Keeping your WordPress site secure is a task that can feel overwhelming at times—but it’s absolutely essential. Hackers love to target vulnerabilities in plugins, themes, and even the WordPress core itself. Regular scans for malicious code can save you a world of trouble later on. In this post, I’ll share how to use a powerful tool, the PHP Malware Scanner, to hunt down potential threats lurking in your site.
Why You Should Scan for Malicious Code
Have you ever logged into your WordPress site only to notice strange behavior—like unexpected redirects or spammy links that you didn’t create? That’s often a telltale sign that something malicious has found its way into your files. Here’s how malware typically sneaks in:
- Sketchy plugins or themes downloaded from unknown sources.
- Exploits targeting outdated WordPress installations.
- Vulnerabilities in poorly coded forms or file upload scripts.
If malware isn’t caught quickly, it can cause havoc. Search engines might flag your site, visitors could lose trust, and in the worst cases, sensitive data could be compromised. Regular scanning is like a wellness checkup for your website—preventing small issues from turning into major headaches.
When Should You Use PHP Malware Scanner?
Imagine this: You suspect your site has been hacked. Maybe your homepage isn’t loading properly, or a security plugin has alerted you to suspicious changes. If you don’t have a recent backup (we’ve all been there), a scanner like PHP Malware Scanner is your next best friend.
We’ve talked about restoring sites in our previous post, How to Recover a Hacked WordPress Website. But when backups aren’t an option, tools like this help pinpoint the problem areas so you can focus on fixing them.
What Makes PHP Malware Scanner Special?
This isn’t just another generic malware tool. PHP Malware Scanner was built with WordPress users in mind. It’s great at finding and flagging code that might otherwise go unnoticed, especially in PHP files. Here’s what it offers:
- Signature Matching: It compares your files against a database of known malware patterns.
- WordPress-Specific Focus: It checks core files, plugins, and themes for irregularities.
- Actionable Options: Decide whether to quarantine, fix, or whitelist flagged files.
How to Get Started with PHP Malware Scanner
Here’s a no-fuss guide to getting it up and running:
Step 1: Download and Set It Up
First, grab the tool from GitHub:
git clone https://github.com/scr34m/php-malware-scanner.git
cd php-malware-scanner
Step 2: Run the Scanner
Target your WordPress directory and let the tool do its thing. Replace /path/to/your/site with your site’s location:
php scanner /path/to/your/site -l
A Heads-Up About False Positives
Let me be real with you: No scanner is perfect. PHP Malware Scanner uses pattern matching, which means it’s looking for specific chunks of code associated with malware. The downside? Legitimate code can sometimes trigger a false positive.
Don’t panic. Use your judgment. If certain files keep getting flagged unnecessarily, you can add them to the whitelist to avoid dealing with them in future scans. This step alone can save you a ton of time.
Step 3: Analyze and Take Action
Here’s an example of what the scanner’s output might look like:
PROBABLE MALWARE FOUND!
/path/to/your/site/wp-admin/includes/class-pclzip.php
=================================== PREVIEW ====================================
- Malware Signature: php_uname()
OPTIONS:
[1] Delete file
[2] Move to quarantine
[3] Dry run evil code fixer
[4] Show source
[7] Add to whitelist
You’ll have several choices:
- Delete the File: Best if the file isn’t essential or can be replaced.
- Quarantine It: Safely move the file out of your site’s active directory.
- Fix It: Attempt to clean the malicious code while preserving the file.
For example, here’s a flagged snippet you might encounter:
if (!defined('PCLZIP_TEMPORARY_FILE_RATIO')) {
    define('PCLZIP_TEMPORARY_FILE_RATIO', 0.47);
}
// Malicious injection below
php_uname();
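In this case, the scanner flagged the injected php_uname() call. This function returns information about the host operating system and is often exploited by hackers. Removing the injected line neutralizes the threat.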
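Both the false-positive judgment call and the delete/quarantine/fix decision above get easier when each flagged file is compared with a pristine copy of the same release. The script below is an added example, not part of PHP Malware Scanner or the original post; the demo trees, the os-check.php and cache.php files, and the verdict names are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage signature hits against a pristine copy of the same release.
# The trees, file contents and verdict names are constructed for this demo.
SIGNATURE='php_uname('          # fixed string taken from the sample scanner output

# classify SITE PRISTINE RELPATH: print a one-word verdict for one flagged file
classify() {
    if [ ! -f "$2/$3" ]; then
        echo "not-in-release"   # does not ship with the release: review by hand
    elif cmp -s "$1/$3" "$2/$3"; then
        echo "false-positive"   # byte-identical to the release: whitelist candidate
    else
        echo "modified"         # differs from the release: inspect, then replace
    fi
}

# added_lines SITE PRISTINE RELPATH: lines on the site that the release lacks
added_lines() {
    diff "$2/$3" "$1/$3" | sed -n 's/^> //p'
}

# triage SITE PRISTINE: "verdict<TAB>path" for every PHP file containing SIGNATURE
triage() {
    ( cd "$1" && find . -type f -name '*.php' -exec grep -lF -- "$SIGNATURE" {} + || true ) |
    sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        printf '%s\t%s\n' "$(classify "$1" "$2" "$rel")" "$rel"
    done
}

# Build a constructed site and release tree to run the triage against.
build_demo() {
    DEMO=$(mktemp -d)
    inc=wp-admin/includes
    mkdir -p "$DEMO/pristine/$inc" "$DEMO/site/wp-content/uploads"
    printf '%s\n' '<?php' "define('PCLZIP_TEMPORARY_FILE_RATIO', 0.47);" \
        > "$DEMO/pristine/$inc/class-pclzip.php"
    printf '%s\n' '<?php' '$is_win = stristr(php_uname(), "windows");' \
        > "$DEMO/pristine/$inc/os-check.php"
    cp -R "$DEMO/pristine/." "$DEMO/site/"
    echo 'php_uname();' >> "$DEMO/site/$inc/class-pclzip.php"     # injected line
    echo '<?php echo php_uname();' > "$DEMO/site/wp-content/uploads/cache.php"
}

build_demo
trap 'rm -rf "$DEMO"' EXIT
triage "$DEMO/site" "$DEMO/pristine"
added_lines "$DEMO/site" "$DEMO/pristine" wp-admin/includes/class-pclzip.php
```

On a real site, a fresh download of the same WordPress version serves as the pristine tree. For core files, WP-CLI's `wp core verify-checksums` performs a comparable check against the official checksums.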
Step 4: Verify and Repeat
After resolving the flagged issues, run the scanner again to make sure nothing was missed:
php scanner /path/to/your/site -l
Best Practices for Long-Term Security
Scanning alone won’t keep your site safe—it’s just one piece of the puzzle. Here are a few tips to help you stay one step ahead:
- Stay Updated: Regularly update WordPress core, plugins, and themes.
- Be Picky About Plugins: Only use trusted, well-reviewed plugins.
- Install Security Plugins: Tools like Wordfence can provide real-time protection.
- Back Up Religiously: A reliable backup can save you when all else fails.
- Monitor File Changes: Use plugins that alert you to suspicious activity.
Final Thoughts
No one wants to deal with a hacked website, but it happens. The PHP Malware Scanner is a powerful tool to have in your arsenal. By scanning regularly and staying vigilant, you can protect your site from most threats before they spiral out of control.
If you’re feeling overwhelmed or need expert help, reach out to us at Shift8 Web. We’re always here to help keep your site safe and secure!