Because WordPress is the most popular content management system online, WordPress websites are a common target for hackers, spammers, and other malicious parties. That is why it is vital to take measures to make your website more secure. Between brute force attacks and new threats like BabaYaga, you need to be more careful about scanning your site for malware than ever before.
Why Are They Hacking Me, Anyway?
The goal of most hackers is to infect your website with malware, but not all malware is created equal. Common malware threats include:
- Pharma Hacks – Injects spam into your website database or files
- Backdoors – Allows hackers to gain access to your website at any time using FTP or your WordPress admin area
- Drive-by Downloads – When a hacker uses a script to download a file to the user's computer, either without their knowledge or by misleading the visitor and saying the software does something useful
- File and Database Injections – Inserts code into your files or database that lets the hackers do a number of different things
- Malicious Redirects – Redirects visitors to a page of theirs that misleads people into downloading an infected file
- Phishing – Used to acquire usernames, passwords, email addresses, and other sensitive information
When most people think about a website being hacked, they think about the hacker defacing the website by placing a message to visitors like “Your Website has Been Hacked by Teh Haxxo0rz!!” and putting skulls and crossbones all over the place.
In reality, defacements are not that common. The majority of hackers do not want you to know that they have tampered with your website, as the first thing a website owner will do when they know that their website has been compromised is to remove the malicious files in question.
Letting them know is self-defeating.
Hackers who infect your website with malware are discreet. The longer a victim is unaware that the website is infected, the longer the hacker can use the website to send spam and grab visitors’ information. With that in mind, you have to realize that even a secure WordPress website can be hacked. It is therefore important that you scan your website regularly to detect any hidden malware.
We’ve rounded up some of the best solutions that can help you detect malware on your WordPress website. From services to plugins, making sure you’re as secure as possible is our primary concern.
Sucuri Malware Scanning
Sucuri have a great reputation as an effective security and malware scanning solution. Their Sucuri SiteCheck scanner will scan your website for common issues free of charge. On top of that, their free WordPress plugin is by far one of the best security measures you can take.
The scanner will scan your website for malware, defacements, and spam injections. It will also detect whether your website server has been blacklisted (which can happen if a hacker has been using your server to send spam). The main limitation of the scanner is that you have to run each scan manually.
Upgrading to their $89.99 yearly premium plan will give you automatic alerts via email and Twitter about any malware issues. This plan will also remove your malware for you and remove your website from any blacklists.
As I mentioned above, Sucuri also offer a free WordPress security plugin. In addition to scanning your website for malware, the plugin offers a firewall to make your website more secure, hardening options that address common WordPress security holes, and a “last logins” section that highlights exactly who has logged into your website.
The plugin also has some useful features for recovering your website after an attack, such as updating the WordPress salt keys and resetting user passwords.
CodeGuard
CodeGuard is a backup service that provides automated backups and restores at the click of a button. The service also monitors your website for changes every day and alerts you if it detects any malware.
Plans start from only $5 per month to back up and monitor one website. One of its main rivals in the backup niche is VaultPress; however, VaultPress only offers daily scanning with their $40 per month plan. If you are looking for an all-in-one monitoring and backup solution, CodeGuard is a great choice.
Anti-Malware
Anti-Malware will scan your website for malware and automatically remove any known threats. The plugin can also harden your wp-login.php page to stop brute force attacks. Anti-Malware also provides a WAF (web application firewall), which pretty much every WordPress website needs these days.
Quttera Web Malware Scanner
Quttera Web Malware Scanner will scan your website for known threats such as backdoors, code injections, malicious iframes, hidden eval code, and more. The report will show you a list of suspicious files and advise whether your website has been blacklisted by ISPs. The big draw on this one is that the results are easy to read and parse. You know what needs to be fixed without much fuss.
It also provides a log of changes to your website and offers many options for hardening your website and making it more secure. There’s a lot more to say about WordFence that you can read about here.
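A minimal sketch of the kind of signature checks described for Quttera above (hidden eval code, hidden iframes, PHP files sitting in the uploads folder). It is an added illustration, not code from Quttera or any plugin named in this article; the rule names, patterns, and sample files are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Illustrative heuristics only (assumed for this example); real scanners ship far larger rule sets.
SIGNATURES = {
    "obfuscated-eval": re.compile(
        rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "hidden-iframe": re.compile(
        rb"<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|"
        rb"(?:width|height)\s*=\s*[\"']?[01]\b)", re.I),
}
CODE_SUFFIXES = {".php", ".phtml", ".html", ".htm", ".js"}
PHP_SUFFIXES = {".php", ".phtml"}

def scan_tree(root):
    """Return {relative_path: [rule names]} for suspicious files under root."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        hits = []
        if suffix in CODE_SUFFIXES:
            data = path.read_bytes()
            hits = [name for name, rx in SIGNATURES.items() if rx.search(data)]
        # PHP inside the media uploads folder is suspicious: uploads should hold media only.
        if rel.startswith("wp-content/uploads/") and suffix in PHP_SUFFIXES:
            hits.append("php-in-uploads")
        if hits:
            findings[rel] = hits
    return findings

def demo():
    """Build a small constructed site tree (inert sample files) and scan it."""
    samples = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
        "wp-content/themes/demo/functions.php":
            b'<?php eval(base64_decode("ZWNobyAxOw==")); // decodes to: echo 1;',
        "wp-content/themes/demo/footer.php":
            b'<iframe src="http://example.invalid/" width="0" height="0"></iframe>',
        "wp-content/uploads/2020/01/image.php": b"<?php // constructed placeholder",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(tmp)
```

Calling `scan_tree("/path/to/site")` on a copy of your site returns the flagged files; a hit is a lead to review by hand, since legitimate plugins sometimes use these constructs too.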
WP Security Audit Log
WP Security Audit Log keeps a log of every single change on your website. Security alerts can be sent to you for a number of reasons, including failed login attempts, changes to file templates, and plugin installation.
This activity report is awesome given the prevalence of brute force attacks and other such malware-infesting actions. You will be able to see just when and how the bad guys are trying to break into your site.
Other Plugins to Stop Malware
You will find a ton of security plugins out there on the repository. But you don’t need to sort through them all. Let us do that for you.
- iThemes Security
- Ultimate Security Checker
- Stop Spammers
- Shield Security
- All-in-One WP Security and Firewall
Stay Safe Out There
The internet is a dangerous place. I encourage each and every one of you to scan your website regularly to help detect malicious files and changes. Read up about new threats and set up a firewall to prevent such nastiness. It is in your best interests to detect any successful hack attempts as soon as possible to minimize the damage from an attack. It’s not just for you; it’s for your users, too. When they’re happy, everyone’s happy, right?
If you know of any other good malware scanners and malware detection plugins, please share them in the comment area below.
Article thumbnail by benchart / shutterstock.com