SiteFort security guide

Scanner

When to scan, which scan type to use, how to read findings, and what schedule makes sense for your site. The Scanner covers more than malware.

What the scanner checks

Go to SiteFort → Scanner.

The SiteFort Scanner is cloud-connected and checks more than just malware. A full scan covers:

  • Malware indicators and known malicious file signatures
  • Unauthorized file changes against a known-good baseline
  • Sensitive data exposure: credentials, keys, or config data accessible publicly
  • Account and permission issues: unexpected administrators, weak user state
  • Database concerns: suspicious options, injected content
  • Reputation: whether the site or its IP appears on blocklists
  • Known vulnerabilities in plugins, themes, and WordPress core

Understanding this scope matters when reviewing findings. A flagged file in the uploads folder means something different from a flagged database option, and the two require different responses.

Before the first scan: confirm your license is active and cloud scanning is available. If the Scanner shows a License Required banner or a scan credits message, resolve that first. Changing scan scope does not fix a connection or license issue.

Standard vs Deep Scan

Use Standard Scan for regular protection. Use Deep Scan when something specific prompts a thorough check.

Situation | Use this scan
--- | ---
First scan after installing SiteFort | Standard
Routine weekly or daily monitoring | Standard
After installing or updating plugins and themes | Standard
Suspicious redirects, SEO spam, or unknown admin users | Deep
Hosting provider flagged the site for malware | Deep
After cleaning up a compromised site | Deep, then Standard for follow-up
Pre-launch security check | Deep
Standard scan findings suggest something deeper is wrong | Deep

Scan schedule

Go to SiteFort → Scanner → Scanner Configuration → Scan Frequency.

Scheduled scans turn security from a manual task into continuous monitoring. Set a schedule that matches how actively the site changes and how quickly you would want to know about a compromise.

Site type | Recommended schedule
--- | ---
Small business or brochure site | Weekly
Low-change static site | Weekly or monthly
WooCommerce store | Daily or weekly depending on order volume
Membership or LMS site | Daily or weekly
Recently cleaned compromised site | Daily for the first two to four weeks
Agency-managed client site | Match to the client's maintenance plan and risk level

Manual Only is available but not recommended for unattended production sites. If no one is running scans regularly, issues go undetected until they become incidents.

Scan notifications

A scan schedule without notifications is only half useful. Make sure scan-findings and scan-failed alerts are configured to reach whoever can actually act on them. See the Security Notifications guide for recommended alert settings.

Handling findings

Open the Findings panel after a scan. Work through Critical and High findings before reviewing Medium and Low.

Do not bulk delete. Read each finding before acting. A file in the uploads folder, a plugin directory, and the WordPress root all mean different things. Deleting the wrong file can break the site.

1. Read the finding first

Check severity, file path, and whether a diff is available. Use View file or View diff before deciding on an action.

2. Choose the right action

Use Repair when SiteFort can restore a known-good version. Use Delete only when the file is clearly malicious or has no legitimate purpose.

3. Use Ignore intentionally

Ignore only verified false positives. Ignored findings stay visible under the Ignored filter and can be reviewed or unignored later.

4. Verify after cleanup

Run another scan after repair, deletion, or updates. Confirm the Dashboard no longer shows unresolved findings before closing the incident.

Findings that keep coming back

If a finding reappears after cleanup, the source is still active. Check whether a compromised plugin, theme, scheduled task, or external deployment pipeline is regenerating the file. Review the Audit Log and hosting file modification logs around the time the file returns. Run a Deep Scan and rotate administrator passwords if account compromise is possible.
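
One way to do the file-modification review described above when you have shell access to the host. This is an added example, not SiteFort code: it lists every file whose modification time falls within a few minutes of the reappeared file, which often points at the plugin, theme, or job that wrote it. The function names, paths, and timestamps are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def changed_near(root, finding, window_s=300):
    """Files modified within window_s seconds of the reappeared file.
    Returns (relative path, offset in seconds) sorted by time."""
    root = Path(root)
    t0 = (root / finding).stat().st_mtime
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                delta = p.lstat().st_mtime - t0
            except OSError:
                continue  # file vanished during the walk
            rel = p.relative_to(root).as_posix()
            if rel != finding and abs(delta) <= window_s:
                hits.append((rel, round(delta)))
    return sorted(hits, key=lambda h: h[1])

def build_sample_tree(base):
    """Constructed sample site: one flagged upload and three other files."""
    t_return = 1_700_000_000  # constructed time at which the file came back
    layout = {
        "wp-content/uploads/2024/cache.php": t_return,  # the finding
        "wp-content/plugins/example-plugin/inc/job.php": t_return - 40,
        "wp-content/themes/example-theme/functions.php": t_return + 90,
        "wp-includes/version.php": t_return - 86_400 * 30,  # a month old
    }
    for rel, mtime in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed sample\n")
        os.utime(p, (mtime, mtime))
    return "wp-content/uploads/2024/cache.php"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        finding = build_sample_tree(base)
        # Prints the plugin file at -40s and the theme file at +90s.
        for rel, delta in changed_near(base, finding):
            print(f"{delta:+5d}s  {rel}")
```

Modification times can be reset by whoever wrote the file, so treat the result as a lead and confirm it against the Audit Log and the hosting provider's own logs.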

Severity as a triage guide

Severity | When to act
--- | ---
Critical | Immediately. Do not wait for a maintenance window.
High | Same day. Review firewall and audit logs for suspicious activity around the same time.
Medium | Next maintenance window.
Low | During normal updates. Do not ignore indefinitely.

Scanner configuration

Go to SiteFort → Scanner → Scanner Configuration.

Setting | Recommended | Watch out for
--- | --- | ---
Excluded Paths | Exclude cache and build folders only | Do not exclude uploads, plugins, themes, or root files to make findings disappear. Exclusions hide real problems. Only exclude paths you are certain do not need security review.
Quarantine Retention | Long enough for rollback and client review | Shorter retention saves storage but removes your safety net if a repair turns out to have been wrong.
Scan Intensity | Standard for daily runs, Deep for post-incident | Deep scans take longer and use more scan credits. Reserve them for situations where a Standard scan is not sufficient.
Notifications | Send to whoever acts on findings | Alerts sent to an inbox nobody monitors are the same as no alerts. See the Security Notifications guide.