How to handle security/malware threat detection?

Problem A: A notice from a virus scanner indicates that something in the plugin is a possible threat. How should you handle this?

Solution 1: VirusTotal check. If a virus scanner reports a detection, validate the result against other scanners before acting on it. In the vast majority of cases we are quite confident there is nothing to worry about, for a few reasons:

  1. If you receive a threat report from a virus scanner, check the file on the VirusTotal site and look at the total number of engines that scanned it. If, say, 50 engines scanned the files and Duplicator passed 49 of them with nothing detected, with only 1 or 2 reporting a "possible" threat, then the chances are very low that the plugin on your site is corrupted or hacked. Note: you can upload the full plugin zip file, or just the file in question, to the VirusTotal portal.
  2. Virus signatures can be tricky, and it is not uncommon for certain byte or code patterns to set them off. VirusTotal is also aware of false positives and addresses these types of issues on its website.
  3. If the file does indeed show a threat across more than two engines, feel free to contact us with the file in question and we can compare it against the base release to determine whether the file(s) have been compromised on your system. Our recommendation in all cases is to remove the plugin and install a fresh, clean copy. If the problem persists, there is a wider hole in your site and you will probably need a security analysis of your site by a company that deals with these issues, such as WordFence.

Solution 2: Contact the provider. A warning from a malware scanner may not give you the details needed to pinpoint a possible threat. The scanner should report why it thinks the file is a risk and what it thinks the issue is. Be sure your scanner does more than just say that file XYZ is a threat: it needs to give details and say exactly which line(s) of code are an issue and why. For example, "Heuristic logic has detected something unsafe…" is far too general to determine whether a file is a threat.

The base install of Duplicator is known to be safe and is continually scanned by third-party security companies. You can be assured that the original install of the plugin is safe, and that if any items are reported a patch will be applied promptly. However, because WordPress systems can and do become compromised, it is your responsibility to evaluate any possible compromise of your own system.

If you want more information about the scan result, we recommend you contact the virus scan company that reported it and ask for full details of the virus/malware threat. Duplicator has been on the WordPress forums for years with over 25 million downloads. We work very closely with the WordPress team and other third-party companies to make sure the plugin stays safe for the community.

False positive example:
In the world of malware detection it is common for companies to release scanner definitions that do in fact report a false positive. This has happened on several occasions with Duplicator; in some cases the companies were quick to respond with an update to their software, and in other cases they were not. Below is an example from a company that was very quick to respond and let users know it was a false positive.

From the forums

…My name is Jelmer Verkleij, CTO at Patchman. This issue was brought to our attention about 30 minutes ago and after some quick research we noted that these detections are the result of an error in our definition development process. All detections of the installer/build/assets/inc.libs.js.php file in the duplicator plugin folder seem to be false positives at this point. My sincere apologies for the confusion – this should of course not have happened and naturally we have immediately started looking into how and why this went wrong, and what needs to be done to prevent this from happening again in the future.

In the meantime, we have deployed a definition update to all our Patchman customers that rolls back any automated quarantine actions that took place for these files, and retracts the associated detections. This should automatically restore all websites to their original state without problems.

Once again, I sincerely apologize for this inconvenience, and I would like to reiterate that we are taking this matter very seriously. If you have any further questions or comments regarding this incident, please don't hesitate to let me know here or by sending an e-mail to will make sure to address each response as soon as possible.

Best regards,

Jelmer Verkleij
Patchman B.V.

Problem B: WordFence notices
WordFence can trigger false positive results. If the WordFence scanner is in High Sensitivity mode, users might see warnings about the installer.

Solution 1: To mitigate these results, users can do the following:

  1. Disable High Sensitivity scanning and return to the recommended settings.
  2. If you don't want to disable High Sensitivity scans, click Ignore on the individual results and they won't be reported again (until one of the file hashes changes, at least).
  3. Under the scanner's Advanced settings, exclude a specific file path or a wildcard path from being scanned (See for some detail). Keep in mind that an excluded path is not scanned at all, so a genuine later modification of a file there would also go unnoticed; ignoring individual results is the narrower option.

Duplicator currently includes several large minified JavaScript libraries that have been reported as false positives by some system scanners. In most cases these notices can be ignored; however, if other plugins or other parts of your site also show positive readings for malware, you should probe deeper into the issue. A quick first check is whether the flagged file is byte-for-byte identical to the same file in a fresh copy of the same plugin version: if it is, the scanner is reacting to the release itself rather than to a change on your site.
