Find malicious code infections on your website and identify suspicious files
Malware Scanner for WordPress
The malware scanner module searches for any malicious code on your website.
Protecting yourself from hacking attempts is always the best thing to do. But no matter how well you protect yourself, your website can still be hacked.
Even secure websites are vulnerable to new and unknown bugs. Once in a while, security holes in even well-known plugins come to light, in some cases affecting hundreds of thousands of websites. Malware attacks are on the increase, and with the continued success of WordPress, the platform is a big and interesting target for attackers looking for security holes to exploit.
How to protect a website 100%
The only way to protect a website completely from malicious attacks would be to block all outside visitors, which would defeat the purpose of having a website in the first place.
Files are scanned using the PHP malware scanner library that detects common code found in malicious scripts and also specifically known attacks.
A result could just be a piece of code that looks bad. Sometimes it is quite obvious, and specific viruses or attacks can even be identified by name. Other times it could be legitimate programming written with no malicious intent, or it could be malicious code trying to hide.
This is where you should start looking if you suspect your website is hacked.
It is very important to go through the files manually and have a look at the suspicious lines of code. If you are certain they are OK, whitelist the file.
We recommend you regularly scan your website and check the results.
Malware Scanner Features
- One-click scan - quickly identify problematic files
- Scan all (active and disabled) theme files
- Scan all (active and disabled) plugin files
- Scan all files uploaded to the wp-content folder
- Scan entire WordPress installation
- Scan options DB table
- Whitelist files that you have inspected and know are safe
- Delete files that you are sure have no place in your WP folders
- Optimized for large WP installations with numerous files
- Complete integration with Security Ninja's easy-to-use GUI
- Compatible with all themes and plugins
Integrity checking WordPress plugins
To improve the accuracy of malicious code detection, a newer feature verifies the integrity of every plugin on your website that is installed from and distributed by wordpress.org.
Each plugin installed from the official WordPress plugin repository is checked against a list of checksums that wordpress.org provides via an API.
This makes it easier to detect changes to a plugin when malicious code has been inserted into its files.
A list of checksums for each file included in a plugin is downloaded and stored on your server to make repeated checks faster. By keeping a local copy of the checksums on your server we reduce the time it takes to check the same plugin again.
Note: This does not protect against malicious code inserted and distributed directly from wordpress.org but these are usually caught pretty quickly by the community.
When an integrity check is performed during the malware scanner, the following steps are performed:
- Is the plugin distributed from wordpress.org?
- If so, check each file in the plugin against the list of files and checksum from WordPress API.
- Any changes to files are detected.
- Any unknown files in a plugin are detected and a warning will be shown.
- All other plugins are checked with the powerful malware scanner module.
- We compare SHA256 checksums rather than the more commonly used MD5 method.
- Reduced false positives by checking for multiple details.
- Locally stored checksums are stored in .json files located in the folder /wp-content/uploads/security-ninja/
- Cached checksum files older than 7 days are pruned so that the checksums stay up to date.
- All files are removed when you deactivate the plugin.
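As an added example (not Security Ninja's own code), here is how the integrity check listed above can be implemented: every file under a plugin folder is hashed with SHA256 and compared against the checksum list for that release, yielding modified, missing and unknown files, and a locally stored checksum file is reused only while it is younger than 7 days. The checksum map and the sample plugin files are constructed inline; the real API response format is not reproduced.

```python
import hashlib
import json
import os
import tempfile
import time

CACHE_MAX_AGE = 7 * 24 * 3600  # locally stored checksum lists older than this are pruned

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def integrity_check(plugin_dir, expected):
    """Compare every file under plugin_dir with expected {relative path: sha256}.
    Returns (modified, missing, unknown) as sorted lists of relative paths."""
    found = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            found[rel] = sha256_of(full)
    modified = sorted(p for p in expected if p in found and found[p] != expected[p])
    missing = sorted(p for p in expected if p not in found)
    unknown = sorted(p for p in found if p not in expected)
    return modified, missing, unknown

def cache_is_fresh(cache_path, now=None):
    """Reuse a locally stored checksum file only while it is younger than 7 days."""
    return os.path.exists(cache_path) and (now or time.time()) - os.path.getmtime(cache_path) < CACHE_MAX_AGE

def demo():
    """Constructed sample plugin: clean, modified, unknown and missing files."""
    plugin = os.path.join(tempfile.mkdtemp(), "example-plugin")
    os.makedirs(os.path.join(plugin, "inc"))
    original = {"example-plugin.php": b"<?php\n// example plugin\n",
                "inc/helper.php": b"<?php\n// helper\n",
                "readme.txt": b"=== Example ===\n"}
    expected = {p: hashlib.sha256(d).hexdigest() for p, d in original.items()}  # from the API
    on_disk = dict(original)
    on_disk["inc/helper.php"] += b"// injected line\n"     # tampered file
    on_disk["wp-cache.php"] = b"<?php\n// dropped file\n"  # not in the distribution
    del on_disk["readme.txt"]                              # missing file
    for rel, data in on_disk.items():
        with open(os.path.join(plugin, rel), "wb") as f:
            f.write(data)
    cache = os.path.join(os.path.dirname(plugin), "example-plugin.json")
    with open(cache, "w") as f:
        json.dump(expected, f)  # local copy, like the .json files in uploads/security-ninja/
    return {"check": integrity_check(plugin, expected), "fresh": cache_is_fresh(cache),
            "stale": cache_is_fresh(cache, now=time.time() + 8 * 86400)}
```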
Why does it say a plugin is infected?
Malicious code is usually obfuscated, or tries to hide as code that looks valid to the untrained eye. The scanner reads each file and tries to identify patterns and specific known pieces of code that are recognized as malicious.
False positive results
Some plugins' and themes' files can appear on the scan list, but do not be worried - it is normal for some plugins to use code that can look malicious for a website scanner, but does not contain any bad code. These are known as "false positives".
Although we try to limit the number of files that are wrongly identified, we also want to be thorough, and would rather show you a couple of wrongly identified files than miss something malicious.
Again this does not mean they will do harm to your site. It just means you need to have a closer look at their content.
Why is my website under attack?
Hackers do not only attack big websites or corporate networks; even small websites are useful to them as hosts for malicious code.
The reason could be anything from injecting spammy content into your website for SEO purposes, to getting customer data, to just being able to brag about getting into your website or bringing it down for fun.
Most attacks on your website come from automated scripts that simply try a series of known hack attempts, without any human interaction.
How malware scanners work
Identifying malicious code hiding in between actual legitimate code is not easy. Here are a couple of examples of what a WordPress malware scanner has to consider when detecting security threats on a website.
Real code comments
It is common for malicious scripts to leave a small marker in the files they have already infected. Without such a marker they might infect the same file repeatedly and cause the website to crash, which is not their intent: they want the website to keep working, for whatever purpose they have in mind for you.
Comments similar to this:
It is also common for developers to leave comments in their code, and if the website malware scanner is sensitive enough a normal comment or note by the developer can be identified as a sign of a malicious file.
This is what is known as a false positive.
A "false positive" means the scanner returned a positive result (it identified a piece of code as malicious), but that result was wrong; the positive was false.
False-positive results are something we try to minimize, but it can be a knife's edge trying to distinguish malicious code from code that is needed and functions properly.
The people that develop malware and viruses are always trying to be a step ahead, which makes detection even harder and conflicts with regular code much more common.
Using “dangerous” PHP functions
When developing in PHP for WordPress there are "low level" functions you usually do not need to use, and which are more commonly found in malicious code. The PHP eval() function is one such example.
The eval() function "evaluates" a string as PHP code and, if the string is valid code, executes it.
Another PHP function is exec(), which executes a program on your server.
The danger here is that the string handed to these functions can be obfuscated, making it harder to identify what is actually happening.
Although sometimes a sign of lazy or unsafe coding, there are legitimate uses for both the eval() and exec() functions, so the fact that a file includes either of these does not mean it is infected. It is, however, always worth checking the file once it pops up in the results of your scan.
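As an added example that is not the plugin's own scanner, the following Python sketch shows the kind of heuristics a scanner applies to PHP source: calls to eval() and similar functions are reported for review, a dangerous call that directly wraps a decoding function is treated as likely malicious, comments are stripped first so a developer note that mentions eval() does not trigger a false positive, and files a human has reviewed are whitelisted by SHA256 hash. The sample PHP snippets and the pattern lists are constructed for the example.

```python
import hashlib
import re

# Functions that execute code or commands: legitimate at times, but worth a manual look.
DANGEROUS = ("eval", "exec", "system", "shell_exec", "passthru")
# Functions commonly used to hide what is actually being executed.
OBFUSCATION = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13")

CALL = re.compile(r"\b(%s)\s*\(" % "|".join(DANGEROUS))
# A dangerous call whose argument is itself a decoding call, e.g. eval(gzinflate(base64_decode(
HIDDEN_CALL = re.compile(r"\b(?:%s)\s*\((?:\s*(?:%s)\s*\()+" % ("|".join(DANGEROUS), "|".join(OBFUSCATION)))
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")

def strip_comments(src):
    """Drop block comments and full-line // comments (heuristic; strings are left alone)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"^\s*//.*$", "", src, flags=re.M)

def scan_php(src):
    """Return (verdict, findings) for one PHP source text."""
    code = strip_comments(src)
    findings = ["call to %s()" % m.group(1) for m in CALL.finditer(code)]
    hidden = bool(HIDDEN_CALL.search(code))
    if hidden:
        findings.append("dangerous call wrapping a decoding function")
    if LONG_BLOB.search(code):
        findings.append("long encoded string literal")
    if hidden:
        return "likely malicious", findings
    return ("suspicious" if findings else "clean"), findings

def scan_files(files, whitelist):
    """files: {path: source}; whitelist: sha256 digests of files a human has already reviewed."""
    report = {}
    for path, src in files.items():
        digest = hashlib.sha256(src.encode()).hexdigest()
        report[path] = ("whitelisted", []) if digest in whitelist else scan_php(src)
    return report

SAMPLES = {  # constructed PHP snippets, not taken from any real plugin
    "legit/cron.php": "<?php\n// TODO: never use eval() here\n$out = exec('php -v');\n",
    "legit/i18n.php": "<?php\nfunction t($s) { return $s; }\n",
    "uploads/cache.php": "<?php\neval(gzinflate(base64_decode('" + "QUJD" * 40 + "')));\n",
}

def demo():
    first = scan_files(SAMPLES, set())
    # The admin inspects legit/cron.php, decides exec('php -v') is fine and whitelists it.
    reviewed = {hashlib.sha256(SAMPLES["legit/cron.php"].encode()).hexdigest()}
    return first, scan_files(SAMPLES, reviewed)
```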
A firewall is a piece of software that intercepts any visits to your website and blocks malicious and unwanted visitors.
This is done by analyzing the details of the visitor, such as the User Agent, the IP address, and the contents of the request, for example SQL injection attempts or attempts to inject other kinds of malicious code.
Plugins distributed from wordpress.org can be checked on your website vs. the version on the repository. An integrity check verifies each file in each plugin. The process makes sure no changes have been made, and no extra code or files have been added.
A false positive is a term for when something is identified, meaning "positive" - but in reality the result is not real - hence the "false" part.
It is a term used in many situations, and in malware and virus protection it refers to when a file is wrongly (false) identified as having bad malicious code in the file (positive).