WPIntell

Source evidence

YARA scan/ false positive?

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More · support · 2026-05-20T16:33:00+00:00



Conversation

support · programmin · resolved

YARA scan shows this plugin's files as a webshell… in /wp-snapshots/XYZ…BAK_(long-identifier)_installer.php I'm thinking this is a false-positive, and is secure as long as someone doesn't guess that long-identifier and decide to call a backup restore somehow?

Comments

mohammedeisa 2026-05-20T18:16:00+00:00

Hi @programmin, Thanks for flagging this. This is a false positive. Duplicator's installer.php is a legitimate restore script that gets flagged by security scanners because it has powerful capabilities by design (file access, database interaction, etc.), the same traits scanners look for in webshells. A couple of things worth noting: The /wp-snapshots/ directory you're seeing is from an older version of Duplicator — it no longer exists in current releases. This suggests your plugin is out of date. Duplicator includes a cleanup step at the end of the restore process that removes the installer and archive files. If you see an installer.php sitting around, make sure you complete that cleanup step after any restore. We'd recommend updating Duplicator to the latest version to get the most recent security improvements and stay on the supported path. Hope that helps!

mohammedeisa 2026-05-26T18:43:00+00:00

Hi @programmin, We haven't heard back from you in a few days, so I'm going to go ahead and close this thread for now. But if you'd like us to assist further, please feel welcome to continue the conversation. Thanks!
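The reply above makes two practical points: the scanner hit on installer.php is expected for a restore script, and the real hygiene issue is a restore script or archive left behind after the cleanup step was skipped. The following script is an added example (not Duplicator's own code and not part of the thread) that turns the second point into a check a site operator can run against a WordPress root. It assumes, based only on the path quoted in the question, that leftover restore scripts are named `<identifier>_installer.php` or `installer.php`, that an old snapshot directory is called `wp-snapshots`, and that archives sitting next to a restore script are `.zip` files; the sample directory tree it builds is constructed for the demo.

```python
"""Report leftover restore scripts and archives under a WordPress root.

Added example, not Duplicator's code. The naming pattern, the snapshot
directory name and the archive extension below are assumptions taken
from the support thread, not from Duplicator's documented layout.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Assumed naming: "<identifier>_installer.php" or a bare "installer.php".
INSTALLER_RE = re.compile(r"(^|_)installer\.php$", re.IGNORECASE)
SNAPSHOT_DIRS = {"wp-snapshots"}   # assumed from the path in the question
ARCHIVE_EXTS = {".zip"}            # assumed archive extension


@dataclass(frozen=True)
class Finding:
    path: Path
    reason: str
    age_hours: float


def scan_restore_artifacts(root: Path, now: Optional[float] = None) -> List[Finding]:
    """Walk `root` and return files that the post-restore cleanup should have
    removed: any restore script, plus archives that sit next to a restore
    script or inside a snapshot directory. Ordinary .zip uploads elsewhere
    are left alone so the check stays quiet on a healthy site."""
    now = time.time() if now is None else now
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        directory = Path(dirpath)
        installers = {f for f in filenames if INSTALLER_RE.search(f)}
        in_snapshot_dir = directory.name in SNAPSHOT_DIRS
        for name in filenames:
            path = directory / name
            if name in installers:
                reason = "leftover restore script: cleanup step not completed"
            elif path.suffix.lower() in ARCHIVE_EXTS and (installers or in_snapshot_dir):
                reason = "backup archive beside a restore script or in a snapshot dir"
            else:
                continue
            age_hours = (now - path.stat().st_mtime) / 3600.0
            findings.append(Finding(path, reason, age_hours))
    return sorted(findings, key=lambda f: str(f.path))


def build_demo_tree(base: Path) -> Path:
    """Create a constructed WordPress-like tree: two benign files and three
    leftovers mirroring the situation described in the thread."""
    root = base / "wordpress"
    benign = [
        root / "wp-content" / "plugins" / "duplicator" / "duplicator.php",
        root / "wp-content" / "uploads" / "photos.zip",   # unrelated archive
    ]
    leftovers = [
        root / "wp-snapshots" / "SITE_BAK_0123abcd_installer.php",
        root / "wp-snapshots" / "SITE_BAK_0123abcd_archive.zip",
        root / "installer.php",
    ]
    for path in benign + leftovers:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed placeholder\n")
    return root


def demo() -> List[Finding]:
    """Build the constructed tree in a temp dir, scan it and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(Path(tmp))
        return scan_restore_artifacts(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.path.name:40} {finding.age_hours:6.1f}h  {finding.reason}")
```

Run it against a real document root instead of the demo tree by calling `scan_restore_artifacts(Path("/var/www/html"))` (path is a placeholder). From a defender's stance the useful conclusion is the one the reply gives, not the one the question hopes for: a restore script that is still present is a problem regardless of how long its identifier is, so the fix is to finish the cleanup step (or remove the file and archive manually) and update the plugin, not to rely on the name being unguessable. A recurring run of this check, for example after each restore, is a cheap way to make sure the scanner alert does not come back for a file that should no longer exist.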