Hi @frizati,
Defender's malware scan will run and scan the root directory and will list out any files or folders which aren’t part of the WordPress core files.
A root directory is where the /wp-admin, /wp-includes and /wp-content folders exist. By default, WordPress doesn’t use index.html in the root directory, and 400, 401, etc., if they are HTML files, aren’t part of WP either.
In general, 400, 401, 404 responses would be handled within the theme side or by creating templates within the theme folder.
The malware scan is meant to help and highlight users on what all files are present on the server-side and remove if there are any unwanted or vulnerable files.
In general, HTML files shouldn’t cause any potential issue, however, if those files aren’t used by your website, then there isn’t any point in keeping them.
You can check with your developer or your hosting provider to confirm whether these files are safe or not. If the files are important for your website, you can mark them as “ignore” or you can “delete” the files if not required via the Defender side if needed.
I hope this clears your query. Please do let us know if you need any further assistance.
Kind Regards,
Nithin
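As an added illustration of the kind of check described in the reply above (this is not Defender's code and not part of the original thread): a manifest-based scan that reports root files absent from a list of core files. It goes one step further than the reply by also comparing content hashes. The manifest, the sample tree and the names `scan_root`, `build_demo_site`, `SITE_SPECIFIC` and `SKIP_DIRS` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumptions: these are created per site, and wp-content is user-managed; both are out of scope.
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}
SKIP_DIRS = ("wp-content",)


def scan_root(root: Path, manifest: dict) -> dict:
    """Compare files under root with a {relative_path: sha256} manifest of core files."""
    report = {"unknown": [], "modified": [], "missing": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.split("/")[0] in SKIP_DIRS or rel in SITE_SPECIFIC:
            continue
        if rel not in manifest:
            report["unknown"].append(rel)    # e.g. error pages added by the host
        elif hashlib.sha256(path.read_bytes()).hexdigest() != manifest[rel]:
            report["modified"].append(rel)   # core file whose content changed
    report["missing"] = sorted(r for r in manifest if not (root / r).is_file())
    return report


def _write(root: Path, rel: str, body: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(body)


def build_demo_site(root: Path) -> dict:  # constructed sample tree, returns its manifest
    core = {"index.php": b"<?php // front controller", "wp-load.php": b"<?php // loader",
            "wp-includes/version.php": b"<?php // version"}
    for rel, body in core.items():
        _write(root, rel, body)
    for extra in ("400.shtml", "500.shtml", "wp-config.php", "wp-content/themes/a/404.php"):
        _write(root, extra, b"site or host content")
    _write(root, "wp-load.php", b"<?php // loader, edited")  # simulate a changed core file
    return {rel: hashlib.sha256(body).hexdigest() for rel, body in core.items()}


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_root(Path(tmp), build_demo_site(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

On the constructed tree, the two `.shtml` error pages are reported as unknown, while `wp-config.php` and everything under `wp-content` are left out of the report.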
Hi!
Thanks for your answer!
The files 400 and 500 in my root, are SHTML files, he has marked them as unknown files, I really don’t know whether to leave them or delete them.
Then I want to ask you, if Defender does not have the option to change the database prefix and activate the header of “Content-Security-Policy”? I couldn’t find them …
There is X-XSS protection as an option, but I would prefer not to activate it, because I understand that it has become almost obsolete for some browsers and vulnerabilities were found in this function.
Hello @frizati !
The files 400 and 500 in my root, are SHTML files, he has marked them as unknown files, I really don’t know whether to leave them or delete them.
Those are probably the default files the hosting added to be used when there’s an error – you can safely delete them as WordPress has other ways to handle those.
Then I want to ask you, if Defender does not have the option to change the database prefix and activate the header of “Content-Security-Policy”? I couldn’t find them …
This is correct. We’ve removed the option to change the database prefix as it had no impact on the site’s security. As for CSP headers – we’re planning to add those in the future, however here a bit of patience will be needed as our Defender team wants to make sure we do them right and in a way that will avoid potential issues – as you probably know, those aren’t easy to set up so there’s a bit of additional work to be done.
Kind regards,
Pawel
I agree! Also with CSP, it has its complexity. Do it patiently, but it would be great if you added it.
I appreciate your assistance infinitely!
In a few months you will have me closer under a WPMU DEV membership, with a new MS project.
Keep shining like you do. The more I know you, and the more I am convinced that you are a conglomerate of professionals.
NOTE ABOUT THE PLUGIN: I finished configuring what I need … I test my site, and next to achieve an ‘A’ in security levels (Except CSP) my site loads a little faster too, I don’t know how that happened for a security plugin, but your plugin really surprised me! Don’t neglect it, stick with it, it will be great.
We can close the ticket. Many greetings!
Hi @frizati,
Glad to know that and thank you for the kind words.
I am marking this topic as resolved, please feel free to open a new one if you need any other assistance.
Best Regards,
Nebu John