-resource scanning
Low-resource scanning spreads out the scan’s work over a longer period of time to help decrease the chance of high resource usage in a short period of time. This can be helpful on shared hosting providers that have lower resources available to your hosting account, or on lower VPS and dedicated hosting plans. This may make your scans take two to four times as long, but they will be less active while running. The amount of added time depends on your particular host, your Wordfence options, and the number of files scanned. This option is disabled by default.
Limit the number of issues sent in the scan results email
When scan results are sent to you by email at the end of a scan, this option limits the total number of issues that will be sent. The default limit should work well for most sites, but if cleaning an infected site or working on a site with a lot of users who have bad passwords reported in the scan results, you can raise this limit to ensure that all issues are sent, as long as the host has a high enough memory limit. On sites with a low memory limit, it might be necessary to lower this option to allow emails to be sent.
Time limit that a scan can run in seconds
You can set a limit for how long Wordfence scans will run on your site. Some options combined with a large number of files can make scans take a long time, especially on slower servers. If a scan runs out of time before it is finished, you will be notified and it will not resume automatically, but the next scheduled scan will still attempt to run. Changing some options to help the scans run within the limit is the best option, but the time limit can also be increased if necessary. Leaving this option blank will allow Wordfence to use the default limit, which is currently 3 hours. You can also set a lower limit to keep tighter control of resource usage. See the Scan time limit page for more details.
How much memory should Wordfence request when scanning
Most WordPress websites have a fixed amount of memory allocated by the hosting provider to perform the various functions that WordPress and its themes and plugins provide.
In some cases, a WordPress website has the ability to request an increase in the maximum allowed amount of memory by changing a PHP configuration setting while WordPress is executing. It does this by changing a php.ini configuration setting at runtime.
If your site is running out of memory while Wordfence is performing its various tasks and you would like to try to ask PHP to increase the maximum allowed memory when Wordfence executes, you can set the amount of memory you want to request here. On our own site, we have this set to ‘256’ without quotes, which will request 256 megabytes of memory when Wordfence executes.
Note that Wordfence won’t actually use that amount of memory, but setting this will ask PHP to increase the memory limit to whatever you specify so that in case Wordfence does use that amount of memory, PHP will only throw an error if the new maximum you have requested is reached.
On sites that have limited memory, this option does not always work to increase the memory limit. If you have tried to use this option and are still running out of memory, it is best to open a support ticket with your hosting provider to ask them for more memory.
Maximum execution time for each scan stage
Wordfence scans can take several minutes or longer on very large websites. Wordfence runs as a PHP application on your web server. Web servers are not always designed to run long-running processes like Wordfence. So we have designed Wordfence scans to run as a series of requests.
- The web server will connect to itself and kick off a new web request to start a scan.
- The scan will run for a few seconds and do some work.
- After an amount of time determined by this setting (Max execution time per scan stage) Wordfence will pause the scan, save the data and again cause the web server to reconnect to itself to kick off the next stage.
- The scan will make more progress and do more work.
- After an amount of time specified by this setting the web server will again pause the scan, save the data and connect back to itself to do the next stage.
- This series of loopbacks continues until the Wordfence scan is complete.
This setting controls how long a scan stage will run until it pauses, saves the scan data and causes the web server to connect back to itself to kick off the next stage.
If this value is not set, then Wordfence will use the max_execution_time in your PHP.ini configuration file divided by two. This ensures that Wordfence does not run longer than the allowed maximum by PHP.
If you are having trouble completing scans, then we suggest you try several different values. The value you specify here must be greater than 10 or Wordfence will use its own default values.
First try 30, save and do a scan. If the scan does not complete, then try 15, save and do a scan. If it still doesn’t complete then try 12. If you still don’t have any luck getting a scan to complete, then there may be another problem, or you may have to ask your hosting provider to increase the amount of time a web server process is allowed to execute.
The goal is to find a value that is long enough to allow Wordfence to do some work, but short enough so that it does not exceed the maximum allowed time that a web server process is allowed to execute.
Exclude files from scan that match these wildcard patterns
This lets you exclude certain file extensions from your scan. You can use this if Wordfence is getting stuck on large files that you know are not malicious, like certain kinds of backup files. You can use the full path to the file or use * to match any number of any characters. For example
/wp-content/uploads/image.jpg will only exclude the image.jpg file. If you instead enter
/wp-content/uploads/* all files in the upload folder will be excluded from scan.
Additional scan signatures
In this section you can add scan signatures. They will then be processed by the scanner during the malware checks. This is an advanced feature that can only be used efficiently if you are familiar with the structure and function of malware signatures. A regex should be entered without the pattern delimiter. If you are entering several, separate them with linefeed. As an example, if you are looking for any instance of X09jkF and X6p3Kn, you would enter: