How to Scan for Files That Should Not Be In Your WordPress Install

Scan & Remove Files That Should Not Be On Your WordPress Install


Backup files, such as MySQL dumps and copies of wp-config.php, should not be stored in your WordPress install’s public_html (root folder).

A backup copy of wp-config.php gives a site attacker an easy way to find the database credentials.

With these credentials, an attacker can connect directly to your site’s database to insert content, or create an admin user and then install and deploy malicious content to your site through plugin installs.

Wordfence Security Plugin

Wordfence is one of the easiest security plugins to use to scan for those types of files.

To ensure that files outside of your WordPress installation are included in the Wordfence site scan, you’ll need to enable that option in wp-admin by going to:

Wordfence > All Options


The next time you run an on-demand scan, or when the site scan runs on its set schedule, files outside of the WordPress installation will be included in the scan.

You can also have the scan include image files, which could be executable files renamed with an image extension. Both of those scanning options must be turned on manually, since neither is enabled by default.

To access site scan results and start an on-demand scan in Wordfence in wp-admin, go to:

Wordfence > Scan


If any files are found that you do not recognize, or if the scan results show that you have a backup or other files that should not be stored on the site’s server, it is recommended to delete them.
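To cross-check for the same kinds of files by hand, here is an added example (not Wordfence or MainWP code) that walks a web root and flags wp-config.php copies containing database credentials, MySQL dumps, and image files that contain PHP. The matching rules, function names, and sample files are assumptions constructed for illustration.

```python
import gzip
import re
import tempfile
from pathlib import Path

# Heuristics assumed for this example; they are not Wordfence's detection rules.
SHIPPED = ("wp-config.php", "wp-config-sample.php")  # live config, stock sample
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".ico")
DB_SECRET = re.compile(rb"define\(\s*['\"]DB_PASSWORD['\"]")
SQL_HEADER = re.compile(rb"-- (MySQL dump|MariaDB dump|phpMyAdmin SQL Dump)")

def read_head(path, limit=65536):
    """Return the first bytes of a file, unpacking .gz archives on the fly."""
    opener = gzip.open if path.suffix.lower() == ".gz" else open
    try:
        with opener(path, "rb") as fh:
            return fh.read(limit)
    except (OSError, EOFError):
        return b""

def classify(path):
    """Return a finding label for one file, or None when nothing matches."""
    name, head = path.name.lower(), read_head(path)
    if name not in SHIPPED and DB_SECRET.search(head):
        return "wp-config copy with database credentials"
    if name.endswith((".sql", ".sql.gz")) or SQL_HEADER.match(head):
        return "database dump"
    if name.endswith(IMAGE_EXT) and b"<?php" in head:
        return "PHP code inside an image file"

def scan(root):
    """Walk root and return {relative path: finding} for every flagged file."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): hit for p in files if (hit := classify(p))}

def build_sample_root():
    """Create a constructed sample web root so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    cfg = b"<?php\ndefine( 'DB_PASSWORD', 'constructed-example' );\n"
    dump = b"-- MySQL dump 10.13\nCREATE TABLE wp_users (ID int);\n"
    samples = {"wp-config.php": cfg, "wp-config.php.bak": cfg, "export.txt": dump,
               "backups/site.sql.gz": gzip.compress(dump), "uploads/ok.jpg": b"\xff\xd8\xff",
               "uploads/logo.png": b"\x89PNG\r\n\x1a\n<?php /* constructed */"}
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

if __name__ == "__main__":
    print("\n".join(f"{v}: {k}" for k, v in sorted(scan(build_sample_root()).items())))
```

Because it checks file contents as well as names, a dump saved as export.txt is still reported, while the live wp-config.php is not.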

Did You Know? MainWP has a Wordfence Extension that allows you to check the security of all Wordfence-installed Child Sites directly from a centralized MainWP Dashboard.
