WordPress Malware Scanners – A first hand account

Nov 14, 2014

As a WordPress site owner, security has always been a top concern for me, and also a tad overwhelming. The knowledge that new vulnerabilities are disclosed every day only makes it that much scarier. I decided that having a good scanning solution in place for my site would be the way forward. Once I have a reliable scanner, I can bank on it to detect malware and other known issues on my site quickly, and thus minimize the damage they can cause. So far, so good; but how do I narrow it down to that one good scanner? Should I trust the popular reviews or go by user ratings? Even then, how do I know for sure that the scans are really effective? If a scanner doesn't pull up any issues on my site, can I safely assume that my site is malware free? Or is it just creating a false sense of security?

The best way to put my mind at rest, I realized, was to subject the scanners to a test. I picked the most popular names associated with WordPress scans – Sucuri, Wordfence, WPScan, and Exploit Scanner. I then introduced two known issues into my site –

  • the TimThumb image-resizing script, whose older versions have well-known vulnerabilities
  • a malware sample, picked from Sucuri's own site

I added the TimThumb script to my current theme and planted the malware in the index.php file. I was all set for the final test – the scan itself. I could now check whether the scanners were effective, without having to rely on other reviews.

Sucuri Sitecheck

You can't talk about WordPress security without mentioning Sucuri. So what better place to start our test than Sucuri SiteCheck? It is a free tool that checks your site for malware, blacklisting status, website errors, and out-of-date software. What's even better is that I didn't have to install anything to try this tool out. All I did was enter my URL into the space provided, click Scan, and wait for the scan results to be displayed. SiteCheck is a remote scanner: it fetches your pages the way a visitor's browser would, so it can only judge what the site serves, not the PHP files on disk. The interface is simple and easy to use. It took just a few minutes for the scan to complete, but that may vary depending on the size of your site.

[Screenshot: WordPress Malware Scanner - Sucuri Sitecheck]

The status of the scan caught me by surprise – no malware was detected. This was a little scary as well as disappointing considering it was coming from Sucuri. Adding to all this was the fact that I had picked the malware from their own site.

Wordfence Security

Wordfence is another popular name when it comes to WordPress security. It is available as a security plugin that needs to be installed on your site. The plugin comes with an in-built scanner along with a host of other security features. The scan mainly covers the following points –

  • Checks for known malware
  • Compares WordPress core, plugin, and theme files against the repository
  • Scans file content for infections and vulnerabilities

Some features, like checking whether your site generates spam, are restricted to paid customers. The time taken for the scan to complete depends on what you've included in the options section. I went ahead and checked almost everything on the list. Why leave out parts of your site to save a few minutes? Unknowingly, we may even omit files that are potentially infected, rendering the scan useless.
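The second item in the Wordfence list, comparing files against the repository, is a file-integrity check: hash every file in the install and compare it with the hash the repository publishes for that release, so a modified index.php shows up regardless of what was injected into it. The script below is an added example of that technique and is not Wordfence's code. The manifest shape (path -> MD5 hex) mirrors what the wordpress.org core checksums API returns, but the manifest and the infected install are constructed inline, so it runs offline; the file names under wp-content/ are made up for the illustration.

```python
"""Core-file integrity check against a known-good checksum manifest.

Added example, not Wordfence code. The manifest here is derived from a
constructed "clean release"; in real use it would be fetched over TLS
from the wordpress.org checksums API for the installed version.
"""
import hashlib
from pathlib import Path

# Files that legitimately live in the web root but never appear in a
# core manifest, so their absence from it is not suspicious.
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}

# Constructed clean release: the bytes a pristine install would contain.
CLEAN_RELEASE = {
    "index.php": b"<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": b"<?php\nrequire __DIR__ . '/wp-load.php';\nwp();\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '4.0';\n",
}


def build_manifest(files):
    """path -> MD5 hex digest. MD5 is used because that is what the
    wordpress.org checksums API publishes; the job is change detection
    against a trusted manifest, not collision resistance."""
    return {path: hashlib.md5(data).hexdigest() for path, data in files.items()}


def load_tree(root):
    """Read a real install from disk into the same path -> bytes shape."""
    root = Path(root)
    return {str(f.relative_to(root)).replace("\\", "/"): f.read_bytes()
            for f in root.rglob("*") if f.is_file()}


def check_integrity(installed, manifest):
    """Compare an install against the manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    Unexpected files are only reported outside wp-content/: themes,
    plugins and uploads are not described by the core manifest, which is
    exactly why this check alone cannot see a dropped-in timthumb.php
    and a scanner also needs content signatures."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, digest in manifest.items():
        if path not in installed:
            report["missing"].append(path)
        elif hashlib.md5(installed[path]).hexdigest() != digest:
            report["modified"].append(path)
    for path in installed:
        in_core = not path.startswith("wp-content/")
        if in_core and path not in manifest and path not in SITE_SPECIFIC:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


# Constructed infected install: index.php carries an injected loader,
# a stray file sits in wp-includes/, and a TimThumb copy lives in the theme.
INFECTED_INSTALL = dict(CLEAN_RELEASE)
INFECTED_INSTALL["index.php"] = (
    b"<?php\neval(base64_decode('ZWNobyAnb3duZWQnOw=='));\n"   # injected line
    + CLEAN_RELEASE["index.php"][len(b"<?php\n"):]
)
INFECTED_INSTALL["wp-includes/class-wp-cache.php"] = b"<?php\n// not part of the release\n"
INFECTED_INSTALL["wp-content/themes/mytheme/timthumb.php"] = b"<?php\ndefine ('VERSION', '2.8.13');\n"
INFECTED_INSTALL["wp-config.php"] = b"<?php\ndefine('DB_NAME', 'wp');\n"

if __name__ == "__main__":
    manifest = build_manifest(CLEAN_RELEASE)
    for kind, paths in check_integrity(INFECTED_INSTALL, manifest).items():
        print(f"{kind}: {paths}")
```

Run against the constructed install it reports index.php as modified and wp-includes/class-wp-cache.php as unexpected, while the TimThumb file under wp-content/ passes untouched; that gap is what the "scans file content for infections" item in the list is for.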

[Screenshot: WordPress Malware Scanner - Wordfence]

Though the scan took a while to complete, I was thrilled that it was able to detect both the issues on my site. Users also have the option of scheduling scans as per their needs. Wordfence is definitely a potential candidate for my site.

[Screenshot: WordPress Malware Scanner - Wordfence]

WPScan

The WPScan team refers to their product as a black box scanner that detects known security issues in WordPress sites. Like SiteCheck, it works over HTTP rather than reading files: it probes the site for version fingerprints and known-vulnerable components. There is an online version similar to Sucuri's SiteCheck that takes in a URL and gives us the results. The tool also comes pre-installed in many of the popular Linux distributions. Apart from basic security checks, the tool also has the ability to enumerate plugins, themes, and users to identify possible issues on your site. However, these advanced options are only available in the installed version and not in the online one. The main challenge I saw right away was interpreting the scan results. The results are plain text with minimal formatting, making it hard to read through quickly.

[Screenshot: WordPress Malware Scanner - WPScan]

What mattered in the end, however, is that the scanner couldn’t detect the issues on my site.

Exploit Scanner

Exploit Scanner is another WordPress security plugin that checks your site for signs of suspicious activity. Unlike Wordfence, this is a pure scanning utility. Once installed, you can use the Run Scan option to initiate a scan. It's really that simple, without too many options to play around with.

[Screenshot: WordPress Malware Scanner - Exploit Scanner]

Now for the good news: the scanner was able to catch both my issues. Apart from that, the scanner listed hundreds of other files that looked potentially suspicious. It is a good thing that the scanner goes through all the file content in detail and lists, for each file, the code snippet it deems malicious. However, the list looked to include many false positives that have to be eliminated through manual inspection of the code. Now this may seem easy for a developer, but not for a regular WordPress user like me who has little idea about code. The interface, too, could do with a little structuring.
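What Exploit Scanner (and the Wordfence malware check) does at this step is a content-signature scan: every file is searched for byte patterns that malware tends to use, and the hits are listed with a snippet. The script below is an added example of that approach, not either plugin's code, written so the false-positive problem is visible: the "long base64 blob" rule catches a planted payload but also a plugin's embedded icon. It also flags a bundled timthumb.php by its VERSION constant; the 2.8.14 threshold is an assumption used here as the version carrying the 2014 fixes, and the signature set and sample files are constructed inline.

```python
"""Content-signature scan with a TimThumb version check.

Added example, not Exploit Scanner or Wordfence code. Real products ship
thousands of signatures; this illustrative set shows the two kinds that
matter for triage: high-confidence rules that almost always mean
compromise, and low-confidence ones that generate the noise a
non-developer has to wade through by hand.
"""
import re

# (rule name, pattern, confidence)
SIGNATURES = [
    ("eval-of-decoded-payload",           # obfuscated loader, e.g. eval(base64_decode(...))
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "high"),
    ("preg_replace-e-modifier",           # /e runs the replacement as PHP (only '/' delimiters handled)
     re.compile(rb"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
     "high"),
    ("request-to-shell",                  # request parameter passed straight to a shell
     re.compile(rb"(?:system|exec|shell_exec|passthru)\s*\(\s*\$_(?:GET|POST|REQUEST)\b"),
     "high"),
    ("long-base64-blob",                  # payloads hide here, but so do images and fonts
     re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
     "low"),
]

TIMTHUMB_VERSION = re.compile(rb"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]")
MIN_SAFE_TIMTHUMB = (2, 8, 14)   # assumption for this example, see lead-in


def timthumb_outdated(data):
    """True if the file declares a TimThumb VERSION below the threshold."""
    m = TIMTHUMB_VERSION.search(data)
    if not m:
        return False
    version = tuple(int(part) for part in m.group(1).split(b"."))
    return version < MIN_SAFE_TIMTHUMB


def scan_file(path, data):
    """Findings for one file: rule, confidence, 1-based line, snippet."""
    findings = []
    for rule, pattern, confidence in SIGNATURES:
        for m in pattern.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            snippet = data[m.start():m.start() + 60].split(b"\n")[0]
            findings.append({"path": path, "rule": rule, "confidence": confidence,
                             "line": line, "snippet": snippet.decode("latin-1")})
    if path.endswith("timthumb.php") and timthumb_outdated(data):
        findings.append({"path": path, "rule": "timthumb-outdated",
                         "confidence": "high", "line": 0, "snippet": ""})
    return findings


def scan_tree(files):
    """files: path -> bytes. High-confidence hits sort first so the
    likely compromises are reviewed before the noise."""
    out = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    out.sort(key=lambda f: (f["confidence"] != "high", f["path"], f["line"]))
    return out


# Constructed sample tree: one injected loader, one outdated TimThumb,
# one legacy /e usage, one benign embedded icon, one clean file.
SAMPLE_FILES = {
    "wp-content/themes/mytheme/index.php":
        b"<?php\neval(base64_decode('ZWNobyAnb3duZWQnOw=='));\nget_header();\n",
    "wp-content/themes/mytheme/timthumb.php":
        b"<?php\ndefine ('VERSION', '2.8.13');\n",
    "wp-content/plugins/old-gallery/helper.php":
        b"<?php\n$s = preg_replace('/(.*)/e', 'strrev(\"$1\")', $s);\n",
    "wp-content/plugins/old-gallery/icons.php":
        b"<?php\n$png = base64_decode('iVBORw0KGgo" + b"A" * 230 + b"');\n",
    "wp-content/plugins/old-gallery/admin.php":
        b"<?php\nif (!current_user_can('manage_options')) wp_die();\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"[{f['confidence']:4}] {f['path']}:{f['line']} {f['rule']}  {f['snippet']}")
```

The icons.php hit is the kind of entry that has to be cleared by reading the code: a 240-character base64 string is indistinguishable, by pattern alone, from a packed payload. Sorting by confidence does not remove the manual work the article describes, but it puts the four findings that matter above the one that probably does not.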

Conclusion

At the end of the whole exercise I realized there is no perfect solution when it comes to scanners. Especially with many of them putting up disclaimers stating that 100% accuracy isn't guaranteed (e.g. Sucuri and Exploit Scanner), I wondered for a fleeting instant whether I should install a scanner at all. In the end, I decided to go with Wordfence, as it was the most effective and easiest to use. Plus, it brings added features that would help improve my site's security. Wordfence is my choice; what's yours? Share your scan story in the comments section.

4 Comments
Jim Walker
6 years ago

Scanners of the sort described above are what I call, “bread crumb” tools.
You likely will not find the gold ring (by using them), but they may help lead you down the path to the prize…

Robert Abela
6 years ago

Hi Shylaja,

Good tests as usual 🙂 I think one of the main problems with Sucuri and WPScan is that they are both blackbox scanners, hence it is difficult for them to find these specific issues (although timthumb should have been caught easily).

Also, one important thing to point out is that, as we can see, scanners are not enough, which is why you need a complete solution that includes hardening, scanning and monitoring; as such, there is no single solution for this. That is why ideally WordPress users should use a variety of solutions.

Jan Koch
6 years ago

Nice roundup!
I’ve already included WPScan and WordFence in my daily business, but didn’t know about the Exploit Scanner plugin.

Will definitely give this a try!

Ron Bray
4 years ago

Very informative post. We must be vigilant against hackers all the time.

You’ve made some great points here. Glenn Shepherd actually talked about this in one of his first Techy Thursday webinars. Yes, I’m an iPro partner.

There are two free plugins that we can get to cover a lot of what you mentioned and some things not mentioned here:

  • Acunetix WP Security
  • All In One WP Security

You can install them from your WP back office in the plugins section.

One of the things not mentioned has to do with the changing the login page URL from the standard one provided by WP when you first install it. This can stop a lot of brute force login attempts because it’s not easily identifiable by the robots that hackers use. It can be done in the All In One plugin listed above.

I hope this helps you and your readers to protect the websites.
