How to detect Malicious (Exploit) code on WordPress
July 20, 2011. Posted by Tournas Dimitrios in Wordpress.
With over 30 million blogs running WordPress, it is a major target for spammers; a good example is the "Pharma hack" that surfaced about a year ago. The pattern is as follows: an attacker breaks into your blog and embeds malicious (exploit) code into core files, and into the database of your site, to do its dirty work. Malicious code often looks like long strings of encoded gibberish, typically a base64 blob handed to eval(), that acts as a backdoor into your website. There is a plugin, Exploit Scanner, that does an incredible job of actually finding this stuff. It does not remove anything (that is left to the user to do); good practice is to make a fresh installation of the core files, drop the database and restore the content from a known-good backup taken before the compromise, then change every password and secret key, since a backdoor usually comes with stolen credentials. You have a backup policy, don't you?
Unfortunately it’s impossible to catch every hack and it’s all too easy to catch false positives (show a file as suspicious when in reality it is clean). If you have been hacked, this script may help you track down what files, comments or posts have been modified. On the other hand, if this script indicates your blog is clean, don’t believe it. This is far from foolproof.
For the paranoid…
To guard against someone hiding malicious code inside this plugin itself, and to check that its signatures file has not been changed, open the plugin's page under Dashboard -> Tools -> Exploit Scanner and compare the MD5 hashes it reports with the ones published on the plugin's home site. The reference hashes must come from that external site, never from something stored on your own server: an attacker who can modify the plugin can also modify a hash kept next to it. MD5 is no longer collision resistant, but for spotting a file that was tampered with after the fact, using a reference hash you fetched out of band, it is still adequate; if a SHA-256 value is published, prefer it.
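As an added example (not code from the plugin or from the original post), the same integrity check can be scripted so that it covers every file in the plugin directory and also flags files the manifest does not know about, which is how many backdoors arrive. The manifest is a dictionary of relative path to expected digest that you would fill from the plugin's home site; the directory, file contents and digests used below are constructed for the demonstration.

```python
"""Verify a plugin directory against a manifest of expected digests.

Added example: the manifest, files and the tampering shown in demo() are
constructed; this is not the Exploit Scanner plugin's own check."""
import hashlib
import os
import tempfile


def file_digest(path, algo="md5"):
    """Hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(root, manifest, algo="md5"):
    """Return {relative_path: 'ok' | 'MODIFIED' | 'MISSING' | 'UNEXPECTED'}.

    `manifest` maps relative paths to expected hex digests and must come
    from outside the site (the plugin's home page or a clean download),
    never from the possibly compromised server itself."""
    report = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "MISSING"
        elif file_digest(full, algo) != expected.lower():
            report[rel] = "MODIFIED"
        else:
            report[rel] = "ok"
    # Files on disk that the manifest does not list are suspicious too:
    # attackers often drop a new file rather than edit an existing one.
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")
            if rel not in manifest:
                report[rel] = "UNEXPECTED"
    return report


def demo():
    """Constructed scenario: an intact signatures file, a tampered main
    plugin file and a dropped backdoor. Returns the verification report."""
    clean_main = b"<?php\n// exploit-scanner main file (constructed)\n"
    clean_sigs = b"<?php\n$exploit_scanner_signatures = array();\n"
    # In real use these digests come from the plugin's home site.
    manifest = {
        "exploit-scanner.php": hashlib.md5(clean_main).hexdigest(),
        "exploit-scanner-signatures.php": hashlib.md5(clean_sigs).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "exploit-scanner.php"), "wb") as fh:
            fh.write(clean_main + b"eval(base64_decode($_POST['x']));\n")  # tampered
        with open(os.path.join(root, "exploit-scanner-signatures.php"), "wb") as fh:
            fh.write(clean_sigs)                                           # intact
        with open(os.path.join(root, "cache.php"), "wb") as fh:
            fh.write(b"<?php @eval($_GET['c']);\n")                       # dropped file
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:10} {path}")
```

Run it against a real installation by pointing `verify_manifest()` at the plugin directory and a manifest you built from a clean copy; anything other than `ok` deserves a look, and `UNEXPECTED` files in an upload or cache directory are the usual place a web shell hides.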
- Install and activate the plugin.
- To run the scan go to Dashboard -> Tools -> Exploit Scanner.
- When the scan completes, the results are displayed. The three levels of results are:
1) Severe: strong indication of a hack or exploit code.
2) Warnings: not as bad as Severe, but treat with caution.
3) Notes: lowest priority; results commonly seen and probably safe.
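To make the three levels concrete, here is an added example of a small signature scanner, written in Python for this article rather than taken from Exploit Scanner. The signatures, the severity assigned to each, and the sample theme file, upload, core file and post are all constructed; the real plugin's signature set is far larger, and anything that passes this toy scanner has proven nothing.

```python
"""Toy signature scanner illustrating Exploit Scanner's Severe/Warning/Note
levels. Added example: signatures, severities and sample data are constructed
for this article and are not the plugin's own."""
import re
from collections import Counter

SEVERE, WARNING, NOTE = "Severe", "Warning", "Note"
LEVEL_RANK = {SEVERE: 0, WARNING: 1, NOTE: 2}

# (level, pattern, description). Severity is this author's judgement, not the
# plugin's. Patterns are line-oriented, so payloads split across lines slip by.
SIGNATURES = [
    # Severe: constructs that almost never appear in legitimate WordPress code.
    (SEVERE, re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval() of a decoded payload"),
    (SEVERE, re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
     "preg_replace() with the /e (code execution) modifier"),  # assumes / delimiter
    (SEVERE, re.compile(r"\b(eval|assert|system|shell_exec|passthru|exec|popen)"
                        r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "dangerous function called on request input"),
    # Warning: suspicious, but legitimate code or content occasionally does this.
    (WARNING, re.compile(r"\beval\s*\("), "bare eval() call"),
    (WARNING, re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
     "long base64-looking string literal"),
    (WARNING, re.compile(r"<iframe\b", re.I), "iframe in post or comment content"),
    (WARNING, re.compile(r"style\s*=\s*['\"][^'\"]*display\s*:\s*none", re.I),
     "hidden element (typical of spam link cloaking)"),
    # Note: obfuscation helpers that are common in clean code too.
    (NOTE, re.compile(r"\b(base64_decode|str_rot13|gzinflate)\s*\("),
     "decode/obfuscation helper (often legitimate)"),
]
# Check the most severe signatures first so one line yields one finding.
ORDERED = sorted(SIGNATURES, key=lambda s: LEVEL_RANK[s[0]])


def scan_text(name, text):
    """Scan one file or post body. Returns [(name, lineno, level, description)],
    reporting only the most severe matching signature per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for level, pattern, desc in ORDERED:
            if pattern.search(line):
                findings.append((name, lineno, level, desc))
                break
    return findings


def scan_all(sources):
    """Scan a {name: text} mapping (files and posts alike); Severe first."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_text(name, text))
    findings.sort(key=lambda f: (LEVEL_RANK[f[2]], f[0], f[1]))
    return findings


def summarize(findings):
    """Count of findings per level, e.g. {'Severe': 2, 'Warning': 1}."""
    return dict(Counter(level for _, _, level, _ in findings))


# Constructed sample input: a backdoored theme footer, a web shell dropped in
# uploads, a clean core file that uses base64 legitimately, and a spam post.
SAMPLE_SOURCES = {
    "wp-content/themes/twentyten/footer.php":
        "<?php\n"
        "get_sidebar();\n"
        "eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWyd4J10pKXtldmFsKCRfUE9TVFsneCddKTt9'));\n"
        "wp_footer();\n",
    "wp-content/uploads/2011/07/thumbs.php":
        "<?php\n"
        "@system($_GET['cmd']);\n",
    "wp-includes/class-legit.php":
        "<?php\n"
        "$data = base64_decode($row->payload); // ordinary use of base64\n"
        "$html = preg_replace('/<br>/', \"\\n\", $html);\n",
    "post:42":
        "<p>Great article!</p>\n"
        "<div style=\"display:none\"><a href=\"http://example.invalid/buy\">cheap pills</a></div>\n",
}

if __name__ == "__main__":
    results = scan_all(SAMPLE_SOURCES)
    for name, lineno, level, desc in results:
        print(f"[{level:7}] {name}:{lineno}  {desc}")
    print(summarize(results))
```

The one-finding-per-line rule keeps a single `eval(base64_decode(...))` from being reported three times at three levels. Note what the clean core file shows: `base64_decode()` on its own lands at Note, exactly the "commonly used and probably safe" class, and a `preg_replace()` without the `/e` modifier is not flagged at all. Real scanners also walk the database (posts, comments, options); here the post is just another text source.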
There is criticism of how effective scanning for malicious code really is, and part of it is fair: a scanner only finds what its signatures describe, and an attacker who controls the server can also edit or disable the scanner. Still, my belief is that not all malicious code is cleverly written, so some basic scanning is indeed somewhat effective. Of course the most effective way to protect your website is to harden it: restrictive permissions on your configuration files (wp-config.php above all), and no directory that is both writable by the web server and allowed to execute PHP. That's a subject for a future article :).