If your site has been hacked, or you think that it may have been hacked, then follow our site cleaning guide here.

General Options

Check if this website is on a domain blocklist

This option is available for Wordfence Premium users to check if your own site is listed on third-party domain blocklists/blacklists. Blocklisting can occur for various reasons, but this scan checks blocklists related to malicious content. This could be a sign of a compromise, or could also be caused by your site linking to sites that are known to be compromised, which would appear as additional scan results.

Check if this website is being “Spamvertised”

If your website has been hacked, spammers will often include a small script on your site that redirects any visitors who hit that script’s URL from your site to a malicious or pornographic website. The reason they do this is because the site they are redirecting to is a known bad site, and spam filters will block any emails containing links to their own site. So instead of emailing links to their own site, they will email out links to another site that is “clean” and which redirects to their bad site.

This is a common tactic they use to defeat spam filters. The problem is that developing a clean site and its reputation takes time. So what spammers do is hack your site and place a script on your site that does the redirection described above. The result is that links to your own website appear in thousands, or even hundreds of thousands, of spam emails.

For this reason, Wordfence offers an additional check to our Premium customers which checks if your website is being included in spam emails (Spamvertized). Checking if your site is being spamvertized is an important step in the early detection of an infection. If this comes up as positive, then it means that you are either currently infected with malware, or you were in the past. Another possible reason is that your own emails campaigns have been too aggressive or have tripped spam filters for another reason and your site has been listed as a URL that often appears in spam emails.

Checking if your site is being spamvertized using regular Wordfence Premium scans is an excellent way to preserve the integrity of your site and email reputation.

Check if this website IP is generating spam

It is important that your site’s own server IP address has not been blocklisted for sending spam or hosting malware. If your server IP address has been blocklisted, then any email originating from your site’s IP address will either disappear and not even reach an inbox or spam filter (be blackholed) or will land in your customer’s spam folders.

Your server IP can become blocklisted if you are on a shared hosting program and another website on your server is infected with malware or is engaging in malicious activity. This feature does a check to see if your IP address is clean or if it is listed as malicious. If you find that your IP address is listed as malicious, log a support call with your hosting provider to have your site moved to a different IP address or have them work to clean the IP address you are hosted on.

Scan for misconfigured How does Wordfence get IPs

This scan checks how Wordfence sees visitors’ IP addresses. If your server or domain is set up to use a “reverse proxy”, this helps Wordfence determine which HTTP Header contains the visitor’s IP address. We recommend keeping this scan enabled. The scan runs once per week and will show “Skipped” in the scan summary when it does not need to run.

Scan for publicly accessible configuration, backup, or log files

This scan will check for files containing sensitive information that could be accessed remotely, such as old WordPress settings in a file name “wp-config.old” for example. Preventing access to these files can keep your database password or other important information secure.

Scan for publicly accessible quarantined files

This scan will check for quarantined files that some hosts produce when they detect possible malware. Usually, these files end in “.suspected”, which can cause the web server to expose the contents of PHP files instead of running them as PHP code when a visitor tries to view them. If a sensitive file such as “wp-config.php” is renamed by the host to “wp-config.php.suspected”, this can expose your database password to the public.

Note that if the file is not hidden when you try to fix this result by clicking the link to hide the file, then this may be caused by having multiple levels of “.htaccess” files. You might need to add “RewriteOption Inherit” to your .htaccess file. Be sure to check any other sites you have in a parent directory or subdirectory of the same host since other “rewrites” can be inherited too.

In general, saving a backup of the file and removing it from the server is the recommended option.

Scan core files against repository version for changes

This scan checks if your core files match what exists in the official WordPress core repository. If your files have changed, then it is likely that you have either modified them yourself (which is highly unusual and not recommended), or your WordPress installation has been infected by malware that has modified your core files. If changes have occurred, Wordfence gives you the opportunity to see what those changes are by using the button to view the differences. We will show you a syntactically highlighted display of the differences between your core files and the official WordPress core files that are distributed by WordPress.org.

Note that this automatically detects which version of WordPress you are running, and will compare your core files to the appropriate version. This version detection and comparison with the correct version in the repository also applies to themes and plugins described below.

Scan theme files against repository versions for changes

As with the core file change detection above, this compares any themes that you have installed on your site with those in the official WordPress theme repository. Note that we automatically detect which theme version you are using and do the comparison with the correct version. This scan applies to all themes installed on your WordPress installation, not just the active theme.

Also, note that this scan does not apply to commercial themes or themes that are not in the official WordPress repository. If you do have any commercial themes on your system, we will still scan those for malware, malicious URLs, backdoors, and many other items, but we do not have the ability to see if your theme files have changed from the original files distributed by the vendor. Many sites customize their commercial theme anyway, so this check in many cases would be pointless because we would still detect those customizations as changes to the theme files.

Scan plugin files against repository versions for changes

As with the core file change detection above, this compares your plugins with what is in the official WordPress repository and will alert you to any changes. Most WordPress sites do not customize their plugins, and most plugins installed on a WordPress site are from the official repository, so this is an excellent way to verify the file integrity of your plugins.

Note that some developers do not follow the official guidelines that WordPress provides for plugin developers, and will modify a “tag” or a version of their plugin that has already been released by adding new code to an existing release. For example, by fixing a small bug or correcting a minor typographical error. WordPress also does not alert customers that there is new code and that they need to upgrade. The result is that this leaves customers with code on their sites that does not match what is in the repository and can be an occasional cause of false positives.

In cases like this Wordfence will alert you to the fact that the plugin code you have does not match what is in the repository. That is why we recommend you always use the feature that Wordfence provides to view changes in your plugin files before taking any action because it may just be a case of a developer who is not managing their code correctly.

In this case, you can simply ignore the plugin file that Wordfence flagged and send the developer a friendly note asking them to not check code into existing “tags” or releases. However, if you do see a plugin file that changed and you see long lines with lots of strange characters, it is likely that the plugin file has been infected by something.

Scan wp-admin and wp-includes for files not bundled with WordPress

The wp-admin and wp-includes directories should typically only include files that are a part of WordPress core, plus possibly some log files or PHP settings files, depending on your hosting company’s configuration and other settings. This scan shows files in wp-admin or wp-includes which are not a normal part of WordPress or other files that we recognize. Sometimes, files from an old version of WordPress may still exist in core folders, and they are generally safe to remove if that is the case.

As usual, be sure that you have a backup before deleting files, especially if you are not sure why they are there. Some plugins or themes may put files in core folders even though that is not a recommended practice, but attackers may place malicious files in these directories as well.

Some “Managed WordPress” hosting plans may prevent you from deleting any core files, including WordPress core files from old WordPress versions. If that is the case, you can ask your host to help remove or evaluate any files found by this scan that do not seem to belong in these locations in the current version of WordPress.

Scan for signatures of known malicious files

This scan will look at entire files and compare their hashes with a large database of known malicious files that we maintain.  This database is continually updated on a daily basis. If we detect a file that is known to be malicious, we will alert you.

Scan file contents for backdoors, Trojans and suspicious code

This scan option provides an excellent level of detection. Wordfence maintains a continually updated list of patterns that match common code and patterns that we see in malicious files. For any files that we do not recognize as known good files (like core files or known theme and plugin files) then we do a deep scan looking for these patterns. If we find a pattern, you will receive a critical alert telling you that we found something malicious in a file.

Some of the common patterns we look for include several techniques that are used by hackers to hide their malicious code, including encoding their code using base64, URL encoding, hex encoding, and others. We also look for patterns that indicate a file contains code that is downloading and executing something without the normal security patterns that you see in WordPress development.

Scan file contents for malicious URLs

Wordfence scans file contents for malicious URLs which may be used by attackers in various ways, such as downloading additional malicious files within malware, or they may be served to visitors in malware or spam campaigns.

Scan posts for known dangerous URLs and suspicious content

This scan goes through all of your site’s posts by directly accessing your database (rather than doing a site crawl, which is slower) and checks if they contain known dangerous URLs that are linked to phishing or hosting malware. It also checks for suspicious content that may have been generated by an infection or a hack.

With this scan option enabled, we always check all posts, rather than only new posts. We do this because the list of known dangerous URLs is constantly changing. A site that you are linking to in a specific post may be safe today, but tomorrow it might get infected with malware, in which case we would start flagging it. If that happened, you would need to remove the URL from your post or risk being blocklisted by Google.

This scan is extremely valuable in preserving your site’s reputation and avoiding a search penalty in Google. The links that appear in each of your posts are indexed by Google, and if you are linking to a site that is blocklisted by Google, then your site will likely fall in the search rankings and your own site may be blocklisted for acting as an intermediary in the distribution of malware. We strongly recommend that site owners enable this scan.

Scan comments for known dangerous URLs and suspicious content

This scans all your comments by directly accessing your database and scanning the comments table. It checks comments that are in a published state for known malicious URLs and other patterns that indicate an infection. As with the posts scan above, we do a full scan every time this scan is performed because the list of known dangerous URLs is constantly changing, so even if a comment has not changed, we need to re-verify that any URLs it contains are clean.

This is an important scan because it prevents your site from linking to known dangerous URLs that have been blocklisted by Google. If you link to these URLs, you may incur a search penalty or be blocklisted yourself. Note that this function is extremely fast, and even if your site has many thousands or tens of thousands of comments, this will execute very quickly, because it is operating directly on your database and using an efficient algorithm.

Scan WordPress core, plugin, and theme options for known dangerous URLs and suspicious content

This scan checks for known malicious content and dangerous URLs stored in WordPress options that are used by WordPress core, plugins, or themes. Any results found could indicate a new compromise, but may also include remnants of old hacks, if a site has been cleaned or if a vulnerable plugin/theme has been removed.

Out of date, abandoned, and vulnerable plugins, themes, and WordPress versions

This simply alerts you via email if you are using any outdated themes or plugins. We strongly recommend you leave this enabled, because upgrading as soon as possible to new versions of WordPress core, or themes and plugins is the most effective way to keep your site secure.

Plugins and themes that have released a new version will appear as a “warning” in the scan results, while any plugins and themes with an update that fixes known vulnerabilities will appear as a “critical” item in the scan results.

Admin users created outside of WordPress

This scan checks for admin users that were created by an alternate method, such as through a vulnerable plugin, instead of through the WordPress “Users” page.

Known passwords

This scan will inspect user passwords and administrator passwords to check if any of your users are using very common passwords. We perform an extended check on administrator accounts and a cursory check on lower-level accounts.

Monitor disk space

If you are using a hosting provider, it is their responsibility to monitor your server disk space. If your provider is reliable, then you should not run out of disk space. However, we do provide this option for users who are using Linode or another self-hosted service, and it is an excellent way to get an email alert if your server is getting close to running out of disk space.

Monitor Web Application Firewall status

This is a quick check that the firewall is running. If a file permissions issue or other server problem causes the firewall’s files to be unreadable, this scan will notify you about it.

Unauthorized DNS changes

This scan was discontinued in November 2019. The scan showed any changes to your site’s DNS records. As hosts and reverse proxy services have evolved, a change in DNS records for legitimate purposes is more common than it once was, and a DNS change alone is no longer a strong sign of malicious activity.

Scan files outside your WordPress installation

This is a very powerful option that lets you broaden your Wordfence scan to also include files outside your WordPress installation.

A regular Wordfence scan looks at the following: “wp-admin”, “wp-content”, “wp-includes”, all subdirectories of those directories, common directories at some hosts like “cgi-bin” and “.well-known”, and all files in your root WordPress directory. When you enable this option, we scan all subdirectories of your WordPress installation, even if they are not a part of WordPress. If you have a directory that is a “phpmyadmin” installation or a “Drupal” installation, we will also scan those directories looking for malicious code and infections.

You should note two caveats. Firstly, enabling this option may cause scans to take significantly longer on some sites and may not finish because they consume too many resources on the server and are killed by the hosting company. Secondly, in rare cases, we see circular symbolic links, device directories, and other files or directories that are not designed to be read as normal files which can lead Wordfence on a circular path and cause it to scan indefinitely. If you are having trouble with your scans taking too long or not finishing then you can disable this option.

Scan images, binary, and other files as if they were executable

We occasionally see malicious code hidden inside files that have an image extension or other extensions. This is rare, but if you are using Wordfence to clean a stubborn infection and suspect that you may have image or binary files that are actually PHP code, you can enable this option and it will help you find the malicious code.

Enable HIGH SENSITIVITY scanning (may give false positives)

This option has been removed as of Wordfence 7.3.6, due to improvements in the default scan. This option enabled searching for patterns that resemble, but may not always be, malicious code. Thus, with this scan option enabled, Wordfence would often give false positives that the site owner needed to investigate, and it was previously recommended to leave it disabled unless working on a difficult infection.

Performance Options

Use low-resource scanning

Low-resource scanning spreads out the scan’s work over a longer period of time to help decrease the chance of high resource usage in a short period of time. This can be helpful on shared hosting providers that have lower resources available to your hosting account, or on lower VPS and dedicated hosting plans. This may make your scan times two to four times longer, but they will be less active while running. The amount of added time depends on your particular host, your Wordfence options, and the number of files scanned. This option is disabled by default.

Limit the number of issues sent in the scan results email

When scan results are sent to you by email at the end of a scan, this option limits the total number of issues that will be sent. The default limit should work well for most sites, but if cleaning an infected site or working on a site with a lot of users who have bad passwords reported in the scan results, you can raise this limit to ensure that all issues are sent, as long as the host has a high enough memory limit. On sites with a low memory limit, it might be necessary to lower this option to allow emails to be sent.

Time limit that a scan can run in seconds

You can set a limit for how long Wordfence scans will run on your site. Some options combined with a large number of files can make scans take a long time, especially on slower servers. If a scan runs out of time before it completes then you will be notified and it will not resume automatically, but the next scheduled scan will still attempt to run. Changing some options to help the scans run within the limit is the best option, but the time limit can also be increased if necessary. Leaving this option blank will allow Wordfence to use the default limit, which is currently 3 hours. You can also set a lower limit to keep tighter control of resource usage.

How much memory should Wordfence request when scanning

Most WordPress sites have a fixed amount of memory allocated by the hosting provider to perform the various functions that WordPress, the theme and plugins provide.

In some cases, a WordPress site has the ability to request an increase in the maximum allowed amount of memory by changing a PHP configuration setting while WordPress is executing. It does this by changing a “php.ini” configuration setting at runtime.

If your site is running out of memory while Wordfence is performing its various tasks and you would like to try to ask PHP to increase the maximum allowed memory when Wordfence executes, you can set the amount of memory you want to request here. On our own site, we have this set to 256, which will request 256 megabytes of memory when Wordfence executes.

Note that Wordfence will not actually use that amount of memory, but setting this will ask PHP to increase the memory limit to whatever you specify so that in case Wordfence does use that amount of memory, PHP will only throw an error if the new maximum you have requested is reached.

On sites that have limited memory, this option does not always work to increase the memory limit. If you have tried to use this option and are still running out of memory, it is best to open a support ticket with your hosting provider to ask them for more memory.

Maximum execution time for each scan stage

Wordfence scans can take several minutes or longer on very large websites. Wordfence runs as a PHP application on your web server. Web servers are not always designed to run long-running processes like Wordfence. So we have designed Wordfence scans to run as a series of requests.

• The web server will connect to itself and generate a new web request to start a scan.
• The scan will run for a few seconds and do some work.
• After an amount of time specified by the setting “Maximum execution time for each scan stage”, Wordfence will pause the scan, save the data and again cause the web server to reconnect to itself to generate a new web request to resume the scan.
• The scan will make more progress and do more work.
• After an amount of time specified by the setting “Maximum execution time for each scan stage”, Wordfence will pause the scan, save the data and again cause the web server to reconnect to itself to generate a new web request to resume the scan.
• This series of loopbacks continues until the Wordfence scan is complete.

This setting controls how long a scan stage will run until it pauses, saves the scan data, and causes the web server to connect back to itself to resume the scan.

If this value is not set, then Wordfence will use the “max_execution_time” in your “php.ini” configuration file divided by two. This ensures that Wordfence does not run longer than the allowed maximum time set by PHP.

If you are having trouble completing scans, then we suggest you try several different values. The value you specify here must be 8 or greater, or Wordfence will use its own default values.

First try 30, save and do a scan. If the scan does not complete, then try 15, save and do a scan. If it still doesn’t complete then try 12. If you still cannot get a scan to complete then there may be another problem, or you may have to ask your hosting provider to increase the amount of time a web server process is allowed to execute.

The goal is to find a value that is long enough to allow Wordfence to do some work, but short enough so that it does not exceed the maximum allowed time that a web server process is allowed to execute.

Advanced Options

Exclude files from scan that match these wildcard patterns

This lets you exclude certain file extensions from your scan. You can use this if Wordfence is getting stuck on large files that you know are not malicious, like certain kinds of backup files. You can use the full path to the file or use * to match any number of any characters. For example wp-content/uploads/image.jpg will only exclude the “image.jpg” file. If you instead enter wp-content/uploads/* all files in the upload folder will be excluded from a scan.

Note that if your hosting provider modifies some core WordPress files for a specific reason, then you won’t be able to exclude these files using this option to prevent scan results for these file modifications.  If your host manages WordPress core files and they are not writable by your own user, you can disable the scan option “Scan core files against repository versions for changes“, or use the “Ignore” option on each scan result to ignore individual files.

Additional scan signatures

In this section you can add scan signatures. They will then be processed by the scanner during the malware checks. This is an advanced feature that can only be used efficiently if you are familiar with the structure and function of malware signatures. A regex should be entered without the pattern delimiter. If you are entering several then separate them on separate lines. As an example, if you are looking for any instance of “X09jkF” and “X6p3Kn” then you would enter:

X09jkF
X6p3Kn

Use only IPv4 to start scans

A site may try to connect to itself using IPv6 when using Cloudflare and possibly other services, which can cause timeouts during Wordfence scans if the host does not support outbound IPv6 connections. Enabling this option may help scans run consistently in this case. This option may have no effect on old PHP, cURL, or WordPress versions.

Maximum number of attempts to resume each scan stage

If your site has intermittent issues connecting back to itself, this can cause Wordfence’s scans to fail. This option will attempt to resume failed scans 2 times by default, but you can set the limit up to 5. You can also set the option to 0 to disable retries.

When this option is restarting scans, you may see messages like “Attempting to resume scan stage (2 attempt(s) remaining)” in the scan log.

This option depends on wp-cron. If your site uses the DISABLE_WP_CRON constant, be sure to run cron via another method. We recommend running cron jobs once per minute to avoid any cron jobs falling too far behind, or at least every 5 minutes if you do not want jobs running quite as often.