Malware Scanner

Malware Scanner is a module available only in Security Ninja PRO.

What does the Malware Scanner do?

If you know or suspect your website has been hacked – finding the malicious code can be difficult. To locate the infection you need to know what you are looking for or you have to go through the entire website by hand, folder by folder – file by file.

The malware scanner makes this job easy by scanning your entire website and showing you a list of any suspicious plugins or files on your website.

What happens in a malware scan?

A lot happens in the background when you start a malware scan on your website. We have done our best to keep the interface easy to use and understand, but a scan involves several steps behind the scenes.

Step 1 – Checking plugins from the WordPress repository

First, the scanner gathers a list of the plugins on your website and uses it to check which plugins come from the official repository.

Each plugin from the repository has a list of checksums available via an API. The API returns a list of checksums for all the files included in the plugin.

All checksums are stored in a local .json file. Saving the result locally is faster than requesting it each time, which speeds up repeated scans.

The files are stored on your website in the folder /uploads/security-ninja/ – this folder is removed when you deactivate the plugin.

This method is the fastest and most accurate approach to verifying that no changes have been made to plugin files.

This check does not catch plugins that have had malicious code inserted and were then distributed via the public repository. There are systems to prevent abuse in the public repository, but it does still happen.

There will most likely be some premium or custom-made plugins on your website. These do not have any official API for checksums and are instead scanned manually by the malware scanner.

“These plugins were not found on the public repository.” – The list shows which plugins were found in the public repository and which were not. The plugins that were not found are scanned by the malware scanner instead.
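
The checksum comparison described in Step 1, shown in Python as an added example (this is not Security Ninja's own code): it checks a plugin folder against a cached JSON manifest and also reports files the manifest never listed. The manifest layout (relative path mapped to a SHA-256 digest), the `example-plugin` folder and all function names are assumptions made for this illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of one file (plugin files are small)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def list_files(root: Path) -> dict:
    """Map each file's path relative to root (POSIX style) to its Path."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def verify_plugin(plugin_dir: Path, manifest: dict) -> dict:
    """Compare files on disk with a {relative_path: sha256} manifest (assumed format)."""
    on_disk = list_files(plugin_dir)
    # Files the manifest never listed are reported too; hashing only the
    # listed files would not notice a file added to the plugin folder.
    report = {"modified": [], "missing": [],
              "unexpected": sorted(set(on_disk) - set(manifest))}
    for rel, expected in sorted(manifest.items()):
        if rel not in on_disk:
            report["missing"].append(rel)
        elif sha256_of(on_disk[rel]) != expected.lower():
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed plugin folder, change it, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"  # hypothetical plugin slug
        (plugin / "inc").mkdir(parents=True)
        for rel in ("example-plugin.php", "inc/helpers.php", "readme.txt"):
            (plugin / rel).write_text(f"original contents of {rel}\n")
        # Manifest taken while the files are known-good, cached as JSON.
        manifest = {rel: sha256_of(p) for rel, p in list_files(plugin).items()}
        cache = Path(tmp) / "example-plugin.json"
        cache.write_text(json.dumps(manifest))
        # Constructed changes made after the manifest was cached.
        (plugin / "inc" / "helpers.php").write_text("changed contents\n")
        (plugin / "readme.txt").unlink()
        (plugin / "inc" / "cache.php").write_text("file not in manifest\n")
        return verify_plugin(plugin, json.loads(cache.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A cached manifest is only as trustworthy as the place it is stored: if the website itself is compromised, a manifest kept on that same website can be altered along with the plugin files.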

Step 2 – Scan site for malware and malicious code

After all the known plugins are scanned, the rest of the website is scanned with the PHP malware scanner library to detect malicious files.

Once the scan is completed, the results are compiled and displayed for you to see any detected issues.

Continue reading: How to use the malware scanner


Important: A file marked by Malware Scanner as suspicious does NOT have to contain “bad” code. It might just be a piece of code that looks bad. The Malware Scanner can sometimes identify innocent files as suspicious. This is known as a “false positive”.

That’s why it’s necessary to go through the files manually (especially if they come from untrusted authors or sources) and have a look at the suspicious code.

“False positives” is a term that describes false results. In this case a “positive” would be a file that is detected as malicious, however, it is a “false” result – the file does not, in reality, contain any malicious code.

This happens when the scanner tries to be as thorough as possible and identifies files that do not really contain bad code.

Check out our guide on how to do a cleanup after malware scan.
