Support » Plugin: Wordfence Security - Firewall & Malware Scan » Where is Manual Scan button

  • Resolved Joel Masci


    It says manual scan can be run anytime from dashboard, can you please give me exact and very specific instructions on how to do this? I suspect some malicious code is hiding the ability to run a manual scan by one of many possible methods. The idea would be to give the user the impression everything is working fine, when in fact it is not.

    I have checked WordFence dashboard on 7.0.5, (also WordPress Dashboard), clicked through literally every possible link I could find, spent nearly an hour. Went through all scan options.

    Please help, thanks.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Joel Masci


    Ok so you know, you go to dashboard, and hit the “manage scan” button, and it takes you to the the “manage scan” subpage, of the scan page itself.

    It would be very nice to have a link at the top, that says, back to “scan” landing page you know, because the page will be highlighted in the sidebar so you might think clicking “scan” from sidebar is same as clicking “manage scan” from dashboard.

    Wasted over an hour on this. Very very very frustrating.

    Thread Starter Joel Masci


    Well, now I have the button. It shows no output in the log when I press it, just a loading animation for a few seconds and then stops, no updates.

    No js errors. It just triggers admin-ajax with a response of this in about 2.39 seconds:


    Any ideas? On a local install of a different website with same version of WordFence, things are working as expected. There is a status, when clicking the button it says “contact WordFence to start scan”, but on this site that may be infected, I just get nothing. Status only says idle. Loading animation for 2 seconds then button says “start scan” again.

    Does WF have some caching thing built in, not letting me scan because it recently determined everything was fine?

    Thread Starter Joel Masci


    Its pw on site, nevermind. Debug mode showed it.

    Hi @joelmasci,

    We generally don’t advocate for password-protecting the “/wp-admin” folder (read more about this on this blog entry.)

    However should you choose to do so you need to set up the “.htaccess” file correctly; you can’t simply block access to everything in “/wp-admin” because the directory contains your AJAX handler.

    The AJAX handler is what allows users on your website to perform application functions without a full page reload occurring. E.g. when you click a button and see a rotating “loading” icon, that is usually an AJAX call. If you simply block the whole of /wp-admin/ with a password, you will break any plugin or theme that uses AJAX for users who are not logged in.

    To work around this, you can whitelist your ajax handler as follows. Your “.htaccess” file should look something like this:

    AuthUserFile /path/to/your/htpasswd
    AuthType basic
    AuthName "Restricted Resource"
    require valid-user
    # This is the whitelisting of the ajax handler
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any 

    I’m using 7.1.3 and it’s even harder to find what should be a really simple option.

    The dashboard link for ‘manage scan’ does *not* link to the manage_scans subpage. Instead, it goes to:


    I went round in circles for a similar amount of time as the OP. All I wanted was to manually initiate a scan, something I often do after installing the plugin.

    It was only when I madea guess, and manually entered the URL


    that I was able to see the manual scan options. There doesn’t seem to be a link to this anywhere in the plugin.

    I’ve been long time user of the plugin, and this sort of UX is baffling. In <v7, sure things didn’t look pretty, but they were at least able to be found. Surely it’s a bug?

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Where is Manual Scan button’ is closed to new replies.