What does the Malware Scanner do?
If you know or suspect your website has been hacked, finding the malicious code can be difficult. To locate the infection, you either need to know what you are looking for or have to go through the entire website by hand, folder by folder and file by file.
The malware scanner makes this job easy by scanning your entire website and showing you a list of any suspicious plugins or files on your website.
What happens in a malware scan?
There is a lot happening in the background when you start a malware scan on your website.
We have done our best to keep the interface easy to use and understand, but behind the scenes a scan runs in two steps.
Step 1 – Checking plugins from the WordPress repository
First, the scanner gathers a list of the plugins on your website and uses it to check which plugins come from the official wordpress.org repository.
Each plugin from the repository has a list of checksums available via an API provided by wordpress.org. The API returns a list of checksums for all the files included in the plugin.
All checksums are stored in a local .json file. Saving the result locally is faster than asking wordpress.org each time, which speeds up repeated scans.
The files are stored on your website in the folder /uploads/security-ninja/. This folder is removed when you deactivate the plugin.
This method is the fastest and most accurate way to validate that no changes have been made to plugin files.
Security notice: This does not protect against plugins that have had malicious code inserted and are then distributed via the public repository. There are systems to prevent abuse in the public repository, but it does still happen.
There will most likely be some premium or custom-made plugins on your website. These do not have any official API for checksums and are instead scanned manually by the malware scanner.
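The checksum comparison described in Step 1, sketched as an added example (this is not Security Ninja's own code). The manifest shape, the `example-plugin` folder and its file contents are constructed assumptions; the sketch also reports files the manifest does not list, which goes beyond what this page describes.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not loaded into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_plugin(plugin_dir: Path, manifest: dict) -> dict:
    """Compare a plugin folder with a checksum manifest (assumed shape, see demo)."""
    expected = manifest["files"]
    on_disk = {p.relative_to(plugin_dir).as_posix(): p
               for p in plugin_dir.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel in sorted(expected):
        allowed = expected[rel]["sha256"]   # one hash, or a list of accepted hashes
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if rel not in on_disk:
            report["missing"].append(rel)
        elif sha256_of(on_disk[rel]) not in allowed:
            report["modified"].append(rel)
    # Files the manifest never listed are invisible to a per-file hash comparison.
    report["unexpected"] = sorted(set(on_disk) - set(expected))
    return report

def demo() -> dict:
    """Build a constructed plugin folder, change it after 'install', then verify it."""
    clean = {"example-plugin.php": b"<?php // main file\n",   # constructed sample files
             "inc/helper.php": b"<?php // helper\n",
             "readme.txt": b"Example plugin\n"}
    # Assumed manifest shape: {"files": {"relative/path": {"sha256": hex or [hex, ...]}}}
    manifest = {"files": {rel: {"sha256": hashlib.sha256(data).hexdigest()}
                          for rel, data in clean.items()}}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "example-plugin"                   # hypothetical plugin slug
        for rel, data in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        (root / "inc/helper.php").write_bytes(b"<?php // helper, edited\n")
        (root / "readme.txt").unlink()
        (root / "inc/extra.php").write_bytes(b"<?php // not part of the release\n")
        return verify_plugin(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A file listed under "unexpected" is not necessarily malicious, but it has no reference checksum and has to be judged by other means.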
Step 2 – Scan site for malware and malicious code
After all the known plugins are scanned, the rest of the website is scanned with the PHP malware scanner library to detect malicious files.
Once the scan is completed, the results are compiled and displayed for you to see any detected issues.
Continue reading: How to use the malware scanner
Important: A file marked by the Malware Scanner as suspicious does NOT have to contain “bad” code. It might just be a piece of code that looks bad. The Malware Scanner can sometimes identify innocent files as suspicious. This is known as a “false positive”.
That’s why it’s necessary to go through the files manually (especially if they come from untrusted authors or sources) and have a look at the suspicious code.
“False positive” is a term that describes a false result. In this case, a “positive” is a file that is detected as malicious, and the result is “false” because the file does not, in reality, contain any malicious code.
This happens when the scanner tries to be as thorough as possible and identifies files that do not really contain bad code.