Prevent Accidental File Deletion and Site Downtime With New Defender Safe Repair


The all-new Safe Repair feature makes repairing and quarantining malicious files with Defender Pro smoother and safer than ever before for WordPress users!

View quarantined files using Defender’s Safe Repair feature from The Hub.

Defender, WPMU DEV’s powerful WordPress security plugin, recently launched its all-new version 4.1, which ensures maximum compatibility with the latest version of WordPress and, more importantly for Pro users, is designed to streamline the process of repairing and quarantining modified and suspicious files, offering users a safer alternative to deleting files.

In this post, we’ll focus on this new feature and cover the following areas:

Let’s jump right in…

What is Defender’s Safe Repair Feature?

As a user-driven company, we listen to what our members and users want, especially when it comes to addressing issues like those outlined in the comments below from our Defender plugin users:

  • “I was running a malware scan with Defender Pro, and I think I accidentally deleted a file which I shouldn’t have. Now the website is down with a critical error.”
  • “Our website is currently down after removing two attached files that Defender Pro recommended removing.”
  • “It would be wonderful if Defender Pro allowed us to quarantine a file in addition to the options of deleting a file or ignoring it.
    That way if the suspicious file breaks the site, it can be restored easily instead of having to restore the entire site from a backup.”

Using the above feedback, our developers decided to improve our security plugin and add the following options to avoid serious issues and errors on users’ WordPress sites:

  1. Repair and Quarantine/backup suspicious files so these can be restored if necessary.
  2. Repair and Quarantine/backup modified files so these can be restored if necessary.

Defender Malware Scanning scans your entire site for suspicious code or modified files and published vulnerabilities in plugins, themes, and WordPress core.

The new Safe Repair feature applies to reported suspicious and modified files, allowing these to be quarantined, deleted, or replaced with the latest file copies from their official plugin repository.

Defender detects and warns users of plugin, theme, and core vulnerabilities. Note: the plugin shown in the above screenshot was modified for illustrative purposes.

How Does Safe Repair Work?

As explained earlier, Defender Pro’s Safe Repair feature within the Malware Scanning section is designed to streamline the process of quarantining files before repairing or deleting them, offering a safer alternative to deleting suspicious or modified files outright.

Here’s how Defender Pro handles these requests from version 4.1 onward:

Suspicious Files

Defender flags PHP functions, code, and files when they vary from what is expected or when they match known issues.

Defender detects and flags files with suspicious code.

Once a flagged function or suspicious code has been verified as suspicious, Defender presents you with three actions: Ignore, Delete, or Safe Repair (note: you may need to deactivate the plugin for the ‘Delete’ option to become active).

Prior to v4.0, deleting suspicious files would occasionally cause a plugin, theme, or even the entire website to break. Often, this happened because code from the plugin or theme itself had been flagged by Defender as suspicious.

The problem arises when the detection is a false positive, meaning that the flagged file isn’t malicious per se, but is one of the plugin’s (or theme’s) core files and contains risky code added by the theme or plugin developer. Deleting such a file could cause errors on the site, break functionality, or even break the entire site.

From Defender Pro v4.1 onward, users can opt to repair and quarantine/back up suspicious files for 30 days or more, instead of deleting the file right away. Files are stored under the new quarantine tab, allowing you to restore these if needed, including restoring files manually. This provides a fail-safe method to handle suspicious files and offers a restoration option if things go wrong or a detection turns out to be a false positive.

Note: The Safe Repair option becomes available only if the suspicious code found differs from the plugin’s original code. Also, Safe Repair currently works only with plugins.

Modified Files

If code in a plugin, theme, or WordPress core file doesn’t match what is found in the official WordPress repository, Defender will flag the file as a Modified file. Restoring the original file fixes this issue.

Earlier versions of Defender (and the Defender Free plugin) feature a “Restore” button in the plugin’s Malware Scanning section, which fetches a fresh file from the WordPress repository and replaces the existing file in the server directory.

Earlier versions of Defender offer only the option to restore modified files with a fresh version of the file.

However, when a file has been modified by an admin or site developer (e.g. by adding custom code for a certain functionality), deleting or replacing the file with its original can result in the loss of custom code or functionality and, in some cases, lead to sites breaking.

In Defender Pro, Restore is now Safe Repair. This new feature not only replaces the modified file with the original file from the WordPress repository, it also adds an option to quarantine the modified file before replacing it, allowing users to restore the file if required.

The new Safe Repair feature of Defender Pro allows users to restore replaced files.
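
The quarantine-before-replace flow described above, sketched as an added example (this is not Defender’s own code). The function names, the manifest layout, the `.quarantine` suffix, and the hash check on restore are assumptions for illustration; `pristine` stands for the copy fetched from the official repository.

```python
import hashlib
import json
import os
import time
from pathlib import Path

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _atomic_write(path: Path, data: bytes) -> None:
    # Write a sibling temp file, then rename, so a crash never leaves a partial file.
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_bytes(data)
    os.replace(tmp, path)

def safe_repair(target: Path, pristine: bytes, qdir: Path, keep_days: int = 30):
    """Quarantine `target` if it differs from `pristine`, then replace it.
    Returns the manifest entry, or None when the file already matches."""
    current = target.read_bytes()
    if _digest(current) == _digest(pristine):
        return None
    qdir.mkdir(parents=True, exist_ok=True)
    entry = {
        "path": str(target),
        "sha256": _digest(current),
        # Hash-named, no .php suffix: the web server should not execute the copy.
        "stored_as": _digest(current) + ".quarantine",
        "expires": int(time.time()) + keep_days * 86400,
    }
    stored = qdir / entry["stored_as"]
    if not stored.exists():              # same content may be quarantined twice
        stored.write_bytes(current)
        os.chmod(stored, 0o400)          # read-only backup
    with open(qdir / "manifest.jsonl", "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    _atomic_write(target, pristine)      # repair only after the backup exists
    return entry

def restore(entry: dict, qdir: Path) -> None:
    """Put a quarantined file back, refusing if the stored copy was altered."""
    data = (qdir / entry["stored_as"]).read_bytes()
    if _digest(data) != entry["sha256"]:
        raise ValueError("quarantined copy does not match recorded hash")
    _atomic_write(Path(entry["path"]), data)
```

Keeping the quarantine directory outside the web root, or denying direct requests to it, matters as much as the renamed suffix when the stored file is genuinely malicious.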

Repairing Files

Repair is a handy feature to have when a file in the server directory gets modified for any reason. It smartly fetches a fresh file from the WordPress repository and swaps it with the current file in the server directory. (See below for more details on how to use this feature.)