Elegant Themes Blog


How To Scan Your WordPress Website For Hidden Malware

Posted on July 23, 2014 by in Tips & Tricks | 70 comments


As the most popular content management system on the web, WordPress is a common target for hackers, spammers, and other malicious parties. That is why it is vital to take measures to make your website more secure.

The goal of most hackers is to infect your website with malware. Common malware threats include:

  • Pharma Hacks – Inject spam links and pages (typically for pharmaceutical products) into your database or theme files, often hidden from logged-in users and shown only to search engines
  • Backdoors – A hidden script, often dropped in an uploads or plugin directory, that lets the attacker get back into your website at any time, even after you change your FTP and WordPress admin passwords
  • Drive-by Downloads – A script, typically an injected iframe or piece of JavaScript, that pushes a file to the visitor's computer either without their knowledge or by misleading them into believing the software does something useful
  • File and Database Injections – Code inserted into your files or database (for example, an eval() of a base64-encoded string) that lets the attacker do a number of different things
  • Malicious Redirects – Send visitors, often only those arriving from search engines, to a page of the attacker's that misleads them into downloading an infected file
  • Phishing – Pages hosted on your website that imitate a bank or e-mail provider in order to acquire usernames, passwords, email addresses, and other sensitive information

When most people think about a website being hacked, they think about the hacker defacing the website and leaving a message for visitors, e.g. "Your Website Has Been Hacked by ABCXYZ!".

Defacement Example

In comparison to malware infections, website defacements are rare.

The majority of hackers do not want you to know that they have tampered with your website, as the first thing a website owner will do on learning that the site has been compromised is remove the malicious files.

Hackers who infect your website with malware are more discreet. The longer you are unaware that your website is infected, the longer they can use it to send spam emails and infect your visitors. Even a well-hardened WordPress website can be compromised without the owner noticing. It is therefore important that you scan your website regularly to detect any hidden malware.

In this article, I would like to show you services and plugin solutions that will help you detect malware on your WordPress website.

Sucuri Malware Scanning

Sucuri have a great reputation as an effective security and malware scanning solution. Their Sucuri SiteCheck scanner will scan your website for common issues free of charge.

The scanner checks your website for malware, defacements, and spam injections. It will also tell you whether your domain has been blacklisted (which can happen if a hacker has been using your server to send spam or host malware). Bear in mind that SiteCheck is a remote scanner: it only sees what your site serves to an outside visitor, so a backdoor that does not change your pages' output can go unnoticed. Its other limitation is that you have to run the scan manually yourself.

Upgrading to their $89.99 yearly premium plan gives you automatic alerts by email and Twitter about any malware issues. On this plan Sucuri will also clean the malware for you and request removal of your website from any blacklists.


Sucuri SiteCheck will scan your website for common malware issues.

Sucuri also offer a WordPress plugin called Sucuri Security. In addition to scanning your website for malware, the plugin offers a firewall to make your website more secure, hardening options that address common WordPress security holes, and a "last logins" section that shows exactly who has logged into your website and when.

The plugin also has some useful features for recovering your website after an attack, such as regenerating the secret keys and salts in wp-config.php (which invalidates every existing login cookie) and resetting user passwords.


Sucuri Security can scan your website for malware and make your website more secure.

CodeGuard

CodeGuard is a backup service that provides automated backups and restores at the click of a button. The service also monitors your website for changes every day and alerts you if it detects any malware.

Plans start from only $5 per month to backup and monitor one website. One of its main rivals in the backup niche is VaultPress, however VaultPress only offer daily scanning with their $40 per month plan. If you are looking for an all in one monitoring and backup solution, CodeGuard is a great choice.


CodeGuard offer backups and monitoring at an affordable price.

Theme Authenticity Checker

Theme Authenticity Checker (TAC) scans every theme installed on your website for malicious code, such as hidden footer links and base64-encoded code injections.


Theme Authenticity Checker will scan your theme files to check that nothing malicious is there.

Footer links will not stop a theme from passing its check, but the plugin lists any links that are hard-coded into the templates. These are usually harmless, but it is worth reviewing them in case a bad link slips through.


Details of any detections are brought to your attention.

WP Antivirus Site Protection

WP Antivirus Site Protection is a security plugin from SiteGuarding that can scan your website for backdoors, rootkits, trojan horses, worms, fraudtools, adware, and spyware. In addition to scanning theme files, the plugin will scan plugin files and media that has been uploaded to your website.

Their free plan scans your website weekly. The $4.95 per month basic plan adds daily monitoring, and the $9.95 per month standard plan adds malware removal.


WP Antivirus Site Protection provides notifications of any malware it detects.

AntiVirus

AntiVirus is a free WordPress plugin that scans your theme files every day for malicious code and spam. It shows a virus alert in the WordPress admin bar and can also notify you of any detections by email.

The main limitation of the plugin is that it only scans your active theme; your other installed themes are not scanned. This is not a major issue if you remove inactive themes from your website (which is advisable anyway: an old theme that is no longer updated is a security risk even when inactive, because its files are still reachable on the server).


AntiVirus is a useful free malware scanner that can scan your WordPress theme for malicious code.

Anti-Malware

Anti-Malware scans your website for malware and can automatically remove known threats. The plugin can also harden your wp-login.php page against brute-force attacks.


Anti-Malware can scan your website for viruses and malware.
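Two of the problems the article mentions, brute-force attempts against wp-login.php and a backdoor dropped on the server, both leave traces in the ordinary web server access log even when no security plugin is installed. The script below is an added example (not code from the article or from the Anti-Malware plugin) that runs over a handful of constructed log lines in the common Apache/nginx "combined" format. It relies on one WordPress-specific detail: a failed login POST to wp-login.php re-renders the form with HTTP 200, while a successful one answers with a 302 redirect, so the status code separates the two without any application-level logging. The threshold and window are assumptions you would tune to your own traffic.

```python
"""Access-log triage for WordPress: login brute force and backdoor use.

Added example for the article; the log lines below are constructed
(documentation IP ranges), not taken from a real server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format; referer and user agent are left unparsed as they are unused here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

FAIL_THRESHOLD = 5                 # failed logins from one IP ...
WINDOW = timedelta(minutes=10)     # ... within this window => brute force (assumed values)

# Constructed sample: a scripted login burst that eventually succeeds, a normal
# user who mistypes once, and a backdoor in the uploads directory being driven.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jul/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.3"
198.51.100.9 - - [23/Jul/2014:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.3"
198.51.100.9 - - [23/Jul/2014:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.3"
198.51.100.9 - - [23/Jul/2014:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.3"
198.51.100.9 - - [23/Jul/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.3"
198.51.100.9 - - [23/Jul/2014:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.3"
203.0.113.7 - - [23/Jul/2014:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jul/2014:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [23/Jul/2014:11:15:42 +0000] "POST /wp-content/uploads/2014/07/image.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.33 - - [23/Jul/2014:11:16:01 +0000] "GET /wp-content/uploads/2014/07/image.php?c=id HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jul/2014:11:20:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]   # drop the query string
    return d


def analyse(log_text):
    failures = defaultdict(list)    # ip -> timestamps of failed wp-login.php POSTs
    successes = defaultdict(list)   # ip -> timestamps of successful logins (302)
    backdoor_hits = []              # (ip, method, path) for PHP executed from uploads
    for e in filter(None, (parse_line(l) for l in log_text.splitlines())):
        is_login = e["method"] == "POST" and e["path"] == "/wp-login.php"
        if is_login and e["status"] == 200:
            failures[e["ip"]].append(e["ts"])
        elif is_login and e["status"] in (301, 302):
            successes[e["ip"]].append(e["ts"])
        # WordPress never serves PHP from the uploads tree; any hit there is a backdoor candidate.
        if e["path"].lower().endswith(".php") and e["path"].startswith("/wp-content/uploads/"):
            backdoor_hits.append((e["ip"], e["method"], e["path"]))

    brute_force = {}
    for ip, times in failures.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):            # sliding window over sorted timestamps
            while times[j] < t - WINDOW:
                j += 1
            best = max(best, i - j + 1)
        if best >= FAIL_THRESHOLD:
            # a 302 after the last failure means the password was most likely guessed
            guessed = any(s >= times[-1] for s in successes.get(ip, []))
            brute_force[ip] = {"max_failures_in_window": best, "succeeded_after": guessed}
    return {"brute_force": brute_force, "backdoor_hits": backdoor_hits}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, info in result["brute_force"].items():
        print(f"brute force from {ip}: {info}")
    for ip, method, path in result["backdoor_hits"]:
        print(f"backdoor use: {ip} {method} {path}")
```

On a real server you would feed it the rotated logs (`zcat access.log*.gz | ...`), and an IP flagged with `succeeded_after` set is a reason to reset that user's password and look for new admin accounts, not just to block the address.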

Quttera Web Malware Scanner

Quttera Web Malware Scanner scans your website for known threats such as backdoors, code injections, malicious iframes, hidden eval() code, and more. The report lists the suspicious files and tells you whether your website appears on any blacklists.


Quttera Web Malware Scanner can scan your website for common malware threats and provide an easy to read report.
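To make the malware types listed at the top of the article concrete, and to show what plugins such as Theme Authenticity Checker and Quttera are actually looking for, here is an added example (not code from the article or from any of the plugins it reviews): a small signature scanner that walks a WordPress tree and flags eval()-of-decoded-payload injections, long base64 blobs, hidden iframes, display:none link blocks, JavaScript redirects, the string-concatenation obfuscation style that one of the comments pastes, and any PHP file sitting in the uploads directory. The sample files it scans are constructed inline so it runs offline; the patterns are an illustrative subset, and a real scanner would carry many more and whitelist known-good files.

```python
"""Signature scan of a WordPress tree for common injection patterns.

Added example for the article; the sample tree is constructed here,
and the indicator list is illustrative, not exhaustive.
"""
from __future__ import annotations
import os
import re
import tempfile
from dataclasses import dataclass

# (name, regex, file extensions the indicator applies to)
INDICATORS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), {".php"}),
    ("preg_replace /e (code execution)",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]+/[a-z]*e[a-z]*['\"]", re.I), {".php"}),
    ("long base64 blob",
     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), {".php", ".js", ".css", ".html"}),
    ("hidden iframe",
     re.compile(r"<iframe[^>]+(width|height)\s*=\s*['\"]?0|<iframe[^>]+visibility\s*:\s*hidden", re.I),
     {".php", ".js", ".html"}),
    ("hidden link block (display:none)",
     re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I), {".php", ".html"}),
    ("javascript redirect",
     re.compile(r"(window\.)?location(\.href)?\s*=\s*['\"]https?://", re.I), {".js", ".php", ".html"}),
    ("string-concatenation obfuscation",   # six or more short quoted assignments on one line
     re.compile(r"(\$\w+\s*=\s*'[^']{0,8}';\s*){6,}"), {".php"}),
]


@dataclass
class Finding:
    path: str       # path relative to the WordPress root
    indicator: str
    line: int       # 0 means the finding is about the file's location, not a line


def scan_file(full: str, rel: str) -> list[Finding]:
    ext = os.path.splitext(full)[1].lower()
    findings = []
    # PHP has no business in the uploads tree; a .php there is the classic backdoor drop.
    if ext == ".php" and rel.replace(os.sep, "/").startswith("wp-content/uploads/"):
        findings.append(Finding(rel, "php file in uploads directory", 0))
    with open(full, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, text in enumerate(fh, 1):
            for name, rx, exts in INDICATORS:
                if ext in exts and rx.search(text):
                    findings.append(Finding(rel, name, lineno))
    return findings


def scan_tree(root: str) -> list[Finding]:
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results.extend(scan_file(full, rel))
    return sorted(results, key=lambda f: (f.path, f.line))


# Constructed sample site: one clean file and one example of each injection type.
SAMPLE_FILES = {
    "wp-content/themes/demo/header.php": "<?php get_header(); ?>\n<title><?php wp_title(); ?></title>\n",
    "wp-content/themes/demo/footer.php":
        '<div style="display:none"><a href="http://example.invalid/pills">cheap pills</a></div>\n',
    "wp-content/plugins/demo/demo.php":
        "<?php\n/* Plugin Name: Demo */\neval(base64_decode('" + "A" * 240 + "'));\n",
    "wp-content/uploads/2014/07/image.php":
        "<?php $a='s'; $b='y'; $c='st'; $d='e'; $e='m'; $f='x'; $g=$a.$b.$c.$d.$e; $g($_GET['c']);\n",
    "wp-content/themes/demo/js/main.js":
        "document.write('<iframe src=\"http://example.invalid/x\" width=\"0\" height=\"0\"></iframe>');\n"
        "window.location = 'http://example.invalid/landing';\n",
}


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8", newline="") as fh:
            fh.write(body)
    return root


def demo() -> list[Finding]:
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}: {f.indicator}")
```

Point `scan_tree` at a downloaded copy of a real site and expect some noise: minified JavaScript can trip the base64 rule and legitimate scripts do assign `location.href`, which is why every hit still needs a human to read the surrounding code. Note also that spam which only lives in the database (the case one commenter describes, links that change on every refresh) will not show up in a file scan; dump the database and run the same patterns over the dump.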

Wemahu

Wemahu is a newer WordPress plugin that detects malicious code on your website. It can run scans on a schedule and email you a report.


Wordfence Security

Wordfence Security is one of the most popular security plugins available for WordPress. It compares your core, theme, and plugin files against the original copies in the WordPress.org repository, so any file that has been modified or added is flagged, and it also scans for known malicious code.

It also keeps a record of activity on your website and offers many options for hardening your website and making it more secure.


Wordfence Security is a great all in one security solution that can scan your website for known threats.

WP Changes Tracker & WP Security Audit Log

WP Changes Tracker is not a malware checker. What it does is record the changes that have been made to the WordPress database, plugin files, and theme files.

If you are hacked, this record may help you see exactly what was changed and work out how someone compromised your website. The plugin is also useful for tracking changes made by staff.


WP Changes Tracker shows you what has been changed on your website.

A great alternative to WP Changes Tracker is WP Security Audit Log. The plugin will keep a log of every single change on your website. Security alerts can be sent to you for a number of reasons, including failed login attempts, changes to file templates, and plugin installation.


WP Security Audit Log keeps a log of every action on your website.
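What Wordfence's core-file check and WP Changes Tracker's change record have in common is a file-integrity baseline: hash everything once, then compare. The script below is an added example (not code from the article, Wordfence, or WP Changes Tracker) that does both jobs on a constructed sample tree: it snapshots a WordPress directory, reports files that were added, modified or deleted since the snapshot, and verifies core files against a checksum manifest. The manifest format, `{"checksums": {path: md5}}`, mirrors the one served by api.wordpress.org (which Wordfence and WP-CLI's `wp core verify-checksums` consult), but here it is computed from the clean copies so the script runs offline; the file contents and the "compromise" it simulates are made up for the demonstration.

```python
"""File-integrity baseline and core-file verification for a WordPress tree.

Added example for the article; sample files and manifest are constructed.
"""
import hashlib
import os
import tempfile


def file_hash(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algo="sha256"):
    """Map relative path -> hash for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = file_hash(full, algo)
    return out


def diff_snapshots(baseline, current):
    """Added / modified / deleted paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }


def verify_core(root, manifest):
    """Check core files against a {"checksums": {path: md5}} manifest (the api.wordpress.org shape)."""
    expected = manifest["checksums"]
    result = {"modified": [], "missing": [], "unexpected": []}
    for rel, md5 in expected.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif file_hash(full, "md5") != md5:
            result["modified"].append(rel)
    # Files inside the core directories that the manifest does not know about deserve a look too.
    result["unexpected"] = sorted(
        p for p in snapshot(root) if p.split("/")[0] in ("wp-admin", "wp-includes") and p not in expected
    )
    return result


# Constructed clean install (a tiny stand-in for a real WordPress tree).
CORE_FILES = {
    "wp-includes/version.php": "<?php $wp_version = '3.9.1';\n",
    "wp-admin/admin.php": "<?php require_once 'admin-header.php';\n",
}
SITE_FILES = {
    "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
    "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?>\n",
}


def write_tree(root, files):
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8", newline="") as fh:
            fh.write(body)


def build_manifest(files):
    # In reality fetched from api.wordpress.org for your exact version and locale (assumption: MD5, as there).
    return {"checksums": {rel: hashlib.md5(body.encode("utf-8")).hexdigest() for rel, body in files.items()}}


def demo():
    root = tempfile.mkdtemp(prefix="wp-integrity-")
    write_tree(root, {**CORE_FILES, **SITE_FILES})
    manifest = build_manifest(CORE_FILES)
    baseline = snapshot(root)
    # Simulated compromise: injected footer, dropped backdoor, trojanised core file, rogue core file, deleted file.
    write_tree(root, {
        "wp-content/themes/demo/footer.php": "<?php wp_footer(); eval(base64_decode('aGk=')); ?>\n",
        "wp-content/uploads/shell.php": "<?php system($_GET['c']); ?>\n",
        "wp-includes/version.php": "<?php $wp_version = '3.9.1'; include '/tmp/x';\n",
        "wp-includes/class-wp-cache.php": "<?php // not a core file\n",
    })
    os.remove(os.path.join(root, "wp-admin", "admin.php"))
    return diff_snapshots(baseline, snapshot(root)), verify_core(root, manifest)


if __name__ == "__main__":
    changes, core = demo()
    print("changes since baseline:", changes)
    print("core verification:", core)
```

Keep the baseline snapshot somewhere the web server cannot write (another host, or at least outside the document root); an attacker with file-write access on the site can otherwise rewrite the baseline along with the files. Re-snapshot after every legitimate update so that the next diff only shows what you did not do.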

Other plugins to consider using for malware scanning are:

I encourage you all to scan your website regularly to help detect malicious files and changes. It is in your best interests to detect any successful hack as soon as possible to minimize the damage. Bear in mind that a scanner plugin runs on the same server as the malware it is looking for, so a determined attacker can tamper with it; if a scan turns something up, also scan a downloaded copy of the files (and a database dump) offline, and prefer restoring from a known-clean backup to trusting automatic removal alone.

If you know of any other good malware scanners and malware detection plugins, please share them in the comment area below.

Article thumbnail by benchart / shutterstock.com


70 Comments

  1. We have ClamAV on all our shared hosting plans. I just assumed it would work as well, and works beyond a wordpress install.

    Any thoughts on ClamAV as a general server malware and antivirus remover?

    Thanks!

    • It doesn’t hurt to run ClamAV as well. If you are looking for a basic server-level exploit scanner that includes ClamAV as well, check out CXS.

  2. Thanks for the great information to help keep our websites (that of course use Elegant Themes products) safe and secure, Kevin!!

  3. Great article and valuable info Kevin, thanks!

    I personally use Wordfence Security, and Sucuri saved two of my sites by successfully finding and removing affected files when I was on their yearly plan. Wordfence has helped me realize how often someone tries to get access to a website using "Admin" as the user name, amongst other insights.

  4. What do you think about ithemes Security?

    • I use iThemes security on all my sites and have had great success with it. It’s amazing how many brute force attacks are done on the sites almost on a daily basis. So far I have had no problems with it.

      • Brute force attacks against what, the login page? Why are you not using iThemes' simple method of hiding your login page? This stops all automated brute force attacks against the login page.

        • Sorry, isn’t it easy to pull up a login page, simply by adding wp-admin to the url?

          • Hide any page you want just by using the .htaccess file. You don't change the structure of the page; it just lets you access the login page by another URL. Direct access to the file will be impossible for automated bots that use fingerprinting, so they won't be able to do their work (most attacks are done automatically). If you need to know more, feel free to contact me. I'll be happy to show you how for free.

      • Well, it's good to know that I am not the only one; I hide my login also. I think it is very easy to use and I am happy with it so far. Thanks!

      • Yeah, iThemes Security, formerly BetterWP Security. I wonder why Kevin never mentioned it in his article considering its popularity.

      • Yes, I also use iThemes Security, which was originally Better WP Security. It is the first plugin that I install on all my sites.
        Cheers,

  5. Awesome article and list! I use codeguard on my site and it’s great.

  6. This past weekend mine and 6 of my clients websites were hacked. It has been a nightmare to say the least! I’ve had to purchase SiteLock plans and am crossing my fingers that the sites will be up and running soon.

    A tough and costly lesson learned 🙁

    • Crossing your fingers won't help; you need an expert to get rid of the hack.

  7. Nice article.

    My website was under attack a few days ago. I just activated the Wordfence Security plugin, found out the IP addresses and blocked them. Now everything is good. It took 5 minutes to save my site from hackers. And the best solution to keep your site safe is to have both Wordfence and Cloudflare.

    • Blocking by IP address will only help against basic attacks; more sophisticated attacks will spoof the IP or quickly rotate via proxy servers. We have recorded attacks over several hours that have come from tens of thousands of different IP addresses.

  8. Scanning only gives you information, no doubt. WP is a highly secure system, but its security needs improvement, so I also recommend using the "Better WP Security" plugin.

    And use something like "WordPress File Monitor Plus": it will inform you by e-mail whenever any file in your WP installation is created/changed/deleted.

    You'll find no 100% reliable way to protect against all attacks, but you will know for sure if one happens. You will see that a file changed and have to think: why? And you can then do something about it.

    • It’s true, scanning is just part of the solution. We have some other great posts about basic security tips as well as how to deter WordPress hackers that touch on these other topics. This post is focused on scanning only.

  9. Hi Kevin
    I use a number of security features plus the paid version of Sucuri.

    If you run several websites the price per site is pretty reasonable.

  10. I have to say, this is by far one of the most useful posts to date. Thank you very much.

  11. Thanks for this article. I have already checked my website – free from viruses.

  12. Just want to contribute a plugin that helps with many of these issues as well. It is called WordFence and there is a free version of it that works great.

  13. Hey Kevin, these articles are the best in the field…

    But why don't you do top tens? I always end up testing most of them instead of aiming for the best 🙂

    • There is rarely one best solution for everyone! A top ten list is usually biased either by the author's requirements or by some financial incentive, so this approach is much better: giving an outline of available solutions and letting the reader decide which will suit their situation.

  14. A good roundup of available solutions, although I am also very surprised that iThemes Security wasn't included in the list, especially as prevention is much better than a cure. A site where the core, plugins and themes are always kept updated; where themes and plugins are from reputable developers; and where everything is properly protected by iThemes Security (in our opinion the best security plugin) and the Sucuri plugin is pretty secure against most of the standard hacks. Add to that using a hosting company that takes security seriously (a very large percentage don't do this and don't care) and also restricting access to admin directories to specific IP addresses, and you are secure against most things. The Sucuri cleanup service is good for those that haven't tied everything down and have been hacked.

      • Understood, and that is a great post as well, but if you are including Wordfence Security, then iThemes Security does pretty much all the same functionality you list for that.

        • I wasn’t aware that iThemes Security had a malware scanning tool like WordFence. Good to know 🙂

  15. Loving these daily updates, good job to the entire ET crew

  16. Thanks for the great article! I use BlueHost – so I haven’t thought too much about site security. Which is not smart since I have had sites hacked in the past. Off to download some plugins and start installing! Thanks again for the great post!

    • I’m considering using bluehost as well 🙂

  17. Thanks for the list of plugins. Don’t have time to test them all. Anyone know the bare minimum security set-up that will keep my site safe & secure?

    • Don't go with any of the cheap or free hosting companies; their server security is not as good. Then install and properly configure iThemes Security and the Sucuri plugins. For extra security you can take the Sucuri yearly plan and WAF, but that is belt and braces.

  18. Awesome list! Wordfence is awesome but it creates huge log files if the traffic is substantial. There are plugins to remove those logs, but it should be included in the plugin itself. A simple and effective plugin I would recommend everyone use is “Rename wp-login.php”. It will simply hide your /wp-admin login by changing it to a name of your choosing and keep automated bots from trying to hack your site. It’s not going to stop other intrusions but it will stop those pesky scripts from trying a million login attempts. It also reduces wordfence logs substantially. If paid solutions are your thing, I would ask that you look up “We Watch Your Website”. When I get calls from potential clients about their site being hacked, I get WWYW on the case. They are so cheap, and so good, it’s a crime anyone pays monthly for the same type of service.

    • Again, why would you use two or three plugins when iThemes Security does all of this?

      • Though I use Wordfence and I so much love their security updates and 2 factor authentication, aside from being enough to keep hackers at bay, are you saying that using the iThemes Security Pro pack is the all-in-one solution to WordPress security, HavenSwift Hosting?

        • No, it isn't the only solution (see our other answers for what else we also suggest) but, properly configured, it is a great foundation and getting better with each release. It also includes a setting to do what the previous person was saying they use "Rename wp-login.php" for.

          • A whopping $444/yr to get all the real value; iThemes isn't meant for a lone blogger, maybe for a small/medium enterprise!

  19. Great article and such a great reminder to be proactive and protect or pay the price! Thanks again.

  20. Helpful article…..

    I’m using Sucuri Malware Scanning…

  21. Very good article Kevin. I mostly use Sucuri to scan my and my clients' websites.

  22. Hey, good to see a few plugins which were unknown to me but seem useful.
    It would be very good if you could throw some light on malicious code in the database: how to figure it out and prevent it,

    and the common areas we should take care of in terms of the WP database.

    Thanks

  23. +1 for sucuri

    One problem I'm having is failed attempts at logging in from random IP addresses. I get like 40 a day.

    How can I stop them?

  24. I regularly get calls from non-clients with malware problems in their WP sites.

    Great information as always

    Thanks

    Dave

  25. The timing of these articles is great. After reading this I installed Wordfence on my sites and actually found a couple of threats on different sites. Thankfully I was able to remove the files.

  26. Thanks for the tips. You should delete the plugins you do not use, and regularly update the versions of your theme, plugins and WordPress.

  27. I have had a couple of instances where WordPress sites for my clients were hacked. The reason I diagnosed was that the users there had checked the "Remember Me" check box. This allowed the malware to slip in from the local machines to the websites and cause issues. We have never faced the malware issue since.

    But this seems to be a pretty good round up for website security. I will definitely test and try these someday for my WordPress websites.

    Cheers

  28. Nice post. Although I have installed all the plugins, none of them has found any spam code, even though in the footer of my website there are display:none spam links, which are displayed randomly. This means if I refresh the page, new links are displayed there. I have been trying to solve this issue for days and none of the plugins work. I can't seem to find how the links are placed there. I ran through all the files with the scanner, also decoded the links into base64 and searched through the database and the files; I can't seem to find them anywhere. Any idea?

  29. My site is safe with CodeGuard! Thanks for this beautiful article!

  30. Helpful article… I'm using Centrora Security; better to add it to the list, it finds malware on my site.

  31. I installed Limit Login Attempts by Human Made Ltd. Free, easy to configure, and logs IP addresses and username hack attempts. Yes, there are better solutions, thanks all for some good reading 🙂

  33. I wonder, is it safe to install all the plugins you mention above?
    This month my website was hacked two times although I installed 3 anti-hack plugins. Really tired.

  34. Great list. So what do YOU use?

  35. Thank you for this article! So helpful!

    Do you have any suggestions for what to do if malware is detected on your site via one of these plugins? Are there any plugins or tutorials for dealing with malware that you know of?

  36. I had a different experience with the 2 big security plugins. I first had iThemes and it let a hacker in and threw me out. I then went to Wordfence and found it changed a lot of code in my root files; I might be different than some, but I wasn't comfortable with that. If you already have Wordfence you cannot just delete the plugin and move on. I'm not complaining, just explaining my next choices, which I have been very happy with. I was a newbie several months ago so did not question the most popular choices.
    Part of the problem was mine in leaving Admin as my login, and the former server I had was not very secure on their end. I have since moved on to a better server and non-invasive security plugins.
    They are: Sucuri not upgraded (which I had originally at the first site), Simple Firewall and BestWebSoft Limit Attempts. Everything has been going great now and even some brute force attacks have been recorded but not gotten in.
    I just tried the Anti-Malware plugin above. It seems in-depth and brought up a couple of files that are plugins as questionable. The only problem is I'm not code savvy, so not sure what I'm looking at. I will give some others of these a go though; thank you for making the list.

  37. I have been attacked 2 times on my network. I have 4 websites (shared hosting) on Bluehost. The first time I was attacked, I was told by AdWords, and then I bought SiteDoctor from Bluehost and they scanned and removed the malware. Now I have been attacked again and Bluehost deactivated my account again, so I again bought SiteDoctor ($60 per scan & remove). I am now afraid that every time I am attacked I will have to pay $60? The first time the malware was "Copyright (C) 2000 Free Software Foundation, Inc. See LICENSE.txt" in all .js files, and the second time (now) it is "base64" in .php and .css files. Can anybody tell me what I should do? I am not a programmer and I don't know from where the hacker gets in. Oh, one thing: I installed the Wordfence Security plugin after the first attack, and before the 2nd attack Wordfence gave me an alert that someone was trying to access wp-admin with some usernames like "admin" and "urdudvds" from China, but I don't have any of the above usernames for my site http://www.urdudvds.com. Please give me a suggestion/service which I can trust and my money will not be wasted. Thank you in advance.

  38. Any plugin that detects malware cryptphp?

  39. thanks thanks thanks u saved my website reputation !!!!

  40. Just scanned all of my sites with sucuri. All clear.

  41. I was just told my sites had some bad files and Bluehost sent me to http://gotmls.net/. I used their plugin and it was awesome. The best part is the support in helping understand some bad files. That help was impressive and for that alone it is worth getting. Donations are accepted and rightfully so.

  42. My hosting was recently taken down due to malware in my .php files. I manually deleted most files listed by my ISP. What I would like to know is how does it work, as the code just looked like variables:

    " $countermeasure ='C'; $maam='iPCJeSH6';$dugout = ']NeQv';$grape = 'j_t)';$eavesdropper= '(r$o';$bertie ='u'; $armor ='_$sIJapa'; $crafty ='iEe';
    $bridie= '_'; $barth = 'e'; $dequeuing='o;,ja'; $electricalness ='R'; $expiration= 'W'; $dolf= 's[)_'; $converge= 'l';$brightness='d';$herculie='Uait'; $around='O'; $dastard= ')'; ",

    any info or links will be appreciated

  43. Nice information on how to make a healthy WordPress website and remove hidden malware..

  44. Thanks for publishing nice peace of information regarding WordPress security and removing hidden malware files…

  45. Really amazing article. All those security plugins are amazing; I tried many of them but I use Wordfence and I recommend it for others. Thank you for sharing a great article, I just love it.

  46. Thanks for the list of useful scanners – been looking for a solution that caters to a range of different CMS options and is also not too expensive if I have multiple domains.

    David

  47. Update: iThemes security plugin seems to have started charging for malware scans as of this writing.

    I installed it a month ago and it was free.

    Now I’m using https://sitecheck.sucuri.net/

  48. Hey,
    Just to include a plugin I used… You forgot about All In One WP Security from the WordPress repo. It's a good plugin I used… Maybe add it also :)

    Cheers
