Support » Plugin: Wordfence Security » hacked site not identified by Wordfence

  • Resolved grantballardtremeer


    We love Wordfence and have been benefiting from it for months. We’ve just had our WordPress site hacked however, and Wordfence scans did not identify the malicious executable code that was placed on our server, so I thought I’d let you know about it.

    The malicious code was placed in a subdirectory in the web root with a leading space like so: ” .” or “/%20.” (without quotes). Since the leading space means the folder does not show up in usual directory listings (not in sftp for instance), it was quite hard to track down. I’d guess Wordfence is not scanning in such directories.

    I hope this helps. Thanks for a fantastic plugin!


Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Wordfence


    Thanks Grant. Actually we only scan your wordpress directories off the web root. If you want the other directories included you need to check the box to:

    Scan files outside your WordPress installation

    That should get those files.


    ps: waiting for your reply before I mark this resolved.

    Thanks for replying Mark.

    I do already have the option checked to scan files outside my WordPress installation, and this directory is not picked up. But also, I may have given the wrong impression by saying ‘web root’ – it is the root of the WordPress installation – i.e. the directory containing wp-login.php, we-config.php etc. In my setup this is the same as the web root.

    While trying to verify and reproduce this behaviour, I placed files with eval and base64_decode( in them and I can confirm that indeed WordFence does scan the ‘ .’ directory. I can only guess that the phishing files did not contain anything that looked malicious! 🙁

    However, in trying to find out why I didn’t manage to detect these files I have noticed a related issue (please let me know if it is better to start a new thread):

    Even when I have directories containing files that look malicious in a scan, and are noted as “File type: Not a core, theme or plugin file.” I still don’t find them under “Files found that don’t belong to WordPress Core or known Themes and Plugins”. That page always just states “You either have not completed a scan recently, or there were no files found on your system that are not in the WordPress official repository for Core files, themes and plugins.”

    Should those files not appear here? Or am I misunderstanding what files I should see there?

    Plugin Author Wordfence


    Thanks for the report. Yes that feature is currently not working. We disabled it internally and forgot to remove the link on the scan page. So it’s being removed and we’re adding back a feature to show unrecognized files and non-core files in core directories to help site cleaning – but that still needs to be implemented.



    Ok, thanks for the info, Mark

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘hacked site not identified by Wordfence’ is closed to new replies.