
Understanding Sucuri Scanner's File Integrity Checks and Common Scenarios

11 threads Sep 16, 2025


If you use the Sucuri Security plugin, you've likely relied on its WordPress Integrity scanner to detect unauthorized changes to your site. However, many users encounter situations where the scanner doesn't report a file they know is malicious or modified. This article explains how the scanner works and clarifies common points of confusion.

How the WordPress Integrity Scanner Works

The plugin's Core Integrity feature is not a full server-side malware scanner. Its primary function is to monitor a specific set of core WordPress directories for changes. It compares the current state of these directories against a known-good set of checksums and a baseline it establishes.

Why Some Files Are Not Detected

Based on community reports and plugin behavior, here are the most common reasons a file might not appear in the scan results:

  • Location Outside Core Directories: The scanner focuses on WordPress core directories (e.g., wp-admin/, wp-includes/). Malicious files uploaded to wp-content/, theme folders, uploads directories, or the site's root will typically not be listed in the Core Integrity scan. This is a frequent source of confusion, as seen in threads where files like indonesia.php or backdoors in wp-content were missed.
  • Files on an "Ignore List": The scanner intentionally ignores some files it considers irrelevant, even if they are found in a core directory. For example, the plugin may ignore a file named wp-rss.php because it existed in very old WordPress versions. If a hacker uses this filename, the scanner may skip it.
  • .htaccess Files: There are reports of the scanner not detecting newly created .htaccess files in certain subdirectories during its scan for "added files."
  • Theme and Plugin Files: Changes to files within themes (like header.php) or plugins are not part of the core integrity check. The scanner is designed to protect WordPress core, not custom code.
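To make the scope rules above concrete, here is an added Python example (not the plugin's own code) that runs a core-only integrity check over a constructed sample install: it reports modified, missing and added files inside the watched directories, and separately lists the unknown files a core-only scan would never report. CORE_DIRS, IGNORE_LIST and the checksum manifest are assumptions mirroring the article's description; a real check would load the manifest for the installed version from WordPress.org's checksum API instead of building it inline.

```python
import hashlib
import os
import tempfile
CORE_DIRS = ("wp-admin/", "wp-includes/")  # scope as the article describes it (assumed)
IGNORE_LIST = {"wp-rss.php"}               # legacy names the scanner skips (assumed)

def file_md5(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()
def integrity_scan(root, manifest):
    """Check core dirs under root against a {relative path: md5} manifest.
    Unknown files outside CORE_DIRS or on the ignore list go to 'out_of_scope':
    these are exactly what a core-only scan never reports."""
    result = {"modified": [], "missing": [], "added": [], "out_of_scope": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif file_md5(path) != expected:
            result["modified"].append(rel)
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel in manifest:
                continue
            key = "added" if rel.startswith(CORE_DIRS) and name not in IGNORE_LIST else "out_of_scope"
            result[key].append(rel)
    return result

def build_sample_site():
    """Constructed install: tampered core file, added core file, ignore-listed name, wp-content file."""
    root = tempfile.mkdtemp()
    files = {
        "wp-includes/version.php": b"<?php $wp_version = '6.6';\n",
        "wp-admin/admin.php": b"<?php // contents differ from the manifest\n",
        "wp-admin/new-file.php": b"<?php // not in the manifest\n",
        "wp-admin/wp-rss.php": b"<?php // legacy filename on the ignore list\n",
        "wp-content/uploads/indonesia.php": b"<?php // outside core directories\n",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    manifest = {  # known-good checksums; admin.php differs, missing.php is absent on disk
        "wp-includes/version.php": hashlib.md5(files["wp-includes/version.php"]).hexdigest(),
        "wp-admin/admin.php": hashlib.md5(b"<?php // original admin.php\n").hexdigest(),
        "wp-includes/missing.php": hashlib.md5(b"<?php // deleted core file\n").hexdigest(),
    }
    return root, manifest
```

Run `integrity_scan(*build_sample_site())` to see that only `wp-admin/new-file.php` shows up as added, while `wp-admin/wp-rss.php` and `wp-content/uploads/indonesia.php` land in `out_of_scope`, which is where a manual or remote scan has to take over.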

What To Do If You Find a File the Scanner Missed

  1. Don't Panic: This behavior is often by design and does not necessarily mean the plugin has failed.
  2. Check the File's Location: Confirm where the file is located. If it's in wp-content or a theme folder, the Core Integrity scanner will not report it.
  3. Review the Audit Logs: The plugin's Audit Logs may have recorded the file's creation if it happened after the plugin was installed and the event was triggered by a detectable action.
  4. Use Remote Scanning: Remember that the local plugin works alongside Sucuri's SiteCheck remote scanner. A remote scan can sometimes detect malicious output (e.g., scripts printed from a database) that a local file scan might miss.
  5. Manual Investigation: For a thorough cleanup, you must investigate all directories via FTP or your hosting file manager, not just rely on the core scan report.

Conclusion

The Sucuri Security plugin's WordPress Integrity tool is an effective monitor for changes to the core WordPress files it is designed to watch. Its scope is intentionally limited. For comprehensive security, it should be used as part of a broader strategy that includes remote malware scanning, strong hardening measures, and manual server inspections, especially after a suspected breach. Understanding its purpose and limitations will help you use it more effectively and avoid false expectations.