
The WP Cerber scanner for WordPress

The scanner is a complete solution for monitoring file changes, verifying the integrity of WordPress, plugins, and themes, and for automatic malware removal for WordPress


A manual scan mode

To manually start scanning, go to the Site Integrity admin page and click either the Start Quick Scan button or the Start Full Scan button. Do not close the browser window while the scan is in progress. You can open a new browser tab to do something else on the website. Once the scan has finished, you can close the window; the results are stored in the website database until the next scan.

Depending on server performance and the number of files, the Quick scan may take about 3-5 minutes, and the Full scan can take about ten minutes or less.

During the scan, the plugin verifies plugins, themes, and WordPress by loading checksum data from wordpress.org and using local integrity data. If no integrity data is available, which is typically the case for a commercial plugin or theme, you need to upload the appropriate source ZIP archive. You need to upload the archive only once, after the first scan.

An automated scan mode

With Cerber Security Scanner, you can easily configure your own schedule for automated recurring scanning and automatic malware removal.

What’s the Quick Scan?

During the Quick Scan, the scanner verifies the integrity and inspects the code of all files with executable extensions only.

Well, what’s the Full Scan?

During the Full Scan, the scanner verifies the integrity and inspects the content of all files on the website. All media files are scanned for malicious payload.

Configuring the scanner

Main scanner settings

Configuring automated recurring scans

Configuring automatic malware cleanup and file recovery

Interpreting scan results

The scanner shows you a list of issues and possible actions you can take. If the integrity of an object has been verified, you see a green mark Verified. If you see the “Integrity data not found” message, you need to upload a reference ZIP archive by clicking “Resolve issue.” For all other issues, click on an appropriate issue link. To view the content of a file, click on its name.

By default, the scanner shows you short file names; to view full file names with their absolute paths, click the icon in the bottom right corner.

Dealing with suspicious files

The following states indicate a security issue with a file.

Checksum mismatch. The contents of the file have been changed and do not match what exists in the official WordPress repository or a reference file you’ve uploaded earlier. The file may have been infected by malware or has been tampered with.

Suspicious code found. During the code inspection with heuristic analysis, the scanner found suspicious code signatures and code instructions.

Potentially malicious code found. Most likely, this file contains malware because detected code signatures should not be in a file of this type.

Unattended suspicious file. The scanner recognized this file as “ownerless” because it does not belong to any known part of a plugin, a theme, or WordPress, and it should be deleted. It may have been left behind after upgrading to a newer version of WordPress or some other software you have. It also may be a piece of unknown obfuscated malware. In some rare cases, it might be part of custom-made (bespoke) software.

Content has been modified. This happens when a file has been altered, and the checksum of the file doesn’t match the checksum of the original file. You need to reinstall an appropriate plugin or theme.

Executable code found. A file contains executable code and may contain obfuscated malware. If this file is a part of a theme or a plugin, it must be located in the theme or the plugin folder.
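The states above all follow from the same underlying check described earlier: a reference manifest of checksums (loaded from wordpress.org or taken from an uploaded ZIP archive) is compared against what is actually on disk, and files that match no reference are examined by extension and content. The following Python script is an added example of that classification and is not WP Cerber's code. It assumes a manifest shaped like the wordpress.org checksums API (a `checksums` map of relative path to MD5 hex digest), a small set of executable extensions, and a constructed sample install tree built in a temporary directory; the "Missing" state for a manifest entry with no file on disk is an addition of this example and is not one of the states listed on the page.

```python
"""Classify files under a web root against a reference checksum manifest.

Added example, not WP Cerber's code. Manifest shape assumed to follow the
wordpress.org checksums API: {"checksums": {"relative/path": "md5hex", ...}}.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as executable on a typical PHP host (assumption of this example).
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar"}
# Markers that should not appear in a non-executable file such as an image (assumption).
PHP_MARKERS = (b"<?php", b"<?=")


def md5_of(path: Path) -> str:
    """Stream the file so large media files do not have to be read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_php_code(path: Path) -> bool:
    """Content inspection: does a file carry a PHP open tag regardless of its extension?"""
    data = path.read_bytes()
    return any(marker in data for marker in PHP_MARKERS)


def classify_tree(root: Path, manifest: dict) -> dict:
    """Return {relative_path: state} for every file under root and every manifest entry."""
    expected = manifest["checksums"]
    results = {}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel in expected:
            # Known file: integrity is decided purely by the checksum comparison.
            results[rel] = "Verified" if md5_of(p) == expected[rel] else "Checksum mismatch"
        elif p.suffix.lower() not in EXECUTABLE_EXTS and has_php_code(p):
            # Code signatures in a file type that should never contain code.
            results[rel] = "Potentially malicious code found"
        else:
            # Ownerless: belongs to no known part of WordPress, a plugin, or a theme.
            results[rel] = "Unattended suspicious file"
    for rel in expected:
        if rel not in seen:
            results[rel] = "Missing"  # not a page-listed state; added for completeness
    return results


def build_sample_tree():
    """Constructed sample install: one intact core file, one tampered, one stray, one image with code."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-includes").mkdir()
    (root / "wp-content" / "uploads").mkdir(parents=True)
    good = b"<?php\n// untouched core file (constructed)\n"
    (root / "wp-includes" / "version.php").write_bytes(good)
    (root / "wp-includes" / "functions.php").write_bytes(
        good + b"// appended line simulating tampering (constructed)\n")
    (root / "wp-content" / "stray.php").write_bytes(b"<?php // not part of any known package\n")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(
        b"\xff\xd8\xff\xe0 JFIF <?php // code hidden in an image (constructed)\n")
    reference_hash = hashlib.md5(good).hexdigest()
    manifest = {"checksums": {
        "wp-includes/version.php": reference_hash,
        "wp-includes/functions.php": reference_hash,   # reference hash of the untouched file
        "wp-includes/removed.php": "0" * 32,           # listed in the manifest, absent on disk
    }}
    return root, manifest


if __name__ == "__main__":
    sample_root, sample_manifest = build_sample_tree()
    for rel, state in classify_tree(sample_root, sample_manifest).items():
        print(f"{state:32} {rel}")
```

Running the script prints one line per file: `version.php` is Verified, `functions.php` is a Checksum mismatch, `stray.php` is an Unattended suspicious file, and `photo.jpg` is flagged as Potentially malicious code found because a PHP open tag has no business in an image. The order of the checks matters: the checksum comparison wins for any file the manifest knows about, so a tampered core file is reported as a mismatch rather than by content heuristics.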

If a file is marked as suspicious or malicious, you can open it safely to view the content of the file. To view the content of a file, click on its name.

Deleting files

You can usually delete any suspicious or malicious file if it has a checkbox in the leftmost cell of its row. Before deleting a file, click the issue link in its row to see an explanation. When you delete a file, the plugin moves it to a quarantine folder.

Restoring deleted files

If you delete an important file by chance, you can restore the file from a quarantine folder. The location of the folder is shown on the Tools / Diagnostic page. This folder is not accessible from the Internet.

To restore a deleted file, you need to use a file manager in your hosting control panel. The original name and location of the deleted file are saved in the .restore file. It’s a text file, so you can open it in a browser or a file viewer.
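The quarantine-and-restore flow described in the two sections above is easy to reason about once written down. The Python script below is an added example of that mechanism and is not WP Cerber's code; the page does not show the plugin's actual quarantine layout. It assumes a quarantine directory placed beside, not under, the web root (so the web server cannot serve it), and a plain-text `.restore` sidecar holding the original absolute path of each quarantined file, which is what a person with a file manager would read to put the file back.

```python
"""Quarantine a flagged file and restore it from its .restore sidecar.

Added example, not WP Cerber's code. Layout assumed: <quarantine>/<stamp>-<name>
plus <quarantine>/<stamp>-<name>.restore containing the original absolute path.
"""
import shutil
import tempfile
import time
from pathlib import Path


def is_outside(path: Path, root: Path) -> bool:
    """True when path is not located under root (the quarantine must not be web-served)."""
    try:
        path.resolve().relative_to(root.resolve())
        return False
    except ValueError:
        return True


def quarantine_file(target: Path, quarantine_dir: Path) -> Path:
    """Move target into quarantine_dir and record where it came from in a .restore text file."""
    original = target.resolve()                   # resolve before the move, while it still exists
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d%H%M%S")
    dest = quarantine_dir / f"{stamp}-{target.name}"
    n = 1
    # Never clobber an earlier quarantined file that happened to have the same name.
    while dest.exists() or dest.with_name(dest.name + ".restore").exists():
        dest = quarantine_dir / f"{stamp}-{n}-{target.name}"
        n += 1
    shutil.move(str(target), str(dest))
    # Plain text on purpose: readable in a browser or any file viewer.
    dest.with_name(dest.name + ".restore").write_text(f"{original}\n", encoding="utf-8")
    return dest


def restore_file(quarantined: Path) -> Path:
    """Read the .restore sidecar and move the file back to its original location."""
    sidecar = quarantined.with_name(quarantined.name + ".restore")
    original = Path(sidecar.read_text(encoding="utf-8").strip())
    if original.exists():
        # A file already lives there again (reinstalled plugin, new upload): do not overwrite it.
        raise FileExistsError(f"refusing to overwrite {original}")
    original.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(quarantined), str(original))
    sidecar.unlink()
    return original


def demo():
    """Constructed walk-through: quarantine a stray file, then restore it by mistake-recovery."""
    base = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    webroot = base / "public_html"
    quarantine = base / "quarantine"              # sibling of the web root, not inside it
    (webroot / "wp-content").mkdir(parents=True)
    suspect = webroot / "wp-content" / "stray.php"
    suspect.write_bytes(b"<?php // ownerless file (constructed)\n")

    outside = is_outside(quarantine, webroot)
    moved = quarantine_file(suspect, quarantine)
    gone = not suspect.exists()
    sidecar = moved.with_name(moved.name + ".restore")
    recorded = Path(sidecar.read_text(encoding="utf-8").strip()) == suspect.resolve()
    back = restore_file(moved)
    restored = back.exists() and not moved.exists() and not sidecar.exists()
    return outside, gone, recorded, restored


if __name__ == "__main__":
    print(demo())  # each flag should be True
```

The refusal to overwrite in `restore_file` is the one decision worth calling out: if a plugin was reinstalled after the deletion, the clean copy is what you want to keep, and a restore should fail loudly rather than silently put the quarantined version back over it.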

Troubleshooting

If the scanner window stops responding or updating, it usually means the scanning process on the server has hung. This can have several causes, but it is typically due to a misconfigured server or hosting limitations. Do the following:

  1. Try to disable scanning the session directory or the temp directory (or both) in the scanner settings
  2. Open the browser console (use the F12 key on PC or Cmd + Option + J on Mac) and check it for CERBER ERROR messages
  3. Enable diagnostic logging

Note: The scanner requires the CURL library to be enabled for PHP scripts. Usually, it’s enabled by default.

What exactly does the scanner scan?

  • Scans and verifies all WordPress files
  • Scans and verifies all plugins
  • Scans and verifies all themes
  • Detects not bundled, abandoned, and unattended files
  • Inspects file contents for suspicious code signatures
  • Inspects any files as if they were executable
  • Inspects .htaccess files for malicious directives
  • Scans all folders for new and modified files
  • Scans all temporary and session folders

Read more about scans: What Cerber Security Scanner scans and detects

Does the integrity checker support commercial themes and plugins?

Absolutely. When you install a theme or a plugin, the scanner takes a snapshot of all files in the plugin or theme ZIP archive and uses it for integrity checking.

Does the integrity checker recognize the version of a plugin or a theme?

Sure! WP Cerber automatically detects which version of WordPress you are running and performs integrity checking with the appropriate version. This version detection and comparison with the correct version also applies to all themes and plugins.

How to control the scanner on multiple websites

You can control and configure the scanner on any number of websites from one main website. Enable the main website mode on the Cerber.Hub website and the managed website mode on your other websites to control and monitor all WP Cerber instances from one WordPress dashboard.

Know more about the malware scanner

Automated recurring scans and email reporting for WordPress

Automatic cleanup of malware and file recovery

What Cerber Security Scanner scans and detects

Cerber Security Scanner Settings explained

Troubleshooting malware scanner issues

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave it in the comments section below or get it answered on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.
