You can exclude specific folders or files from malware scans so they are never scanned or reported. This is useful when you know a plugin or theme is safe but its code triggers pattern matches (for example Leadpages, AccessAlly, Hide My WP Ghost, UpdraftPlus, or custom plugins).
Exclude paths from scan (in the plugin)
- Go to Security Ninja → Malware Scanner.
- In the Exclude paths from scan card, enter one path or pattern per line in the textarea.
- Click Save patterns.
Paths and patterns listed there are excluded from every malware scan. They are not scanned and do not appear in results.
Pattern format
- One pattern per line.
- Patterns are matched against the full server path to the file.
- Use * as a wildcard (matches any characters).
Examples
- */plugins/updraftplus/* — exclude the whole UpdraftPlus plugin folder
- */plugins/leadpages/* — exclude the Leadpages plugin
- */plugins/accessally/* — exclude the AccessAlly plugin
- */plugins/hide-my-wp-ghost/* — exclude Hide My WP Ghost
- *wp-content/uploads/cache/* — exclude a cache folder
- */themes/my-theme/inc/* — exclude a specific subfolder of a theme
You can combine multiple lines to exclude several plugins or paths at once.
Whitelisted files vs path patterns
- Whitelisted files — Single files you added via the “Whitelist” button on a scan result (path + hash). Shown in the “Whitelisted files” list; use “Revert Whitelist” to remove.
- Path patterns — Lines in “Exclude paths from scan”. They apply to whole folders or glob patterns and are stored in the same whitelist data; they are edited in the textarea and saved with Save patterns.
Both are included in Import/Export (Tools page) under malware scanner settings.
For developers: add exclusions in code
You can add or change excluded paths programmatically with the filter securityninja_malware_exclude_paths. It receives an array of path/pattern strings (the same list used for the scanner) and must return an array of strings.
Example: add a pattern
    // Append one pattern to the scanner's exclusion list.
    add_filter( 'securityninja_malware_exclude_paths', function ( $paths ) {
        $paths[] = '*/plugins/my-custom-plugin/*';
        return $paths;
    } );
Example: add multiple patterns
    // Append several patterns at once; existing entries are kept.
    add_filter( 'securityninja_malware_exclude_paths', function ( $paths ) {
        return array_merge( $paths, array(
            '*/plugins/leadpages/*',
            '*/plugins/accessally/*',
            '*/plugins/updraftplus/*',
        ) );
    } );
Patterns use the same rules as in the UI: full path, one string per pattern, * for wildcards. They are applied in addition to any patterns saved in the Malware Scanner settings.
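Excluded paths are never scanned or reported, so a pattern that is broader than intended leaves a blind spot. As an added example (not Security Ninja's own code), the guard below hooks the same filter late and drops any pattern that would also hide a set of constructed canary paths. The helper names, the canary paths, the priority 999 and the assumption that * also matches "/" are assumptions of this example.

```php
<?php
// Added example, not Security Ninja code. Assumes '*' matches any run of
// characters (including '/'), as the pattern rules on this page describe.

// Hypothetical helper: does a scanner-style pattern match a full path?
function my_exclusion_matches( $pattern, $path ) {
	$regex = '#^' . str_replace( '\*', '.*', preg_quote( $pattern, '#' ) ) . '$#s';
	return 1 === preg_match( $regex, $path );
}

// Hypothetical helper: split patterns into kept and rejected, where a pattern
// is rejected if it would hide any canary path from the scanner.
function my_audit_exclusions( array $patterns, array $canaries ) {
	$result = array( 'kept' => array(), 'rejected' => array() );
	foreach ( $patterns as $pattern ) {
		$pattern = trim( (string) $pattern );
		if ( '' === $pattern ) {
			continue;
		}
		$bucket = 'kept';
		foreach ( $canaries as $canary ) {
			if ( my_exclusion_matches( $pattern, $canary ) ) {
				$bucket = 'rejected';
				break;
			}
		}
		$result[ $bucket ][] = $pattern;
	}
	return $result;
}

// Run late (priority 999) so patterns added by other callbacks are audited too.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'securityninja_malware_exclude_paths', function ( $paths ) {
		$root     = rtrim( ABSPATH, '/' );
		$canaries = array(   // constructed paths that must always stay in scope
			$root . '/wp-config.php',
			$root . '/wp-content/uploads/2024/01/canary.php',
			$root . '/wp-content/plugins/canary-plugin/canary.php',
			$root . '/wp-content/themes/canary-theme/functions.php',
		);
		$audit = my_audit_exclusions( (array) $paths, $canaries );
		foreach ( $audit['rejected'] as $pattern ) {
			error_log( 'Dropped over-broad malware scan exclusion: ' . $pattern );
		}
		return $audit['kept'];
	}, 999 );
}
```

With these canaries, */plugins/updraftplus/* is kept, while */plugins/* or *wp-content/uploads/* would be dropped and logged.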
Written by Lars Koudal
