How to Perform a Website Malware Scan?

Dec 21, 2018

One of the downsides of owning a website is the fact that your website could become a target for hackers. According to research, roughly 18,500,000 websites are hacked each day. The same report shows that an average website is attacked 44 times every day.

To add insult to injury, 17% of all hacked sites suffer from website blacklisting by the search engines. Google scans websites on the internet with its website malware scanner and either flags hacked sites with warnings such as “deceptive site ahead” or “this site may be hacked”, or blacklists them, which is why protecting your website from malware is crucial. But in case your website has already been blacklisted, here’s a guide on blacklist removal.

Why Hackers Infect Your Site With Malware?

Once a hacker gains access to your site, they insert malware for various reasons, none of which are usually related to your site specifically. The main reason why hackers hack WordPress sites is not only to cause damage to your visitors but also to use your website to send spam or phishing emails from your domain, manipulate search results with spammy keywords, spread malware onto other websites that use the same web server as you, and carry out other illegal activities.

If you Google malware, you’ll come across different types of malware. Depending on its purpose, malware can come in many different forms, which include viruses, adware, trojan viruses, keyloggers, and more. It’s usually distributed via phishing emails, hidden iframes, outdated themes and plugins, drive-by downloads, brute-force attacks, DDOS attacks, and other methods.

What’s worse, hackers will try to make malware very difficult to find and insert it in various places on your site which makes it all the more difficult to scan for malware.

In this post, we’ll discuss where you can find malware in WordPress sites and talk about how to scan a site for malware using different scanners. Website scanners are like a web inspector for your website. They are responsible for keeping your site secure. Besides using a scanner, there are a few other measures you can take, like installing an SSL certificate. Covering all these measures warrants a different post altogether.

Where to Find Malware in a WordPress Site?

As we’ve mentioned earlier, malware can be found in different areas of your WordPress website. Common locations include your database and .htaccess file.

WordPress Themes & Plugins

WordPress plugins and themes are common places where malware could be hiding, especially if you’re using outdated themes and plugins. It can also hide in inactive themes and plugins. Instead of deactivating themes and plugins, simply remove them. You can also use a WordPress malware removal plugin to remove malware.

WordPress Core Files 

Malware can also hide in WordPress core files. This applies to both outdated and up to date installations, although it’s worth mentioning that it’s more common for malware to be present in outdated installations.

If you’ve visited a malicious website or clicked on a link in a phishing email and downloaded an infected file to your computer, it’s safe to assume your computer is now infected with malware. This is an easy way to get your site infected with malware, as any files uploaded to your site could be infected.

Shared Hosting

Lastly, when it comes to shared hosting, malware can affect another site on the same host server. Shared hosting is often not the most secure hosting. In some cases, malware is visible on the main site and sometimes it is very difficult to find. A notorious example of difficult-to-find malware is the pharma hack. In this scenario, the hack is not visible on any of your website pages or in the source code. The pharma hack shows up when you search for the website on a search engine like Google, and it can have crippling effects on your SEO rank.

When you take all of this into consideration, it’s easy to see that finding malware is not an easy job because it can be present in any of these places.

How to Scan a Website for Vulnerabilities?

Now that we’ve covered where malware usually hides on a WordPress website, let’s take a look at how to scan sites for malware.

There are many ways to find malware, including tools such as plugins and manual methods. Although it is possible to scan for malware manually, the success rate of manual methods is always very low given the complexity of finding the malware.

Luckily, there are many tools, plugins, and services on the market that will help you with this. But, before you decide to use any of these tools, it’s a good idea to familiarize yourself with the way these tools often scan a website for malware.

How to Scan a WordPress Site For Malware:

  1. Signature/Pattern Matching
  2. Malware Scanning via Keyword Identification
  3. Detect Differences in Core Files
  4. Match WordPress Plugins
  5. Look for Recently Modified Files
  6. Look for Unknown Files & Folders in the Root Folder

1. Signature/Pattern Matching

The first method on this list is the signature/pattern matching method. Using this method, a plugin or a tool will match files and code against known malware signatures. Signatures are nothing more than patterns, and the tool will match all the data of your site against those known patterns. If it finds a match, it will send an alert that an infection or intrusion has been found.

There are several drawbacks with the signature/pattern matching method. The main disadvantage is that it only matches the data against a known pattern. Unfortunately, since malware is nothing but code, there can exist an infinite number of patterns that the tool is not aware of.

Nowadays, a large majority of tools for site malware scanning use signature matching, including some of the topmost WordPress security scanners.

Security Scanner That Does Not Rely on Pattern Matching:

Unlike those web security scanners, MalCare’s website malware scanner is different. Counted among the best website malware scanners, it doesn’t use signature matching. Instead, it uses more than 100 intelligent signals to detect malware, even the most complex kind. These intelligent signals are the result of website scanning and gathering collective information over the course of three years. This information is now used to detect malware often missed by other website security check plugins. The plugin checks your website thoroughly to detect the location of even the most elusive malware. MalCare also performs all of the scans on its own servers to ensure there is no load on your website. Once the malware is detected, MalCare also removes malware with the click of a button.

Furthermore, being a complete security service, MalCare offers more security protections. Take for instance MalCare’s website monitoring activities, the website firewall, and the CAPTCHA-based security protection, which prevents bots and hackers from successfully hacking your website. MalCare also keeps track of any IP address that is trying to break into your WordPress website. MalCare also offers website backup facilities.


2. Malware Scanning via Keyword Identification 

Another common method to look for and identify malware is to search for keywords that are usually associated with malware. This includes phrases such as ‘eval’ or ‘base64_decode’.

It’s true that a lot of malicious code has those keywords. But there exists an even larger amount of malware that doesn’t use them at all. On the other hand, there is also a lot of valid and good code that uses these keywords.

As such, using this method is not the most foolproof way to scan a website for a virus. Also, if you perform a website malware scan using this method, you are likely to encounter many false positives.
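The trade-off described above can be measured on a small scale. This added example (not code from the original article or from any scanner it mentions) searches three constructed PHP snippets for the two keywords the article names and sorts the results into true positives, false positives and misses; the file paths and snippet contents are made up for illustration.

```python
import re

# The two keywords the article names; matched only when used as a call.
KEYWORDS = re.compile(r"\b(eval|base64_decode)\s*\(")

# Constructed samples: paths and contents are illustrative, not real files.
SAMPLES = {
    # Injected loader: decodes an embedded blob and executes it.
    "wp-content/uploads/cache.php":
        "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    # Legitimate plugin code: decodes a stored thumbnail, never executes it.
    "wp-content/plugins/gallery/thumb.php":
        "<?php echo base64_decode($row['thumb_b64']); ?>",
    # Pharma-hack style spam shown only to search crawlers: no keyword at all.
    "wp-content/themes/basic/footer.php":
        "<?php if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false)"
        " { echo '<a href=\"http://spam.example/\">pills</a>'; } ?>",
}
MALICIOUS = {"wp-content/uploads/cache.php",
             "wp-content/themes/basic/footer.php"}


def scan(files):
    """Return {path: sorted keyword hits} for every file with a match."""
    hits = {}
    for path, source in files.items():
        found = sorted({m.group(1) for m in KEYWORDS.finditer(source)})
        if found:
            hits[path] = found
    return hits


def score(files, malicious):
    """Split the flagged paths into true positives, false positives, misses."""
    flagged = set(scan(files))
    return {
        "true_positives": sorted(flagged & malicious),
        "false_positives": sorted(flagged - malicious),
        "missed": sorted(malicious - flagged),
    }


if __name__ == "__main__":
    for kind, paths in score(SAMPLES, MALICIOUS).items():
        print(f"{kind}: {paths}")
```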


3. Differences in Core Files

Malware can also be identified by looking at the local core files in WordPress and comparing them to official WordPress core files. The core files are all the WordPress files that make the WordPress software. In some cases, malware is inserted in these files to make it more difficult to find or for vulnerability exploits.

Since WordPress is open-source software, you can easily compare the local version against the official version and see if there are any differences.

This method is rather effective to some extent because you can easily spot a difference. However, it still has its own set of problems. The main problem with this method is that different web hosts have different versions of WordPress. This means there is a possibility you’ll get a false alarm.

On top of that, there is one more problem associated with looking for malware in core files. Malware doesn’t have to reside there. It can reside anywhere else so you may not see any infection even though your website has been hacked. Nonetheless, this is a useful method for finding and identifying malware on your site.



4. Match WordPress Plugins

The next method on our list is to match plugins. Similarly to core file matching, plugin matching refers to matching the installed plugins against the ones available in the public repository.

This is another decent method to find malware but it does have drawbacks. For starters, you need to keep in mind that like with WordPress core files, there are different versions of plugins. So there is a possibility you’ll get a false positive.

Another problem with this method is that not all plugins are publicly available. Some plugins exist only on the website developers’ websites or on third-party marketplaces. This means you can’t compare different versions.

Lastly, some plugins have modifications that are often not captured in the repository. This includes modifications to change the way a plugin works or adding more functionality than what the plugin originally offered.

All of these make it difficult to consider matching WordPress plugin files as a reliable method of finding malware on your site.


5. Look for Recently Modified Files

If your site has been hacked, there is a possibility that you can find malware in recently modified files. Perform a website malware scan on recently modified files or even new files. They might be a part of a hack, especially if you or anyone managing your site didn’t modify or upload any files. Any new or modified file that has been uploaded or modified in the last 7-30 days should be treated with caution and scanned for potential instances of malware.

You will have to look at the time when the files were modified or uploaded. If you or your teammates did not make any modification to files, then a third-party, such as a hacker, might have made the changes or uploaded malicious files like wp-feed.php or wp-tmp.php.

Similarly to the other methods listed here, this method has its own disadvantages. Today’s hackers are smart and they might have reset the time of the modification. This makes it hard to know if the files have really been modified recently or if they were modified by someone who is not associated with your website.
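One way to run this check and still catch a reset modification time, as an added example that is not part of the original article: the script lists files whose modification time falls inside the window and, separately, files whose modification time looks old but whose inode change time (`st_ctime`) is recent. The sample tree is constructed in a temporary directory, and the 30-day default and the name `new-upload.php` are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400  # seconds


def recent_changes(root, days=30, now=None):
    """Return [(relative path, reason)] for files changed within `days`."""
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        rel = path.relative_to(root).as_posix()
        if st.st_mtime >= cutoff:
            findings.append((rel, "modified recently"))
        elif st.st_ctime >= cutoff:
            # mtime looks old but the inode changed inside the window: the
            # timestamp may have been set back, or owner/permissions changed.
            findings.append((rel, "old mtime, recent ctime"))
    return findings


def build_sample(root):
    """Constructed tree: one fresh upload, one file with a backdated mtime."""
    root = Path(root)
    (root / "wp-content").mkdir()
    (root / "wp-content" / "new-upload.php").write_text("<?php // constructed")
    backdated = root / "wp-feed.php"
    backdated.write_text("<?php // constructed")
    old = time.time() - 90 * DAY
    os.utime(backdated, (old, old))  # sets atime/mtime; ctime becomes "now"


def demo():
    """Build the sample tree and scan it with the default 30-day window."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return recent_changes(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:26} {rel}")
```

On Linux, `st_ctime` is the inode change time and cannot be set with `touch` or `os.utime`; on Windows it is the file creation time, so the second check means something different there.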


6. Look for Website Malware in Unknown Files and Folders of WordPress Root Folder

Lastly, look for unknown files and folders in the root folder of your WordPress installation. The WordPress root directory (the /public_html folder) is often a target for hackers because it’s not a place any regular WordPress user would access on a daily basis.

Other vulnerable folders and files include the plugin folder found in /wp-content/plugins/ and the themes folder found in /wp-content/themes/. To ensure there is no malware in these directories, make sure there are no unknown php files or extra folders present.

As a general rule of thumb, looking for unknown folders and files is a great way to catch any suspicious and malicious files and folders. Keep in mind, though, that sometimes there might be extra files and folders that look unfamiliar but aren’t malicious.

Likewise, themes and plugins folders usually come with a known set of files and folders, however, there are cases when they contain extra files and folders that aren’t so common. In these situations, removing them could cause themes or plugins to stop working correctly. Therefore, it’s best to pair this method with another one, rather than using it on its own.
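Methods 3 and 6 both come down to comparing the site against a list of files that are supposed to be there. As an added example (not from the original article or any plugin it mentions), this script checks a directory against a manifest of release hashes and reports modified, missing and unknown files; the manifest format, the `site_files` allowlist and the sample file contents are assumptions made for the illustration, and the second run shows the false alarm that a wrong-version manifest produces.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def manifest_of(release):
    """Build {relative path: sha256} from a {path: bytes} release."""
    return {rel: sha256(body) for rel, body in release.items()}


def audit(root, manifest, site_files=("wp-config.php",)):
    """Compare the files under root with a release manifest."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unknown": []}
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256(target.read_bytes()) != expected:
            report["modified"].append(rel)
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in manifest and rel not in site_files:
            report["unknown"].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}


# Constructed stand-ins for two official releases (not real WordPress code).
RELEASE_OLD = {"index.php": b"<?php // loader", "wp-load.php": b"<?php // v1"}
RELEASE_NEW = {"index.php": b"<?php // loader", "wp-load.php": b"<?php // v2"}


def demo():
    """Site runs RELEASE_NEW with one tampered file and one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in RELEASE_NEW.items():
            (root / rel).write_bytes(body)
        (root / "wp-config.php").write_bytes(b"<?php // site settings")
        (root / "index.php").write_bytes(b"<?php // loader\ninclude 'x';")
        (root / "wp-tmp.php").write_bytes(b"<?php // constructed stray file")
        right = audit(root, manifest_of(RELEASE_NEW))
        wrong = audit(root, manifest_of(RELEASE_OLD))
    return right, wrong


if __name__ == "__main__":
    for label, report in zip(("matching version", "wrong version"), demo()):
        print(label, report)
```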

Drawbacks of the Scanning

As you can see, there are a variety of premium malware checkers or online website scanners. And they employ various methods to scan your site for malware. While all of these methods can be used, bear in mind that they also have drawbacks which means they are not entirely reliable and may result in false positives or worse, miss malware completely.

Some of the methods employed by online website malware scanners that we’ve mentioned above, require you to get SSH access to the site. This is unavailable on 99% of hosted sites and is often beyond the scope of knowledge for most WordPress users.

In addition to that, you need to use tools like grep which is extremely complex to use and presents another problem for the vast majority of WordPress users.

But, even if you disregard all the drawbacks above, there is no guarantee that you will be able to do a thorough scan of your website and identify all the instances of malicious code.

Finally, keep in mind that processes mentioned above such as pattern matching or WordPress core file matching are usually very resource intensive. This means that they can overload your server, causing you to go over your allocated resources and having your site suspended. This is a common problem with a lot of WordPress malware scanners.

Google “malware checker” or simply “website scanner” and you’ll come across a plethora of options. There are many tools that enable you to scan WordPress for malware online, such as Sucuri SiteCheck. You may also come across tools that offer website protection free of cost, as well as many website security companies that offer website malware protection. But they all tend to rely on the methods that we discussed above. Or you can simply get a website malware removal service to remove the malware for you.

Final Thoughts

Like many other security plugins, MalCare’s free website malware scanner performs website malware scans. But it doesn’t suffer from these problems, nor does it rely on the methods above. These are some of the highlights of the plugin:

  • MalCare is able to accurately identify malware because it does all the processing on its own servers and uses the knowledge of hundreds and thousands of websites that it’s installed on. You can test your website for malware anytime.
  • And MalCare collectively uses the information gathered from these sites to identify malware. This makes MalCare website scanner not only a powerful but also the right choice for your website.
  • Besides scanning, MalCare offers a host of other services like instant cleaning, website hardening, firewall and login protection facilities.
