Extensions to the WordPress File Security Scanner

By 15th August 2017 April 21st, 2020 Shield Security

We released the WordPress File Security Scanner over a week ago and the results have been great!

We’ve gotten a lot of useful feedback and there are several ways we can improve the scanner to make it even more useful.

This quick article outlines the new improvements we’ve made with the latest 5.13.0 release of the Security Plugin

Improvements to the File Security Scanner #1 – File Exclusions

Probably the most important change for many is the ability to customize the file exclusions.

When we first shipped the scanner, we included a small list of standard files that should be ignored. This prevented the scanner removing or reporting on core hosting files that are important to the running of the site.

But it didn’t go far enough for many. It turns out that many administrators leave PHP error logging settings at the defaults of their web host. This means that their WordPress sites are spewing out logs into core directories.

Of course, this isn’t a security concern, but it means that the files get flagged up in the scanner.

Now if you want to have log files, and any other files sitting in your WordPress core directories, you can. You can just add the file name (not the path) to the exclusions list.

Simples.

Improvements to the File Security Scanner #2 – ‘Uploads’ directory scanning

In its first release, the scanner processed 2 core directories:

  • wp-admin; and
  • wp-includes

Other directories are difficult to scan since they’re more likely to contain non-standard WordPress files.

But, the Uploads folder is one that should contain a limited number of types of files – ideally media files. While it can’t be said for every site, typically the Uploads folder shouldn’t have executable code in it. If you know that this is true in your case, then you can turn on scanning of the Uploads folder.

The scanning, in this case, will look for files with extensions:

  • .php / .php5
  • .js

Before turning on this option, you should review your Uploads folder. If you’re finding PHP and Javascript files in there that are important to the normal running of your site, do not enable this option.

Questions, Comments and Suggestions?

We’re open to suggestions for improvements and it is your suggestions and comments that has led to these extensions of the scanner.

Please feel free, as always, to leave your thoughts and suggestions about these changes in the comments section below.

Join the discussion 2 Comments

Leave a Reply