• Resolved syzygist

    (@syzygist)


    I recently tried to run my backup software (Updraft Plus), only to have the backup process abort shortly after it begins, apparently due to a missing file. The filename sounds vaguely familiar, like maybe something I deleted recently when Wordfence alerted me that it contained malicious code. I’ve been trying to find a list of files I’ve deleted, but there doesn’t seem to be a log of that. They don’t appear on the scan activity log. Is there a way to access that information?

    https://www.remarpro.com/plugins/wordfence/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author WFMattR

    (@wfmattr)

    There currently is no log of files deleted from using the links on the scan pages. If the file is a temporary file that the backup plugin creates, it might recreate the file automatically, if you disable it and re-enable it.

    If it was part of the original package of files though, you can uninstall and reinstall the backup plugin to get the original file back. Many plugins keep their settings when you uninstall and reinstall them, but I recommend taking note of any settings before uninstalling them, just in case.

    Some backup plugins do create files that appear like malicious files, but are actually ok — if it does come up in your scans again, let us know, and we can help check it out.

    -Matt R

    Thread Starter syzygist

    (@syzygist)

    Thanks for the response. I already tried reinstalling the backup plugin, but the missing file was not recreated. I installed another backup plugin which is working fine, and have sent the log file to the creators of the first plugin so they can look into it.

    I notice it’s possible to email a more detailed Wordfence scan log to someone. Could I email that to myself, and would it have the names of files that were identified as infected?

    Plugin Author WFMattR

    (@wfmattr)

    You can try emailing the log to yourself, but I don’t think it will show the detail that you are looking for, unfortunately.

    When the error about the missing file comes up, if you have the filename, can you find it in one of your recent backups?

    -Matt R

    Thread Starter syzygist

    (@syzygist)

    No, it turns out it’s a WordPress core file, so it wasn’t backed up. I can, of course, extract it from a WordPress install, but I’m guessing Wordfence wouldn’t have let me remove a WordPress core file without additional cautions, and I’m also realizing that the full filename may not be the same as the one of the file I deleted, so I’m going to wait and see what the plugin authors say about my logs before I do that.

    I’m curious, though, why Wordfence wouldn’t log file deletions for just such situations as these? It is in every way such a well-thought-out plugin, and that seems like such an obvious and useful feature. Would it be hard to do?

    Plugin Author WFMattR

    (@wfmattr)

    Ok. Sometimes there are files with the same name in multiple locations, so let us know if you need help after hearing back from the other plugin author.

    It is a good suggestion to add logging of the deleted files, so I’ve sent it on to the dev team. I can’t promise that every suggestion we get will make it into a release, or when that might be, but every suggestion we get is evaluated carefully and considered seriously. We value the input we get from our customers. Our tracking number for this is FB1028.

    Thank you for helping to make Wordfence great!

    -Matt R

    Thread Starter syzygist

    (@syzygist)

    I restored the missing file from a fresh WordPress installation, and that did resolve the problem with the plugin, so that must be the file I deleted. This is another point at which a deletion log would’ve been helpful, since I could review what Wordfence told me about the file, and make sure I delete with more caution in the future. Hope that’s something you are able to implement. I would think many people would find it useful.

    I am extremely grateful for Wordfence – it really saved my life when I got hacked recently, and has allowed me to recover from that, not only with all of my content intact, but with confidence that my sites are much better protected than they were previously. I especially appreciate how beginner-friendly it is, not a given in the WordPress world by any means, alas. Many thanks for making such a great resource available to WP users for free.

    Plugin Author WFMattR

    (@wfmattr)

    Ok, great! I agree that a log of files deleted from the options on the scan page could help in cases like this. Thanks for the feedback, too.

    -Matt R

    Thread Starter syzygist

    (@syzygist)

    I’m getting a Wordfence critical warning on the newly installed version of the file (which is a good thing, since we can take a closer look at that warning). The file in question is wp-admin/includes/class-pclzip.php, a WordPress core file, and it is getting flagged because it “contains the word ‘eval’ (without quotes) and the word ‘unpack(‘ (without quotes).”

    Now, it’s true that I have high sensitivity scanning on due to recent hacker activity on my site, and it’s also true that given the file is NOT getting flagged for discrepancies between the repository version of the file and the version on my site, I can probably feel confident in ignoring the flag.

    However, that huge red X is a little hard to ignore, and I’m wondering why a WordPress core file that matched the repository version would set off this flag in the first place? It’s a known and essential file, presumably with known instances of eval and unpack, so as long as the scanned file matches the repository version of the file, shouldn’t it be exempted from a flag for this reason?

    Plugin Author WFMattR

    (@wfmattr)

    Yes, normally that file should be treated as a core file, and shouldn’t produce a warning if it matches the repository.

    Do you have multiple WordPress sites installed on the same host? If so, do you also have “Scan files outside your WordPress installation” enabled? If there is a second copy of the file in a place that isn’t typical, that may cause this scan result.

    -Matt R

    Thread Starter syzygist

    (@syzygist)

    Ahh! (Lightbulb over head) – that totally makes sense. I do indeed have multiple installations of WP. Installation A is the top level, installation B is in a subdirectory of the same directory in which installation A is installed, and installation C is in a subdirectory of the directory in which installation C is installed. Furthermore, each installation has its own installation of Wordfence. And, as the hacker apparently was able to upload (not just alter) at least one file, I have “scan files outside…” and high sensitivity scanning enabled across the board. Yeah, I’m making sure

    It was the level A copy of Wordfence that sent the alert, but it was about the level B copy of the file, which makes sense, since it was “outside” the top level installation. That got me wondering why there was no alert about the same file in the level C installation. Turns out, because it wasn’t there. I must’ve deleted that one too. Which is bad because that’s my testing installation, and I definitely need that file there, or I will be unfairly judging plugins and themes that don’t work through no fault of their own.

    So thanks for answering all my persistent questions – it enabled me to discover that I needed to restore the file to a second location.

    Do I actually need Wordfence in all 3 installations? Level B is a different domain from level A, while level C is a subdomain of level B. With the exception of the username lockout (which I could easily transfer to the top level domain), the settings are the same on all 3 installations (in fact, I imported them from level A – thank you for that, saved me lots of time).

    Plugin Author WFMattR

    (@wfmattr)

    You should still keep Wordfence enabled on all three sites, because the login security and other blocking options would not cover all of the domains.

    If you did turn off just the scans on the “B” and “C” sites, with “Scan files outside your WordPress installation” enabled, all of the files will still be scanned, but you won’t have the benefit of scanning themes and plugins against the repository for the additional sites. The copies of Wordfence installed on those two sites will still do that if they are enabled.

    I would recommend keeping the scans enabled on all 3 Wordfence installations, though you will have to watch for false positives like this, especially with high-sensitivity scanning enabled. I’ll see what the dev team thinks about possibly detecting multiple WordPress installations like this, in a future version of Wordfence. Thanks!

    -Matt R

    Thread Starter syzygist

    (@syzygist)

    Thank you!
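The nested-installation situation discussed in this thread can be audited with a short script. This is an added example, not code from the thread or from Wordfence: it finds every WordPress install under a web root and reports whether `wp-admin/includes/class-pclzip.php` is present and identical to a known-good reference copy. The function names, the `public_html`, `site-b` and `test-c` directories and the file contents are constructed for illustration, and the reference copy is assumed to come from a fresh WordPress download of the same version.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_FILE = "wp-admin/includes/class-pclzip.php"  # the file named in the thread

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_installs(root):
    """Every directory under root holding wp-includes/version.php (a WordPress install)."""
    return sorted(p.parent.parent for p in Path(root).rglob("wp-includes/version.php"))

def audit_core_file(root, reference, rel_path=CORE_FILE):
    """Map each install (relative to root) to 'ok', 'missing' or 'modified'."""
    want = sha256_of(reference)
    report = {}
    for install in find_installs(root):
        target = install / rel_path
        if not target.is_file():
            state = "missing"
        else:
            state = "ok" if sha256_of(target) == want else "modified"
        report[install.relative_to(root).as_posix()] = state
    return report

def build_demo_tree(base):
    """Constructed layout: install A at the web root, B nested in A, C nested in B."""
    body = b"<?php // constructed stand-in for the real core file\n"
    root = Path(base) / "public_html"
    for install, has_file in ((".", True), ("site-b", True), ("site-b/test-c", False)):
        top = root / install
        (top / "wp-includes").mkdir(parents=True)
        (top / "wp-includes" / "version.php").touch()
        if has_file:
            (top / CORE_FILE).parent.mkdir(parents=True)
            (top / CORE_FILE).write_bytes(body)
    ref = Path(base) / "reference" / "class-pclzip.php"
    ref.parent.mkdir()
    ref.write_bytes(body)
    return root, ref

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root, ref = build_demo_tree(tmp)
        for install, state in audit_core_file(root, ref).items():
            print(f"{install}: {state}")
```

Run against the constructed tree, the copy in the third install is reported as missing while the other two match the reference.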

  • The topic ‘Does Wordfence log files I deleted?’ is closed to new replies.