The all-new Safe Repair feature makes repairing and quarantining malicious files with Defender Pro smoother and safer than ever before for WordPress users!

The Hub: Defender - Quarantine Widget
View quarantined files using Defender’s Safe Repair feature from The Hub.

Defender, WPMU DEV’s powerful WordPress security plugin, recently launched its all-new version 4.1, which ensures maximum compatibility with the latest version of WordPress and, more importantly for Pro users, streamlines the process of repairing and quarantining modified and suspicious files, offering users a safer alternative to deleting files.

In this post, we’ll focus on this new feature and cover the following areas:

Let’s jump right in…

What is Defender’s Safe Repair Feature?

As a user-driven company, we listen to what our members and users want. Especially when it comes to addressing issues, as outlined in the comments below from our Defender plugin users:

  • “I was running a malware scan with Defender Pro, and I think I accidentally deleted a file which I shouldn’t have. Now the website is down with a critical error.”
  • “Our website is currently down after removing two attached files that Defender Pro recommended removing.”
  • “It would be wonderful if Defender Pro allowed us to quarantine a file in addition to the options of deleting a file or ignoring it.
    That way if the suspicious file breaks the site, it can be restored easily instead of having to restore the entire site from a backup.”

Using the above feedback, our developers decided to improve our security plugin and add the following options to avoid serious issues and errors on users’ WordPress sites:

  1. Repair and Quarantine/backup suspicious files so these can be restored if necessary.
  2. Repair and Quarantine/backup modified files so these can be restored if necessary.

Defender Malware Scanning scans your entire site for suspicious code or modified files and published vulnerabilities in plugins, themes, and WordPress core.

The new Safe Repair feature applies to reported suspicious and modified files, allowing these to be quarantined, deleted, or replaced with the latest file copies from their official plugin repository.

Defender Pro - Plugin vulnerability message
Defender detects and warns users of plugin, theme, and core vulnerabilities. Note: the plugin shown in the above screenshot was modified for illustrative purposes.

How Does Safe Repair Work?

As explained earlier, Defender Pro’s Safe Repair feature within the Malware scanning section is designed to streamline the process of quarantining files before repairing or deleting them, offering a safer alternative to outright deletion of suspicious or modified files.

Here’s how Defender Pro handles these requests from version 4.1 onward:

Suspicious Files

Defender flags PHP functions, code, and files when they vary from what is expected or when they match known issues.

Defender- Suspicious file
Defender detects and flags files with suspicious code.

Once a flagged function or suspicious code has been verified as suspicious, Defender presents you with three actions: Ignore, Delete, or Safe Repair (note: you may need to deactivate the plugin for the ‘Delete’ option to become active).

Prior to v4.0, deleting suspicious files would occasionally cause a plugin, theme, or even the entire website to break. Often, this is caused by code from the plugin or theme itself being flagged by Defender as being suspicious.

The problem, however, appears when it’s a false positive, meaning that the flagged file isn’t malicious per se, but part of the plugin’s (or theme’s) core files and contains risky code added by the theme or plugin developer. Hence, deleting this file could cause errors on the site, break functionality, or even break the entire site.

From Defender Pro v4.1 onward, users can now opt to repair and quarantine/back up suspicious files for 30 days or more, instead of deleting the file right away. Files are stored under the new quarantine tab, allowing you to restore these if needed, including restoring files manually. This provides a fail-safe method to handle suspicious files and offers a restoration option if things go wrong or the flagged file turns out to be a false positive.

Note: The Safe Repair option becomes available only if the suspicious code found differs from the plugin’s original code. Also, Safe Repair only works with WordPress.org plugins currently.

Modified Files

If code in a plugin, theme, or WordPress core file doesn’t match what is found in the official WordPress repository, Defender will flag the file as a Modified file. Restoring the original file fixes this issue.

Earlier versions of Defender (and Defender Free plugin) feature a “Restore” button in the plugin’s Malware Scanning section, which fetches a fresh file from the WordPress repository and replaces the existing file in the server directory.

Defender Pre v4 - Restore files
Earlier versions of Defender offer only the option to restore modified files with a fresh version of the file.

However, when a file has been modified by an admin or site developer (e.g. by adding a custom code for a certain functionality), deleting or replacing the file with its original can result in the loss of custom code or functionality, and in some cases, lead to sites breaking.

In Defender Pro, Restore is now Safe Repair. This new feature not only replaces the modified file with the original file from the WordPress repository, it also adds an option to quarantine the modified file before replacing it, allowing users to restore the file if required.

Defender v4.0 - Safe Repair button
The new Safe Repair feature of Defender Pro allows users to restore replaced files.

Repairing Files

Repair is a handy feature to have when a file in the server directory gets modified for any reason. It smartly fetches a fresh file from the WordPress repository and swaps it with the current file in the server directory. (See below for more details on how to use this feature.)

Quarantined Files

Modified and/or suspicious files on your server are quarantined and moved to a remote directory (/wp-content/.defender-security-quarantine), allowing you to restore the files if needed (explained in more detail further below).
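
The quarantine-then-replace flow described in this section, sketched as an added Python example (not Defender’s code, and not part of the original post). The function names, the JSON metadata file and the `.quarantined` naming are assumptions made for illustration; Defender’s actual on-disk quarantine layout is not described in this post.

```python
import hashlib, json, shutil, time
from pathlib import Path

RETENTION_DAYS = 30  # default quarantine period stated in the article

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def is_modified(live, reference):
    """A file is 'modified' when its hash differs from the reference copy."""
    return sha256(live) != sha256(reference)

def safe_repair(live, reference, quarantine_dir, now=None):
    """Back up the live file into quarantine, then swap in the reference copy.
    Returns the quarantine entry, or None when the file is unmodified."""
    live, qdir = Path(live), Path(quarantine_dir)
    if not is_modified(live, reference):
        return None
    now = time.time() if now is None else now
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256(live)
    # Assumed naming: no .php extension, so the stored copy is inert data.
    entry = qdir / f"{digest[:16]}-{int(now)}.quarantined"
    shutil.copy2(live, entry)  # quarantine first, so the repair is reversible
    meta = {"original_path": str(live), "sha256": digest, "quarantined_at": now}
    entry.with_suffix(".json").write_text(json.dumps(meta))
    tmp = live.with_name(live.name + ".repair-tmp")
    shutil.copy2(reference, tmp)
    tmp.replace(live)  # atomic rename: the site never sees a half-written file
    return entry

def restore(entry):
    """Put a quarantined file back, refusing if the stored copy was altered."""
    entry = Path(entry)
    meta = json.loads(entry.with_suffix(".json").read_text())
    if sha256(entry) != meta["sha256"]:
        raise ValueError("quarantined copy changed since it was stored")
    shutil.copy2(entry, meta["original_path"])
    return Path(meta["original_path"])

def purge_expired(quarantine_dir, now=None, days=RETENTION_DAYS):
    """Delete entries older than the retention period; return their paths."""
    now = time.time() if now is None else now
    removed = []
    for meta_file in Path(quarantine_dir).glob("*.json"):
        meta = json.loads(meta_file.read_text())
        if now - meta["quarantined_at"] > days * 86400:
            meta_file.with_suffix(".quarantined").unlink(missing_ok=True)
            meta_file.unlink()
            removed.append(meta["original_path"])
    return removed
```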

How to Use Defender’s Safe Repair Feature

To use the new Safe Repair feature, make sure you have installed Defender Pro and that the plugin is running the latest version. If you are currently using our free Defender WordPress Security plugin, consider upgrading to Pro by becoming a WPMU DEV member.

Also, make sure that you have enabled the plugin’s settings as shown below for the Safe Repair feature to work.

Defender Settings
The above settings must be enabled for Safe Repair to work.

With Defender Pro v4.1 (minimum) installed and the above settings configured, run a fresh Malware Scan by going to Defender > Malware Scanning > New Scan.

Defender - Malware scan
Run a malware scan in Defender.

Once the scan is completed, check for modified or suspicious files.

Defender Malware Scan results
A malware scan showing modified files and suspicious code detected.

Next, click on the Malware Scanning > Issues tab.

Defender - Malware Scan Safe Repair

Select a file and click on the Safe Repair button.

You will be given the option to repair and/or quarantine the selected file.

Defender Repair File feature
We recommend quarantining files before repairing them.

Note that by default, quarantined files will remain isolated for 30 days before being automatically deleted. You can configure quarantine duration in the Malware scanning settings if you want to change this default period.

Defender Quarantine settings
You can change the quarantine period in the Malware Scanning settings section.

Restoring Quarantined Files

You can restore quarantined files in one of two ways:

  1. Via WordPress Admin: Go to Defender > Malware scanning > Quarantined section.
  2. Via The Hub: Use the Quarantined Hub widget under the Security tab.

Restoring Quarantined Files Via The WordPress Admin

Quarantined files are listed under the new quarantine tab.

Defender Quarantined section
Defender stores all of your quarantined files in the Quarantined section.

To restore quarantined files from your WordPress admin, log into your WordPress site, and go to Defender Pro > Malware Scanning > Quarantined.

Defender Pro - Malware Scanning - Quarantined section
View all of your quarantined files in the Malware Scanning section.

This section lets you go through your quarantined files and choose to either restore or permanently delete these.

Defender Quarantined Files - Options
Restore or delete your quarantined files.

Files can also be restored manually by downloading them from /wp-content/.defender-security-quarantine.

Restoring Quarantined Files Via The Hub

The Hub’s Security tab lists your most recent quarantined files (up to a maximum of 5 files) and provides the following options, depending on whether the website is running or not.

  • If the website is up – files can be restored from the Hub.
  • If the website is down – instructions will display on how to restore the quarantined file(s) manually using FTP/SSH.

The Hub - Quarantined Files widgets
Monitor quarantined files in The Hub’s Security section.

Repair Files Safely Using Defender

Defender 4.1 now lets you combine quarantining and repairing for modified or suspicious files, isolating files instead of deleting them entirely. This lessens the risk of breaking your site, as quarantined files can be restored if required.

For full details on using the new Safe Repair feature and all of its options, see the Defender plugin documentation section.

Have you used Defender’s Safe Repair feature yet? Share your experiences and feedback in the comments below.