• Resolved phillcoxon

    (@phillcoxon)


    Hi there!

    Thanks for the awesome plugin.

    I’ve just found a number of hidden php files on a malware infected client site – hidden in WP core and a couple of plugins.

    Running the WordFence scans regularly with the option to compare against the WP repository and files outside of WP has not picked these up.

    Would someone please confirm that the WordFence scan against repos only checks files that match those in the official repo but not any additional files in the Core / Plugin / Theme folders?

    It would be immensely useful if the scan alerted to additional files in WP Core, plugins and themes that are not in the official repos (i.e.: hidden malware scripts / backdoors etc). A notification that says “hey, we found this file in plugin folder xxxx/ but it doesn’t exist in the official repository”.

    Thank you!

    https://www.ads-software.com/plugins/wordfence/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter phillcoxon

    (@phillcoxon)

    I just looked at the repo and found it’s already in WordFence: https://github.com/wp-plugins/wordfence/blob/master/lib/unknownFiles.php

    I just can’t see how to trigger this through the WordFence interface. Has this feature been removed?

    Thanks!

    This is probably what you want:
    – On the option page

    Scan core files against repository versions for changes
    Scan theme files against repository versions for changes
    Scan plugin files against repository versions for changes

    tim

    Thread Starter phillcoxon

    (@phillcoxon)

    Hi Tim,

    Sorry for the slow reply.

    These options only scan against the official files in the repo. If there are new files then the scan doesn’t pick them up.

    i.e.: pluginname/maliciousfile.php

    maliciousfile.php isn’t in the official plugin repo so isn’t reported as being changed but still needs to be identified as a file that isn’t in the repo and shouldn’t be there.

    As pointed out above there is clearly code in wordfence (or used to be) that lists additional found files that are not included in the official plugin/theme but it’s currently not being triggered.

    The bottom line is that it appears that it is super easy to hide malware in WP-Core or a plugin or theme folder. If it’s a new file that doesn’t exist in the official repo the “compare against repository versions” scan doesn’t pick it up? I did some tests a week ago that failed to pick up malware this way.

    Thanks!
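    The check phillcoxon is describing is a set comparison: the files actually present under a plugin (or theme, or core) directory versus the files that ship in the official package for that version. The repo-diff scan covers known files whose contents differ; the "should not be here" case is the set of local paths that have no counterpart in the package at all. The script below is an added illustration of that logic, not Wordfence code and not taken from the thread. It builds a small constructed plugin tree (`pluginname/`, with the hypothetical `maliciousfile.php` from the post above), and the "official" manifest is a constructed stand-in for the path-to-SHA-256 map one would derive from the real plugin zip; the file names and contents are invented for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_to_manifest(install_dir, manifest):
    """Compare an installed directory against a package manifest.

    manifest: {relative_posix_path: sha256_hex} describing the official package.
    Returns (unknown, modified, missing), each a sorted list of relative paths:
      unknown  - present locally, absent from the package (the backdoor case)
      modified - present in both, content differs (what the repo-diff scan finds)
      missing  - in the package, not present locally
    """
    install_dir = Path(install_dir)
    local = {
        p.relative_to(install_dir).as_posix(): sha256_file(p)
        for p in install_dir.rglob("*")
        if p.is_file()
    }
    unknown = sorted(set(local) - set(manifest))
    missing = sorted(set(manifest) - set(local))
    modified = sorted(
        rel for rel in local.keys() & manifest.keys() if local[rel] != manifest[rel]
    )
    return unknown, modified, missing


# Constructed stand-in for the official package contents. In practice this map
# comes from the plugin zip for the installed version (path -> sha256 of each entry).
OFFICIAL_FILES = {
    "pluginname.php": b"<?php\n/* Plugin Name: Example (constructed) */\n",
    "readme.txt": b"=== Example ===\nConstructed sample readme.\n",
    "inc/helpers.php": b"<?php\nfunction example_helper() {}\n",
}
OFFICIAL_MANIFEST = {
    rel: hashlib.sha256(data).hexdigest() for rel, data in OFFICIAL_FILES.items()
}


def build_sample_install(root):
    """Write a constructed, tampered install: one file altered, one dropped in, one removed."""
    root = Path(root)
    for rel, data in OFFICIAL_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    # Known file with an appended line: caught by a hash comparison.
    (root / "inc" / "helpers.php").write_bytes(
        OFFICIAL_FILES["inc/helpers.php"] + b"// injected line (constructed)\n"
    )
    # Hypothetical extra file: has no repository counterpart, so a pure
    # "compare known files against the repo" scan never looks at it.
    (root / "maliciousfile.php").write_bytes(b"<?php // constructed placeholder\n")
    # A shipped file that has been deleted locally.
    (root / "readme.txt").unlink()
    return root


def demo():
    """Build the sample tree in a temp dir and return the three result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        install = build_sample_install(Path(tmp) / "pluginname")
        return compare_to_manifest(install, OFFICIAL_MANIFEST)


if __name__ == "__main__":
    unknown, modified, missing = demo()
    for rel in unknown:
        print(f"UNKNOWN  pluginname/{rel}  (not in official package)")
    for rel in modified:
        print(f"MODIFIED pluginname/{rel}")
    for rel in missing:
        print(f"MISSING  pluginname/{rel}")
```

    The manifest for a real plugin is built from the zip of the exact installed version (list its entries, hash each one); the same approach works for WordPress core, where `wp-includes/` and `wp-admin/` should contain only packaged files. An "unknown" hit is a candidate for review rather than a verdict, since some files are legitimately created at runtime (caches, uploaded translation files), so the report should list paths for a human to triage, which is essentially what the quoted unknownFiles.php heading describes.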

    Thread Starter phillcoxon

    (@phillcoxon)

    Hi WF Support – still waiting for a clear answer on this.

    Do the theme / plugin / core scans identify and scan files that are NOT in the official theme repositories? Yes, I know it will compare all known files with their versions in the repo. I’m asking about other backdoor / malicious files hidden in core / plugins / themes.

    From the quick testing I’ve done it looks like they aren’t scanned and identified and yet there is code in the WordFence git repo that specifically shows a report that does this:

    https://github.com/wp-plugins/wordfence/blob/master/lib/unknownFiles.php

    “<h1>Wordfence: Files found that don’t belong to WordPress Core or known Themes and Plugins.</h1>”

    How do we run this report to find files hidden in themes / plugins / core that should not be there?

    Thanks!

    I apologize for the slow response but this has been a really busy week for us. I am asking about this in our weekly call today.

    To be clear, these are plugins and themes that are available at www.ads-software.com, correct?

    tim

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi,

    Thanks for the feedback. We’ve entered this as a feature request. We actually used to do this i.e. alert on files that are not recognized in core but were in core directories. So we’re looking at offering this again but as an option.

    Also just FYI, we don’t maintain that git repo, so if it’s a reliable mirror of what’s currently in the SVN repository then I guess you can use that, but make sure it is.

    Thanks for the feedback.

    Regards,

    Mark.

    Thread Starter phillcoxon

    (@phillcoxon)

    @tim – yes, referring to any plugin / theme available at www.ads-software.com. It’s great if WordFence checks all theme / plugin / core files against your repos, but if there are other malicious files hidden in the same folder not being checked it pretty much defeats the point of scanning those folders.

    @mark – great to hear! The “should not be here” file check needs to be done in Core, Theme and Plugin folders. Matched with the “search files outside of WordPress” it will give pretty much full coverage.

    Thank you!

    Did this ever get resolved? We just had the same issue – the site got hacked by someone uploading a malicious file but the scanner does not pick it up (v6.0.17)

    Is there a scan option I’m missing somewhere?

  • The topic ‘Comparing plugins / core against repo doesn't find unrecognised files?’ is closed to new replies.