Security Blog
Posted By Gregory

Cerber Security Scanner for WordPress

The scanner is a complete solution for monitoring file changes and detecting and removing malicious code and viruses on a WordPress website.


To start scanning, click either the Start quick scan button or the Start full scan button. Do not close the browser window while the scan is in progress; you may open a new browser tab to do something else on the website. Once the scan has finished you can close the window: the results are stored in the database until the next scan.

Depending on server performance and the number of files, the Quick scan usually takes about 3-5 minutes and the Full scan up to about ten minutes.

During the scan, the plugin verifies plugins, themes and WordPress core by downloading checksum data from wordpress.org. If no integrity data is available for a plugin or a theme (for example, one not distributed through wordpress.org), you can upload its original source ZIP archive; the plugin uses it as the reference for detecting changes in files. You only need to do this once, after the first scan.

What’s the Quick Scan?

During the Quick Scan, the scanner verifies the integrity of, and inspects the code in, files with executable extensions only.

Well, what’s the Full scan?

During the Full Scan, the scanner verifies the integrity and examines the content of all files on the website.

Interpreting scan results

The scanner shows you a list of issues and the actions you can take for each. If the integrity of an object has been verified, you see a green Verified mark. If you see the “Integrity data not found” message, upload a reference ZIP archive by clicking “Resolve issue”. For any other issue, click the issue link for an explanation. To view the content of a file, click its name.

The scanner shows short file names; to view full file names with absolute paths, click the Show full paths link.

Dealing with suspicious files

The following states indicate a security issue with a file.

Content has been modified. The file has been altered: its checksum does not match the checksum of the original file. Reinstall the plugin or theme the file belongs to (for WordPress core files, reinstall the core as described below).

Suspicious code found. During the code inspection with heuristic analysis the code inspector found suspicious code signatures and instructions.

Unattended suspicious file. The scanner treats this file as “ownerless” because it does not belong to any known part of a plugin, a theme or WordPress core, and it should normally be deleted. It may be a leftover from upgrading WordPress or other software you have installed, or it may be a piece of unknown, obfuscated malware. In rare cases it is part of custom-made (bespoke) software.

Executable code found. The file contains executable code and may contain obfuscated malware. If the file is part of a theme or a plugin, it must be located in that theme's or plugin's folder.

If a file is marked as suspicious or malicious, you can safely open it to view its content. To view the content of a file, click its name.

Deleting files

Usually you can delete any suspicious or malicious file that has a checkbox in the leftmost cell of its row. Before deleting a file, click the issue link in its row to read the explanation. When you delete a file, the plugin does not erase it but moves it to a quarantine folder.

Restoring deleted files

If you delete an important file by mistake, you can restore it from the quarantine folder. The location of the folder is shown on the Tools / Diagnostic page. This folder is not accessible from the Internet.

To restore a deleted file, use the file manager in your hosting control panel. The original name and location of each deleted file is recorded in the .restore file in the quarantine folder. It is a plain text file, so you can open it in the file manager's viewer or any text editor.
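As an added example (my own code, not the plugin's), here is the quarantine-and-restore mechanism the two sections above describe, written in Python: a deleted file is moved to a quarantine folder kept beside the web root, renamed with a suffix no web server maps to PHP, and its original absolute path is recorded in a plain-text .restore file; restoring reverses the move and removes the entry. The tab-separated layout of .restore, the .quarantined suffix and the .htaccess rule are my assumptions, not Cerber's actual format. The sample backdoor file and the directory layout are constructed.

```python
"""Quarantine a suspicious file and restore it later (added example)."""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

RESTORE_FILE = ".restore"  # file name from the page; its layout below is an assumption


def _read_index(qdir: Path) -> list[tuple[str, str]]:
    """Parse .restore: one 'quarantined-name<TAB>original-absolute-path' per line (assumed layout)."""
    idx = qdir / RESTORE_FILE
    if not idx.exists():
        return []
    rows = []
    for line in idx.read_text(encoding="utf-8").splitlines():
        if "\t" in line:
            qname, original = line.split("\t", 1)
            rows.append((qname, original))
    return rows


def _write_index(qdir: Path, rows: list[tuple[str, str]]) -> None:
    (qdir / RESTORE_FILE).write_text("".join(f"{q}\t{o}\n" for q, o in rows), encoding="utf-8")


def quarantine(target: Path, qdir: Path) -> Path:
    """Move target into qdir under a unique, non-executable name and record where it came from."""
    original = str(target.resolve())  # resolve while the file still exists
    qdir.mkdir(parents=True, exist_ok=True)
    # Belt and braces: should the quarantine folder ever be served by Apache, deny all access.
    htaccess = qdir / ".htaccess"
    if not htaccess.exists():
        htaccess.write_text("Require all denied\n")
    rows = _read_index(qdir)
    n = 0
    while (qdir / f"{target.name}.{n}.quarantined").exists():  # avoid name collisions
        n += 1
    qname = f"{target.name}.{n}.quarantined"  # '.quarantined' is never mapped to a PHP handler
    shutil.move(str(target), str(qdir / qname))
    rows.append((qname, original))
    _write_index(qdir, rows)
    return qdir / qname


def restore(qdir: Path, original: Path) -> bool:
    """Move a quarantined file back to its recorded location. Returns False if it is not indexed."""
    rows = _read_index(qdir)
    wanted = str(original.resolve())
    for qname, orig in rows:
        if orig == wanted:
            original.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(qdir / qname), str(original))
            _write_index(qdir, [r for r in rows if r[0] != qname])
            return True
    return False


def demo() -> dict[str, bool]:
    """Constructed scenario: quarantine a dropped backdoor, then restore it."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "public_html"
        qdir = Path(tmp) / "cerber-quarantine"  # sibling of the web root, never under it
        target = webroot / "wp-content" / "uploads" / "x.php"
        target.parent.mkdir(parents=True)
        payload = "<?php eval($_POST['c']);"  # constructed sample backdoor
        target.write_text(payload)
        qpath = quarantine(target, qdir)
        removed = (not target.exists()) and qpath.exists()
        indexed = str(target.resolve()) in [o for _, o in _read_index(qdir)]
        restored = restore(qdir, target) and target.read_text() == payload
        index_empty = _read_index(qdir) == []
        return {"removed": removed, "indexed": indexed, "restored": restored, "index_empty": index_empty}


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {'ok' if ok else 'FAILED'}")
```

Keeping the quarantine folder outside the web root is what actually makes it unreachable from the Internet; the .htaccess rule and the non-PHP suffix only limit the damage if that assumption is ever broken.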

Troubleshooting

If the scanner window stops responding or updating, the scanning process on the server has probably hung. This can happen for many reasons. Try disabling scanning of the session directory or the temp directory (or both) on the Settings tab. Open the browser console (F12 key) and check it for CERBER ERROR messages.

The scanner requires the PHP cURL extension to be enabled. It usually is by default.

What does scanner scan?

Scan and verify all WordPress files

This scan checks whether the WordPress core files match those in the official WordPress core repository. If a file has been changed, it usually means your WordPress installation has been altered or infected by malware that modified one or more files. All changed files are listed and marked as Content has been modified. In this case you have to reinstall the core files: go to the Dashboard / Updates admin page and click the Re-install now button.

Scan and verify all plugins

As with the WordPress core file check above, the scanner compares your plugin files with those in the official WordPress repository and alerts you to any changes. Cerber Security Scanner verifies the integrity of plugins installed from the official repository on wordpress.org as well as commercial plugins installed manually.

Scan and verify all themes

As with the WordPress core file check above, the scanner compares your theme files with those in the official WordPress repository and alerts you to any changes. Cerber Security Scanner verifies the integrity of themes installed from the official repository on wordpress.org as well as themes installed manually.

Detect “not bundled” files

The scanner detects files in the WordPress, theme or plugin folders that are not a normal part of them. The scanner treats those files as “ownerless” or “not bundled” because they do not belong to any known part of the website and should not be there. These files are marked as Unattended suspicious file.

Some developers do not follow the official guidelines that WordPress provides for theme and plugin developers, so before deleting a suspicious file make sure it is not part of a poorly designed plugin.

Scan file contents for suspicious code

The scanner has a list of known malicious and suspicious code patterns (signatures) commonly used in malware. During the scan, it inspects the content of every file for the presence of these patterns.

Scan any files as if they were executable

The scanner looks for malicious code hidden inside files with non-executable extensions such as PNG or JPG. This is part of the Full Scan.
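An added example (my own code, not the scanner's signature list or implementation) of the two checks just described: matching file contents against a small constructed set of malware-style signatures, and flagging a PHP opening tag in a file whose extension the web server should never execute. The patterns, the extension set, the labels and the sample files are constructed for illustration; a real signature database is far larger and tuned against false positives.

```python
"""Signature scan plus 'executable code in a data file' check (added example)."""
from __future__ import annotations

import re

# Extensions a typical PHP host executes (constructed sample; depends on server config).
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "inc"}

# Opening tags that make a file executable if the server ever hands it to PHP.
PHP_OPEN = re.compile(rb"<\?php\b|<\?=|<script\s+language\s*=\s*['\"]?php", re.I)

# Constructed sample signatures: (label, pattern). Each targets a construct malware
# relies on far more often than legitimate plugin code does.
SIGNATURES = [
    ("eval of decoded or decompressed data",
     re.compile(rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I)),
    ("request data passed straight to an execution function",
     re.compile(rb"\b(?:eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("dynamic function call named by request data",
     re.compile(rb"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I)),
    ("preg_replace with the /e (eval) modifier",
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long hex-escaped string (obfuscation)",
     re.compile(rb"(?:\\x[0-9a-f]{2}){12,}", re.I)),
    ("long base64 blob (obfuscated payload)",
     re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")),
]


def file_extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_content(name: str, data: bytes) -> list[str]:
    """Return the findings for one file: matched signature labels, plus
    'Executable code found' when a non-executable extension carries a PHP tag."""
    findings = [label for label, pattern in SIGNATURES if pattern.search(data)]
    if file_extension(name) not in EXECUTABLE_EXTS and PHP_OPEN.search(data):
        findings.append("Executable code found")
    return findings


def summarize(findings: list[str]) -> str:
    """Map findings onto the states the scanner reports."""
    if "Executable code found" in findings:
        return "Executable code found"
    if findings:
        return "Suspicious code found"
    return "Clean"


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    return {name: inspect_content(name, data) for name, data in files.items()}


# Constructed sample files: two clean ones, two backdoors, and a JPEG with PHP appended.
SAMPLES = {
    "clean.php": b"<?php\nfunction mp_greet($n) { return 'Hello ' . esc_html($n); }\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "wp-cache.php": b"<?php @eval(base64_decode($_POST['p'])); ?>",
    "ctrl.php": b"<?php $_POST['f']($_POST['a']);",
    "image.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php system($_GET['cmd']); ?>",
}


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLES).items():
        print(f"{name:14} {summarize(findings):22} {findings}")
```

The file-extension test is what turns "image.jpg" from a harmless match into a finding in its own right: code in a data file has no legitimate reason to be there, whereas a signature hit in a .php file still needs a human to read the file (which is why the scanner lets you open it).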

Does integrity checker support commercial themes and plugins?

Absolutely. When you install a theme or a plugin, the scanner takes a snapshot of all files in the plugin or theme ZIP archive and uses it for integrity checking.
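Added example, my own code rather than Cerber's: the reference-manifest approach behind “Scan and verify all plugins”, “Detect “not bundled” files” and the ZIP-snapshot answer above. It builds a manifest from a (constructed) plugin ZIP, the way a snapshot of a manually installed commercial plugin would be taken, then walks the installed directory and assigns each file one of the states the scanner uses: Verified, Content has been modified, or Unattended suspicious file; files present in the manifest but missing from disk are reported as Missing. The hash algorithm (SHA-256), the plugin name and the file contents are my choices; for a wordpress.org plugin the manifest would be filled from the downloaded checksum data instead of a local ZIP.

```python
"""Verify an installed plugin directory against a reference manifest (added example)."""
from __future__ import annotations

import hashlib
import io
import os
import tempfile
import zipfile
from pathlib import Path


def manifest_from_zip(zip_bytes: bytes, strip_root: bool = True) -> dict[str, str]:
    """Snapshot a ZIP archive as {relative path: SHA-256 hex}.
    WordPress ZIPs wrap everything in one top-level folder (e.g. 'my-plugin/'),
    which is stripped so paths line up with the installed directory."""
    manifest: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = info.filename
            if strip_root and "/" in path:
                path = path.split("/", 1)[1]
            manifest[path] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Classify every file on disk, then report manifest entries that are absent."""
    result: dict[str, str] = {}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            seen.add(rel)
            if rel not in manifest:
                result[rel] = "Unattended suspicious file"   # nobody owns it
            elif sha256_file(full) != manifest[rel]:
                result[rel] = "Content has been modified"    # known file, wrong checksum
            else:
                result[rel] = "Verified"
    for rel in manifest:
        if rel not in seen:
            result[rel] = "Missing"
    return result


def build_sample_zip() -> bytes:
    """Constructed stand-in for a plugin ZIP as downloaded from the vendor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my-plugin/my-plugin.php", "<?php\n// Plugin Name: My Plugin\n")
        zf.writestr("my-plugin/inc/helpers.php", "<?php\nfunction mp_helper() {}\n")
        zf.writestr("my-plugin/readme.txt", "=== My Plugin ===\n")
    return buf.getvalue()


def demo() -> dict[str, str]:
    """Install the sample plugin, tamper with it the way an infection would, and verify."""
    zip_bytes = build_sample_zip()
    manifest = manifest_from_zip(zip_bytes)        # the snapshot taken at install time
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(tmp)
        root = Path(tmp) / "my-plugin"
        with open(root / "inc" / "helpers.php", "a") as f:   # backdoor appended to a bundled file
            f.write("eval($_POST['c']);\n")
        (root / "inc" / "x.php").write_text("<?php echo 'dropped';\n")  # file no component owns
        (root / "readme.txt").unlink()                        # a bundled file removed
        return verify_directory(root, manifest)


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(f"{state:28} {path}")
```

The snapshot must be taken from the archive, not from the directory after installation, otherwise a file dropped during a compromised install would be baked into the reference and reported as Verified forever.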

Does integrity checker recognize the version of a plugin or a theme?

Sure! The plugin automatically detects which version of WordPress you are running and performs the integrity check against the checksums for that version. The same version detection and comparison applies to themes and plugins.

I'm a team lead at Cerber Tech. I'm a software & database architect and a WordPress, PHP, SQL and JavaScript developer. I started coding in 1993 on an IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught myself to have high standards, and to use them in developing software solutions.
