Exploit Scanner thoroughly scans your blog’s plugin and theme files (including CSS), along with core WordPress database tables such as wp_comments, wp_links, wp_posts and wp_postmeta, for malicious code that may compromise your installation or the computers of your blog visitors.
The plugin also scans your installation for hidden spam and phishing URLs, which are invisible to human visitors but visible to the crawlers of popular search engines such as Google and Bing. If a search engine discovers bad links in your installation, then you and your site visitors may start seeing an error like the following in your web browsers:
If malware or a bad link is present in your installation, the plugin will notify you about it in its scan results. However, it won’t remove anything from your installation! You either have to remove the malicious code or link manually yourself, or you may want to contact your web host. In critical cases, you may also want to restore your whole account from a clean backup, either one you keep yourself or one held by your host.
Install the plugin on your self-hosted installation and then head over to Tools >> Exploit Scanner in your Dashboard. You will see the following options before you start a thorough scan:
- Search for suspicious styles: display:none and visibility:hidden can be used by a hacker to hide malicious links (even iframes) in the HTML code of your site. The plugin thoroughly scans your installation for HTML in which a link has been made invisible with the display:none or visibility:hidden CSS style. If the plugin shows suspicious URLs in its scan results, you can always check those URLs with Sucuri Scanner (http://sitecheck.sucuri.net/). Keep in mind that with this option enabled you may see many false positives in the scan results.
- Upper file size limit: sets an upper file size limit in kilobytes (KB). Files larger than this limit are skipped during the scan, and a list of all skipped files is shown at the end of the scan. This is very useful if you have uploaded many clean documents (.doc, .docx, .pdf) and media files (images and videos in various formats) to your installation that you do not want scanned, since skipping them reduces resource consumption on your server and scan time.
- Number of files per batch: select the number of files to scan in a single batch from the drop-down menu: 100, 150, 250, 500 or 1000. Choosing a lower number of files per batch can help reduce the memory errors the scan process may produce.
Click the Run the Scan button and the plugin will start scanning your installation. The scan results may show security alerts for files and folders throughout your installation.
- Analyze the scan results carefully and don’t hesitate to ask your host and theme/plugin developers for help. Before you remove anything from your installation, always create a backup first.
- If your website is hosted on a server with very little RAM and CPU available to your account, the plugin may generate many memory limit errors. Initially the plugin tries to allocate 128 MB of memory for itself, but sometimes this is not sufficient to complete the whole scan. If you see memory limit errors, either increase the PHP memory limit allotted to your account or contact your hosting provider.
- If you use caching plugins such as WP Super Cache or W3 Total Cache, clear the cache directory (for example /wp-content/cache/) so that the plugin does not scan cached HTML pages unnecessarily. You may also want to temporarily disable the caching plugin during the scan.
- If a hacker has uploaded malicious code to your installation in a file type other than *.php, the plugin can also identify those file types for you during the scan.
- If you see suspicious external URLs, base64 encodings and the like in the scan results, contact your host immediately and tell them what the plugin found.
- The main page of the plugin also shows you a list of all users who have full administrator rights in your installation.
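As an added example (not the plugin's own code), here is a small Python scanner that applies two of the checks described above: links hidden with display:none or visibility:hidden, and eval(base64_decode(...)) in files of any extension, with a size limit that skips large files like the plugin's upper file size limit. The regexes, sample file names and URLs are constructed for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics assumed for this example (not the plugin's own signatures):
# a tag hidden with inline display:none / visibility:hidden that wraps <a href> links,
# and eval(base64_decode(...)), a classic marker of injected PHP.
HIDDEN_RE = re.compile(
    r'<(?P<tag>\w+)[^>]*\bstyle\s*=\s*["\'][^"\']*'
    r'(?:display\s*:\s*none|visibility\s*:\s*hidden)[^"\']*["\'][^>]*>'
    r'(?P<body>.*?)</(?P=tag)\s*>', re.IGNORECASE | re.DOTALL)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
EVAL_B64_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.IGNORECASE)

def scan_text(text):
    """Return (kind, detail) findings for one file or one wp_posts row."""
    findings = [('hidden-link', url) for m in HIDDEN_RE.finditer(text)
                for url in HREF_RE.findall(m.group('body'))]
    findings += [('eval-base64', m.group(0)) for m in EVAL_B64_RE.finditer(text)]
    return findings

def scan_tree(root, max_kb=512):
    """Scan every file under root whatever its extension; skip files larger
    than max_kb (like the plugin's upper file size limit) and report them."""
    report, skipped = {}, []
    for path in sorted(p for p in Path(root).rglob('*') if p.is_file()):
        if path.stat().st_size > max_kb * 1024:
            skipped.append(path.name)
            continue
        hits = scan_text(path.read_text(errors='replace'))
        if hits:
            report[path.name] = hits
    return report, skipped

# Constructed sample files standing in for a small wp-content tree.
SAMPLES = {
    'footer.php': '<p><a href="https://example.invalid/about">About</a></p>\n'
                  '<div style="display:none"><a href="http://example.invalid/spam1">x</a>\n'
                  '<a href="http://example.invalid/spam2">y</a></div>',
    'style.css': 'body { color: #333; }',
    'logo.jpg': '<?php eval(base64_decode($payload)); ?>',  # PHP hiding behind an image name
    'big.pdf': 'x' * 2048,                                   # over the 1 KB demo limit
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLES.items():
            Path(d, name).write_text(content)
        return scan_tree(d, max_kb=1)
```

Like the plugin's own suspicious-styles option, the hidden-link check will flag legitimate hidden elements too, so treat its output as a list of things to inspect rather than confirmed infections.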
What if the hacker has targeted the plugin itself?
Of course! A knowledgeable hacker can target the core files of the plugin itself, after which your scan results will report EVERYTHING FINE for your compromised installation!
To address this, the plugin developers list the MD5 checksum of the exploit-scanner.php file at the very bottom of the plugin’s settings page:
When in doubt, compare your plugin file’s hash with the hash values listed on the plugin page: https://wordpress.org/plugins/exploit-scanner/. If the values match, there is no problem with exploit-scanner.php; if they don’t match, the file has been compromised, and you should uninstall the plugin, reinstall a fresh copy and re-scan your installation.
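An added example (not the plugin's own code) of the integrity check described above: compute the MD5 of exploit-scanner.php and compare it with the published value. The plugin path, the placeholder checksum and the sample file contents are assumptions made for this illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def md5_of_file(path, chunk=65536):
    """Stream the file in chunks so large files need not be read into memory at once."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()

def verify_plugin_file(path, expected_md5):
    """Return 'ok', 'mismatch' or 'missing' for the file at path; expected_md5 is the
    checksum copied from https://wordpress.org/plugins/exploit-scanner/."""
    try:
        actual = md5_of_file(path)
    except FileNotFoundError:
        return 'missing'
    # Constant-time comparison of the normalised hex digests.
    ok = hmac.compare_digest(actual, expected_md5.strip().lower())
    return 'ok' if ok else 'mismatch'

# Placeholder: replace with the checksum published on the plugin page.
EXPECTED_MD5 = 'EXPECTED_MD5_FROM_PLUGIN_PAGE'
# Real use (assumed default plugin location under the WordPress root):
# verify_plugin_file('wp-content/plugins/exploit-scanner/exploit-scanner.php', EXPECTED_MD5)

def demo():
    """Constructed stand-ins for exploit-scanner.php: pristine, tampered and absent."""
    with tempfile.TemporaryDirectory() as d:
        pristine = Path(d, 'exploit-scanner.php')
        pristine.write_bytes(b'<?php /* constructed plugin stub */ ?>')
        reference = md5_of_file(pristine)  # plays the role of the published value
        tampered = Path(d, 'exploit-scanner-tampered.php')
        tampered.write_bytes(pristine.read_bytes() + b'\n<?php /* injected */ ?>')
        return (verify_plugin_file(pristine, reference),
                verify_plugin_file(tampered, reference),
                verify_plugin_file(Path(d, 'absent.php'), reference))
```

Take the reference checksum from the wordpress.org plugin page; a hash displayed by a possibly compromised installation itself is not independent evidence.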