Scan Results

How to interpret results from the Wordfence Scan.

Scan Results Actions

A number of different actions can be taken on each type of scan result. These are described below.

When using the actions to “repair” or “delete” a file, we recommend that you create a backup of the file first unless you are familiar with the file.

REPAIR

The “repair” action will only be available for modified WordPress core files and files belonging to plugins and themes available from the wordpress.org repository. Clicking the button to “repair” a file will replace it with an original copy of that file. Please note that if any legitimate code customization of a file on your site has been carried out, you will lose that custom functionality. For example, if legitimate code has been added to your theme’s functions.php file, this custom code will be lost if you repair the file.

IGNORE

Choosing to “ignore” a scan result means it will not appear in subsequent scans under “Results Found”. Ignored scan results instead appear under the “Ignored Results” tab.

Scan results for files have two further “ignore” actions available that apply as follows:

Ignore until file changes: This will cause the scan result to reappear in “Results Found” the next time the file changes. Use this action if you have added custom code to a file such as your theme’s functions.php file. It will then be ignored until further code modifications are detected.

Always ignore: This option will ignore the file permanently, regardless of any further file changes.

HIDE FILE

The “hide file” button will appear when a scan result shows that a publicly accessible configuration, backup, or log file is found. You can use this action to prevent the file from being publicly accessible. Note that some web server configurations may require this to be fixed manually; either by changing permissions on the file, or blocking access to it via a configuration file such as .htaccess. Please refer to the Publicly accessible config, backup, or log file found section below for more information on how to do this.

DETAILS

This option will expand the scan result and provide further information about the scan result. At the bottom of the details section there will be further actions as follows:

VIEW FILE

This will open a new browser tab allowing you to inspect the code in the file.

DELETE FILE

This allows you to delete the file. Be very cautious of deleting files. If you are not sure whether a file should be deleted then create a backup of the file first. Running a HIGH SENSITIVITY scan can generate false positive scan results and you could potentially delete legitimate theme or plugin files.

MARK AS FIXED

This button will remove the scan result from the current list of scan results. Scan results that have been marked as fixed will reappear in subsequent scans. This action is useful when you have a long list of scan results. For example, you could “mark as fixed” all results for plugins that have an update available. This will tidy up the list and help you to concentrate on the other scan results that you want to investigate.

VIEW DIFFERENCES

This action will only be available for WordPress core files and files belonging to themes and plugins that are available in the wordpress.org repository. It allows you to view the code that contains modifications and compare it to the code in the original copy of that file. File changes are color coded as follows:

  • Green – Code added to your modified version of the file will be highlighted in green.
  • Yellow – Code that has been changed in an existing section of code in your modified version of the file will be highlighted in yellow.
  • Red – Code that has been removed from your modified version of the file will be highlighted in red.

VIEW UPDATES

This action is only available in scan results that indicate an update is available for a theme or plugin in the wordpress.org repository. This button will take you to your WordPress admin Updates page so that you can view all available updates.

MANAGE PLUGINS

This action will be present when an installed theme or plugin appears to have been abandoned or has been removed from the wordpress.org repository. Please refer to the Plugin appears to be abandoned and Plugin has been removed from WordPress.org sections below for more information.

Scan results can require some interpretation, and you might need to take different actions depending on how you run your WordPress site. Below are details of some of the scan results.

File appears to be malicious

Wordfence detects known malicious files and files that have suspicious code. In most cases, you will want to repair or remove the file, but you should investigate the contents first.

Example scan result
File appears to be malicious: wp-content/uploads/footer.php
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "(example)". The infection type is: Example Infection.

Resolution
If you don’t know what the file is, we recommend making a backup before you remove it, in case it was a false positive. Some plugins could create files containing code that appears similar to malicious files but is not actually malicious, especially backup plugins that produce an installer that you could use to restore the backup. We always recommend saving a backup copy of the file first, whether by making a full backup of the site, or by saving only the file and the location where it belongs, so you can replace it if necessary.

Option contains a suspected malware URL

Some attacks affect WordPress options or options from plugins and themes that are stored in the WordPress “options” table. This result indicates that an option contains a potentially malicious URL, which could be the result of an infection.

Example scan result
Option contains a suspected malware URL: td_011
This option contains a URL that is currently listed on Wordfence's domain blacklist. It may indicate your site is infected with malware.

Resolution
To clean affected options, you will need to determine which plugin, theme, or core feature uses the option listed in the scan results.

The most likely case is an option with a name like “td_###” (any three digits) and a URL including “traffictrade”, which is related to an issue with the Newspaper theme and derived themes. These themes had a vulnerability in July/August 2017. To remove the affected code, go to the Newspaper theme’s menu, click the “Theme Panel” submenu, click the “Ads” tab, and go through the list of ad positions to find and remove the “traffictrade” scripts that do not belong. Be sure to also update the theme to the latest version and clean any additional affected files.

Also check WordPress’s Settings->General page. Two options may have been changed: the “Anyone can register” checkbox should be off if you don’t allow user registration on your site, and the “New User Default Role” should not be set to “Administrator,” where the default is usually “Subscriber” on single-site WordPress installations.
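Tracking down which option holds the flagged URL is quicker from a dump of the options table than from the admin screens. The shell script below is an added example, not Wordfence’s code: it reads tab-separated option_name/option_value pairs from standard input, reports every option whose value contains a host on a blocklist, and separately flags the two registration settings mentioned above. `traffictrade` is the host named in this section; the table prefix `wp_`, the host `evil.example` and the sample rows are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Wordfence's code. Searches a tab-separated dump of the
# WordPress options table for values that reference a blocklisted host, and
# flags the two Settings -> General options discussed above.
#
# Expected input (stdin): one option per line, "option_name<TAB>option_value".
# `mysql --batch --skip-column-names -e "SELECT option_name, option_value
# FROM wp_options" DBNAME` produces exactly this and escapes embedded tabs and
# newlines, so serialized values stay on one line. The prefix wp_ is an assumption.

# Hosts to search for. "traffictrade" is the host named in this section;
# "evil.example" is a constructed placeholder for your own blocklist entries.
BLOCKLIST="traffictrade evil.example"

# Constructed sample rows so the script can be exercised offline.
SAMPLE_OPTIONS=$(printf 'td_011\t<script src="https://cdn.traffictrade.example/a.js"></script>\nsiteurl\thttps://example.com\nusers_can_register\t1\ndefault_role\tadministrator')

# find_suspect_options < dump -> prints option_name for each value containing
# a blocklisted host (case-insensitive substring match; tune the list to taste).
find_suspect_options() {
    awk -F'\t' -v list="$BLOCKLIST" '
        BEGIN { n = split(list, hosts, " ") }
        {
            val = tolower($2)
            for (i = 1; i <= n; i++)
                if (index(val, hosts[i]) > 0) { print $1; break }
        }'
}

# check_registration_settings < dump -> one WARN line per risky value.
# users_can_register = 1 means "Anyone can register" is ticked; default_role
# should normally be "subscriber", never "administrator".
check_registration_settings() {
    awk -F'\t' '
        $1 == "users_can_register" && $2 == "1" { print "WARN users_can_register is enabled" }
        $1 == "default_role" && tolower($2) == "administrator" { print "WARN default_role is administrator" }
    '
}

# demo -> runs both checks over the constructed sample rows.
demo() {
    printf '%s\n' "$SAMPLE_OPTIONS" | find_suspect_options
    printf '%s\n' "$SAMPLE_OPTIONS" | check_registration_settings
}
```

Against a real dump, `mysql --batch --skip-column-names -e "SELECT option_name, option_value FROM wp_options" DBNAME | find_suspect_options` prints the option names to inspect; for the `td_###` case the value is then cleaned through the theme’s Ads panel as described above rather than by editing the row directly, so the theme does not overwrite your change.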

Plugin appears to be abandoned

This scan result means that a plugin has not been updated in 2 years or more. This can be a problem, because it means that the plugin author has not made any changes for a long period of time. Sometimes that means it won’t be fully compatible with newer WordPress versions, reported bugs may not be fixed, and new security issues might not be addressed.

The scan result also shows if this plugin has a known security issue that has not been fixed. If that is the case, it is recommended that you remove the plugin as soon as possible, and replace it with a different plugin if you need the same functionality.

There are two types of alerts for abandoned plugins: warning and critical warning. An abandoned plugin will generate a warning. If the plugin also has unpatched security vulnerabilities, the scan result will be critical. Plugins that are abandoned should be evaluated in terms of what risk they may pose. Unless you know that the code in the plugin is safe, you should start looking for a replacement. Plugins with unpatched vulnerabilities should always be removed.

Example scan results
The Plugin "Plugin Name" appears to be abandoned (updated April 20, 2015, tested to WP 4.1.18).
It was last updated 2 years 2 months ago and tested up to WordPress 4.1.18. It may have compatibility problems with the current version of WordPress or unknown security issues.

Resolution
If you are certain that the plugin is still safe, and the scan result doesn’t show unpatched security issues, you can continue to use it. Some small plugins may remain safe and may not need any compatibility changes for new WordPress versions. However, in most cases, we recommend that you consider replacing it with a plugin that is being actively maintained.

Plugin has been removed from WordPress.org

This means that a plugin is no longer available to install from WordPress.org. Plugins can be removed from WordPress.org for a variety of reasons, including that the author intentionally stopped its development or converted it to a “paid only” plugin. A plugin can also be removed if it violates WordPress.org’s terms of service or if it contains vulnerabilities. If it contains vulnerabilities, it may be restored to the repository within a few days once they are fixed. As a general recommendation, unless you are familiar with the code in the plugin, we suggest that plugins that have been removed from the WordPress.org repository are removed from your site.

Example scan result
The Plugin "Plugin Name" has been removed from wordpress.org.
It may have compatibility problems with the current version of WordPress or unknown security issues.

Resolution
In most cases, we recommend removing the plugin and finding a similar plugin that is being actively maintained. Some hosts pre-install some plugins on all new WordPress sites, so if you have a plugin installed that you have never used, and it is no longer available on WordPress.org, it is best to remove it.

There may also be rare cases where a plugin you have from another source shares a name with a WordPress.org plugin, so if you know that is the case, it would not be necessary to remove it.

Publicly accessible config, backup, or log file found

This result shows files that may contain sensitive information and that the web server is willing to serve. These may be backup copies of files, such as a copy of wp-config.php under another name, log files, or configuration files.

Example scan result
Publicly accessible config, backup, or log file found: .user.ini
http://example.com/.user.ini is publicly accessible and may expose sensitive information about your site or allow administrative functions to be performed by anyone. Files such as this one are commonly checked for by both attackers and scanners such as WPScan and should be made inaccessible. Alternately, some can be removed if you are certain your site does not need them. Sites using the nginx web server may need manual configuration changes to protect such files.

Resolution
If you know that the file is not needed by your site, you can simply remove the file. This is often the case with files like “wp-config.bak”, which may be a backup copy of your wp-config.php. Do not remove files like “.user.ini” that may be required for your site to work properly.

If in doubt, the scan result includes the option to “Hide this file in .htaccess”, which will add a section to your .htaccess file to prevent Apache from serving this file, if you leave the file in place. This is recommended for .user.ini and similar files. You can run another scan after making the change, to make sure your server correctly blocks public access.

If you need to add the .htaccess rule manually, this should work for Apache 2.2 and 2.4 (the 2.4 syntax is used when mod_authz_core is loaded, the 2.2 syntax otherwise):

<Files ".user.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

If your site uses the NGINX web server, then you or your host may need to configure NGINX to block access to the file, whether NGINX is set up as a reverse proxy in front of Apache or handles all requests directly. If NGINX serves static files itself rather than passing every request to Apache, the .htaccess rule is never consulted for those files. The method of blocking these files in NGINX varies depending on your current configuration, but one simple example is placing a “location” block like this, in the same file as your other “location” blocks:

location ~ \.user\.ini$ {
    deny all;
}

This pattern only covers .user.ini; other files reported by the scan need their own pattern or a broader one.

Make sure to restart NGINX or reload its config after making any changes to its config files, and then check that the .user.ini file is no longer visible in a web browser.
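Whichever server you use, the change only counts once a request from outside actually fails. The shell script below is an added example, not Wordfence’s code: it asks the server for the HTTP status of .user.ini and a handful of other commonly probed filenames and classifies each as still exposed, blocked, or redirected. The path list is an assumption to extend with whatever your scan reported, the site URL is a placeholder, and curl is required.

```shell
#!/bin/sh
# Added example, not Wordfence's code: after blocking a file in .htaccess or
# nginx, confirm from outside that the web server no longer serves it.
# Usage: check_exposed_files https://example.com   (the URL is a placeholder)
# Requires curl. Only the HTTP status is fetched; response bodies are discarded.

# Filenames that commonly leak configuration or credentials when served.
# .user.ini is the case from the text above; the rest are an assumed list of
# common examples. Add whatever the scan reported for your site.
SENSITIVE_PATHS=".user.ini .htaccess wp-config.php.bak wp-config.bak wp-config.php~ wp-config.php.save debug.log wp-content/debug.log error_log"

# classify_status CODE -> EXPOSED / BLOCKED / REDIRECT / OTHER
# 200 means the file was served (still exposed); 401/403/404 mean the server
# refused or hid it; a redirect must be inspected manually because some hosts
# redirect blocked paths to the home page or a login form instead of failing;
# anything else (including 000 for a connection failure) needs a second look.
classify_status() {
    case "$1" in
        200) echo EXPOSED ;;
        401|403|404) echo BLOCKED ;;
        301|302|307|308) echo REDIRECT ;;
        *) echo OTHER ;;
    esac
}

# check_exposed_files BASE_URL -> one line per path: "<verdict> <code> <url>"
# Returns 1 if anything is still exposed so the check can gate a deploy script.
check_exposed_files() {
    base="${1%/}"
    rc=0
    for p in $SENSITIVE_PATHS; do
        url="$base/$p"
        # -w prints only the status; curl reports 000 when it cannot connect.
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url") || code=000
        verdict=$(classify_status "$code")
        printf '%s %s %s\n' "$verdict" "$code" "$url"
        [ "$verdict" = EXPOSED ] && rc=1
    done
    return $rc
}
```

Run `check_exposed_files https://example.com` after reloading the server; a 200 means the file is still served. A redirect is not a pass: fetch the redirect target and confirm the file’s contents are not in the response. Because the function exits non-zero when anything is exposed, it can be run from a deployment script to fail the deployment.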

Unknown file in WordPress core

This scan checks your WordPress core files and notifies you about files that do not match the current version of WordPress that you have installed.

Example scan result
Unknown file in WordPress core: wp-includes/js/info.php
This file is in a WordPress core location but is not distributed with this version of WordPress. This is usually due to it being left over from a previous WordPress update, but it may also have been added by a plugin, or it may be a malicious file added by an attacker.

Resolution
If you already know about the listed file, you can click the link to ignore the file until it changes. If you don’t know what the file is, it may require some investigation to find out if your host has placed it there, or if it may have been created by your FTP application or OS, or if it is malicious.

Some “Managed WordPress” hosting plans do not allow you to change core files, and on some hosts, if a new version of WordPress no longer includes a particular file, it may be left in your site’s files after they update WordPress. In this case, it is generally safe to ignore the file, or you can contact the host if you believe it should be removed.

In a few cases, we have seen that a host’s support staff or a host’s control panel may place “php.ini” files in every subdirectory of WordPress’s core files. Typically, this is to change PHP settings throughout the site.

  • If that occurs, we recommend checking the contents of some of these files to make sure they are safe. If you’re not sure if the files are safe, please reach out to our support staff, either in the free forums or the ticketing system for Premium users.
  • Assuming that they are safe, your host may have a better way to set the same PHP settings without adding additional files – depending on the server configuration, it is usually done through the PHPRC environment variable or by using .user.ini.
  • Alternatively, if you are sure they are safe, you can use the “ignore all new issues” link at the top of the scan results list to ignore all of these files. You may need to resolve other scan results that you do not want to ignore first.
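To see for yourself which files in wp-admin and wp-includes a release never shipped, compare the site against a pristine unpack of the same WordPress version. The shell script below is an added example, not Wordfence’s code; both directory paths are assumptions, wp-content is skipped because its contents are site-specific rather than core, and the files it creates in `demo` are constructed fixtures.

```shell
#!/bin/sh
# Added example, not Wordfence's code: list files under the WordPress core
# directories that are not part of a pristine copy of the same release, which
# is what the "Unknown file in WordPress core" result reports, and files that
# exist in both but differ, which is what "View Differences" shows.
# Usage: unknown_core_files /tmp/wordpress /var/www/html
#   where /tmp/wordpress is the matching wordpress-X.Y.Z archive unpacked
#   outside the web root (both paths are assumptions).

# Only the two core directories are compared. The site root is skipped on
# purpose: it legitimately holds wp-config.php, .htaccess and similar files
# that the release archive does not contain, and wp-content is not core.
CORE_DIRS="wp-admin wp-includes"

# list_core_files ROOT -> relative paths of files under ROOT's core directories,
# sorted in C locale so they can be fed to comm(1).
list_core_files() {
    root="${1%/}"
    (
        cd "$root" || exit 1
        find $CORE_DIRS -type f 2>/dev/null || true
    ) | LC_ALL=C sort
}

# unknown_core_files PRISTINE SITE -> paths present in SITE but absent from PRISTINE
unknown_core_files() {
    pristine=$(mktemp); site=$(mktemp)
    list_core_files "$1" > "$pristine"
    list_core_files "$2" > "$site"
    LC_ALL=C comm -13 "$pristine" "$site"   # lines only in the second file
    rm -f "$pristine" "$site"
}

# modified_core_files PRISTINE SITE -> paths present in both whose bytes differ
modified_core_files() {
    list_core_files "$1" | while IFS= read -r f; do
        [ -f "$2/$f" ] || continue
        cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
    done
}

# demo -> builds a constructed pristine/site pair in temp dirs and prints:
#   UNKNOWN  <path>  for files only the site has
#   MODIFIED <path>  for shared files whose contents differ
demo() {
    p=$(mktemp -d); s=$(mktemp -d)
    mkdir -p "$p/wp-admin" "$p/wp-includes/js" "$s/wp-admin" "$s/wp-includes/js"
    printf 'jquery\n'   > "$p/wp-includes/js/jquery.js"
    printf 'jquery\n'   > "$s/wp-includes/js/jquery.js"   # identical: not reported
    printf 'index\n'    > "$p/wp-admin/index.php"
    printf 'tampered\n' > "$s/wp-admin/index.php"         # shared file, different bytes
    printf 'dropper\n'  > "$s/wp-includes/js/info.php"    # file the release never shipped
    unknown_core_files "$p" "$s" | sed 's/^/UNKNOWN  /'
    modified_core_files "$p" "$s" | sed 's/^/MODIFIED /'
    rm -rf "$p" "$s"
}
```

`unknown_core_files /tmp/wordpress /var/www/html` lists candidates such as the wp-includes/js/info.php in the example above, including leftovers from older releases and host-placed php.ini files, so each hit still needs the investigation described in this section before it is deleted. WP-CLI’s `wp core verify-checksums` performs a comparable comparison against the checksums published by wordpress.org.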

Frequently Asked Questions

  • Plugin “” needs an upgrade

    If you get an email from Wordfence that says The plugin “” needs an upgrade and lists a version number, don’t panic. One reason this can happen is if plugins are embedded in your theme. When plugins are embedded in a theme you often don’t get notified when those plugins have updates available. The easiest way to find out if this is the cause of your warning is to google the version number you received in the email and the theme name. Most often a theme developer has already released an update and if not, a forum post in their support area may help speed the process up.

    Contact us if you see this happening under any other circumstances than the ones described above.

  • ‘How does Wordfence get IPs’ setting is misconfigured

    When Wordfence detects that your site is behind a “reverse proxy”, you may need to adjust the option How does Wordfence get IPs on the Dashboard > Global Options page in the “General Wordfence Options” section, or by clicking the link in the admin notice that warns you about the issue. This includes the following message, followed by a recommendation:

    Your 'How does Wordfence get IPs' setting is misconfigured

    Solution: You can click the link in the message to apply the recommended setting, or you can adjust the setting manually.

    Additional Options
    If you do not want this scan to run, this can be disabled on the options page at Scan for misconfigured How does Wordfence get IPs. Wordfence also runs this check upon activation, to ensure that your settings are correct.

    For advanced users, there are two constants that can be set to control this feature. (See Wordfence constants for advanced configuration: WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS and WORDFENCE_CHECKHOWGETIPS_TIMEOUT.)

    If you have dismissed the admin notice about this option being misconfigured, it can reappear when a new version of Wordfence is installed, to be sure you are aware of the issue. If you do not want the admin notice to reappear, you can use the constant above to disable the notice permanently.