How to Scan WordPress Theme For Malicious Code (Plus Cleaning Guide)



Imagine running a scan on your WordPress theme for malicious code and finding that it’s not infected.

This means you won’t need to spend hours searching for a cleaner. You won’t need to shell out hundreds of dollars to clean your theme. 

This is the ideal scenario. But unfortunately, the reality is different. 

Here are two scenarios you are possibly facing right now:

  • Your WordPress Security Plugin or hosting provider has marked the theme installed on your site as malicious. 
  • You want to install a new theme on your site which you suspect can be malware-infected.

Either way, you want to scan the theme to ensure that it’s really infected with malware. But how exactly will you do that?

Don’t worry. 

Our goal with this article is to help you achieve the following:

  • Scan your theme whether it’s installed or not 
  • Clean malware-infected theme
  • Show you how to protect your website from malicious themes

Over the last decade, we have helped hundreds of thousands of websites affected by hacked themes. Just follow the steps we have listed below.

TL;DR: To scan an active WordPress theme:

To scan a theme that isn’t installed on your site: 

Why Was The Theme Infected in The First Place?

In a nutshell: WordPress themes are infected in the hope that they will be installed on a site. Infected themes contain backdoors that hackers exploit to gain access to the site.

Obviously, no one wants to install an infected theme on their site. In most cases, site owners are unaware that they are using a malicious theme.

So how do people end up with a malware-infected theme? It comes down to what type of theme you are using and where you got it from.

1. Using Themes From Untrusted Sources

Besides the WordPress repository, there are many third-party sources selling or giving away premium themes for free. 

These themes are modified and infected with malware. This is why they are often given away for free. When you install an infected theme on your WordPress site, you are opening doors to hackers. 

2. Using Free Themes

Premium theme builders have to maintain trust and reputation. They have to garner more business. Hence, the themes they launch into the market undergo strict quality control. Free themes lack such quality control. 

Free themes are prone to vulnerabilities. Hackers utilize these vulnerabilities to gain access to your site. 

Once they have access to your website through a vulnerable theme, they inject backdoors into other themes or even plugins installed on your site. 

3. Using Bundled Solutions

Some themes come bundled with plugins. Bundled solutions make things complicated. 

Take, for instance, the Slider Revolution plugin. It’s a popular image plugin. Many themes offered the plugin as part of their package. However, many site owners were unaware that this plugin was a part of their theme and active on their site.

Slider Revolution had a major vulnerability which was quickly fixed via an update. 

The site owners couldn’t update the plugin, only theme owners could. This left many WordPress sites vulnerable until the theme owners updated the plugin.

Infection in your theme could be a consequence of a hacked plugin or even host. 

Shared hosting providers host hundreds of websites on the same server. When one website is hacked, other websites on the same server can be hacked as well. 

Ideally, you should avoid free themes, bundled solutions, and themes from untrusted sources. But if that’s not possible, you can scan your theme before installing it on your site. A good scanner should be able to detect any malware or malicious code hidden inside the theme.

How to Detect Malicious Code or Malware On WordPress Theme?

The fastest and most efficient way to detect malicious code and malware in WordPress themes is to use a theme authenticity checker (TAC) plugin like the MalCare WordPress scanner. The plugin dives deep into every location of your site to find any trace of malicious code, even if it is disguised as a genuine piece of code.

We will show you how to use MalCare to run a WordPress theme security check whether it is installed on your site or not. 

We are going to cover two scenarios:

1. Scanning Installed Themes
2. Scanning Themes Before Installation

Note: In both scenarios, we show you how to scan a theme with a plugin scanner. But if you’d rather scan your theme manually, jump to this section.

Let’s dive into the steps right away – 

1. Scanning Installed Themes

a. Signup and activate MalCare Scanner on the WordPress Website where the theme is installed. 

b. Next, from your WordPress dashboard, select the option MalCare from the menu. 

c. Enter your email address and click on Secure Site Now. 


d. MalCare will start scanning your entire website which includes your themes. 

If it finds any infection on your site, MalCare will alert you. 


Apart from MalCare, there are a few other scanners you can use to scan the themes installed on your site. They are Wordfence, Quttera Web Malware Scanner, BulletProof Security, Sucuri, iThemes Security, etc.

2. Scanning Themes Before Installation

There are two ways to scan a theme before installing it on your website – 

  1. Create a staging site, install the theme and run a scan with a plugin (reliable)
  2. Upload the theme to an online scanner (unreliable)  

Most online free scanners are unreliable. They are designed to look into the code that’s visible on the browser. Most of the time, malware is not that visible. 

Only a dedicated malware scanning plugin like MalCare dives deep into the site to look for malicious code. Nonetheless, we’ll show you both methods.

a. Scanning Themes Before Installation With a Plugin (reliable)

In a nutshell: 

  1. You need to first create a staging site which is an exact replica of your live site. 
  2. Then install the theme on your staging site. 
  3. Activate a security plugin and run a scan. 

Let’s dive into the steps…

Step 1: Create a staging Site

a. Download and install BlogVault on your website. 

b. From the WordPress dashboard select BlogVault. Next, insert your email ID, then click on Get Started. 


c. Next, BlogVault will ask you to create an account. All you need to do is enter a password. 

d. Then you’ll be asked to add your site to the BlogVault dashboard. Just click on Add. 


e. BlogVault will start taking a complete backup of your site. Wait for the process to end. 

f. Now on the BlogVault dashboard, click on Sites and then select your website. 


g. On the next page, scroll down to the Staging section and select Add Staging > Submit. BlogVault will start creating a staging site for you. 


h. When the staging site is ready, you will be given a username and password. Make sure you note them down somewhere. You’ll need them in the next step.


i. The next step is to open the staging site by clicking on Visit Staging Site.


j. As soon as the staging site opens in a new tab, you will be asked to enter the username and password you had noted down in the previous step. The staging site is password protected to secure it against unauthorized access. 


k. You should now be able to access your staging site. Just add /wp-admin/ at the end of your URL to open the login page. 


l. Log into the staging site with the same credentials you use to access your live site.

Step 2: Install The Theme On The Staging Site

Install the theme on the new staging site just the way you’d do it on the live site. Open the WordPress dashboard, navigate to Appearance > Themes, and upload the theme.


Step 3: Install MalCare Scanner on Staging Site & Run a Scan

We have covered how to use the MalCare scanner in the previous section. Click here to jump to that section and follow the instructions carefully. 

> Scanning Themes Manually 

Many of you are reluctant to install new plugins on your website. The more plugins you use, the more time you spend managing them.

In that case, why not try scanning the themes manually?

We’ll be upfront here. 

Scanning a theme manually is not the most efficient way of detecting malware. There are too many files, too much ground to cover. You are bound to fail to detect all malicious scripts. 

Moreover, if you are not a seasoned developer, this method is bound to fail. It’s difficult to tell good code from a bad one. 

That said, if you want to give it a try, here’s an article that’ll help you do just that – How to Perform a Manual Malware Scan?

If you found malware infection on your theme, then clean it immediately. The longer you wait, the more the infection will spread and who can tell what damage it’ll do to your site!

How to Clean Infected WordPress Theme?

If you used MalCare to scan your WordPress theme for malware, you can use it to clean the theme as well.

1. Cleaning an Installed Theme

a. Open MalCare’s dashboard and select your website.

b. On the next page, there is a section called Security. Click on Auto-Clean and MalCare will start cleaning your site. 

It’ll take only a few minutes for MalCare to clean the site. 


Note that MalCare’s Auto-Clean feature is a premium service so you’ll be asked to upgrade. You can clean one website as many times as you want for $99 per year. More information on MalCare Pricing.

2. Cleaning a Theme Before Installing

If the theme you want to install on your website is infected, it’s best to find an alternate theme and use that. 

The theme was already malware-infected when you downloaded it from the internet. It’s possible that the vendors are deliberately peddling a malicious theme so that they can later hack your site. 

If they have no idea about the malware infection, then you can’t trust the quality of any of the products they are selling or giving away. 

Even if you clean the theme and install it, you are putting your site at risk. If the theme is poorly coded hackers can easily find a vulnerability and exploit it to gain access to your site. 

If you bought the theme, ask for a refund. 

If you got it for free, never use products from that marketplace ever again. 

Get your theme from the WordPress repository or popular marketplaces and vendors like Themeforest, ElegantThemes, MyThemeShop, AThemes, etc. 

> Cleaning Infected Themes Manually

Cleaning an infected theme manually is best left to a seasoned developer. That said, even WordPress pros with 10+ years of experience are reluctant to delete a piece of code.

Some PHP functions like eval, base64_decode, gzinflate, etc. are not malicious by default. Many plugins use these functions to carry out operations. If you delete a legitimate piece of code, it’ll break your website.

But if you are feeling adventurous then go right ahead and clean your themes with the help of this guide – Cleaning WordPress Theme Hacked

If you’ve given up halfway, then just use MalCare to clean the theme. 
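A triage sketch for the manual review described above, added here as an example and not MalCare's code: it reads a theme .zip without extracting it and separates files that merely call eval, base64_decode or gzinflate from files where eval() is wrapped directly around a decoder. The two "suspicious" heuristics, the file extensions and the sample archive are assumptions constructed for this example.

```python
import io
import re
import zipfile

# Functions the article names: legitimate on their own, so a hit means
# "read this file", not "delete this code".
REVIEW_FUNCS = re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(", re.I)
# Heuristic (assumption of this example): eval() fed directly by a decoder
# is the usual shape of an obfuscated loader.
NESTED = re.compile(
    r"\beval\s*\(\s*@?\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Heuristic: a very long base64-looking string literal inside PHP source.
LONG_BLOB = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")


def scan_php(source):
    """Return (severity, reasons) for the text of one PHP file."""
    reasons = []
    if NESTED.search(source):
        reasons.append("eval() wrapped around a decoder")
    if LONG_BLOB.search(source):
        reasons.append("long encoded string literal")
    if reasons:
        return "suspicious", reasons
    funcs = sorted({m.group(1).lower() for m in REVIEW_FUNCS.finditer(source)})
    if funcs:
        return "review", ["uses " + ", ".join(funcs)]
    return "clean", []


def scan_theme_zip(zip_bytes):
    """Scan every PHP entry of a theme archive without extracting it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            severity, reasons = scan_php(text)
            if severity != "clean":
                findings[name] = (severity, reasons)
    return findings


def build_sample_theme():
    """Constructed sample archive; the encoded string is inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("demo-theme/index.php", "<?php get_header(); ?>")
        z.writestr("demo-theme/inc/cache.php",
                   "<?php $data = base64_decode($stored_option); ?>")
        z.writestr("demo-theme/functions.php",
                   "<?php eval(gzinflate(base64_decode('" + "QUJD" * 60 + "'))); ?>")
    return buf.getvalue()


if __name__ == "__main__":
    for path, (sev, why) in sorted(scan_theme_zip(build_sample_theme()).items()):
        print(f"{sev:10} {path}: {'; '.join(why)}")
```

A "review" result is a prompt to read the file, and a "clean" result only means none of these patterns matched.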

For as long as you are running a WordPress site, you need to ensure that you are protecting your site against infected themes. There are some basic steps that you can take. But before we get into that, let’s have a look at the impact of installing an infected theme on your site.

Impact Of An Infected WordPress Theme On Your Site

Installing an infected theme on your WordPress website could lead to devastating consequences. It could damage your site which could have a negative impact on your business and your revenue.

1. Direct Impact

When hackers infect your site, they carry out malicious acts such as:

Stealing Visitors – One of the most common things hackers do is deploy malicious redirects from your website to other sites. These sites are usually phishing sites designed to steal visitors’ personal data. They could also be adult sites or online stores that sell counterfeit products.

Stealing Data – Hackers can steal login credentials, credit card payment information, or even personal contact information of your customers. They can sell such data or use it to run more malicious schemes.

Integrating Unwanted Ads – Hackers hijack your advertisement spaces and display their own ads. Here too, these ads could lead visitors to malicious sites, adult sites, and the like.


2. Impact on SEO

Slow Website – In order to run their malicious acts, hackers use your website’s resources. This puts a heavy load on your server and will bring down your site’s performance and cause it to slow down.

Drop in SEO Rankings – Getting to the top of Google’s SERPs (Search Engine Results Pages) is no easy task. It takes constant effort to achieve SEO ranks. One of the ranking factors is the speed of your site. When Google detects that your site is slow, your ranking will drop. Plus, if your visitors are being redirected, it will cause a severe loss in traffic as well.

Google Blacklist – Google and other search engines crawl sites regularly, and if they detect such code on your site, they immediately blacklist your site or suspend your Google AdWords account. They display a warning to visitors that your site is infected in order to protect them. Check out this guide on Google Blacklist Removal to learn more about it.

3. Web Host Suspension

Once your hosting provider detects malware on your site, they will suspend your account and take your site offline.

They do this because hackers always use your server resources to run their malicious activities. Not only will you reach your server resource limit, it will also impact your server’s speed and performance. If you’re using a shared server, your site could bring down the performance of the other sites on the same server.

Many hosts have very strict policies against malware and may permanently ban your site from their platform if you have multiple instances of website hacks.


4. Brand Image and Reputation

Needless to say, when visitors are defrauded and duped by hackers on your site, they will lose the trust they have in your brand. It’s likely that many visitors won’t return to your website.

Thus, it’s important to use only trusted themes on your WordPress site. So without further ado, let’s proceed to scan WordPress themes for malicious code to ensure they’re safe to use.

How to Protect Your Theme From Malware Infection

Now that you have cleaned your theme, you need to ensure that your theme is never infected again. Here’s what you need to do:

1. Use Themes From Trusted Source Only

When selecting a theme, use only trusted sources. These include the WordPress Theme Repository, Theme Forest, Mojo Themes, Creative Themes, ThemeSnap, WP Eden, InkTheme, DMartify, AppThemes, etc.

These marketplaces vet their developers before allowing them on their platform. They also have strict guidelines and policies that developers need to adhere to.

Avoid using pirated and nulled themes because they are likely to be injected with malware. Premium plugins can be a bit too expensive. But the good news is, there are many free themes available out there. 

2. Always Scan Your Theme Before Installation

Whether you download your theme from a trusted source or not, we still recommend scanning your theme before you install it on your website. It’s easy to use automated online tools like VirusTotal to scan the files in under a few seconds. Once you’re sure it’s safe to use, you can go ahead and install it on your WordPress site.

3. Disable Your Theme Editor

As we mentioned earlier, the theme editor is accessible through your WordPress dashboard. If hackers manage to break into your site, one of the first things they attack is your theme editor, as it gives them access to your WordPress files directly from the dashboard. They can use this editor to create backdoors that will give them secret access to your site. If you do not require this feature, we strongly advise disabling it. You can do this in two ways:

  • Using The MalCare Security Plugin
    • Simply access the MalCare dashboard and click on your site.
    • Next, go to ‘Security’ and select ‘WordPress Hardening’.
    • Here, you can disable the File Editors. By clicking on this, you can disable the theme and plugin editors on your WordPress dashboard.
  • Manually By Editing Your wp-config.php File
    • This method is risky and the smallest mistake can break your site. We recommend taking a complete backup of your site before proceeding with this method.
    • Access your web hosting account and go to cPanel. Here, choose File Manager > Public_html.
    • Next, find the wp-config file, right-click, and select ‘edit’.
    • Paste the following code just before the line that says ‘That’s all, stop editing! Happy publishing’ :
define( 'DISALLOW_FILE_EDIT', true );

The theme editor will be disabled on your WordPress dashboard.
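The manual wp-config.php edit above as a script, added as an example that is not part of the original guide: it inserts the define above the stop-editing marker, and rewrites an existing define that is not true instead of adding a second one. The function name and the sample file content are constructed for illustration.

```python
import re

# Matches an active (not //-commented) define of the constant; captures its value.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(\w+)\s*\)\s*;""",
    re.I | re.M,
)
# The marker comment the article refers to. The "." tolerates a straight or
# curly apostrophe; the words after "stop editing!" vary between versions.
MARKER_RE = re.compile(r"^.*That.s all, stop editing!.*$", re.M)
NEW_LINE = "define( 'DISALLOW_FILE_EDIT', true );"

# Constructed sample file, not a real site's configuration.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""


def harden_wp_config(text):
    """Return (new_text, action) with the dashboard file editors disabled.

    action is 'unchanged', 'updated' (an existing define was not true)
    or 'inserted' (the define was added above the marker line).
    """
    existing = DEFINE_RE.search(text)
    if existing:
        if existing.group(1).lower() == "true":
            return text, "unchanged"
        # PHP keeps the first definition of a constant, so a later
        # define() would have no effect: rewrite the existing line.
        return text[:existing.start()] + NEW_LINE + text[existing.end():], "updated"
    marker = MARKER_RE.search(text)
    if not marker:
        raise ValueError("stop-editing marker not found; edit the file by hand")
    return text[:marker.start()] + NEW_LINE + "\n\n" + text[marker.start():], "inserted"


if __name__ == "__main__":
    new_text, action = harden_wp_config(SAMPLE_CONFIG)
    print(action)
    print(new_text)
```

The function only transforms text; on a real site, back up wp-config.php before writing the result back, as the steps above recommend.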


Check out the complete guide on Protecting your WordPress Site using WP-Config file.

4. Delete Inactive Themes

It is common for WordPress site owners to install and try out different themes. But often, we forget to delete the themes we aren’t using.

Every element on your website gives hackers another chance to break into your site including themes that are inactive. So, it’s best to keep only the theme you’re using and delete the rest.

After you implement these steps, we’re confident that your WordPress theme is secure.

What Next?

We are confident that if you follow all the WordPress theme security checks we have listed above, your theme will be safe from malicious infection. 

That said, securing your theme alone will not protect your website from a hack attack. 

You need to secure your website on different fronts. We’ve compiled an article that’ll help you do just that: check out this guide on WordPress Security.

This guide will help you take several security measures. Some of them are mandatory, while others are good to have. 

One of the most important security measures you need to take is to install a WordPress security plugin like MalCare.

It’ll place a firewall between your site and the incoming traffic. It will protect your login page from brute force attacks. MalCare will scan your site on a daily basis and help you clean your website instantly if it’s hacked. It’ll also enable you to take site hardening measures to protect your site from hack attacks.  

