WordPress is now a very popular platform for websites. As a result it attracts a great deal of attention, including the unwanted attention of hackers and their malware. The WordPress team at Automattic works constantly to make WordPress a safe CMS to work with. But this is a continuous process, a kind of tug-of-war, as new malware and hackers keep popping up. In the past WordPress websites have been the target of attacks that redirected traffic to malicious URLs, which is why it’s so important to regularly scan WordPress for malware.
When something like this happens, Google may turn visitors away from your website. This is done to protect the visitors from being infected with malware. You will then begin to notice that traffic to your website dips. If you want to understand how this kind of attack works, you can read Sucuri’s review of the attack.
How Malware Reaches Your Website
WordPress users are spoilt for choice when it comes to themes. Pick any niche, and you will have a wide choice of themes for it, both free and premium. One thing that users should watch out for while picking a theme is bits of unwanted code embedded in the theme. For most it’s unnoticeable, as the majority of users aren’t developers, which is why you should have a process in place to scan WordPress for malware.
Being particularly cautious when purchasing themes from third-party websites (rather than the author’s own website) or when downloading free themes is a good place to start, because some unscrupulous theme vendors embed code that can harm the user’s website.
These bits of code can be innocuous snippets that do little harm. But they can also be harmful enough to bring down your site entirely. They embed themselves in your blog unobtrusively. Most likely you will never notice them while your website appears to be working as usual.
Themes are not the only way in which malicious code reaches your website. It can also be included in plugins, left in the comments section, or planted through hacking or brute force attacks.
Sometimes, you may opt to install software that comes bundled with some popular application that you download and install. That software can often be malware or spyware, disguised as an add-on feature. You may unknowingly allow these options on your website, where the malware lurks, often adding more malware to the site.
Why do hackers inject malware?
What purpose do these bits of code serve? Why do hackers infect websites? Malware is embedded by hackers to be able to:
- Add back links and redirects to the sites that they want to promote.
- Track your visitors.
- Add their own banners and advertisements.
- Access sensitive personal information such as names, passwords and email addresses.
- Bring down your website completely, either for a reason or just for fun.
The longer the malware remains undetected, the better it is for the hackers. This is because they can continue to use your website to gather information and send spam emails, infecting your visitors in the process. It is left to us to regularly scan WordPress for malware and check our websites, even those that appear ironclad.
The 10 Best Plugins & Services To Scan WordPress for Malware
Plugins and scans are a great way to check if your website is infested with malicious code, malware or any other security threat. A number of quality plugins are available that can be used to check for malware, and in our humble opinion these 10 are the best.
Scanning a website is potentially a memory-intensive activity. You may have to raise your PHP memory limit and clear cache directories so that scanning is faster.
In most of the plugins, allied security features are bundled, and only a few plugins are purely solutions for detecting malware. Some are full-fledged security or backup solutions that include a malware detection feature. Codeguard, for instance, is a complete backup and restore service that will also scan WordPress for malware. It alerts you if anything unwanted is found.
But for those of you on shared hosting, here are some of the more popular services and plugin options to detect malicious code.
1. VaultPress (included with JetPack plans)
If you’re using a JetPack plan then you’re in luck since you already have access to VaultPress – the backup and security plugin developed by Automattic.
While the Personal plan does include brute force protection and uptime monitoring, you will need to upgrade to a Premium plan ($99 per year) to have access to daily Malware scanning for your website (or spring for a Professional plan to have the added benefit of on-demand scans as well as automatic resolutions – so you never have to lift a finger).
With the VaultPress plugin installed and connected to your website via FTP/SSH, it will monitor your site on its own. From your online VaultPress user dashboard you’ll be able to access information about any security threats found during your daily scan and make updates if needed (or restore to a secure full backup VaultPress took of your website).
2. MalCare Security and Firewall for WordPress
MalCare is a complete Security Solution, developed after analyzing over 240,000 WordPress sites. It is free and uses the collective intelligence from its network of sites to keep your website protected from malware, hackers and the rest.
The early malware detection technology helps prevent your websites from being blacklisted by Google or blocked by web hosts. MalCare can successfully detect complex malware that goes undetected in other popular plugins.
The plugin focuses on the accuracy of identifying malware and on significantly reducing the number of false positives reported. This means that you are alerted only when the plugin is certain that it has detected malware, not a ‘possible suspect.’
Brute force attacks are very common against WordPress sites, so the Web Application Firewall and the Login Protection are automatically enabled in the free plugin. They help protect your site 24/7 from bots, hackers, and the like.
The premium version automatically cleans malware that has been found on your website. For an added layer of protection, there are options like IP Blocking, Login Protection, and Website hardening. Managing plugins can be a headache especially if you have multiple websites to maintain. Updating or removing plugins, themes and WordPress core can be carried out from within the MalCare Pro dashboard.
3. Sucuri SiteCheck Scanner
Sucuri SiteCheck compares all the pages and links against Sucuri’s malware database and reports the anomalies. The scan will detect malware, blacklisting, defacing, website errors and out-of-date software. The scan generates a report of the malware found and recommends how you should handle it.
The scanner does not access your server. So anything malicious on the server that is not displayed in the browser is not detected by the remote scanner. Therefore, this scan is not effective for phishing, backdoors and malicious usernames.
The Sucuri Security plugin can do much more: audit logging, integrity checking, email alerts, security hardening and other tools. If you do not want to keep running the SiteCheck URL manually, you can activate the plugin and generate a free API key.
4. iThemes Security (Formerly Better WP Security)
Downloaded by over 800,000 WordPress users, the iThemes Security plugin is one of the most popular choices to protect your site and scan WordPress for malware. The free version of this plugin offers 30 layers of protection and security, including a one-click “Secure Site” check, malware scans (via Sucuri SiteCheck), strong password enforcement, brute force protections, database backups, file change detection and much more.
If you want to add even more layers of protection, consider iThemes Security Pro, which gives you access to features like 2-factor authentication, scheduled malware scans, password expiration, WordPress core file comparisons and more. The plugin does cost $80 per year, which might be a bit high for some bloggers, but can you really put a price on security and peace of mind?
5. Anti-Malware Security and Brute Force Firewall
Anti-Malware Security and Brute Force Firewall not only scans for and detects malware, it also helps you fix what it finds. It detects malware, viruses and other threats on your server and marks them as Potential Threats, leaving it to you to deal with them.
But if you register the plugin at GOTMLS.NET, you will have access to new definition downloads, automatic removal and patches for known vulnerabilities. The Revolution Slider plugin is particularly prone to attack, so protection for it is automatically enabled in this plugin.
The premium version affords protection against Brute Force and DDoS attacks, checks the integrity of the core files and downloads new definitions automatically. You can donate fixed amounts ranging from $14 to $133.7, and each level opens up different features. For $29, almost everything is unlocked for as many websites as you want.
6. All In One WP Security & Firewall
The All In One WP Security & Firewall plugin is another popular and easy-to-use option. The plugin offers tons of security features such as password strength, brute force login protection, built-in captcha, database prefix options, file permissions, htaccess/wp-config backups and firewall protection. But the plugin also offers easy-to-set-up security scans that you can use to quickly detect and remove malware.
Use the file change detection scanner and database scanner to look for file changes or data tables you didn’t create. Use the settings to schedule automatic detection and to have an email sent directly to your inbox whenever a file change occurs. This way any potential hacking attempt will be brought to your notice quickly.
The plugin does offer malware-specific scanning, but you will need to upgrade to their premium ($9.95/mo) Site-Scanner plan for this feature.
7. Wordfence
Wordfence is not merely a malware scanner, but an almost complete security protection for your website. It is free and open source and uses the constantly updated Threat Defense Feed to monitor your website and prevent it from being hacked.
The Web Application Firewall can recognize over 44,000 pieces of known malware and prevent them from reaching your website. It also scans for backdoors, phishing URLs, trojans, suspicious code and any other security threat.
The scans are generally carried out at hourly intervals. So you are likely to know of any malware on your website within an hour of its arrival. Wordfence can check core integrity as well as monitor traffic in real time.
For scheduled scans, country blocking and some additional features, you will have to pay for and obtain a Premium API key.
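The file change detection described for All In One WP Security and the core integrity check mentioned for Wordfence both come down to the same mechanism: hash every file under the site root, save the result as a baseline, and on each later run report what was added, removed or modified. The script below is an added example, not code from the article or from any of the plugins it lists. It builds a tiny constructed "site" in a temporary directory so it runs offline; the file names and contents are made up for the demonstration. For real WordPress core files the baseline would come from the official checksums that WordPress.org publishes (WP-CLI's `wp core verify-checksums` does this comparison for you); for themes, plugins and uploads you have to snapshot a known-good state yourself.

```python
"""Added example: minimal file-change / integrity detector for a site tree.

Not from the article or any listed plugin. The sample site, baseline and
changes are constructed inline so the script runs stand-alone.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Diff two {path: digest} maps.

    'added' and 'modified' are the interesting buckets for a malware hunt:
    a new .php file under uploads/ or a changed theme file is exactly what a
    file-change scanner is meant to surface.
    """
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def write_file(root, rel, content):
    """Helper for the constructed sample site: write text to root/rel."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Snapshot a constructed site, simulate three kinds of change, diff them."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline state (placeholder contents, not real WP files)
        write_file(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        write_file(root, "wp-content/themes/demo/functions.php",
                   "<?php // theme functions\n")
        write_file(root, "wp-content/uploads/.htaccess", "Options -Indexes\n")
        baseline = hash_tree(root)

        # Simulate what an intrusion typically leaves behind:
        # an edited theme file, a new PHP file in uploads/, a removed hardening file
        write_file(root, "wp-content/themes/demo/functions.php",
                   "<?php // theme functions\n// unexpected edit\n")
        write_file(root, "wp-content/uploads/cache.php",
                   "<?php /* unexpected new PHP file */\n")
        os.remove(os.path.join(root, "wp-content", "uploads", ".htaccess"))

        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

In practice you would persist the baseline (for example as JSON) somewhere the web server cannot write to, since a baseline the attacker can rewrite is worthless, and schedule the comparison the way the plugins above schedule their scans.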
8. Exploit Scanner
Exploit Scanner scours the files and database of your website to hunt for unwanted code. Active plugins are also scanned. Its only function is detection; cleanup and prevention will have to be done by other means.
If you find scanning is slow on account of insufficient memory, you can increase the PHP memory limit from the plugin admin page. You can customize the scan and exclude some files from scanning, but it is always better to do a complete scan.
This plugin has a tendency to return ‘false positives’. So, to understand the results of the scan, you need to be able to identify unwanted code.
9. Quttera Web Malware Scanner
Malware, viruses, trojans, backdoors, shells, malicious code injection, auto-generated malicious content and more – Quttera Web Malware Scanner will find them all, if they are lurking in your website.
If your site has been blacklisted by Google, it will reveal that in a scan as well. It generates a detailed malware report, based on which you can clean up your website. For any help in removing malware, you will have to contact their support.
10. Theme Authenticity Checker
You can rely on Theme Authenticity Checker to find theme vulnerabilities quickly and easily. It helps you determine whether a code cleanup is required.
This plugin scans the source code of the theme looking for unwanted code. When it finds the offending elements, it will highlight where you can find them, along with a snippet of the code. This plugin does not automatically remove the offending code. It leaves it to you to assess the impact of the code and choose to remove or keep it.
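Exploit Scanner and Theme Authenticity Checker both work by matching theme and plugin source against signatures of code that malware commonly uses, and both leave the judgement to you, which is where the false positives come from. The script below is an added example of that kind of scanner, written for this page and not taken from either plugin. It tags each rule with a severity so that constructs legitimate themes also use (decoding an inline asset, reading a local file) are reported for review rather than as confirmed malware, while combinations that have no ordinary use in a theme (an obfuscated eval, a hidden iframe) are reported as high confidence. The three PHP sources it scans are constructed for the example; the base64 string in the last one decodes to a harmless `echo`.

```python
"""Added example: severity-tagged signature scanner for PHP theme/plugin code.

Not from Exploit Scanner, Theme Authenticity Checker or any other plugin.
Rules and sample sources are constructed for this demonstration.
"""
import re

# (name, pattern, severity). "low" rules match constructs that legitimate
# themes also use, so hits are expected false positives that need a human
# look; "high" rules require a combination with no normal use in a theme.
RULES = [
    ("obfuscated-eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "high"),
    ("hidden-iframe",
     re.compile(r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I),
     "high"),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), "low"),
    ("file-or-url-fetch", re.compile(r"\b(?:file_get_contents|curl_exec)\s*\("), "low"),
]


def scan_source(label, text):
    """Run every rule over each line of one file; return a list of findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, severity in RULES:
            if pattern.search(line):
                findings.append({
                    "file": label,
                    "line": lineno,
                    "rule": name,
                    "severity": severity,
                    "snippet": line.strip()[:80],  # what the plugin would highlight
                })
    return findings


def scan_files(files):
    """files: {label: source text}. Returns findings across all of them."""
    out = []
    for label, text in files.items():
        out.extend(scan_source(label, text))
    return out


def triage(findings):
    """Bucket findings by severity so high-confidence hits are reviewed first."""
    buckets = {"high": [], "low": []}
    for f in findings:
        buckets[f["severity"]].append(f)
    return buckets


# Constructed sample sources (not real theme code): a legitimate theme file
# that trips only low-severity rules, a footer carrying a hidden iframe, and
# a dropped file under uploads/ with an obfuscated eval.
SAMPLE_FILES = {
    "themes/demo/functions.php": (
        "<?php\n"
        "$svg = file_get_contents(get_template_directory() . '/icon.svg');\n"
        "$logo = base64_decode('PHN2Zz48L3N2Zz4=');  // inline SVG asset\n"
    ),
    "themes/demo/footer.php": (
        "<footer>\n"
        "<iframe src=\"https://example.invalid/stat\" style=\"display:none\"></iframe>\n"
        "</footer>\n"
    ),
    "uploads/cache.php": (
        "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"  # decodes to: echo 'hi';
    ),
}


def demo():
    """Scan the constructed samples and return the triaged findings."""
    return triage(scan_files(SAMPLE_FILES))


if __name__ == "__main__":
    for severity, hits in demo().items():
        for f in hits:
            print(f"[{severity}] {f['file']}:{f['line']} {f['rule']}: {f['snippet']}")
```

The low-severity hits in functions.php are the false positives the article warns about: the same two calls appear in countless clean themes. The scanner's job is to put them in front of you with the line and snippet; deciding whether the decoded asset or the fetched file is legitimate is still a manual step.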
Keep In Mind
Scanning for malware is likely to throw up some false positives, which you will need to check out. If you do scan WordPress for malware and the result shows your website to be clean, can you rely on it? Maybe, but take it with a grain of salt as scans are not foolproof.
One way to minimize malicious code from reaching your website is to download themes and plugins directly from the author’s page or from trusted theme houses and not from any suspicious third party websites.
If you do decide to scan WordPress for malware, it’s a quick and easy first step to protect your website, though it takes more than a few scans and plugins to safeguard your website from security threats. Website security is something you need to think through fully and implement diligently.
Not to worry, you can use this guide on WordPress blog security tips to safeguard your website. Starting from WordPress hosting and moving on to backups, plugins, themes and cleaning up your computer, right down to SSL, passwords and folder permissions, you can find it all there. Check it out and take precautions proactively.
Do you have any questions about how to scan WordPress for malware? Or any other security tips you’d like to add? Leave your thoughts below!