Our Jetpack Scan tool checks every WordPress.com site daily for dangerous plugins, themes, malware, and other vulnerabilities. This guide explains security scanning and how to view a record of all threats to your site.
Jetpack Scan, our security tool enabled on all WordPress.com sites, checks the following files on your site automatically each day:
- Plugin files and directories
- Theme files and templates
- Media uploads and attachments
- Root directory files like
wp-config.php - Other select files inside the
wp-contentdirectory
Once weaknesses or malware are spotted, our security team swiftly resolves the issues, updating or reverting files as needed, depending on the problem.
This section of the guide applies to sites with our WordPress.com Personal, Premium, Business, and Commerce plans. For free sites, upgrade your plan to access this feature.
On our higher-tier plans, you have access to the scan history, which shows a record of all previous threats identified on your site. To view the scanning history, take the following steps:
- Visit your site’s dashboard.
- Navigate to Jetpack → Scan.
- The Scanner tab will show you when the most recent scan was, with a “Scan now” button to trigger a new scan.
- Click the History tab to view a record of all previously active threats on your site.
- Scroll through the security threats, where you can expand more details about the threat.
No action is required for these security threats – Jetpack Scan fixes each threat discovered.
Jetpack Scan checks your site for common security threats and vulnerabilities that could put your data or visitors at risk. Below are some examples of what you may see in the scanning history.
Jetpack Scan will alert you if any core WordPress files have been changed or deleted. These files should never be modified directly. To customize your site’s functionality, use plugins or themes instead.
If you didn’t make these changes yourself, treat them as suspicious. Replace the affected files with clean versions using SFTP or contact support for help.
Jetpack Scan detects plugins with known security vulnerabilities and will include a link to learn more about the vulnerability. If a newer version includes a fix, we will update the plugin to patch the threat. You can delete plugins you no longer need on your website.
Jetpack Scan looks for shells found in files that give attackers access to execute malicious code (malware), delete files, and make changes to your database. Jetpack Scan removes any infected files and replaces them with a clean version from your backup.
