Scan WordPress For File Changes Using Wordfence – Better WordPress Security | WP Learning Lab

In this tutorial I’m going to show you what types of information the Wordfence Security plugin can turn up when you use it to run a scan of your website files. Just to give you an idea, this plugin helps with:

1. WordPress site safety
2. Finding malicious code in WordPress
3. Checking WordPress for exploits
4. Preventing weaknesses in WordPress
5. Improving WordPress protection
6. WordPress theme issues
7. Checking WordPress for viruses

The WP Wordfence plugin is a great WordPress safety solution. So, let’s get started using this WordPress plugin.

First, you’ll have to install the plugin. You can find it by going to the Plugins area in your WordPress dashboard and clicking on Add New. Following that, search for Wordfence. It is the one with the yellow shield for the image.

There is a free and a paid version of Wordfence. Everything you’ll see in this tutorial is done using the free version of the plug-in.

Once installed and activated find the Wordfence menu item in the bottom left and click on it. This will take you to the WordPress scan site page. Click on Start A Scan.

Once the scan is complete, Wordfence will give a diagnosis in these categories:

– Remote scan of public facing site only available to paid members (Paid Members Only)
– Check if your site is being Spamvertized is for paid members only (Paid Members Only)
– Checking if your IP is generating spam is for paid members only (Paid Members Only)
– Scanning your site for the HeartBleed vulnerability
– Fetching core, theme and plugin file signatures from Wordfence
– Fetching list of known malware files from Wordfence
– Comparing core WordPress files against originals in repository
– Comparing open source themes against originals
– Comparing plugins against originals
– Scanning for known malware files
– Scanning file contents for infections and vulnerabilities
– Scanning files for URLs in Google’s Safe Browsing List
– Scanning database for infections and vulnerabilities
– Scanning posts for URL’s in Google’s Safe Browsing List
– Scanning comments for URL’s in Google’s Safe Browsing List
– Scanning for weak passwords
– Scanning DNS for unauthorized changes
– Scanning to check available disk space
– Scanning for old themes, plugins and core files

When you scroll further down the scan page Wordfence will show you all the items that need your attention. Here you will find:

1. plugins and themes that need updating
2. files and code that appear suspicious and
3. file contents that have changed from the originals

You do have to go through and decide whether the file changes are threats or if the files are legitimately changed by the developer.

That’s how you use Wordfence to scan your website and determine if files have been changed.

I hope this information helps you! If you have any questions leave a comment below or ping me @WPLearningLab on Twitter.


  1. I often receive an email from my All in one WP security plugin: "File change detection + file name like Yoast plugin………. etc." So it means I'm hacked? I already re-installed the whole WordPress 3 times after this email and now I get another one, so what should I do? Re-install WordPress again? I receive it from the premium plugin which I purchased from a third party seller, and I think that plugin needs an upgrade.

  2. Hiya! I comment on your videos from time to time as I had hackers get me locked out of WordPress a number of times due to my settings. I only run the website to complement my YouTube channel and never intended to put much effort into the website. I started using WordPress knowing nothing about it, which I am learning is a dangerous thing lol. I am pretty sure I have things under control now, I got Wordfence recently and am watching your related videos now. Is there any other program that I definitely need to install and learn about to be secure? Thanks for all the help!

  3. Problems found scanning for unknown files in wp-admin and wp-includes, file name wp-admin/65. If I want to delete this (delete this file (can't be undone)), is that the right thing to do?

  4. Hi, I'm a fan of your videos, they are very intuitive and clear. However, the more I see your videos the more confused I get about which service or plugin is better for the security of a WordPress site, and I don't want to fill sites with a lot of plugins that I won't even check frequently. Could you give a hand with which service or plugin you would go with… it does not matter if they are paid services… Sucuri? All in one WP security, Wordfence, iThemes Security… thanks in advance

  5. I've had this plug-in installed for over a week with several scans started but nothing is showing up in the 'Scan Summary' box…..ever.
    after reading the WordFence help site, I found out this:
    Make sure you have not set up a secondary password to protect access to /wp-admin/. This is a bad idea and will break Wordfence scanning along with any public AJAX functionality in WordPress. Read more about this on this blog entry. 
    I have the secondary password installed as you instructed in another tutorial; so WordFence will not work for me.

