Earlier this year I received an email from a reader of one of my websites advising me that my website was being blocked by their antivirus as it wasn’t safe. After checking all of my files, I realized my website had been hacked. The hackers had placed malicious files in one of my WordPress folders.
Website security is something a lot of us take for granted. I’m guilty of this myself and only became proactive on the issue when my own website was hacked.
It isn’t always clear when your website has been hacked. My website had been exploited for over a month without my knowledge. Thankfully, there are a lot of WordPress plugin solutions available that will scan your website and inform you of anything malicious on your website. Today I’d like to show you three good plugins which will help scan your WordPress installation and let you know if anything is amiss.
Please note that these plugins only report suspicious files; they don’t remove them. Once you know which files are malicious, you can delete them (or replace them if applicable).
Look-See Security Scanner is a simple plugin that searches your whole installation for missing, modified or unexpected files. It’s a useful way of seeing whether your website has been hacked.
You can verify core files, wp-admin, wp-includes and your uploads folder. You can also compare files to the last time the scan was run.
Once the scan has completed, you will see a report which lists anything suspicious. I noticed that it showed a lot of files from plugins I had installed, so you may need to verify all unexpected files yourself.
Look-See Security Scanner is a quick way of checking whether your WordPress files have been tampered with.
Download Link: Look-See Security Scanner
Sucuri is a malware monitoring company that lets you scan your website online. Their plugin checks for malware, spam, blacklisting and other security issues like .htaccess redirections.
In addition to malware, the scanner also reports blackhat SEO spam and checks that your domain is safe to browse on many services such as Google Safe Browsing, Norton and SiteAdvisor. The WordPress installation is also checked.
The plugin also has a ‘1 click Hardening’ section that will make your uploads folder more secure. It also has an admin username changer, though this feature didn’t work for me during testing (I recommend using Admin username changer for this instead).
Sucuri offers a malware removal service for free. This can be done via their main website, not via the plugin.
Download Link: Sucuri Sitecheck Malware Scanner
The report will show the number of clean files, potentially suspicious files, suspicious files and malicious files.
Download Link: Quttera Web Malware Scanner
I recommend all users periodically run a scan of their WordPress website to check for malicious files. All of the above plugins have been tested on WordPress 3.4.2 and work well. There are other solutions available but many do not work. For example, Exploit Scanner appeared like it was going to work but then didn’t actually scan anything. Detectify For WordPress seemed like a great plugin but they didn’t email me the verification email with the code that was necessary to use the plugin.
If you know of any other good malware scanners for WordPress, please share them in the comment area.
Thanks for reading
Michael Scott has been working with WordPress themes and websites in varying capacities since 2007. It was mainly as a project manager where he quickly developed a love for their simplicity and scalability. As a strong advocate of all things WordPress, he enjoys any opportunity to promote its use across the Interweb and on WPHub.com.