Someone on the Manchester WordPress User Group mailing list recently asked about checking their WordPress site for malware, and as I’ve spent some time decontaminating a WordPress site which was fairly riddled with malware recently, I thought I’d write up some quick pointers which might help you (or me in the future). I’ve broken them down into detection and prevention, and noted which are paid and which are free.
Free, detection: Use a Sucuri free scan to give your website the once over for malware; this will check a sampling of pages on your site, including JS files, for malware, and check a few blacklist services for your web address.
Paid, detection: Sucuri run a paid-for service which regularly scans your site and emails you when something nasty is found. I believe they also offer to help remove any malware found, though I’ve never used that aspect of their service. Update: Sucuri now have a WordPress security plugin, which allows them to scan the PHP source files inside your WordPress site; a remote scan can only see the HTML your site serves, not the PHP that produced it, so this catches backdoors that never show up in a rendered page.
Paid, detection: Automattic run a service called VaultPress, which at minimum backs up all your source code (plugins and themes), uploaded files and database. VaultPress higher priced subscriptions also scan your backed up files for compromised code.
Free, detection: Install the Exploit Scanner plugin which allows you to run one off scans for common malware. Once found, however, it’s up to you to remove it… your local WordPress User Group (Google for “[your town] wordpress user group”) or the WordPress Support Forums may be able to help with that.
Free, preventative: Install the Limit Logins plugin; it stops somebody (or some automated script) from sitting on your login page trying every username/password combination they can think of or calculate. It does this by allowing only so many (the number is configurable) failed logins before locking further attempts out for twenty minutes. It slows a brute-force attack down rather than defeating it, so pair it with a strong password (see below).
Free, preventative: Downgrade all unnecessary administrator level users to editors. This is particularly relevant if your WordPress instance can write files (e.g. if the theme and plugin editor work, or if you can upgrade plugins without entering FTP details) as in this situation a malicious hacker with access to an admin account can effectively write code (backdoors, malware, general PITA code) into your plugins and theme. The fewer administrators you have, the fewer accounts the bad guys can hack. Most people don’t really need to be administrators, being editors will suit them just fine once their egos settle down.
Free, detection: Install the Admin IP Watcher plugin; this will email each user every time someone logs into their account from a new IP address. Initially there will be a flurry of emails while the system gets to know everyone’s home and work IPs, but things will settle down. You will need to make your users aware that this is installed and to expect the emails, and they will need to forward the mails to you if someone logs into their account who isn’t them. (Also be aware that this emails when a user of any level logs in, so if you have Subscribers who just log in to comment then they will get the login emails as well.)
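To make the “flurry, then quiet” behaviour concrete, here is the detection logic such a plugin needs, as an added example written for this post (it is not the Admin IP Watcher plugin’s own code). It reads constructed login log lines (the line format is invented for the example, and the addresses are from the reserved documentation ranges), keeps the IPs seen per user, and raises an alert only when a successful login comes from an IP that user has not used before; failed attempts are ignored.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log; the line format is invented for this example and
# the addresses come from the TEST-NET documentation ranges.
SAMPLE_LOG = """\
2012-03-01T08:59:10Z login fail user=alice ip=192.0.2.77
2012-03-01T09:00:00Z login ok user=alice role=administrator ip=203.0.113.10
2012-03-01T12:30:00Z login ok user=alice role=administrator ip=198.51.100.7
2012-03-01T13:00:00Z login ok user=bob role=editor ip=203.0.113.44
2012-03-02T09:00:00Z login ok user=alice role=administrator ip=203.0.113.10
2012-03-02T10:00:00Z login ok user=carol role=subscriber ip=192.0.2.9
2012-03-03T03:12:00Z login ok user=alice role=administrator ip=192.0.2.200
2012-03-03T09:00:00Z login ok user=bob role=editor ip=203.0.113.44
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+)"
    r"(?: role=(?P<role>\S+))? ip=(?P<ip>\S+)$")


class NewIpWatcher:
    """Remembers which IPs each user has logged in from so far."""

    def __init__(self):
        self.known = defaultdict(set)

    def observe(self, ts, user, role, ip):
        """Return an alert dict if this successful login is from an IP the
        user has never used, else None. The very first login for a user
        always alerts, which is the start-up flurry the post warns about."""
        addr = ipaddress.ip_address(ip)  # ValueError on a malformed address
        if addr in self.known[user]:
            return None
        self.known[user].add(addr)
        return {"time": ts, "user": user, "role": role, "ip": str(addr),
                "first_login": len(self.known[user]) == 1}


def replay(log_lines):
    """Run the watcher over log lines in order; return the alerts raised.
    Only successful logins count: a failed attempt from a new IP is a
    brute-force signal, not a sign the account is being used by someone else."""
    watcher = NewIpWatcher()
    alerts = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["result"] != "ok":
            continue
        alert = watcher.observe(m["ts"], m["user"], m["role"], m["ip"])
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in replay(SAMPLE_LOG.splitlines()):
        print(f"{a['time']} mail {a['user']} ({a['role']}): new IP {a['ip']}")
```

Running it over the sample produces five alerts: three are the baseline being learned (alice, bob and carol’s first logins), one is alice’s second known address, and only the 03:12 login from 192.0.2.200 is the kind of mail you actually want forwarded to you. Note that carol, a subscriber, gets mailed just like the administrators.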
Free, preventative: Make sure you use a strong password. Remember, kids, the best password is so complex you can’t remember it (seriously).
Some tips on looking for compromised code, most of which require some HTML/PHP knowledge unfortunately, but there’s not much getting round that!
- Load your web page in Firefox with Firebug installed (or Safari’s Web Inspector) and search the source for “iframe”. Check each one: do they all look legit, do any have a src attribute you don’t recognise, and if you visit that src does the page redirect once or several times? Bear in mind that the raw page source and the live DOM the inspector shows can differ: injected JavaScript often writes the iframe in at runtime, so look in both. And don’t open a suspicious src on the machine you do your banking on; fetch it with curl or use a throwaway browser or virtual machine.
- It takes a while, but it’s also worth skimming through all your plugin and theme code. I know, I know, there’s so much of it, but if you’re sure you’re infected then you need to root out the problem or it will get worse. The tips above about searching for injected JavaScript apply here to PHP too: look for eval() wrapped around base64_decode() or gzinflate(), long blocks of encoded text, code tacked on to the very start or end of a file, and files with odd names that the plugin’s own readme doesn’t mention.
- As a last resort, overwrite your plugins with known-good copies freshly downloaded from WordPress.org (the same goes for WordPress core itself). Beware of overwriting plugin and theme files which you’ve customised if you do this (though ideally you shouldn’t be editing plugin files directly). Comparing the installed copy against the fresh download first tells you exactly which files were changed or added, and the added ones are where backdoors tend to hide.
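The three tips above boil down to two mechanical checks, shown here as an added example written for this post (not the author’s code, and not how Sucuri, VaultPress or Exploit Scanner work internally): a grep-style scan of PHP/JS/HTML files for the markers injected code usually carries (eval of a decoded payload, decoder chains, preg_replace with the /e modifier, long base64 or hex-escaped blobs, and iframes pointing at hosts you have not listed as yours), and a SHA-256 comparison of an installed plugin against a known-good copy that reports changed and added files. The sample site that build_demo() creates is constructed for the demo, the host names in it are reserved example/invalid names, and the patterns are heuristics: a clean run proves nothing, as the warning further down says.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}

# Heuristics biased towards precision: clean WordPress code almost never
# matches these, so every hit deserves a look (a clean run proves nothing).
SUSPICIOUS_PATTERNS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("decoder chain",
     re.compile(r"(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\(", re.I)),
    ("preg_replace with /e (runs the replacement as PHP)",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
    ("hex-escaped string", re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)),
]
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def scan_file(path, allowed_hosts=()):
    """Return [(label, line_no, excerpt)] for one file; [] means no hits."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            excerpt = line.strip()[:80]
            for label, pattern in SUSPICIOUS_PATTERNS:
                if pattern.search(line):
                    findings.append((label, line_no, excerpt))
            for src in IFRAME_SRC.findall(line):
                host = urlparse(src).hostname  # None for a relative src
                if host and host.lower() not in allowed:
                    findings.append(("iframe to unlisted host " + host, line_no, excerpt))
    return findings


def scan_tree(root, allowed_hosts=()):
    """Walk root; return {relative_path: findings} for files with hits."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                full = os.path.join(dirpath, name)
                hits = scan_file(full, allowed_hosts)
                if hits:
                    report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report


def hash_tree(root):
    """{relative_path: sha256 hex digest} for every file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root).replace(os.sep, "/")] = \
                    hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_against_reference(installed, reference):
    """Compare an installed plugin/theme directory with a known-good copy.
    'added' files exist only in the installed copy (where dropped backdoors
    live); your own customisations show up as 'modified', so review first."""
    got, want = hash_tree(installed), hash_tree(reference)
    return {
        "modified": sorted(p for p in got if p in want and got[p] != want[p]),
        "added": sorted(p for p in got if p not in want),
        "missing": sorted(p for p in want if p not in got),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


CLEAN_PLUGIN = "<?php\n/* Plugin Name: Demo */\nfunction demo_hello() { return 'hi'; }\n"


def build_demo():
    """Construct a tiny infected site plus a clean reference copy of its
    plugin (standing in for a fresh WordPress.org download). Returns paths."""
    site, ref = tempfile.mkdtemp(prefix="wp-site-"), tempfile.mkdtemp(prefix="wp-ref-")
    _write(ref, "demo/demo.php", CLEAN_PLUGIN)
    _write(ref, "demo/readme.txt", "=== Demo ===\n")
    # Installed plugin: payload appended to a real file, plus a dropped file
    _write(site, "wp-content/plugins/demo/demo.php",
           CLEAN_PLUGIN + "eval(base64_decode('" + "QUJD" * 40 + "'));\n")
    _write(site, "wp-content/plugins/demo/readme.txt", "=== Demo ===\n")
    _write(site, "wp-content/plugins/demo/.cache.php",
           "<?php preg_replace('/(.*)/e', $_REQUEST['c'], ''); ?>\n")
    # Theme footer: a legitimate embed next to an injected 1x1 iframe
    _write(site, "wp-content/themes/demo/footer.php",
           '<iframe src="https://example.com/embed"></iframe>\n'
           '<iframe src="http://bad.invalid/in.php" width=1 height=1></iframe>\n')
    return {"site": site, "plugin": os.path.join(site, "wp-content/plugins/demo"),
            "reference": os.path.join(ref, "demo")}
```

Call build_demo(), then scan_tree(paths["site"], allowed_hosts=["example.com"]) flags demo.php (eval plus a long base64 blob), the dropped .cache.php (preg_replace /e) and the footer’s iframe to bad.invalid while leaving the example.com embed alone; diff_against_reference(paths["plugin"], paths["reference"]) reports demo.php as modified and .cache.php as added. On a real site point scan_tree at wp-content and diff each plugin directory against a fresh download of the same version, and put your own domain(s) in allowed_hosts.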
Warning: No scanning service will be 100.00000% accurate in identifying malware issues. I’ve found several patches of malware which the above services didn’t detect; but they were all super responsive and helpful in accepting reports of anything they missed, and the more people send them reports, the better they get for everybody.
Update: Check out the Hardening WordPress article on the WordPress.org codex.
Update: You can lock down the theme and plugin editors (found under Appearance and Plugins in your admin area respectively) so they can’t be used to inject malicious code; this appeared to stop a repetitive attack I experienced one time. Note that someone would need to have gained access to your admin area by cracking a user’s username and password for this to happen. The switch is the DISALLOW_FILE_EDIT constant in wp-config.php: set it to true and the editor pages disappear. If you don’t know PHP and don’t want to edit your theme or plugins, this is a no-brainer.
I’m by no means an expert in these things, but the above points and services have helped me out. If anyone has any useful suggestions or corrections, I’d be happy to hear them… so please, comment away.