Security Blog
Posted By Gregory

Cerber Security Scanner for WordPress

The scanner is a complete solution to monitor file changes, verify the integrity of WordPress, plugins, and themes, and to remove malicious code and viruses from a WordPress powered website.


To start scanning, click either the Start Quick Scan button or the Start Full Scan button. Do not close the browser window while the scan is in progress. You may just open a new browser tab to do something else on the website. Once the scan is finished, you can close the window; the results are stored in the DB until the next scan.

Depending on server performance and the number of files, the Quick scan may take about 3-5 minutes and the Full scan can take about ten minutes or less.

During the scan, the plugin verifies plugins, themes, and WordPress by trying to retrieve checksum data from wordpress.org. If the integrity data is not available, you can upload an appropriate source ZIP archive for a plugin or a theme. The plugin will use it to detect changes in files. You need to do it once, after the first scan.

What’s the Quick Scan?

During the Quick Scan, the scanner verifies the integrity and inspects the code of all files with executable extensions only.

Well, what’s the Full scan?

During the Full Scan, the scanner verifies the integrity and inspects the content of all files on the website. All media files are scanned for malicious payload.

Interpreting scan results

The scanner shows you a list of issues and possible actions you can take. If the integrity of an object has been verified, you see a green mark Verified. If you see the “Integrity data not found” message, you need to upload a reference ZIP archive by clicking “Resolve issue”. For all other issues, click on an appropriate issue link. To view the content of a file, click on its name.

The scanner shows you short file names. To view full file names with absolute paths, click the icon in the bottom right corner.

Dealing with suspicious files

The following states indicate a security issue with a file.

Checksum mismatch. The contents of the file have been changed and do not match what exists in the official WordPress repository or a reference file you’ve uploaded earlier. The file may have been infected by malware or tampered with.

Suspicious code found. During the code inspection with heuristic analysis the scanner found suspicious code signatures and/or code instructions.

Potentially malicious code found. Most likely this file contains malware because detected code signatures should not be in a file of this type.

Unattended suspicious file. The scanner recognized this file as “ownerless” because it does not belong to any known part of a plugin, a theme or WordPress and should be deleted. It may remain after upgrading to a newer version of WordPress or some software you have. It also may be a piece of unknown obfuscated malware. In some rare cases it might be a part of custom-made (bespoke) software.

Content has been modified. This happens when a file has been altered and the checksum of the file doesn’t match the checksum of the original file. You need to reinstall an appropriate plugin or theme.

Executable code found. A file contains executable code and may contain obfuscated malware. If this file is a part of a theme or a plugin, it must be located in the theme or the plugin folder.

If a file is marked as suspicious or malicious, you can open it safely to view the content of the file. To view the content of a file, click on its name.
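The comparison behind the “Checksum mismatch” and “Unattended suspicious file” states, shown as an added example rather than Cerber's own code: it builds a manifest from a reference ZIP and checks an install folder against it. The function names, the SHA-256 choice, the single top-level folder in the archive, and the “Missing file” label are assumptions of this example.

```python
import hashlib
import io
import os
import tempfile
import zipfile

def reference_manifest(zip_bytes):
    """Map each file in a reference ZIP to its SHA-256, dropping the top-level folder."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                rel = info.filename.split("/", 1)[-1]  # assumes "slug/..." layout
                manifest[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest

def verify_install(install_dir, manifest):
    """Return {relative path: state} for each file that fails verification."""
    issues, seen = {}, set()
    for folder, _dirs, files in os.walk(install_dir):  # symlinked dirs are not followed
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, install_dir).replace(os.sep, "/")
            seen.add(rel)
            # Files absent from the reference, and symlinks, belong to nothing known.
            if rel not in manifest or os.path.islink(full):
                issues[rel] = "Unattended suspicious file"
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if digest != manifest[rel]:
                issues[rel] = "Checksum mismatch"
    for rel in manifest.keys() - seen:
        issues[rel] = "Missing file"  # label added by this example, not a page state
    return issues

def demo():
    """Constructed sample: a two-file reference ZIP and a tampered install folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-plugin/demo.php", b"<?php // plugin main file\n")
        zf.writestr("demo-plugin/readme.txt", b"Demo plugin\n")
    installed = {"demo.php": b"<?php // plugin main file\n// appended line\n",
                 "readme.txt": b"Demo plugin\n",
                 "inc/cache.php": b"<?php // not in the archive\n"}
    with tempfile.TemporaryDirectory() as d:
        for rel, data in installed.items():
            os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
            with open(os.path.join(d, rel), "wb") as fh:
                fh.write(data)
        return verify_install(d, reference_manifest(buf.getvalue()))
```

A file that matches its reference hash produces no entry, so an empty result corresponds to the Verified mark.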

Deleting files

Usually, you can delete any suspicious or malicious file if it has a checkbox in its row in the leftmost cell. Before deleting a file, click the issue link in its row to see an explanation. When you delete a file the plugin moves it to a quarantine folder.

Restoring deleted files

If you delete an important file by chance, you can restore the file from a quarantine folder. The location of the folder is shown on the Tools / Diagnostic page. This folder is not accessible from the Internet.

To restore a deleted file you need to use a file manager in your hosting control panel. The original name and location of the deleted file are saved in the .restore file. It’s a text file so you can open it in a browser or a file viewer.

Troubleshooting

If the scanner window stops responding or updating, it may mean the scanning process on the server has hung. This can happen for many reasons. Try to disable scanning the session directory or the temp directory (or both) on the Settings tab. Open the browser console (F12 key) and check it for CERBER ERROR messages.

The scanner requires the CURL library to be enabled for PHP scripts. Usually, it’s enabled by default.

What exactly does the scanner scan?

  • Scans and verifies all WordPress files
  • Scans and verifies all plugins
  • Scans and verifies all themes
  • Detects non-bundled, abandoned and unattended files
  • Inspects file contents for suspicious code signatures
  • Inspects any files as if they were executable
  • Inspects .htaccess files for malicious directives
  • Scans all folders for new and modified files
  • Scans all temporary and session folders

Read more about scans: What Cerber Security Scanner scans and detects

Does the integrity checker support commercial themes and plugins?

Absolutely. When you install a theme or a plugin the scanner takes a snapshot of all files in the plugin or theme ZIP archive and uses it for integrity checking.

Does the integrity checker recognize the version of a plugin or a theme?

Sure! The plugin automatically detects which version of WordPress you are running, and performs integrity checking with the appropriate version. This version detection and comparison with the correct version also applies to any themes and plugins.

Read more about the malware scanner:

Automated recurring scans and email reporting for WordPress

What Cerber Security Scanner scans and detects

Cerber Security Scanner Settings explained


I'm a team lead in Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught to have high standards for myself as well as using them in developing software solutions.
