Best WordPress Malware scanning and Clean up plugins

Posted by & filed under Malware, Troubleshooting.

WordPress malware

Once you have your WordPress site optimized and running well and getting the traffic you need, the last thing you need is for your WordPress site to get a Malware infection. Malwares can bring down your site and your business if you do not act against it quickly.

Before we get started with comparing the WordPress malware plugins for detection or clean up, let’s talk about the common mistakes / vulnerabilities which cause WordPress security issues. You can also say that these points should be kept in mind in order to avoid getting malware on your WordPress site:

  • Weak Admin Password : One of the most common and most unforgivable mistake is setting a weak login password for your WordPress site. having a weak password can expose your site’s admin section. This can be very easily avoided by simply setting a strong and unique password. Some points that you should keep in mind while setting the password for your WordPress site
  1. Choose a password which is long (at least 8 characters) and contains alphabets (both upper and lower case), numbers and symbols as well.
  2. Make sure the same password is not used for any other account outside of WordPress, i.e the WordPress login password should be specific to the WordPress site only.
  3. Try using a reCaptcha or 2FA (two factor authentication) plugin for added security.
  • Outdated Plugins / Themes or WordPress version : Another big reason due to which we see a high amount of malware of WordPress sites, is keeping outdated or vulnerable versions of Plugins. Plugin and theme author’s work hard to keep there product decure and keep pushing new updates frequently and if these are not updated by the users, then are at a high risk of getting malware on there site. Along with plugins and themes, the WordPress core should also be kept up to date to avoid malware.
  • Using NULLED themes and plugins : One might be tempted to download and use nulled versions of premium themes and plugins, but there is always a fine print. Almost all of the nulled themes and plugins and we checked had a malware hidden in them. A lot of the times users install malware on there sites themselves by installing nulled themes and plugins.
  • Shared Hosting : Sometimes when a lot of sites are hosted on a single shared hosting server, if one of the site gets a malware it can very easily spread to the other sites if the server is not configured well.

 

7 Easy way to protect your WordPress site from getting hacked

 

Quttera Web Malware Scanner

WordPress malware
Active Installs: 10,000+
Rating: 4 / 5
Price: Free – $599 / Year

Quttera Web Malware Scanner plugin is a great plugin to improve the security of your website . It helps in scanning your site for malwares. What makes Quttera different is that it can scan for JavaScript code complication, malicious iframes, auto-generated malicious content, hidden eval code and many other things. Moreover, it also helps in checking if your website is blacklisted by Google.

How Quttera works

Quttera has one of the largest if not the largest number of suspicious code patterns with which it checks all the wp-content files with. It uses PHP regex matching to scan all the files. All the suscious code samples are base64 encoded and can be found in the ‘patterns.db’ file in the plugin. Along with regex matching Quttera also runs the site domain names through it’s external malware scanner to scan the site’s front end as well.

Some of its security features are:

  • Detection of unknown malware
  • Checking blacklist status
  • Easy scanning
  • Finding external links
  • Scanning of WordPress files
  • Provides detailed report
  • Reveals injected PHP shells
  • Finds the files that are attacked by PHP malware
  • No signature updates
  • Artificial intelligence scan engine.

Sucuri Security

WordPress malware
Active Installs: 300,000+
Rating: 4.5 / 5
Price: Free – $499.00 / Year

Sucuri  is one of the most popular malware detection and clean up platforms available today. They offer paid services starting from $16.66 per month. They also offer a free WordPress plugin, Sucuri Security, which is one of the most popular security plugins for WordPress. This plugin is widely used for all sorts of security. It is a great choice for hardening the existing security of your site. The plugin provides you wide range of security features that will have a positive effect on your security.

How Sucuri works

Sucuri basically works in 2 steps. In the first step, it creates a hash for the plugin and theme files and runs them through it’s own database and compares it with existing entries. If it finds that any plugin/theme hash does not match with the one in it’s DB, then it marks that file as suspicious.

In the 2nd step the domain is run through the Sucuri Site Scanner SiteCheck. This basically extracts all the URLs present in the front end files of the site and extracts it’s contents and checks it against it’s malware database.

Some of the features of includes:

  •  Integrity monitoring of files
  • Firewall for your website
  • Blacklist monitoring
  • Auditing of security activity
  • Malware scanning
  • Notifications of security breach
  • Security action after hack

Users choose this plugin for monitoring any change in the activities that can be damaging to your website. This is a good choice for developers and admins who have an understanding of the codes and systems. Though the Sucuri Security plugin is free to download, but some features can be acquired only by subscription. The feature of the firewall is an additional service that is available in the premium versions.

WordFence Security

WordPress malware
Active Installs: 2,000,000+
Rating: 5 / 5
Price: Free – $99 / Site

The most popular WordPress security plugin, which is also available free. WordFence is one of the most comprehensive and powerful WordPress security plugin available today. It has one of the largest database of malware sample to compare from, which is updated quite frequently. The premium version of WordFence includes features like a real-time IP blacklist, firewall rules etc.

How WordFence Works

WordFence scans the WordPress core files against the hash codes for each file which are stored in the WordFence Malware signature database. Along with the core files, it also checks the plugins and themes against the Malware signatures in it’s database. The malware signatures cover a lot of malwares like backdoors, phishing URLs, trojans and suspicious codes.

Some of it’s top features are :

  • Blocking of complex and brute force attacks through Firewall
  • Security Scan alerts you quickly in the event of a security issue
  • Threat Defense Feed keeps Wordfence up to date with the latest security data
  • Robust login security features
  • Configurable security alerts
  • Gain insight into traffic and hack attempts
  • Security incident recovery tools

AntiVirus

WordPress malware
Active Installs: 90,000+
Rating: 4 / 5
Price: Free

Another good choice in WordPress security / malware plugins is the AntiVirus. This plugin is best for strengthening your security against any spam injections, exploits, and malware. It has a user-friendly interface that will enable you to set the plugin to perform daily scans. In case the plugin detects anything suspicious or threatening, it will send a security notification to your email address.

Furthermore, it is a plugin as it will help you protect against hacking attempts. If your website is hacked, it will notify you immediately, so you can take action accordingly. The AntiVirus plugin will also send notification if someone tries to hack your website. The plugin has 2 languages available, English and German.  There are extensive features of this plugin that makes it the right choice.

How AntiVirus Plugin Works

The plugins matches the RegEx for know Malware signature from it’s database. We found that AntiVirus plugin has a limited number Malware signatures with which the plugins and theme files are check against. Along with the malware comparison, it also checks and reports back the SSL status of the domain.

Here are the features of this plugin.

  •  Alerts when the plugin detects virus
  •  Clean up after plugin removal
  •  It has whitelist option
  •  Safe Google Browsing for malware and monitor phishing
  •  Scan every day and sent email notification
  •  Can be translated into various languages
  •  It is WordPress 4.x ready
  •  Scans the database tables and templates of theme

Exploit Scanner

WordPress malware
Active Installs: 50,000+
Rating: 3.5 / 5
Price: Free

If you want to make sure your website is free from virus and malware, Exploit scanner is the best option. It scans the files on your website along with post and comments. Additionally, it will search the list of active plugins for suspicious and unusual file names. This plugin will not stop the attack from the hacker, but it will help you find the files hacker planted. The plugin will search your site for any change in the database records and files. Exploit Scanner is a security plugin that will keep your site safe from viruses and malware.

How Exploit Scanner WordPress plugin works

Exploit Scanner matches the plugins and theme files against known malware regex signatures which are present in it’s code. For the Core files, it compares the hash codes for the files.

Anti-Malware Security and Brute-Force Firewall

WordPress malware
Active Installs: 200,000+
Rating: 5 / 5
Price: Free

One of the most used security plugins is the Anti-Malware Security and Brute-Force Firewall. It will perform a complete scan that will get rid of security threats. Along with it, the plugin will eliminate the backdoor scripts and will block the malware like SoakSoak. It will update the susceptible versions of timthumb scripts. This will download the updates that will protect your site against new threats. The free version of the plugin doesn’t include all the features, some of them are available in premium features. The premium version will improve the WordPress login in order to limit the DDoS and Brute-Force attacks. Moreover, it will monitor the integrity of the core files of your WordPress. The plugin will download the definition update when compete scan will be running. Therefore, this plugin is a great choice to keep your website protected.

In the end, your website will never be safe completely. The online threats are rapidly changing and will test your defenses continuously. This doesn’t mean that you are helpless and you can’t do anything to keep your site safe. With the help of these security plugins, you can strengthen your security protocols. They will help you prevent potential security threats and avoid any long-lasting damage. Most of the plugins are safe, free, and easy to use.

Real World Test and Performance

Now lets test these plugins on a compromised site infected with malware. The test will be run on the same WordPress site and each plugin will run there scan one by one. The site is compromised in 4 places :

  1. An Extra File in added in the WordPress core files
  2. One core file is modified to imitate a malware
  3. A backdoor added in one of the Theme’s file
  4. An infected file in one of the plugin’s folder

Each scan will also be tested to check how much load they add on the server while scanning the files and folders and also the time taken for each scan

Lets start with the results :

Plugin

1
 2
 3
 4
 WordFence
         
 Quttera
       
 Sucuri
       
 Anti Virus
       
 Exploit scanner
       
GOTMLS
       

In the above table the numbers in the first row correspond to the malware / infected code, mentioned above the table which are added in the site. We can see from the results that WordFence performed the best having detected all the 4 issues in it’s scan. Quttera could not catch the changes in the WordPress core files but managed to catch the malware in the plugin and themes folders. Sucuri site scan managed to catch the WordPress core file changes, but failed to catch the infection in the plugin and theme folders. AntiVirus was able to find just the backdoor in the theme folder and failed to catch the core file changes and the extra file in the plugin. Another good performer was the Exploit Scanner plugin which just failed to catch the backdoor but was able to detect the core file changes and the extra infected file in the plugin folder. The Anti-Malware Security and Brute-Force Firewall (GOTMLS) could not detect any of the four changes / infections but it did manage to show the extra file in the WordPress core folders but it skipped it from scanning and did not flag it as a malware or an infection.

Catching the Malware might be the considered the most important factor while judging  a WordPress malware detection plugin, but it is not the only factor that we should look into. The site used for testing was a small site with less than 50 posts and 10 plugins, but there are a lot of WordPress sites with a very large number of posts and plugins which increases the site and database size considerably. Running a malware scan on these sites can take up a lot of time as well as resources of the server, which can lead to the site getting slow or even crashing and giving errors during the scan. This is why it is important to also factor in the server load and scan time while picking a good malware detection plugin.

Here we can see the time taken to serve each request during each plugin’s scan. The normal site load was around 133 ms/request.

Plugin

Peak  Request Time
Scan Time
 WordFence
   1,810 ms/req  11 mins
 Quttera
 1690 ms/req  7 mins
 Sucuri
 6,270 ms/req  5 mins
 Anti Virus
 1,580 ms/req  5 mins
 Exploit scanner
 1,530 ms/req  6 mins
GOTMLS
 2,800 ms/req  10 mins

 

Test Results : So which is the Best WordPress malware Plugin

Let’s discus each plugins performance very briefly individually

WordFence : The Plugin was the best in detecting the malware / infections on the site and caught all 4 malware issues, but it took the most time in conducting the scan and also put the second most amount of load on the server during the scan among all the plugins tested.

Quttera : It was not able to detect the changes or malware in the WordPress core files and folders but it did pick up the infections in the plugin and theme files. The server load increased a lot with this plugin as well but the scan time was less than that of WordFence at 7 minutes.

Sucuri : The sucuri plugin was only able to detect the WordPress core files and folders changes and did not detect the malware in the theme and plugin folders. This plugin increased the server load the most out of all the plugins and that too by a considerably high number at 6270 ms/req. The time for which the scan ran was at 5 minutes.

Anti Virus : The plugin was unable to detect 3 out of the 4 malware issues for which we tested for, but the server load did not increase as high as the other plugins and had a scan time of 5 mins

Exploit scanner : The Exploit scanner plugin performed fairly well but was unable to detect one infected code in the theme folder. The server load increased was the least out of all the other plugins and also had a lower time taken to complete the scan at 6 minutes

GOTMLS : Being a very popular plugin, we were very surprised to see this plugin not fair well at all. It was unable to detect any of the 4 malware tests that we put it up to and also took one of the longest time to complete the scan at 10 minutes along with a high server load as well during the scan.

Which malware plugin should you use ? This really depends on the type of site you have and the site size as well. If you have a large size then you might want to use a plugin which does not increase the server load that much. The better performing plugins out the lot for our test conditions were WordFence and Exploit scanner, but you might see different results for the same plugins for your site.

We will be happy to hear your experience with these plugins and if there are any other plugins which you liked but we did not cover here

 

Leave a Reply