So what is the best time to scan a WordPress site for malicious code?

If you’re asking yourself this question, I have a simple answer for you: the answer is right now! And the great thing is that there are a couple of solutions that make it very easy to do this. But let’s first dive into the reason why malware scanning is a good practice.

Why you should scan for malware

The primary reason for scanning a site is that malware can lie undetected and dormant on your site for weeks or months. By the time you detect any issues, like your site ranking for drug-related keywords (something you really want to avoid, unless you’re in that business!), it may already have harmed your position in search engines. Or even have Google show warnings on the search engine results of your site.

As a consequence, you will lose traffic, search engine rankings and possible revenue.

Another reason that makes it important to scan daily is that hackers are constantly innovating to come up with sneakier attacks. Attacks can be hard for you to recognize. The best way to keep up with hackers is to scan a WordPress site for malicious code as often as every single day. 

Where do you start? What do you need to do? And is it a lot of work? The rest of this article has all the answers. Let’s get started!

Where do you check for Malicious Code?

Depending on the type of attack, hackers can infect various parts of your WordPress website. These parts include:

  • The Core WordPress files and folders
  • WordPress plugin files
  • WordPress theme files
  • WordPress database tables

Essentially, you need to perform a WordPress scan for malicious code in each of these areas. Basically, you need to scan your complete WordPress website. Next, let us discuss the two main methods used to do this.

WordPress Scanning Methods

Cameras: Scan a WordPress Site for Malicious Code
Scan daily, scan thoroughly

Depending on your technical skills and WordPress know-how, you can opt for either of the following scanning methods:

  • Manual scanning (recommended for more advanced users)
  • Automatic scanning using a security scanner

Manual Scanning

Manual scanning is best recommended for those with an understanding of and experience with WordPress and its backend files. It also needs you to have a working knowledge of tools like FileZilla (an FTP manager) and the phpMyAdmin database (a tool to manage a database). 

You’ll see in the next section how manual scanning needs to be performed separately for each of the three elements – Core WordPress, Plugins/Themes, Databases – that could be infected.

How to manually scan your WordPress Site for Malicious Code

The first step to manual scanning is to check for any malicious code on your Core WordPress installation files. This includes the following steps:

  1. Download a fresh copy of the WordPress version (same as your installed version).
  2. Using an FTP tool like FileZilla or WinSCP, connect to your WordPress installation folder.
  3. Check for any recently modified files (by date and time) in your WordPress installation.
  4. Compare the contents of any modified file with the corresponding file from your fresh WordPress copy.
  5. If you find any suspicious code, this means that your original WordPress file has been corrupted.

The next step is to check your installed WordPress plugin and theme files for any malicious code. You need to repeat the same process of comparing your plugin and theme files with a fresh copy of the same plugins and themes. 

The final step to manual scanning is to scan the WordPress database for malicious code. This includes the following steps:

  1. Log into your WordPress host account and launch the phpMyAdmin tool from the Database section.
  2. Export your current WordPress database as an SQL file.
  3. Next, open the SQL file using any text editing tool and search for malicious code in the following:
    • PHP functions like base64_decode, gzinflate, and eval are usually targeted by hackers.
    • Any unknown web links or iframes that could be inserted by hackers.
  4. If your host does support SSH or SFTP access, you may also be able to access databases using a database tool in your computer, such as HeidiSQL or TablePlus (Mac) and perform the steps mentioned in 3.

As you can see, manual scanning is a considerable investment of time and effort on an ongoing basis, especially if you’re looking to run a WordPress for malicious code every single day. And that’s where security plugins come in.

Automatic Scanning using Security Scanners

If you’re looking to save both time and effort in your WordPress security plans, the best option is automatic scanning using a security scanner or plugin. Security scanners are designed to be used even by beginners and offer automated and scheduled scans.

For instance, MalCare is one such WordPress security plugin that lets you set up daily scheduled scans and even offers a one-click method for website cleanups if it finds any malware. Other notable plugins that can help with malware scanning are Wordfence, iThemes Security en Sucuri.

The best feature about security scanners like MalCare is that in a single click, you can scan your WordPress files, installed plugins/themes, and database tables in just a few minutes. As you can see, WordPress malicious code scanners are a good investment if you’re looking to make malware scans a part of your website maintenance activities.

How to Scan WordPress for Malicious Code and Clean it 1
The malware scanner screen for Wordfence, a WordPress security plugin

As the process is different for each plugin, it is outside of the scope to explain how this is exactly done for each plugin. However, usually, such a plugin adds a couple of settings in your WordPress dashboard where you can set up what to scan and how often.

Next, we shall look at how to remove malicious code from WordPress sites.

How to remove malicious code from your WordPress site?

Once you have found the malicious code, how do you go about removing it and cleaning your site? Just like scanning, you can remove the malicious code through the following methods:

  • Manual clean-up
  • Automatic clean-up using a security plugin

There’s also a third option though, and that is using an external expert to manually clean up your site. And some WordPress hosting providers, such as Kinsta, also offer hack fix guarantees.

Manual Clean-ups

Before going for a complete manual clean-up, make sure you take a complete backup of your WordPress installation files and database tables. You can use a backup plugin like BlogVault if you’re looking for an easy way to do this. 

If you find any malicious code in your core files or your plugins/themes, you can fix the problem by replacing it with the corresponding files from a fresh WordPress installation or plugin/theme files of the same version. Make sure you do not modify or overwrite the wp-content folder and the wp-config.php file of your current WordPress installation. For customized files, open them with any text editor and manually remove any suspicious code from them. 

Additionally, to prevent detection, hackers insert hidden backdoors into WordPress sites. They are often embedded in new files that appear like core files but are in a separate folder. 

Besides that, hackers can also inject backdoors into valid files like the wp-config.php or the wp-content folder. Backdoors are commonly found in PHP functions like base64, str_rot13, and eval. As these PHP functions are also used by installed plugins, take the utmost precaution when removing any malicious code from these functions – as any additional code deletion could potentially break your website.

If you locate any malicious entries in your WordPress database, here is how you can manually remove the infection:

  1. Connect to your database through your WordPress database admin panel.
  2. Open each table containing the malicious code and remove them manually.
  3. Additionally, if you find any new users that you have not added, remove them from the database.
  4. For safety purposes, reset the passwords of all your user accounts, so that hackers do not exploit them in the future.

After completing the manual clean-up, test your WordPress site to see if it is performing as before. If not, then it is time to restore the stored backups before repeating the clean-up process.

Automatic Clean-ups using a Security Plugin

Besides being risky, manual clean-ups also demand advanced technical knowledge and may not work to remove all types of malicious code.

Automatic clean-ups that rely on security plugins are far more effective and efficient since they combine both malware scanning and removal. For instance, a solution like MalCare can help you with instant removal of malicious code in a few clicks, complete clean-up of your core files, plugins/themes, and database tables, and removal of all backdoors thus preventing any future attacks. Some of the other security plugins mentioned before also have these functionalities.

How to Scan WordPress for Malicious Code and Clean it 2
The MalCare security plugin

MalCare is also integrated with Cloudways, a cloud-based hosting company that supports WordPress.

How to stop Hackers from adding Malicious Code

In other words, how do you keep your WordPress site safe and secure? Now that you have learned how to scan and remove malicious code from your WordPress site, it is important to understand why a website can be infected in the first place and how to prevent that.

Apart from investing in a reliable security plugin like MalCare, make sure you perform the following security measures regularly to protect your site:

  1. Take regular backups of your WordPress site.
  2. Switch to a safe and reliable WordPress hosting platform.
  3. Keep your website updated to the latest versions.
  4. Install the SSL certificate to encrypt your website data.
  5. Configure a WordPress firewall to block unwanted requests.
  6. Implement 2-Factor Authentication (2FA) to protect your login page.
  7. Implement hardening measures recommended by WordPress. Plugins like MalCare have this built into their dashboard so you can run them in a few clicks. 
  8. Restrict the number of users with administrator privileges.

Later on, I will write an elaborate series on security where I will explain a couple of these steps in detail.

I hope you found the steps and tips in this article helpful.  Questions or suggestions? Let me know in the comments below!