Scan Results

How to interpret results from the Wordfence Scan.

Scan Results Actions

A number of different actions can be taken on each type of scan result. These are described below.

When using the actions to “repair” or “delete” a file, we recommend that you create a backup of the file first unless you are familiar with the file.


The “repair” action will only be available for modified WordPress core files and files belonging to plugins and themes available from the repository. Clicking the button to “repair” a file will replace it with an original copy of that file. Please note that if legitimate code customizations have been made to any files on your site, you will lose that custom functionality when you repair those files. For example, if legitimate code has been added to your theme’s functions.php file, this custom code will be lost if you repair this file.


Choosing to “ignore” a scan result means it will not appear in subsequent scans under “Results Found”. Ignored scan results instead appear under the “Ignored Results” tab.

Scan results for files have two further “ignore” actions available that apply as follows:

Ignore until file changes: This will cause the scan result to reappear in “Results Found” the next time the file changes. Use this action if you have added custom code to a file such as your theme’s functions.php file. It will then be ignored until further code modifications are detected.

Always ignore: This option will ignore the file permanently, regardless of any further file changes.


The “hide file” button will appear when a scan result shows that a publicly accessible configuration, backup, or log file is found. You can use this action to prevent the file from being publicly accessible. Note that some web server configurations may require this to be fixed manually; either by changing permissions on the file, or blocking access to it via a configuration file such as .htaccess. Please refer to the Publicly accessible config, backup, or log file found section below for more information on how to do this.


This option will expand the scan result and provide further information about the scan result. At the bottom of the details section there will be further actions as follows:


This will open a new browser tab allowing you to inspect the code in the file.


This allows you to delete the file. Be very cautious when deleting files. If you are not sure whether a file should be deleted, create a backup of the file first. Running a HIGH SENSITIVITY scan can generate false positive scan results, and you could potentially delete legitimate theme or plugin files.


This button will remove the scan result from the current list of scan results. Scan results that have been marked as fixed will reappear in subsequent scans. This action is useful when you have a long list of scan results. For example, you could “mark as fixed” all results for plugins that have an update available. This will tidy up the list and help you to concentrate on the other scan results that you want to investigate.


This action will only be available for WordPress core files and files belonging to themes and plugins that are available in the repository. It allows you to view the code that contains modifications and compare it to the code in the original copy of that file. File changes are color coded as follows:

  • Green – Code added to your modified version of the file will be highlighted in green.
  • Yellow – Code that has been changed in an existing section of code in your modified version of the file will be highlighted in yellow.
  • Red – Code that has been removed from your modified version of the file will be highlighted in red.


This action is only available in scan results that indicate an update is available for a theme or plugin in the repository. This button will take you to your WordPress admin Updates page so that you can view all available updates.


This action will be present when an installed theme or plugin appears to have been abandoned or has been removed from the repository. Please refer to the Plugin appears to be abandoned and Plugin has been removed from sections below for more information.

Scan results can require some interpretation, and you might need to take different actions depending on how you run your WordPress site. Below are details of some of the scan results.

File appears to be malicious

Wordfence detects known malicious files and files that have suspicious code. In most cases, you will want to repair or remove the file, but you should investigate the contents first.

Example scan result
File appears to be malicious: wp-content/uploads/footer.php
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "(example)". The infection type is: Example Infection.

If you don’t know what the file is, we recommend making a backup before you remove it, in case it was a false positive. Some plugins could create files containing code that appears similar to malicious files but is not actually malicious, especially backup plugins that produce an installer that you could use to restore the backup. We always recommend saving a backup copy of the file first, whether by making a full backup of the site, or by saving only the file and the location where it belongs, so you can replace it if necessary.

Option contains a suspected malware URL

Some attacks affect WordPress options or options from plugins and themes that are stored in the WordPress “options” table. This result indicates that an option contains a potentially malicious URL, which could be the result of an infection.

Example scan result
Option contains a suspected malware URL: td_011
This option contains a URL that is currently listed on Wordfence's domain blacklist. It may indicate your site is infected with malware.

To clean affected options, you will need to determine which plugin, theme, or core feature uses the option listed in the scan results.

The most likely case is an option with a name like “td_###” (any three digits) and a URL including “traffictrade”, which is related to an issue with the Newspaper theme and derived themes. These themes had a vulnerability in July/August 2017. To remove the affected code, go to the Newspaper theme’s menu, click the “Theme Panel” submenu, click the “Ads” tab, and go through the list of ad positions to find and remove the “traffictrade” scripts that do not belong. Be sure to also update the theme to the latest version and clean any additional affected files.

Also check WordPress’s Settings->General page. Two options may have been changed: the “Anyone can register” checkbox should be off if you don’t allow user registration on your site, and the “New User Default Role” should not be set to “Administrator”; the default is usually “Subscriber” on single-site WordPress installations.
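As an added example (not Wordfence’s code and not part of the original page), the checks above expressed as a small Python audit over rows shaped like the wp_options table. The option values, the blocked domain traffictrade.example and the stand-in domain list are constructed for the example; users_can_register and default_role are the real option names behind the Settings->General fields mentioned above. On a live site the rows would come from WP-CLI’s “wp option list” or a query against the options table.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rows shaped like (option_name, option_value) from wp_options.
# Values may be plain strings or PHP-serialized blobs; the regex works on the raw text.
SAMPLE_OPTIONS: List[Tuple[str, str]] = [
    ("td_011", 'a:1:{s:3:"ads";s:52:"<script src="http://traffictrade.example/js.js"></script>";}'),
    ("siteurl", "https://example.com"),
    ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:31:"Visit https://example.com/about";}}'),
    ("users_can_register", "1"),
    ("default_role", "administrator"),
]

# Constructed stand-in for Wordfence's domain blacklist (assumption for this example).
BLOCKED_DOMAINS = {"traffictrade.example"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*", re.IGNORECASE)
TD_OPTION_RE = re.compile(r"^td_\d{3}$")  # the "td_###" option naming pattern described above


def suspicious_urls(option_value: str) -> List[str]:
    """URLs inside an option value whose host is (or is under) a blocked domain."""
    hits = []
    for m in URL_RE.finditer(option_value):
        host = m.group(1).lower()
        if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
            hits.append(m.group(0))
    return hits


def audit_options(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Flag options carrying blocked URLs, td_### options carrying 'traffictrade',
    and registration settings that should be reviewed after a suspected infection."""
    findings: Dict[str, List[str]] = {"malware_url": [], "traffictrade": [], "registration": []}
    for name, value in rows:
        hits = suspicious_urls(value)
        if hits:
            findings["malware_url"].append(f"{name}: {', '.join(hits)}")
        if TD_OPTION_RE.match(name) and "traffictrade" in value.lower():
            findings["traffictrade"].append(name)
    opts = dict(rows)
    # "1" means the "Anyone can register" checkbox is on.
    if opts.get("users_can_register") == "1":
        findings["registration"].append("users_can_register is on: 'Anyone can register' should be off")
    if opts.get("default_role", "").lower() == "administrator":
        findings["registration"].append("default_role is administrator: expected subscriber")
    return findings


if __name__ == "__main__":
    for category, items in audit_options(SAMPLE_OPTIONS).items():
        for item in items:
            print(f"[{category}] {item}")
```

The URL regex is applied to the raw option text rather than to an unserialized structure, so it also catches URLs buried inside serialized widget or theme settings without needing a PHP unserializer.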

Plugin needs an upgrade

This scan result means that a plugin has an update available. There are two types of alerts for plugins with an update available: Medium and Critical alert. A plugin with an update available will generate a Medium alert. If the plugin also has unpatched security vulnerabilities, the scan result will be Critical.

Example Medium scan result
You need to upgrade "Plugin Name" to the newest version to ensure you have any security fixes the developer has released.

Example Critical scan result
Update includes security-related fixes.
You need to upgrade "Plugin Name" to the newest version to ensure you have any security fixes the developer has released.

Plugins with unpatched vulnerabilities should always be updated. If you are certain that the plugin is still safe, and the scan result doesn’t show unpatched security issues, you can continue to use it. Some small plugins may remain safe and may not need any compatibility changes for new WordPress versions. However, in most cases, we recommend that you consider updating all plugins, and this includes installed themes too.

Plugin appears to be abandoned

This scan result means that a plugin has not been updated in 2 years or more. This can be a problem, because it means that the plugin author has not made any changes for a long period of time. Sometimes that means it won’t be fully compatible with newer WordPress versions, reported bugs may not be fixed, and new security issues might not be addressed.

The scan result also shows if this plugin has a known security issue that has not been fixed. If that is the case, it is recommended that you remove the plugin as soon as possible, and replace it with a different plugin if you need the same functionality.

There are two types of alerts for abandoned plugins: Medium and Critical alert. An abandoned plugin will generate a Medium alert. If the plugin also has unpatched security vulnerabilities, the scan result will be Critical. Plugins that are abandoned should be evaluated in terms of what risk they may pose. Unless you know that the code in the plugin is safe, you should start looking for a replacement. Plugins with unpatched vulnerabilities should always be removed.

Example scan results
The Plugin "Plugin Name" appears to be abandoned (updated April 20, 2015, tested to WP 4.1.18).
It was last updated 2 years 2 months ago and tested up to WordPress 4.1.18. It may have compatibility problems with the current version of WordPress or unknown security issues.

If you are certain that the plugin is still safe, and the scan result doesn’t show unpatched security issues, you can continue to use it. Some small plugins may remain safe and may not need any compatibility changes for new WordPress versions. However, in most cases, we recommend that you consider replacing it with a plugin that is being actively maintained.

Plugin has been removed from WordPress.org

This means that a plugin is no longer available to install from WordPress.org. Plugins can be removed from WordPress.org for a variety of reasons, including that the author intentionally stopped its development or converted it to a “paid only” plugin. A plugin can also be removed if it violates WordPress.org’s terms of service or if it contains vulnerabilities. If it contains vulnerabilities, it may be restored to the repository within a few days. As a general recommendation, unless you are familiar with the code in the plugin, we suggest that plugins that have been removed from the repository are removed from your site.

Example scan result
Plugins can be removed from WordPress.org for various reasons. This can include benign issues like a plugin author discontinuing development or moving the plugin distribution to their own site, but some might also be due to security issues. In any case, future updates may or may not be available, so it is worth investigating the cause and deciding whether to temporarily or permanently replace or remove the plugin.

In most cases, we recommend removing the plugin and finding a similar plugin that is being actively maintained. Some hosts pre-install some plugins on all new WordPress sites, so if you have a plugin installed that you have never used, and it is no longer available on WordPress.org, it is best to remove it.

If the removal was at the plugin author’s request, we recommend following up with them on their site so that the plugin remains updated and supported. If updates will no longer be available on WordPress.org, you may need to install a new copy of the plugin from the author’s site.

Please note: There may also be rare cases where a plugin you have from another source shares a name with a WordPress.org plugin, so if you know that is the case, it would not be necessary to remove it.

Publicly accessible config, backup, or log file found

This result shows files that may contain sensitive information and that can be served by the web server. These may be backup copies of files, like a copy of wp-config.php under another name, log files, or configuration files.

Example scan result
Publicly accessible config, backup, or log file found: .user.ini is publicly accessible and may expose sensitive information about your site or allow administrative functions to be performed by anyone. Files such as this one are commonly checked for by both attackers and scanners such as WPScan and should be made inaccessible. Alternately, some can be removed if you are certain your site does not need them. Sites using the nginx web server may need manual configuration changes to protect such files.

If you know that the file is not needed by your site, you can simply remove the file. This is often the case with files like “wp-config.bak”, which may be a backup copy of your wp-config.php. Do not remove files like “.user.ini” that may be required for your site to work properly.

If in doubt, the scan result includes the option to “Hide this file in .htaccess”, which will add a section to your .htaccess file to prevent Apache from serving this file, if you leave the file in place. This is recommended for .user.ini and similar files. You can run another scan after making the change, to make sure your server correctly blocks public access.

If you need to manually add the .htaccess code, this should work for Apache 2.2 and 2.4:

<Files ".user.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

If your site uses the NGINX web server, then you or your host may need to configure NGINX to block access to the file, whether NGINX is set up as a reverse proxy in front of Apache or handles all requests directly. The method of blocking these files in NGINX varies depending on your current configuration, but one simple example is placing a “location” block like this in the same file as your other “location” blocks:

location ~ \.user\.ini$ {
    deny all;
}

Make sure to restart NGINX or reload its config after making any changes to its config files, and then check that the .user.ini file is no longer visible in a web browser.
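Added example (not Wordfence’s or the page’s own code): a Python helper that walks a web root for the kinds of files this scan result reports, emits the Apache and NGINX directives shown above for each distinct filename, and checks whether an existing .htaccess already denies a given file. The filename patterns and the demo web root it builds in a temporary directory are constructed for the example and are not Wordfence’s detection rules. Whether the running web server actually honours the directives still needs the browser check described above.

```python
import fnmatch
import os
import re
import tempfile
from typing import Iterable, List

# Filename patterns standing in for the config/backup/log files this scan result
# reports (an assumption for this example, not Wordfence's own rule set).
SENSITIVE_PATTERNS = [".user.ini", "php.ini", ".env", "*.bak", "*.log", "*.sql", "wp-config.php.*"]


def is_sensitive(name: str) -> bool:
    """True if a basename matches one of the sensitive-file patterns."""
    return any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_PATTERNS)


def find_sensitive_files(root: str) -> List[str]:
    """Walk a web root and return relative paths (with '/' separators) of matching files."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if is_sensitive(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def htaccess_block(names: Iterable[str]) -> str:
    """Apache 2.2/2.4 directives (the snippet above) for each distinct basename."""
    blocks = []
    for name in sorted(set(names)):
        blocks.append(
            f'<Files "{name}">\n'
            "    <IfModule mod_authz_core.c>\n"
            "        Require all denied\n"
            "    </IfModule>\n"
            "    <IfModule !mod_authz_core.c>\n"
            "        Order deny,allow\n"
            "        Deny from all\n"
            "    </IfModule>\n"
            "</Files>"
        )
    return "\n".join(blocks) + "\n"


def nginx_block(names: Iterable[str]) -> str:
    """One NGINX location block denying all of the given basenames."""
    alternatives = "|".join(re.escape(n) for n in sorted(set(names)))
    return f"location ~ /({alternatives})$ {{\n    deny all;\n}}\n"


def htaccess_protects(htaccess_text: str, name: str) -> bool:
    """Check an existing .htaccess for a <Files> block that denies this basename."""
    pattern = re.compile(
        r'<Files\s+"?' + re.escape(name) + r'"?\s*>(.*?)</Files>', re.IGNORECASE | re.DOTALL
    )
    for m in pattern.finditer(htaccess_text):
        if re.search(r"Require\s+all\s+denied|Deny\s+from\s+all", m.group(1), re.IGNORECASE):
            return True
    return False


def build_demo_webroot() -> str:
    """Constructed web root in a temp dir: two exposed files, a live wp-config.php, a debug log."""
    root = tempfile.mkdtemp()
    for rel in [".user.ini", "wp-config.php", "wp-config.bak", "wp-content/debug.log", "index.php"]:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    exposed = find_sensitive_files(root)
    print("Publicly accessible config, backup, or log file found:", exposed)
    basenames = [os.path.basename(p) for p in exposed]
    print(htaccess_block(basenames))
    print(nginx_block(basenames))
```

The .htaccess check is deliberately narrow: it only recognises a <Files> block for the exact basename with one of the two deny directives, so a rule written as <FilesMatch> or placed in the main server configuration would be reported as not protecting the file and deserves a manual look rather than a silent pass.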

Skipped Paths / 1 path was skipped for the malware scan due to default scan settings

By default, Wordfence scans only WordPress-related directories unless the option “Scan files outside your WordPress installation” is enabled. This scan result shows whether you have any additional directories that you might want to scan. You should not scan additional WordPress sites in the same hosting account that have their own Wordfence installation, but you or your host may have added other directories that could be useful to scan.

This scan result was first added in Wordfence 7.4.3 in early 2020, though the option to scan all directories had already existed.

Example scan result
2 paths were skipped for the malware scan due to default scan settings
The option "Scan files outside your WordPress installation" is off by default, which means 2 paths and their files will not be scanned for malware or unauthorized changes. To continue skipping these paths, you may ignore this issue. Or to start scanning them, enable the option and subsequent scans will include them. Some paths may not be necessary to scan, so this is optional.
The paths skipped are ~/.cache/ and ~/testing/.

First, you should decide whether the additional files should be scanned. In general, additional WordPress sites in a subdirectory of the main site should not be scanned if they have their own Wordfence installation, since they will run their own scans more efficiently. If you do not know what the additional directories contain, it is generally ok to scan them, but your scans may take longer, and in some cases there may be false positives. If you find suspicious files only after enabling this additional scan, be sure to confirm that they are malicious before removing them. The support team can help if you are unsure.

If you do not want to scan the listed directories, click the Ignore icon on the scan result, so it will not appear in future scans. You can remove it from the Ignored Results tab later, if you decide that you want to check for additional directories again.

If you would like to enable scanning the directories listed in the scan result, click the “GO TO OPTION” button and enable the option “Scan files outside your WordPress installation” on the Scan Options page. They will be included the next time a scan runs.

Lastly, if you want to scan only some of the directories that are found, you can enable the above option, and also add some paths to the “Exclude files from scan that match these wildcard patterns” field on the Scan Options page. For example, if you have a second site in the directory “another-site/” and it has its own Wordfence installation, you can enter “another-site/*” in the main site’s “Exclude files” field, to exclude that directory and all of its contents.

Unknown file in WordPress core

This scan checks your WordPress core files and notifies you about files that do not match the current version of WordPress that you have installed.

Example scan result
Unknown file in WordPress core: wp-includes/js/info.php
This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker.

If you already know about the listed file, you can click the link to ignore the file until it changes. If you don’t know what the file is, it may require some investigation to find out if your host has placed it there, or if it may have been created by your FTP application or OS, or if it is malicious.

Some “Managed WordPress” hosting plans do not allow you to change core files, and on some hosts, if a new version of WordPress no longer includes a particular file, it may be left in your site’s files after they update WordPress. In this case, it is generally safe to ignore the file, or you can contact the host if you believe it should be removed.

In a few cases, we have seen that a host’s support staff or a host’s control panel may place “php.ini” files in every subdirectory of WordPress’s core files. Typically, this is to change PHP settings throughout the site. Since this can generate a lot of scan results, we combine results for php.ini files into a single result with a note like “(22 more similar files were found.)”

  • If that occurs, we recommend checking the contents of some of these files to make sure they are safe. If you’re not sure if the files are safe, please reach out to our support staff, either in the free forums or the ticketing system for Premium users.
  • Assuming that they are safe, your host may have a better way to set the same PHP settings without adding additional files – depending on the server configuration, it is usually done through the PHPRC environment variable or by using .user.ini.
  • Alternatively, if you are sure they are safe, you can use the “ignore” option, to hide the result unless there are future changes.
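As an added example of the comparison behind this scan result (not Wordfence’s implementation), the following Python compares a site’s core locations against a manifest of relative path to MD5 checksum, reports modified, unknown and missing files, and collapses repeated basenames such as php.ini into one line the way the scan result described above does. The manifest and the demo site it builds in a temporary directory are constructed; a real manifest for your version and locale is available from the WordPress checksums API (https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US) and the same comparison is what WP-CLI’s “wp core verify-checksums” performs. Treating only top-level files, wp-admin/ and wp-includes/ as core locations, and skipping wp-config.php and .htaccess as site-specific files, are both assumptions of the example.

```python
import hashlib
import os
import tempfile
from collections import Counter
from typing import Dict, List

CORE_DIRS = ("wp-admin", "wp-includes")      # assumption: core lives here plus top-level files
SITE_FILES = {"wp-config.php", ".htaccess"}  # assumption: site-specific, never in the core manifest

INDEX_PHP = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"  # constructed file content


def md5_file(path: str) -> str:
    """MD5 of a file, read in chunks (the checksums API publishes MD5 hashes)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_core_location(rel: str) -> bool:
    """Top-level files and anything under the core directories; site files are skipped."""
    if "/" not in rel:
        return rel not in SITE_FILES
    return rel.split("/", 1)[0] in CORE_DIRS


def verify_core(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Return files that differ from, are absent from, or are expected by the manifest."""
    report: Dict[str, List[str]] = {"modified": [], "unknown": [], "missing": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not is_core_location(rel):
                continue
            seen.add(rel)
            if rel not in manifest:
                report["unknown"].append(rel)
            elif md5_file(full) != manifest[rel]:
                report["modified"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    for key in report:
        report[key].sort()
    return report


def summarize_unknown(unknown: List[str]) -> List[str]:
    """Collapse unknown files sharing a basename (e.g. php.ini in many directories) into one line."""
    by_name = Counter(os.path.basename(p) for p in unknown)
    lines, reported = [], set()
    for path in unknown:
        name = os.path.basename(path)
        if name in reported:
            continue
        reported.add(name)
        line = f"Unknown file in WordPress core: {path}"
        extra = by_name[name] - 1
        if extra:
            line += f" ({extra} more similar files were found.)"
        lines.append(line)
    return lines


def build_demo_site() -> str:
    """Constructed site in a temp dir: one tampered core file, a stray info.php,
    php.ini dropped into two core subdirectories, and an out-of-scope plugin file."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": INDEX_PHP,
        "wp-includes/version.php": b"<?php\n$wp_version = 'tampered';\n",
        "wp-includes/js/info.php": b"<?php phpinfo();\n",
        "wp-admin/php.ini": b"memory_limit = 256M\n",
        "wp-admin/includes/php.ini": b"memory_limit = 256M\n",
        "wp-content/plugins/demo/demo.php": b"<?php\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def demo_manifest() -> Dict[str, str]:
    """Constructed stand-in for the checksums API response for one version and locale."""
    return {
        "index.php": hashlib.md5(INDEX_PHP).hexdigest(),
        "wp-includes/version.php": "0" * 32,  # deliberately not the on-disk hash
        "wp-admin/index.php": "f" * 32,       # listed in the manifest, absent on disk
    }


if __name__ == "__main__":
    report = verify_core(build_demo_site(), demo_manifest())
    for kind in ("modified", "missing"):
        for path in report[kind]:
            print(f"{kind}: {path}")
    for line in summarize_unknown(report["unknown"]):
        print(line)
```

A modified core file and an unknown one call for different follow-up: a hash mismatch is resolved by comparing against the original and repairing, while an unknown file needs the provenance check described above (host, FTP client, leftover from an older version, or something added by an attacker) before it is removed.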

Web Application Firewall is disabled

If a file permissions issue or other server problem causes the firewall’s files to be unreadable, this scan will notify you about it. This scan was added in Wordfence 7.2.3 in early 2019, so you may see this result for an existing file-related issue that was not related to the upgrade.

Example scan result
Web Application Firewall is disabled
Status: Disabled
Details: Wordfence's Web Application Firewall has been unexpectedly disabled. If you see a notice at the top of the Wordfence admin pages that says "The Wordfence Web Application Firewall cannot run," click the link in that message to rebuild the configuration. If this does not work, you may need to fix file permissions.

The problem can generally be fixed by logging into your site and clicking the link in a WP admin notice about the same issue, to “rebuild” the configuration file. If the result still occurs after rebuilding the configuration and running another scan, you may need to fix permissions on the directory at “wp-content/wflogs/” and its contents. This scan result should be uncommon. If you see it more than once, your server may have an issue with locking files or general stability.

More details on handling issues with firewall files can be found here.

If your server has an unusual setup and you see this scan result even while the firewall is working normally, you can disable the scan option Monitor Web Application Firewall status on the Manage Scan page.

Frequently Asked Questions

  • Plugin “” needs an upgrade

    If you get an email from Wordfence that says The plugin “” needs an upgrade and lists a version number, don’t panic. One reason this can happen is if plugins are embedded in your theme. When plugins are embedded in a theme you often don’t get notified when those plugins have updates available. The easiest way to find out if this is the cause of your warning is to google the version number you received in the email and the theme name. Most often a theme developer has already released an update and if not, a forum post in their support area may help speed the process up.

    Contact us if you see this happening under any other circumstances than the ones described above.

  • ‘How does Wordfence get IPs’ setting is misconfigured

    When Wordfence detects that your site is behind a “reverse proxy”, you may need to adjust the option How does Wordfence get IPs on the Dashboard > Global Options page in the “General Wordfence Options” section, or by clicking the link in the admin notice that warns you about the issue. This includes the following message, followed by a recommendation:

    Your 'How does Wordfence get IPs' setting is misconfigured

    Solution: You can click the link in the message to apply the recommended setting, or you can adjust the setting manually.

    Additional Options
    If you do not want this scan to run, this can be disabled on the options page at Scan for misconfigured How does Wordfence get IPs. Wordfence also runs this check upon activation, to ensure that your settings are correct.

    For advanced users, there are two constants that can be set to control this feature. (See Wordfence constants for advanced configuration: WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS and WORDFENCE_CHECKHOWGETIPS_TIMEOUT.)

    If you have dismissed the admin notice about this option being misconfigured, it can reappear when a new version of Wordfence is installed, to be sure you are aware of the issue. If you do not want the admin notice to reappear, you can use the constant above to disable the notice permanently.