How to exclude paths from the Malware Scanner
You can exclude specific folders or files from malware scans so they are never scanned or reported. This is useful when you know a plugin or theme is safe but its code triggers pattern matches (for example Leadpages, AccessAlly, Hide My WP Ghost, UpdraftPlus, or custom plugins).
Exclude paths from scan (in the plugin)
- Go to Security Ninja → Malware Scanner.
- In the Exclude paths from scan card, enter one path or pattern per line in the textarea.
- Click Save patterns.
Paths and patterns listed there are excluded from every malware scan. They are not scanned and do not appear in results.
Pattern format
- One pattern per line.
- Patterns are matched against the full server path to the file.
- Use
*as a wildcard (matches any characters).
Examples
*/plugins/updraftplus/*— exclude the whole UpdraftPlus plugin folder*/plugins/leadpages/*— exclude the Leadpages plugin*/plugins/accessally/*— exclude the AccessAlly plugin*/plugins/hide-my-wp-ghost/*— exclude Hide My WP Ghost*wp-content/uploads/cache/*— exclude a cache folder*/themes/my-theme/inc/*— exclude a specific subfolder of a theme
You can combine multiple lines to exclude several plugins or paths at once.
Whitelisted files vs path patterns
- Whitelisted files — Single files you added via the “Whitelist” button on a scan result (path + hash). Shown in the “Whitelisted files” list; use “Revert Whitelist” to remove.
- Path patterns — Lines in “Exclude paths from scan”. They apply to whole folders or glob patterns and are stored in the same whitelist data; they are edited in the textarea and saved with Save patterns.
Both are included in Import/Export (Tools page) under malware scanner settings.
For developers: add exclusions in code
You can add or change excluded paths programmatically with the filter securityninja_malware_exclude_paths. It receives an array of path/pattern strings (the same list used for the scanner) and must return an array of strings.
Example: add a pattern
add_filter( 'securityninja_malware_exclude_paths', function ( $paths ) {
$paths[] = '*/plugins/my-custom-plugin/*';
return $paths;
} );Example: add multiple patterns
add_filter( 'securityninja_malware_exclude_paths', function ( $paths ) {
return array_merge( $paths, array(
'*/plugins/leadpages/*',
'*/plugins/accessally/*',
'*/plugins/updraftplus/*',
) );
} );Patterns use the same rules as in the UI: full path, one string per pattern, * for wildcards. They are applied in addition to any patterns saved in the Malware Scanner settings.
Written by Lars Koudal
Get AI-Powered Security Summary
Let AI analyze this WordPress security article and provide actionable insights from WP Security Ninja experts.
