Excluding Files and Folders from Malware Scanning

Security by CleanTalk includes a powerful malware scanner designed to detect suspicious and malicious code on your website. However, in some cases, it is both safe and recommended to exclude specific files or directories from scanning.

Exclusions allow you to fine-tune the scanning process by skipping locations that are known to be safe, irrelevant, or managed separately. This helps reduce false positives, speeds up scanning, and prevents unnecessary resource usage.

In this article, we explain how file and directory exclusions work in Security by CleanTalk, including how to use the spbct_directory_exclusions.txt file, and provide practical examples of when and why exclusions should be applied.

You can find the exclusion option in our plugin settings:
WordPress Admin Page —> Settings —> Security by CleanTalk —> General Settings —> Directory and file exclusions for the malware scanner.

Option to exclude

Below are practical examples of exclusions. A key rule applies to all: excluding a directory will also skip all its subfolders and files. Use any directory separator (/ or \) in your paths. Separate each path with a new line. You can specify both directories and files.

1) Excluding unnecessary files and folders

To further optimize scanning, you can exclude specific non-critical directories and individual files that do not require security checks, such as development or log directories.

Example exclusions:

wp-content/uploads/dev/script.php
wp-content/themes/test-theme
wp-content/logs

2) Excluding Nested Websites

In some environments, a single hosting account may contain multiple websites located in subdirectories, for example:
site1.com/
├── site2.com/
└── old-site/
 
It is recommended to exclude directories that contain other websites. Each nested website should be scanned by its own instance of Security by CleanTalk.

Example exclusions: site2.com or old-site.

3) Excluding backup directories

Backup folders often contain copies of your website’s files. Scanning these duplicates can trigger false alerts and consume unnecessary resources.

Example of exclusion: wp-content/backups

Note: your backup folder path may vary. If it is different, specify the correct path to it.

4) Excluding cache directories

Cache folders store temporary data generated by plugins, themes, or server-side caching systems. These files are dynamic and not part of the original codebase, so scanning them may lead to irrelevant results.

Example of exclusion: wp-content/cache

Note: your cache folder path may vary. If it is different, specify the correct path to it.

5) Excluding via a Special File

If you prefer, you can list all your exclusions in a separate file. Create a text file named spbct_directory_exclusions.txt and write each exclusion path on a new line. Then simply add the path to this file in the plugin's "Exclusions" field.

Example:

  1. The content of spbct_directory_exclusions.txt:
    client-portal
    wp-content/backups
    wp-content/cache
  2. Place this file somewhere on your site, for example in wp-content/.
  3. In the scanner settings, add the path:
    wp-content/spbct_directory_exclusions.txt

The scanner will then read all exclusions from this file.
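Because an excluded directory is skipped together with everything below it, it helps to list which PHP files an exclusion list takes out of the scanner's view before saving it. The script below is an added example, not part of the plugin or of the original article; it assumes paths are relative to the site root and are matched by whole path components, which the article does not specify, and its function names and sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import PurePosixPath

def parse_exclusions(text):
    """One path per line; '/' and '\\' are both accepted; blank lines ignored."""
    rules = []
    for line in text.splitlines():
        path = line.strip().replace("\\", "/").strip("/")
        if path:
            rules.append(PurePosixPath(path).parts)
    return rules

def is_excluded(rel_path, rules):
    """True if rel_path is an excluded file or lies under an excluded directory."""
    parts = PurePosixPath(rel_path.replace("\\", "/")).parts
    return any(parts[:len(rule)] == rule for rule in rules)

def skipped_php(site_root, rules):
    """List the .php files under site_root that the scanner would no longer see."""
    hidden = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), site_root)
            rel = rel.replace(os.sep, "/")
            if name.lower().endswith(".php") and is_excluded(rel, rules):
                hidden.append(rel)
    return sorted(hidden)

def demo():
    # Constructed sample: the exclusion list from section 5, one entry using '\'.
    exclusions = "client-portal\nwp-content/backups\nwp-content\\cache\n"
    sample_files = [  # constructed file tree, not taken from a real site
        "client-portal/index.php",
        "wp-content/backups/2024/index.php",
        "wp-content/cache/obj/x.php",
        "wp-content/cache/page.html",
        "wp-content/cache-old/y.php",
        "wp-content/plugins/a/a.php",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_files:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return skipped_php(root, parse_exclusions(exclusions))

if __name__ == "__main__":
    print("\n".join(demo()))
```

To run it against a real site, call skipped_php() with the site root and the parsed contents of spbct_directory_exclusions.txt, and review the listed files before relying on the exclusions.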
