Build Beautiful WordPress Websites Using Divi and Divi Builder

How to Scan WordPress Website to Clean Malware

Blair2004 WordPress Tutorials Feb 25, 2021

Most people have heard about "Hacking", but few feel concerned about that matter. You might not know it, but at the time you're reading this post, someone is trying to break your website down.

Maybe it's already broken, but you can't notice that. Hackers attacks websites for various purposes :

  • Spamming
  • Ransomware
  • Phishing
  • Etc

Your website can have already been compromised, but the attacker is performing harm quietly. That's why it's important to frequently run tests on your website. So in today's tutorial, we'll figure out how you can run scans on your website and get rid of them.

Let’s get to it!

Download Divi The Best WordPress Theme

The Most Popular WordPress Theme In The World And The Ultimate WordPress Page Builder

Download Divi

How Does Hidden Malware Get Installed?

There are multiple ways to gain access to a website. The most common is by brute force attack. This consists of trying multiple times (until success) various credentials that can match administrator credentials. Once on your dashboard, the wolf is on the sheepfold. They can do whatever they like, but most commonly they'll install malicious code.

It might get installed from a file you downloaded to your local machine that contained malware that found its way to your server. You might have even (accidentally, of course) clicked a phishing link or been redirected by a compromised website to one that seemed legitimate.

The truth is that there are even entire networks of bots that search the internet for WordPress websites with specific vulnerabilities. Like out-of-date plugins with known vulnerabilities, themes with specific, unpatched exploits, servers that run old versions of PHP, etc.

Keep in mind that this can happen to all of us at some point, and don't be ashamed if that happened to you. Because while it’s definitely not a good occurrence, it’s fixable if you follow the right steps. That's what we'll unfold now.

1. Use An Anti-Malware Plugin

Whether or not you think you have hidden malware on your site, the first step is choosing anti-malware software. For WordPress users, two of the top choices are WordFence and Sucuri. Both of these are tried, tested, and trusted to protect WordPress sites. And both of them offer stellar free versions many users trusts, on top of the more advanced premium versions.

Additionally, you might choose some external URL checkers like VirusTotal.

This service will crawl your website URLs and check whether it is compromised. If there are positive results, then you should definitely use WordFence or Sucuri.

Throughout this tutorial, we'll explore deeply WordFence which is also available on the WordPress repository.

2. How to Scan Your Website For Malware

Despite services that explore your website by crawling, you'll need to have a plugin that check the source code. Frequently, attackers inject code on existing files, that cause harm to your website. These files might be WordPress core files, themes and plugins. An internal scan will then compare all your files with original files and see the difference. It will also check if there are exploits explicitly added on a file.

Regarding WordFence, you can get it on the WordPress repository. Since it's a WordPress plugin, you can even install it from your dashboard.

At landing, the default dashboard of WordFence includes all the details about the actual status of your website. It's available under "WordFence > Dashboard". From you'll see the summary of the protection, the scans, the issues detected on previous scans and much more.

When you go into WordFence – Scan, you see a lot of data. But it’s easy to digest once you know what you’re looking at.

You'll start by pressing the Start New Scan (1) button, WordFence works its way through a timeline (2). After the scan, you see a detailed log of results in a tab that is located below section 2.

3. How To Handle The Scan Result

Once you see your results, it’s time to review and take action on them. But even before that, you have to know what is mentioned.

If you see a message labeled High Priority with a red dot (6), you need to take immediate attention. Especially if that highlights that there is an unknown file in WordPress core. That is bad news. Luckily, WordFence lets you Delete All Deletable Files (5) with the click of a button.

However, some of the errors you'll see are core files being editing by the attacker. Rather than going through all the files and delete the malicious code, the quicker solution is to (after having deleted other unknown files) reinstall WordPress. By default, that option is available on the WordPress updates center.

One important thing we need to do is to frequently back up your website. And even if you decide to restore a backup, you still need to check that backup by scanning. Usually, backup plugins only do their backing up job, without checking if there is malware within. At the moment, we need to do that because any wrong modification can lock you out.

The most difficult part of this job is when the attack has affected plugins and themes. The only right thing to do is to manually downgrade the version of your plugins so that you can update to the new version (this is a solution to reinstall your plugins and themes). Note that here, if an unknown plugin has been added to a plugin or theme, during the reinstallation, that file will be deleted.

After having done that, you just need to update all your plugins. At this point, your site should be free of hidden malware. If you want to check even deeper, run a scan with Sucuri to see if it picks up anything WordFence misses. Additionally, you can subscribe to the premium version of either to get a deeper scan.

The malware-infected files are gone. So you only have to deal with issues that are less pressing and most likely not related to malware but still cause a flaw on your website.

In this instance, the WordPress version is out of date (9). WordFence warns about it because outdated WP versions can contain severe security issues. Additionally, WordFence tells you about plugin and theme versions being out of date (10).

4. Other Things To Do After Cleaning Your WordPress Website

It's quite disgusting to find malware on your website, but be reassured that it's something you can fix. After you clean your site and get the malware gone, you can follow a few simple steps to strenghten your defenses.

  • Change all your passwords. You probably don’t know how the malware got there. But it’s possible and likely that your admin and user passwords were compromised in some way. So you need to change them all. You can use this plugin, and it will notify everyone at their registered email.
  • Enable Two-Factor Authentication (2FA). By having 2FA enabled on your site, it means that even if a password is compromised, the attacker will unlikely be able to get further into your site. This step is becoming mandatory as attacks on WordPress sites increase.
  • Audit Your Registered Users. Just to be safe, check the users on your site who have permission to edit files and permissions. If an attacker got inside your site and made their own user, 2FA and changing passwords will happen for them, too. So check to see if you have a mole and root them out. And by rooting them out, we mean to delete that user and purge them from your database.
  • Backup Your Site. Now that you are certain your website is clean, back it up. That way, you have a solid, sterile foundation to start from if anyone goes bananas again.
  • Run Regular Malware Scans. Hopefully, you will keep WordFence or whatever security plugin you use installed. Set it to automatically scan your site and to email the results to you. The free version of WordFence will do this for you.

Final Note On Scanning WordPress For Malware

All these attacks (malware, hacking, viruses, brute force), are maybe scary, but you can deal with them. By following strict measures on your website, you can put enough defenses to prevent them from entering your safe haven you took time to build. While it's not necessarily mandatory, you're highly encouraged to perform :

  • Frequent Scans
  • Frequent Backup
  • Secure Your Authentication (2FA)
  • Update Your System (Core, Plugins & Themes)

Surely doing that doesn't take you completely away from attackers, but that strongly makes the work very hard for them. Good luck.