1. Enable diagnostic logging in the scanner settings

To do this, click the “Site Integrity” menu and then click the “Settings” tab, turn on “Enable diagnostic logging”, and save the settings.

2. Now start scanning

Manually or by configuring the schedule for the automatic scans.

3. Check the diagnostic log

Click “Tools” in the plugin admin menu and then click the “Diagnostic Log” tab. Check the log for error messages.

In case you need assistance from our customer service team, make a screenshot or/and export the log to a file by clicking the “Download as a file” link and attach it to a support ticket via the support desk: https://my.wpcerber.com

Hint: You can easily identify scanner entries in the log by the [Scanner] marker in a line.

Automatic cleanup of malware

If the malware scanner detects malicious files during a scheduled scan, it automatically deletes files moving them to the quarantine. By default this feature is disabled. It’s advised to enable it as shown below.

Automatic file recovery

If the malware scanner detects changes in the WordPress files and plugins, it automatically recovers them. As with the automatic deletion of malicious files, the scanner stores a copy of the recovered file in the quarantine and shows them in an email report.

Automatic cleanup of malware and suspicious files by scanner

These automatic removal policies will be enforced at the end of every scheduled scan based on its results. The list of files to be deleted depends on the scanner settings. Please note the following:

• WP Cerber deletes only files that have malicious or suspicious code payload.
  
• All detected malicious and suspicious files are moved to the Quarantine.

How to restore automatically deleted files

To restore one or more files from within the WordPress dashboard, go to the Quarantine admin page. It’s located under the Site Integrity menu item. Find the filename in the File column and click Restore in the Action column. The file will be restored to its original location.

To restore a file manually, you need to use any file manager in your hosting control panel. All deleted files are stored in a special quarantine folder. The location of the folder is shown on the Tools / Diagnostic admin page. The original name and location of a deleted file are saved in a .restore file. It’s a text file. Open it in a browser or a file viewer, find the filename you need to restore in a list of deleted files and copy the file back to its location by using the original name and location of the file.

Is it possible that scanner deletes vital files by chance?

No. It’s restricted by design. The scanner has comprehensive algorithms to recognize if a file is a part of WordPress, a plugin or a theme. There is only one exception if another plugin or a theme use the uploads folder to store some of its executable code files. Typically those files do not contain malicious code but the scanner shows them as Low severity issues because that is not normal to have executable code files there. Why? The WordPress uploads folder is intended to be used for storing media files like pictures, videos, documents, etc.

To let you safely use such kind of plugins there are three levels of severity you can set for cleaning up the uploads folder. If a file marked as High severity issue, it means it contains malicious code and must be deleted. If you don’t use such kind of plugins, you should enable all three options for deleting files in the uploads folders.

If malicious files have been detected and deleted, the list of deleted files will be shown in every email report.

Know more about the malware scanner

How to use Cerber Security Scanner for WordPress

What Cerber Security Scanner scans and detects

Automated recurring scans and email reporting for WordPress

Cerber Security Scanner Settings explained

Troubleshooting malware scanner issues

We’ve spent a great deal of time studying malware, trojans and their patterns and algorithms. As a result, we’ve implemented a set of heuristic algorithms that effectively detect almost all known and unforeseen pieces of malware.

Scans and verifies all WordPress files

This scan checks if all WordPress folders and files match what exist in the official WordPress core repository. If a file has been changed, usually it means your WordPress installation has been altered or infected by malware which has modified a file or a set of files. If changes have occurred, all changed files are listed and marked as Checksum mismatch. In this case you have to simply reinstall WordPress. Go to the Dashboard / Updates admin page. Click the Re-install now button.

Scans and verifies all installed plugins

As with the WordPress core file change detection above, the scanner compares your plugin files with what are in the official WordPress repository, and will alert you to any changes. Cerber Security Scanner verifies the integrity of plugins that are installed from the official repository on wordpress.org as well as commercial plugins that are installed manually.

Scans and verifies all installed themes

As with the WordPress core file change detection above, the scanner compares your theme files with what are in the official WordPress repository, and will alert you to any changes. Cerber Security Scanner verifies the integrity of themes that are installed from the official repository on wordpress.org as well as themes that are installed manually.

Detects not bundled, abandoned and unattended files

The scanner detects files in any WordPress, theme or plugins folders which are not a normal part of them. The scanner recognizes those files as “ownerless” or “not bundled” because they do not belong to any known part of the website and should not be there. In a scan report these files are marked as Unattended suspicious file.

Some developers do not follow the official guidelines that WordPress provides for theme and plugin developers, so you should make sure that a suspicious file is not a part of a poorly designed plugin or theme.

Inspects file contents for suspicious code signatures

Our team maintains a list of malicious and suspicious code patterns (signatures) that are usually used in malware, trojans, viruses and backdoors. During a scan, the scanner inspects the contents of every file for presence of these patterns.

Scans installed plugins for known vulnerabilities

The scanner scans installed plugins for known vulnerabilities. If you have enabled scheduled automatic scans you will be notified in a email report if a vulnerability in one of the installed plugins has been discovered.

Inspects any files as if they were executable

The scanner looks for malicious code that is hidden inside files that have non-executable extensions like PNG or JPG. This inspection is a part of Full Scan.

Inspects .htaccess files for malicious directives

The scanner looks for malicious and suspicious directives like redirecting users to malicious or phishing websites and PHP configuration directives in .htaccess files that must not be in a normal .htaccess file on a normal WordPress powered website. The scanner also verifies the integrity of a .htaccess file if it’s bundled with WordPress, with a theme or a plugin.

Scans all folders for new and modified files

The scanner looks for new files and monitors changed files in all website folders including the system temporary folder, the temporary folder for uploaded files and the sessions folder.

Inspects temporary and session folders

The scanner scans those folders like other website folders. It’s crucial to monitor those folders because some malware can reside there.

Read more about the malware scanner:

How to use Cerber Security Scanner for WordPress

Automated recurring scans and email reporting for WordPress

Automatic cleanup of malware and file recovery

Cerber Security Scanner Settings explained

Troubleshooting malware scanner issues

Once the schedule is configured, the scanner automatically scans the website and sends an email report with the results of the scan. All recurring scans are launched and controlled by our cloud scanning servers.

The Quick Scan can be launched as often as one time per hour, so you can enable up to 24 scans per day. The Full Scan can be launched only once a day at a specified time.

After every scan, the scanner creates a report that is generated based on settings in the Scan results reporting section.

Configure scheduled website scans

Click the WP Cerber / Site Integrity menu, then click the Scheduling tab.

In the Automated recurring scan schedule section, you set up your schedule. Select the desired frequency of the Quick Scan and specify the time of the Full Scan. By default, all automated recurring scans are turned off.

The Scan results reporting section is about reporting. Here you can easily and flexibly configure conditions for generating and sending reports.

Scheduled malware scan settings

What issues would you like to include in an email report?

An email report will only include issues that match any of the selected types in the Report an issue if any of the following is true filter. So this setting works as a filter for issues you want to get in a report. The report will only be sent if there are issues to report and the following, a selected option is true.

When does the scanner send an email report to you?

The second condition is configured with the Send email report setting. The report will be sent if a selected option is true:

• After any scan means always send a report after every scan if there are issues to report about. You may get up to 24 emails per day.
• If any changes in scan results occurred means something has changed in a set of issues you’ve selected in the setting above.
• If new issues detected means to send a report only if new issues have been found during a scan. Other changes don’t affect sending reports. For instance, if a size of a file is changing from scan to scan, you will be notified only once when this issue occurs for the first time. This option is the most restrictive.

For the last two options, the scanner compares the results of two consecutive scans. Quick Scan and Full Scan are compared separately.

Note: if you’ve enabled reporting Content has been modified or/and New file, you have to enable Monitor modified files and Monitor new files on the Settings tab accordingly.

Additional notification settings

An example of the email report sent by the Cerber Security malware scanner

To include additional details in email reports enable Include file sizes or/and Include scan errors settings. The last option will include all server, database and input/output errors that occur during a scan. It may be helpful to diagnose technical problems.

To send a scan report the scanner uses an email address from the Email Address field in the malware scanner settings. If you leave this field empty, the scanner will use an email address from the notification settings. If the email field in the notification settings is empty too, the scanner uses an email address from General WordPress Settings for the website (Settings -> General -> Email Address).

Technical details

Once you’ve configured settings for the automated recurring scan, the set of scan parameters are transmitted to Cerber Tech cloud scanning servers. The servers launch scheduled scans and control the whole process of scanning. The parameters include the website URL, the schedule of the scan, and the email address for reporting. No data any kind is transmitted from the scanned website to the cloud servers. That means the results of a scan are remain private and do not leave a website.

If your website is not accessible from the Internet, automated recurring scans cannot be launched.

Know more about the malware scanner

How to use Cerber Security Scanner for WordPress

What Cerber Security Scanner scans and detects

Automatic cleanup of malware and file recovery

Cerber Security Scanner Settings explained

Troubleshooting malware scanner issues

What’s the scanner, anyway?

Cerber Security Scanner is a sophisticated and powerful tool that inspects every single file and every single folder on a website for traces of malware and backdoors, changed, and new suspicious files. The scanner verifies the integrity of WordPress, plugins, and themes and prevents them from being infected with unforeseen malware. When the scanner detects unauthorized changes, it automatically recovers affected files.

Custom signatures

Custom signatures allow you to add your own additional scan signatures. They will be used by the scanner during the PHP code inspection for each file containing PHP code.

Unwanted file extensions

Use the “Unwanted file extensions” field to specify a set of file extensions to look for and include files with such extensions in the results of a scan.

Directories to exclude

To exclude some directories from a scan, add them to the Directories to exclude list. Use this setting with caution because the scanner ignores all files in these directories and malware may remain undetected. Specify directories with full (absolute) paths or relative to the WordPress root directory. For instance, if you have another WordPress installation in the subfolder simply enter the subfolder name, the plugins expand the given name to the full path automatically.

If you enter a directory that doesn’t exist, the plugin removes it from the list.

Monitor new files and Monitor modified files

If you enable these options, the scanner will look for new and modified files in all website folders and includes all found files in the report. To monitor file changes the scanner uses SHA-256 algorithm. It’s recommended to have both options enabled.

Scan temporary directory and Scan session directory

Scan temporary directory and Scan session directory should be enabled because malware can reside there. You should only disable scanning these folders if the scanner is unable to process them due to hosting platform limitations and restrictions.

Diagnostic logging

If you come across an issue with the malware scanner, your go-to tool is diagnostic logging. Normally and by default it’s disabled. Know more.

Delete quarantined files

When you manually delete a file on the scan results page or the scanner does this automatically on a schedule, the file is moved to the quarantine. The plugin automatically cleans up the quarantine and deletes files permanently after the specified amount of days since the date of a scan.

Do you know that you can control and configure the scanner on any number of websites remotely? Enable a main website mode on the main Cerber.Hub website and a managed website mode on your other websites to manage all WP Cerber instances from one dashboard.

Know more about the malware scanner

How to use Cerber Security Scanner for WordPress

What Cerber Security Scanner scans and detects

Automated recurring scans and email reporting for WordPress

Automatic cleanup of malware and file recovery

Troubleshooting malware scanner issues

To manually start scanning, go to the Site Integrity admin page and click either the Start Quick Scan button or the Start Full Scan button. Do not close the browser window while the scan is in progress. You can open a new browser tab to do something else on the website. Once the scan has finished, you can close the window; the results are stored in the website database until the next scan.

Depending on server performance and the number of files, the Quick scan may take about 3-5 minutes, and the Full scan can take about ten minutes or less.

During the scan, the plugin verifies plugins, themes, and WordPress by loading checksum data from wordpress.org and using local integrity data. If the integrity data is not available, which happens with a commercial plugin or a theme, you need to upload an appropriate source ZIP archive. You need to upload the archive once, after the first scan.

An automated scan mode

With Cerber Security Scanner, you can easily configure your own schedule for automated recurring scanning and automatic malware removal.

What’s the Quick Scan?

During the Quick Scan, the scanner verifies the integrity and inspects the code of all files with executable extensions only.

Well, what’s the Full Scan?

During the Full Scan, the scanner verifies the integrity and inspects the content of all files on the website. All media files are scanned for malicious payload.

Configuring the scanner

Main scanner settings

Configuring automated recurring scans

Configuring automatic malware cleanup and file recovery

Interpreting scan results

The scanner shows you a list of issues and possible actions you can take. If the integrity of an object has been verified, you see a green mark Verified. If you see the “Integrity data not found” message, you need to upload a reference ZIP archive by clicking “Resolve issue.” For all other issues, click on an appropriate issue link. To view the content of a file, click on its name.

By default, the scanner shows you short file names; to view full file names with their absolute paths, click the icon on the bottom right corner.

Dealing with suspicious files

The following states indicate a security issue with a file.

Checksum mismatch. The contents of the file have been changed and do not match what exists in the official WordPress repository or a reference file you’ve uploaded earlier. The file may have been infected by malware or has been tampered with.

Suspicious code found. During the code inspection with heuristic analysis, the scanner found suspicious code signatures and code instructions.

Potentially malicious code found. Most likely, this file contains malware because detected code signatures should not be in a file of this type.

Unattended suspicious file. The scanner recognized this file as “ownerless” because it does not belong to any known part of a plugin, a theme, or WordPress and should be deleted. It may remain after upgrading to a newer version of WordPress or some software you have. It also may be a piece of unknown obfuscated malware. In some rare cases, it might be a part of a custom-made (bespoke) software.

Content has been modified. This happens when a file has been altered, and the checksum of the file doesn’t match the checksum of the original file. You need to reinstall an appropriate plugin or theme.

Executable code found. A file contains executable code and may contain obfuscated malware. If this file is a part of a theme or a plugin, it must be located in the theme or the plugin folder.

If a file is marked as suspicious or malicious, you can open it safely to view the content of the file. To view the content of a file, click on its name.

Deleting files

You can usually delete any suspicious or malicious file if it has a checkbox in its row in the leftmost cell. Before deleting a file, click the issue link in its row to see an explanation. When you delete a file the plugin moves it to a quarantine folder.

Restoring deleted files

If you delete an important file by chance, you can restore the file from a quarantine folder. The location of the folder is shown on the Tools / Diagnostic page. This folder is not accessible from the Internet.

To restore a deleted file you need to use a file manager in your hosting control panel. The original name and location of the deleted file is saved in the .restore file. It’s a text file so you can open it in a browser or a file viewer.

Troubleshooting

If the scanner window stops responding or updating, it usually means the process of scanning on the server is hung. This might happen due to several reasons, but typically this happens due to a misconfigured server or some hosting limitations. Do the following:

1. Try to disable scanning the session directory or the temp directory (or both) in the scanner settings
2. Open the browser console (use the F12 key on PC or Cmd + Option + J on Mac) and check it for CERBER ERROR messages
3. Enable diagnostic logging

Note: The scanner requires the CURL library to be enabled for PHP scripts. Usually, it’s enabled by default.

What does exactly the scanner scan?

• Scans and verifies all WordPress files
• Scans and verifies all plugins
• Scans and verifies all themes
• Detects not bundled, abandoned, and unattended files
• Inspects file contents for suspicious code signatures
• Inspects any files as if they were executable
• Inspects .htaccess files for malicious directives
• Scans all folders for new and modified files
• Scan all temporary and session folders

Read more about scans: What Cerber Security Scanner scans and detects

Does the integrity checker support commercial themes and plugins?

Absolutely. When you install a theme or a plugin, the scanner takes a snapshot of all files in the plugin or theme ZIP archive and uses it for integrity checking.

Does the integrity checker recognize the version of a plugin or a theme?

Sure! WP Cerber automatically detects which version of WordPress you are running and performs integrity checking with the appropriate version. This version detection and comparison with the correct version also applies to all themes and plugins.

How to control the scanner on multiple websites

You can control and configure the scanner on any number of websites from one, main website. Enable a main website mode on the main Cerber.Hub website and a managed website mode on your other websites to control and monitor all WP Cerber instances from one WordPress dashboard.

Know more about the malware scanner

Automated recurring scans and email reporting for WordPress

Automatic cleanup of malware and file recovery

What Cerber Security Scanner scans and detects

Cerber Security Scanner Settings explained

Troubleshooting malware scanner issues