
How to Detect and Clean Malware in WordPress

Updated today

To detect and clean malware in WordPress, we’re going to use a plugin that helps analyze the health of our installations.

It’s essential to identify and understand the different vulnerabilities that can affect your WordPress services. There is no infallible and quick rule to eradicate vulnerabilities, but there is a set of procedures and precautions you can take as a user or website administrator that will lead to a more secure system.

How to Detect and Clean Malware in WordPress

We’re going to use the Anti-Malware and Brute-Force Security by ELI plugin, developed by Eli Scheetz and focused on thoroughly scanning the files of the installation where it’s installed and detecting recognized threats or possible patterns of unrecognized threats.

This plugin was created to help WordPress administrators clean infections on their websites. It was inspired by the author’s own need to clean one of his hosting accounts. The plugin is currently offered completely free of charge, although you can get some extras by making a donation to support the project.

Key Features of Anti-Malware and Brute-Force Security

  • Automatic removal of known threats.

  • If you make a donation to the author, you can download definitions of new threats as they’re discovered.

  • Automatically updates vulnerable versions of the TimThumb script.

  • Automatically patches wp-login.php to block brute-force attacks.

  • Runs a quick scan from the admin menu.

  • Allows you to customize the scanner settings.

  • Can perform a full scan from the settings page.

Once installed, the plugin must be registered at gotmls.net to access new definitions of known threats and additional functions such as auto-renewal, as well as patches for specific security vulnerabilities like older and vulnerable versions of TimThumb.

Go to the website mentioned above and fill out the form with your details to register:


Updated definition files can be automatically downloaded from the admin once you’ve registered and obtained the key. Otherwise, this plugin only scans for potential threats and leaves it up to you to identify and remove malicious code.

To download the latest virus definitions, click at the top right and follow the instructions.

The download process will start, showing the current progress.

Note: This plugin uses a “phone home” function to check for updates. This is no different from what WordPress already does with all its plugins. Staying up to date is essential for security, so check frequently for available definition updates.

Be Careful with What You Delete

It’s important to use good judgment when evaluating the results of suspicious files and not delete anything unless you clearly understand its function and legitimacy.

For example, if the Anti-Malware and Brute-Force Security scan log reports the file /wp-admin/press-this.php as suspicious, search Google, Yahoo, etc. for that file to understand its function in WordPress.

The Press This function allows quick publishing with a special bookmarklet from the browser. You can create a post quoting some text, images, and videos from any web page.

Applying the appropriate action in each case involves individually evaluating each file detected as suspicious, reviewing the code linked in the warning [1], [2], etc., and filtering it as a legitimate file for future scans using the Whitelist this file button.
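One way to support that per-file evaluation is to compare each flagged path with a clean copy of the same WordPress release before deciding to whitelist or delete it. The script below is an added example, not part of the plugin or of the original article; it assumes you have unpacked an official copy of your exact WordPress version next to the site, and the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(clean_root: Path) -> dict:
    """Map each relative path in a clean copy of the release to its SHA-256."""
    return {p.relative_to(clean_root).as_posix(): sha256_of(p)
            for p in clean_root.rglob("*") if p.is_file()}


def triage(site_root: Path, flagged: list, manifest: dict) -> dict:
    """Classify scanner-flagged paths against the clean-release manifest."""
    verdicts = {}
    for rel in flagged:
        key = rel.lstrip("/")
        target = site_root / key
        if not target.is_file():
            verdicts[rel] = "missing"
        elif key not in manifest:
            verdicts[rel] = "not-core"       # not shipped with the release: review by hand
        elif sha256_of(target) == manifest[key]:
            verdicts[rel] = "matches-core"   # byte-identical: likely a false positive
        else:
            verdicts[rel] = "modified-core"  # core file altered: diff against the clean copy
    return verdicts


def demo() -> dict:
    """Constructed sample: a clean tree and a site tree with two differences."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-admin").mkdir(parents=True)
            (root / "wp-admin/press-this.php").write_text("<?php // Press This (constructed)\n")
            (root / "wp-login.php").write_text("<?php // login (constructed)\n")
        # Constructed changes that exist on the site copy only.
        (site / "wp-login.php").write_text("<?php // login (constructed, altered)\n")
        (site / "wp-admin/extra.php").write_text("<?php // unknown file (constructed)\n")
        flagged = ["/wp-admin/press-this.php", "/wp-login.php", "/wp-admin/extra.php"]
        return triage(site, flagged, build_manifest(clean))


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:14} {path}")
```

A modified-core verdict is a prompt to diff the file, not to delete it: a wp-login.php that the plugin itself has patched will also differ from the release copy.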

Best Practices in WordPress

Some of the most important actions to harden WordPress involve good CMS usage practices, strict update policies, and alternating daily, weekly, and monthly backups. In addition:

  • Make sure your WordPress installation has the latest updates for the core, plugins, and themes.

  • Minimize the number of plugins you use (and delete inactive ones).

  • Always use strong passwords.

  • Implement secure authentication methods like Latch.

  • Apply extra WordPress protection using .htaccess.

  • Only download themes and plugins from trusted sites.

  • Evaluate the update frequency of plugins and themes before installing them (outdated plugins can be vulnerable).

There’s no formula to make WordPress 100% secure, but by limiting vulnerable vectors you’ll repel many malicious attacks or malware infections.
