Malware Scanner for WordPress

Find malicious code infections on your website and identify suspicious files.

The malware scanner module searches for any malicious code on your website - a clear sign of a hack.

Protecting yourself from hacking attempts is always the best approach. But no matter how well you protect yourself, your website can still be hacked.

Even secure websites are vulnerable to new and unknown bugs. Once in a while, security holes come to light in even well-known plugins, in some cases affecting hundreds of thousands of websites. Malware attacks are on the increase, and with the continued success of WordPress, the platform is a big and interesting target for attackers looking for security holes to exploit.

Why can't you protect a website 100%?

The only way we could protect a website from malicious attacks is by completely blocking any outside visitors, and that would ruin the point of having a website in the first place.

Files are scanned using the PHP malware scanner library, which detects common code found in malicious scripts as well as specific known attacks.

It is very important to understand that a file marked by Malware Scanner as suspicious does NOT have to contain "bad" code.

It could just be a piece of code that looks bad. Sometimes it is quite obvious, and even specific viruses or attacks can be identified by name. Other times it could be legitimate programming made with no malicious intent, or it could be malicious code trying to hide.

This is where you should start looking if you suspect your website is hacked.

It is very important to go through the files manually and have a look at the suspicious lines of code. If you are certain they are ok - whitelist the file.

Scanner features

  • One click scan - quickly identify problematic files
  • Scan all (active and disabled) theme files
  • Scan all (active and disabled) plugin files
  • Scan all files uploaded to wp-content folder
  • Scan entire WordPress installation
  • Scan options DB table
  • See exact parts of the file that malware scanner marked as suspicious
  • Whitelist files that you have inspected and know are safe
  • Delete files that you are sure have no place in your WP folders
  • Optimized for large WP installations with numerous files
  • Complete integration with Security Ninja's easy-to-use GUI
  • Compatible with all themes and plugins

Protect your WordPress website with Security Ninja Pro

  • Fix complicated security issues with one click.
  • Firewall - Instant protection from 600+ million bad IPs
  • Country Blocking - Prevent visitors from any country from visiting your site
  • Malware Scanner - find and fix malicious and suspicious code
  • Check and fix any WordPress core files that have been modified
  • Events Logger - Know everything that's happening on your site.
  • Scheduled Scans - Automate checking your website and get warned of any problems

Why does it say a plugin is infected?

Malicious code is usually obfuscated or disguised to look like valid code to the untrained eye. The scanner checks each file and tries to identify patterns and specific known pieces of code that indicate malicious content.

Files from several popular plugins and themes can appear on the scan list, but do not be worried - it is normal for some plugins to use code that can look malicious to a scanner but does not contain any bad code. These are known as "false positives".

Although we try to limit the number of files that are wrongly identified, we also want to be thorough and would rather show you a couple of wrongly identified files than miss something malicious.

Again this does not mean they will do harm to your site. It just means you need to have a closer look at their content.

What's in it for the hackers...

Why is my website under attack?

Hackers do not only attack big websites or corporate networks; even small websites are useful to them as hosts for malicious code.

The reason could be anything from injecting spammy content into your website for SEO purposes or getting customer data, to just being able to brag about getting into your website or bringing it down for fun.

Mostly you would find your website under attack from automated scripts that simply try different hack attempts, without any human interaction.

How malware scanners work

Identifying malicious code hiding in between actual legitimate code is difficult. Here are a couple of examples of what anti-malware scanners have to consider when detecting security threats on your website.

Real code comments

It is common for malicious scripts to leave a small marker in the files they have already infected. Otherwise they might infect the same file repeatedly and cause the website to crash. That is not their intent: they want the website to continue working, for whatever purpose they have in mind for you.

Comments similar to this:

It is also common for developers to leave comments in their code, and if the malware scanner is sensitive enough, a normal comment or note by the developer can be identified as a sign of a malicious file. This is what is known as a false positive.

In other words, the file gave a positive result - the scanner identified a piece of code as malicious - but the result was not correct, it was false. Hence the name false positive.

False positive results are something we try to minimize, but it is a knife's edge trying to distinguish malicious code from actual needed and properly functioning code.

Using "dangerous" PHP functions

When developing in PHP for WordPress, there are functions you usually do not need to use. These are "low level" functions that are more commonly used in malicious code. The PHP eval() function is one such example.

The eval function "evaluates" the string passed to it as PHP code, and if it is valid - it executes the code.

Another PHP function is exec() which executes a program on your server.

The danger here is that the content in the code itself can be obfuscated - making it harder to identify what is actually happening.

Although sometimes a sign of lazy or unsafe coding - there are legitimate uses for both the eval() and exec() functions, so the fact that a file includes either of these does not mean it is an infected file, but it is always worth checking the file once they pop up in the results of your scan.
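The false-positive problem from the two sections above, as an added Python sketch (not code from Security Ninja or the PHP malware scanner library): it flags bare eval()/exec() calls while ignoring mentions in comments and look-alikes such as curl_exec() or $pdo->exec(). Whitelisting by SHA-256 of the file contents is an assumption made here, and the input is assumed to be plain PHP without heredocs or inline HTML.

```python
import hashlib
import re

RISKY_CALLS = ("eval", "exec")  # the two functions the page names

# PHP comments and string literals. Strings are matched only so that a
# "//" or "#" inside one (e.g. a URL) is not mistaken for a comment.
_TOKENS = re.compile(r"""
      /\*.*?\*/              # block comment
    | //[^\n]*               # line comment
    | \#[^\n]*               # shell-style comment
    | '(?:\\.|[^'\\])*'      # single-quoted string
    | "(?:\\.|[^"\\])*"      # double-quoted string
    """, re.S | re.X)
# A call is the bare name followed by "(", not $eval(, ->exec(, ::exec(
# or a longer name such as curl_exec(.
_CALL = re.compile(r"(?<![\w$>:])(%s)\s*\(" % "|".join(RISKY_CALLS), re.I)

def file_hash(src):
    return hashlib.sha256(src.encode("utf-8")).hexdigest()

def strip_comments(src):
    """Blank out comments, keeping strings and line breaks intact."""
    def blank(m):
        tok = m.group(0)
        return tok if tok[0] in "'\"" else re.sub(r"[^\n]", " ", tok)
    return _TOKENS.sub(blank, src)

def scan(src, whitelist=frozenset()):
    """Return (line_no, function, source_line) for each risky call."""
    if file_hash(src) in whitelist:   # reviewed and unchanged since
        return []
    code, lines = strip_comments(src), src.split("\n")
    hits = []
    for m in _CALL.finditer(code):
        n = code.count("\n", 0, m.start()) + 1
        hits.append((n, m.group(1).lower(), lines[n - 1].strip()))
    return hits

# Constructed sample: only lines 6 and 8 contain real calls.
SAMPLE = r'''<?php
// Do not use eval() here, see coding standards.
$url = "http://example.test/a"; # exec() note
$rows = $pdo->exec("DELETE FROM log");
$out = curl_exec($ch);
eval(base64_decode($payload));
/* legacy: exec('ls') was removed */
exec ( $cmd );
'''
```

Because the whitelist is keyed on the content hash, a whitelisted file that is later modified shows up in the results again.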
