How To Scan Your WordPress Blog For Hidden Malware

13 May

With millions of websites and sophisticated malware out there, cyber crime is becoming more common than car theft.

WordPress sites are a frequent target of spammers, hackers, and malicious software. This is simply because WordPress is the most popular online content management system and its inner workings are well known to hackers. You wouldn’t leave your car key in the ignition, but if you have a site with a dated WordPress version and generic settings, you might as well include tags that say “hacker friendly”.

Every WordPress site owner should take measures toward improving WordPress security.

The standard tactic of most hackers is the easiest – infecting your site with malware. These threats can include:

  • Pharma hacks, which inject spam into files or databases
  • Drive-by downloads – scripts that download malicious files to a user's computer, generally without their even being aware of it. The download might be masquerading as some useful utility, or covertly bundled with another legitimate program.
  • Backdoors – a program that gives hackers access whenever they like, either via FTP uploads or even your WordPress admin dashboard.
  • Database or file injection – insertion of code into database or system files that gives hackers access. Database injections are a common threat where text sprinkled through various records can be reassembled by a simple query into malicious commands. WordPress uses a single MySQL database that contains all the settings and information needed to administer your site.
  • Redirects – a piece of code that sends visitors from your links to a page on a hacker site that tricks people into downloading malicious files. They might even copy one of your own pages so the user doesn't even know they've been sent to another site.
  • Phishing – a fraudulent page/form asking for sensitive information like usernames, passwords, and account numbers, which are captured by the hackers and used to access accounts. Often this will be a very good copy of a legitimate site you might deal with, such as a bank or PayPal, which they've identified from your web activity. Except that all the information you enter goes straight to a hacker's personal files.

Defacements

Some hackers aren’t merely content with getting information or even crippling a targeted site; they deface a page (and drive away your customers) by placing a header or image that declares something like “This site has been hacked by the Goon Squad!”
Website defacement is actually rare compared to infection by malware, but it is a favored tactic of some hackers. The majority wish to remain hidden so they can go on with the criminal activity of stealing information and compromising accounts.

When hackers show themselves the first thing you need to do is locate and remove the offending files. But apart from a certain gratification of ego, they get the satisfaction of knowing your site is exposed as hackable to your visitors, which could cost you traffic and do as much damage to your bottom line as if they had actually gotten to your bank account.

WordPress Hackers will bide their time

In most cases, covert hacking means more time for the hacker to operate and more visitors they can potentially scam or infect. A WordPress site might be hacked without the owner ever knowing, meaning that not just you but all your customers are exposed.

Hackers might introduce malware to your site and wait to activate it so any changes that show up on scans seem harmless, since there isn’t a problem. Then they discreetly start to implement malicious scripts to gain further access and control, meaning essentially that they can get whatever they want from your site, whenever they want, if they aren’t discovered.

It is very important to do a regular scan of your site's files to uncover any malware that might have been introduced. Your site might seem to be operating perfectly fine when in fact it's been badly compromised. The hacker could already have your IP address, or have copied session cookies that give access to your WordPress dashboard. Some hackers will implement code designed to create the illusion that everything is normal with your system files and everything must be OK. In reality they could already have stolen all the sensitive information they can find and be using your email and user accounts to spam for more victims.

If search engines like Google identify your site as a source of malware, forget about those rankings you worked so hard to get. Not only will you be blacklisted, but your site could show up in browsers with a security warning as a malicious site. Visitors disappear when you were under the impression that things were going well.

Fortunately there are a number of plugins and third-party services that can help identify malware on a WordPress site. Most of these site checkers work by typing in your URL, clicking a scan button, and waiting for results. However, these scans may not include hidden or archived files and pages, or recognize the code of particularly innovative hacking attempts. In short, nothing is 100% guaranteed.

WordPress Scanning tools

Sucuri

This company has a solid reputation when it comes to security measures and malware scans. Sucuri SiteCheck can be used to scan your site for known issues with their free trial version.

SiteCheck malware scanning checks not only for malicious software, but defacements and injection attacks. It can also detect whether compromised email accounts have led to your website server getting blacklisted by spam recipients.

The main drawback to the free version is that you have to scan your site manually on your own. Upgrading to the paid premium plan includes automatic alerts via email about any suspicious issues. The full version will remove the malware and remove your IP address from remote server spam lists.

Sucuri also offers a plugin called Sucuri Security that offers firewall protection along with malware scans. It also works to provide additional security against known WordPress vulnerabilities, and provides you with a list of logins so you can see exactly who has been using your site. It also has some useful features for recovering in the event you are hacked, such as a utility for resetting passwords.

Virustotal

This is a free web service that identifies and analyzes suspicious files and associated URLs on your site, helping you to detect viruses, worms, and other kinds of malware.

CodeGuard

This is really a backup program that creates automated file backup and restore operations with a single click. But it also monitors your site regularly for changes and sends alerts if it detects possible malware. In any case every site should be performing regular backups to preserve files and data in the event they are corrupted.

CodeGuard plans are very affordable for basic service. VaultPress performs many of the same services but at a higher fee.

Wordfence Security

One of the more popular WordPress security plugins, it will scan not just theme files, but core WordPress files and other plugins for known threats. It can also deliver a change log to help identify malicious uploads as well as recommendations for making your site more secure.

Wordfence checks against earlier versions saved to your repository. It also has the capability to do scans outside of the WordPress installation, which is a good idea if you have working files in other folders.

WordPress Malware Security Plugins

If you have a lot of image files, you might want an option that lets you exclude them from scans, otherwise the process might be slowed considerably.

Theme Authenticity Checker
This plugin tool can scan your WordPress theme files for malicious content, including illicit footer links and Base64 code injection issues. It will return details on any links that are hard-coded into the template, and while this may not be actually malware, it’s worth checking now and then to see that nothing potentially harmful has been passed in.

WP Antivirus
One security plugin from SiteGuarding engineered for WordPress is WP Antivirus Site Protection, which scans your site for the usual hacker attacks: backdoors, worms, adware, spyware, rootkits, and so on. This plugin will also scan other plugins and media files that have been uploaded to your site. Their free plan will scan your site weekly, but upgrading to paid versions can provide daily monitoring, antivirus protection, and removal of malware, along with automatic notification of uncovered threats.

AntiVirus
This is a simply named, free plugin that scans theme files for spam and malicious code. One of its best features is a convenient alert message that shows up right on your WordPress admin bar. Other options regarding malware detection include email alerts. However, AntiVirus only scans your current themes; other installed themes are not scanned. Unless you’re one of those who like changing themes from time to time, unused themes represent an additional level of risk and should be removed.

Anti-Malware
This is another excellent security plugin that scans and automatically removes malware, viruses, and other identified threats from your WordPress site. It can also beef up your wp-login code to prevent any brute-force login attempts.

Quttera
This plugin, named Quttera Web Malware Scanner, scans your site and generates an easy-to-follow report showing possible threats such as backdoors, malicious iframes, code injection, and much more. It also notifies you if your site has been blacklisted for spam by ISPs.

Wemahu
This is a fairly new plugin that will regularly scan your WordPress site for malicious code and email you a report of detected threats.

WP Changes Tracker
WP Changes Tracker is not exactly a malware scanner so much as a change log that monitors alterations to your MySQL databases, plugins, and theme files. If you are hacked, changes will show up here to help you determine exactly what was affected and how it was done, so that you can identify and reinforce weak spots. It's also handy in that it lets you track your own changes and those of your staff.

A similar plugin that’s easy to use is WP Security Audit Log. This logs every change made, including failed logins, template changes, and new plugins. You can set up automatic alerts for any of these.

One thing to keep in mind when scanning plugins and theme files is that they could include logs or other files that change automatically every time you use the plugin. If you've made changes to WordPress core files, they could show up on change scans as well. So don't panic over every warning that shows up in your logs, but it would certainly help if you were familiar enough with your installation to know what should and should not have been changed.

A hands-on approach

A basic technique you should not overlook is manually searching for inconsistencies in the code of your WordPress core files, or sudden changes in file size that could indicate the addition of unusual PHP scripts. A good method is to have recent backup copies of these files that you can use for comparison.

If you are storing and uploading images to cloud services like Dropbox, you might also want to check these files against the original versions. If you haven’t done image optimization or re-sizing, discrepancies should be easy to spot.

Of course, this involves more work and valuable time. For sites with hundreds of files and images, it’s just unrealistic to spend hours checking and comparing files. You could rely on a change tracker and just verify the files that show up as being altered to ensure they haven’t been compromised. Or find a text-comparison tool which will save you time over going through pages of code you may not be all that familiar with. But you will learn a lot about WordPress and PHP.

If you do maintain recent copies, you only need to delete and replace any suspicious changes.
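A minimal version of that backup-versus-live comparison as a shell script, added here as an example and not taken from the article or any of the plugins it lists: it hashes the PHP, JS and .htaccess files in a known-good backup copy and in the live tree, reports what was added, removed or modified, and greps for the eval(base64_decode()) pattern mentioned under Theme Authenticity Checker. Function names, directory layout and file contents are constructed for the demo.

```shell
# Baseline-and-compare check for a WordPress install, as described above: hash every
# code-bearing file in a known-good backup copy and in the live tree, then report
# what was added, removed or modified. Paths and file contents are constructed.
set -u

# Print "sha256  ./relative/path" for each PHP, JS and .htaccess file under $1.
wp_manifest() {
  ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) -exec sha256sum {} + )
}

# Compare backup tree $1 with live tree $2. One line per difference, sorted by path:
# ADDED (only in live tree), REMOVED (only in backup), MODIFIED (same path, new hash).
wp_compare() {
  local base live
  base=$(mktemp) && live=$(mktemp)
  wp_manifest "$1" > "$base"
  wp_manifest "$2" > "$live"
  awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
       !($2 in base)       { print "ADDED    " $2; next }
       base[$2] != $1      { print "MODIFIED " $2 }
                           { delete base[$2] }
       END { for (p in base) print "REMOVED  " p }' "$base" "$live" | sort -k2
  rm -f "$base" "$live"
}

# List PHP files under $1 containing eval(base64_decode(...)), the injection pattern the
# Theme Authenticity Checker looks for. Hits are leads to review by hand, not verdicts.
wp_find_base64_eval() {
  grep -rlE --include='*.php' 'eval[[:space:]]*\([[:space:]]*base64_decode' "$1" | sort
}

# Demo on two constructed trees: the live copy has a tampered functions.php and a PHP
# file dropped into uploads. Prints the combined report and cleans up.
wp_demo() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/backup/wp-content/themes/t" "$root/live/wp-content/themes/t" "$root/live/wp-content/uploads"
  for d in backup live; do
    printf '<?php // constructed core file\n'        > "$root/$d/wp-config.php"
    printf '<?php // constructed theme functions\n' > "$root/$d/wp-content/themes/t/functions.php"
  done
  printf 'eval(base64_decode("ZWNobyAxOw=="));\n' >> "$root/live/wp-content/themes/t/functions.php"
  printf '<?php // constructed dropped file\n'    >  "$root/live/wp-content/uploads/x.php"
  wp_compare "$root/backup" "$root/live"
  wp_find_base64_eval "$root/live" | sed "s#^$root/live/#BASE64EVAL ./#"
  rm -rf "$root"
}
```

Run `wp_compare /path/to/backup /path/to/public_html` against a real install; unchanged files print nothing, so an empty report means the trees match.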

Every WordPress site should be scanned regularly to identify and remove threats as soon as possible. The longer malware is able to lurk and operate, the more damage it can do to your site and your visitors.

Jamie

My name is Jamie Spencer and I have spent the past 5 years building money making blogs. After growing tired of the 9-5, commuting and never seeing my family I decided that I wanted to make some changes and launched my first blog. Since then I have launched lots of successful niche blogs and after selling my survivalist blog I decided to teach other people how to do the same.
8 Comments
  • Rama
    Posted at 01:16h, 19 July

    What tool is available that scans the actual database for code already injected?

  • Shopping Site
    Posted at 06:58h, 22 August

    Best online tool to check for malicious code?

    • Jamie
      Posted at 07:46h, 29 August

      I use Sucuri a lot of the time.

  • Tyrohn White
    Posted at 09:53h, 01 September

    I heard a lot about the tool Sucuri. I also visited their blog to attain more information about the plugin. I also discovered some blogs, like a blog from Template Toaster, which teach about securing WordPress websites manually and without the use of any plugins. Is that security sufficient for a website, or are plugins necessary?

  • Tarun
    Posted at 17:12h, 18 September

    No doubt the article is very good, but many WP users install free themes and free plugins, which is also one of the reasons they get infected. Users need to add tight settings to protect their website; just installing this plugin will not help.

  • Penyair
    Posted at 05:53h, 29 November

    I use AIO Security for firewall and advanced security.

  • Heather Wood
    Posted at 23:04h, 06 February

    Hey Jamie! Thanks so much for the awesome roundup of links. Are there any common WordPress files we, as admins/developers, could manually check out quickly to look for malicious code? I know that code can be injected in thousands of pages, but sometimes, from what I've experienced, I've found only a few instances in more common places, usually in files such as wp-config.php and functions.php. Are there any others off the top of your head that are generally targeted by hackers?
