We released the WordPress File Security Scanner over a week ago and the results have been great!
We’ve gotten a lot of useful feedback and there are several ways we can improve the scanner to make it even more useful.
This quick article outlines the new improvements we’ve made with the latest 5.13.0 release of the Security Plugin.
Improvements to the File Security Scanner #1 – File Exclusions
Probably the most important change for many is the ability to customize the file exclusions.
When we first shipped the scanner, we included a small list of standard files that should be ignored. This prevented the scanner from removing or reporting on core hosting files that are important to the running of the site.
But it didn’t go far enough for many. It turns out that many administrators leave PHP error logging settings at the defaults of their web host. This means that their WordPress sites are spewing out logs into core directories.
Of course, this isn’t a security concern, but it means that the files get flagged up in the scanner.
Now if you want to keep log files, or any other files, sitting in your WordPress core directories, you can: just add the file name (not the path) to the exclusions list.
Improvements to the File Security Scanner #2 – ‘Uploads’ directory scanning
In its first release, the scanner processed 2 core directories:
Other directories are difficult to scan since they’re more likely to contain non-standard WordPress files.
But, the Uploads folder is one that should contain a limited number of types of files – ideally media files. While it can’t be said for every site, typically the Uploads folder shouldn’t have executable code in it. If you know that this is true in your case, then you can turn on scanning of the Uploads folder.
The scanning, in this case, will look for files with extensions:
Questions, Comments and Suggestions?
We’re open to suggestions for improvements, and it is your suggestions and comments that have led to these extensions of the scanner.
Please feel free, as always, to leave your thoughts and suggestions about these changes in the comments section below.
2 Comments
Does the entire file name need to be included, or can I just include a file extension in the exclusions filter?
A little more detail – I generally avoid editing core files, but sometimes I tweak just a little 🙂 When I do that, my editing program automatically saves a .bak backup file. Those get flagged by the security scanner.
Can I just include .bak in the exclusions list to keep them from being flagged, or *.bak ?
As of version 6.1.0, you can now use Regular Expressions to match for file names.
See the release notes here: https://onedollarplugin.com/wp-shield-security-update-6-1-0/
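As an added illustration of the two scanner behaviours the post describes (file-name exclusions for core directories, and extension-based scanning of the Uploads folder) together with the regex exclusions mentioned in the reply above, here is a small stand-alone scanner written for this article. It is not the plugin’s own code (which is PHP) and it makes some assumptions: the core-file manifest, the list of "executable" extensions, the sample directory tree and the regex matching rule are all constructed for the example rather than taken from the plugin.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed list of extensions that should never appear under uploads.
# The post does not enumerate the plugin's own list; this one is an example.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

# Constructed stand-in for the real WordPress core manifest (paths relative
# to the directory being scanned).
CORE_MANIFEST = {"index.php", "includes/file.php"}


def is_excluded(name: str, exclusions) -> bool:
    """Match an exclusion entry against the bare file name, never the path.

    Each entry is tried first as a literal file name and then as a regular
    expression (assumed behaviour, modelled on the 6.1.0 reply). An entry that
    is not a valid regex simply falls back to the literal comparison.
    """
    for entry in exclusions:
        if entry == name:
            return True
        try:
            if re.fullmatch(entry, name):
                return True
        except re.error:
            pass  # literal name containing regex metacharacters
    return False


def scan_core_dir(core_dir: Path, manifest, exclusions) -> list:
    """Report files under a core directory that are neither in the manifest
    nor excluded. Returns paths relative to core_dir, sorted."""
    unexpected = []
    for path in sorted(core_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(core_dir).as_posix()
        if rel in manifest or is_excluded(path.name, exclusions):
            continue
        unexpected.append(rel)
    return unexpected


def scan_uploads_dir(uploads_dir: Path, exclusions,
                     executable_exts=EXECUTABLE_EXTENSIONS) -> list:
    """Report files under uploads whose final extension is executable.
    Only the last suffix is checked, so 'photo.jpg.php' is flagged while
    'photo.php.jpg' is not; a web server executes by the final extension."""
    flagged = []
    for path in sorted(uploads_dir.rglob("*")):
        if not path.is_file() or is_excluded(path.name, exclusions):
            continue
        if path.suffix.lower() in executable_exts:
            flagged.append(path.relative_to(uploads_dir).as_posix())
    return flagged


def build_fixture() -> Path:
    """Construct a throwaway WordPress-like tree (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    files = {
        "wp-admin/index.php": "<?php // core file\n",
        "wp-admin/error_log": "PHP Notice: example log line\n",  # host default logging
        "wp-admin/includes/file.php": "<?php // core file\n",
        "wp-admin/includes/file.php.bak": "<?php // editor backup\n",
        "wp-admin/unknown.php": "<?php // not in the manifest\n",
        "wp-content/uploads/2019/01/photo.jpg": "not really a jpeg\n",
        "wp-content/uploads/2019/01/photo.jpg.php": "<?php // should not be here\n",
        "wp-content/uploads/notes.txt": "plain text\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def run_example():
    """Scan the fixture three ways and return the three result lists."""
    root = build_fixture()
    try:
        exclusions = ["error_log"]                     # plain file name, no path
        core = scan_core_dir(root / "wp-admin", CORE_MANIFEST, exclusions)
        # the commenter's case: also ignore editor backups via a regex entry
        core_no_bak = scan_core_dir(root / "wp-admin", CORE_MANIFEST,
                                    exclusions + [r".*\.bak"])
        uploads = scan_uploads_dir(root / "wp-content" / "uploads", exclusions)
        return core, core_no_bak, uploads
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, result in zip(("core", "core (bak excluded)", "uploads"), run_example()):
        print(f"{label}: {result}")
```

Run it directly to see the three reports. Note that an exclusion entry is compared against the bare file name only, so an entry such as `.*\.bak` silences editor backups everywhere; that is convenient, but it also means a file named to match the pattern is never reported, so exclusions should stay as narrow as the site actually needs.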