How to Scan and Detect Malware in WordPress Themes
There are few things worse than putting your heart, time, and a fair bit of your budget into creating a website only to find it infiltrated by hackers and malware. You can add antivirus software and put firewalls in place, but the real problem may be coming from inside your website.
Themes and plugins have become a blessing for developers and DIY site owners alike. They make creating a functional, aesthetically pleasing website easy, and they’re great for SEO. However, many come with built-in vulnerabilities by design or they’re just plain badly constructed and unsupported.
The Dangers Hidden in Themes
WordPress (WP) is one of the most popular content management systems around, powering nearly two-thirds of all websites on the internet. It’s also one of the most frequently hacked website building platforms. Although there’s no centralized support team, WP has a large and thriving community and many developers.
This is where part of the problem with WordPress security lies. There’s a large depository of free and premium themes and plugins on the WP website, but the majority of infected themes and plugins come from third-party libraries that do little to protect people who download the software they distribute.
The danger with themes, especially many free themes, is that they can leave your website open to hacking and malware infections. Some contain relatively benign coding that acts like spyware or marketing trackers. Others contain malicious code that redirects your traffic to another website, trigger annoying pop-ups and banner ads, or infect your website with malware that can, in turn, infect the devices of your visitors.
An infected site could even result in losing your hosting account and being punished by Google.
Old themes pose one of the largest risks for WP sites. Public vulnerabilities are exposed on bug forums and malicious third parties can easily set up scripts to exploit these. WordPress.org has gone out of its way to ensure that all users understand the importance of updating themes and plugins.
Third-party plugins are one of the world’s culprits for these. A recent bug in OneTone exposed thousands of sites to backdoor vulnerabilities. Research by hosting review expert Alex Williams has shown that shared hosts are particularly at risk for these kinds of breaches. Certain bugs can allow root access to the server which can allow hackers to install malware on additional accounts. Alex recommends keeping plugins to a minimum, not using freeware products, keeping auto-updates on, and paying for third party protection like WordFence.
All in all, your best defense against these problems is to check out any themes and their developers before you install them, and delete rather than disable any unused, nulled, or unsupported themes from your directory. You should also set up a solid defense to prevent exploitation after you’ve installed your theme and plugins. Then, you can monitor your site to make sure the defenses you put in place are doing their job.
How Themes Spread Malware Infections
Software is more vulnerable to attack than hardware and accessories, but an infected website or network can play havoc with your computer by draining your resources and erasing files. Ransomware will even hold them, hostage, until you pay up. The UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) even warned about developing threats such as mobile ransomware and ransomware-as-a-service in a recent report. Others inject code that creates backlinks in your content or mine data to resell to criminals or marketers.
Not all signs of hacking are obvious. Some can only be uncovered after they’ve embedded code into infrastructure or caused chaos.
Some tell-tale clues include:
- Continual crashes or excessive downtime; with good hosting, you should experience less than an hour of unplanned downtime annually.
- “/White screen of death” when trying to access your website; this can be caused by a bad plugin or plugin incompatibility with your theme, but it could also be from malware injected into your files.
- Error messages or redirects when you load a page; this could mean that the WordPress .htaccess has been hijacked by a hacker.
- Warning messages from Google that your site has been infected; this may result in temporary or permanent banning if not addressed right away.
How to Scan Themes for Malware
There are several approaches to detecting and removing malware from your website. You can also find many tools created by WP developers and available in their plugins directory. Some techs recommend a plugin called Theme Authenticity Tracker (TAC), but that plugin hasn’t been verified by WordPress recently, and the WP directory page for TAC states that it may no longer be supported.
Scanning a Theme Before Installation
Although the majority of flawed or infected WP themes come from outside the WordPress directory, it’s still better to scan any theme you select before installation. Themes that are accessible from via Add new function under Themes on the WordPress admin dashboard are automatically installed with one click from there, but we want to scan the theme to check for problems before installation.
That means you’ll have to download your theme as a zip file and install it from your hard drive so you can scan it for viruses first. One of the best tools for that is called VirusTotal.
It’s really simple. You just go to their website home page and choose the file you want to be scanned. You can also choose a URL if you want to scan your site after it’s up and running, which we recommend.
The scan takes just a few minutes, and you’ll receive a report about the state of your theme when it’s done. Once it receives a clean bill of health, you can go ahead and install it on your host server. This tool can also be used to check for Trojans, worms, and other malicious apps.
Scanning and Site Monitoring
If you already have a server and website, whether it’s live or you’re still building it, you can scan your active theme to make sure it’s virus-free. Any unused themes or plugins should be deleted from your directory because they’re one of the top ways WP websites are hacked. You’ll have to disable it first from your theme directory, then send it to the trash bin. Do the same with any used or unsupported plugins.
One of the first steps to keeping your theme free from malicious code and viruses is to make sure it’s updated. I check mine daily because there seems to be a notice that I need to update my themes and plugins several times a week. I also get site monitoring free with my hosting plan.
If your hosting company offers this, even if you have to pay a fee, the 24/7 monitoring is worth the investment.
In addition to updates and host-initiated site monitoring, there are tools and plugins that will scan your theme and other website components for viruses and malware. We recommend one from Google Webmaster Tools called Google Safe Browsing.
To check a site with this tool, you type the URL and add your own URL at the end. It looks like this:
After adding your own domain at the end, it will look like this:
Just type that into the web bar and hit Enter, and you’ll get a Safe Browsing status if any portions of your site are infected.
You can look for potentially malicious files manually by conducting a cross-file search for eval. If any files with that name turn up, they contain hidden trackers or other problem code. This tutorial will walk you through the steps to fix that problem.
Free Tools and Scanners
In addition to the above-mentioned tools and techniques, there are a number of free malware scanners that you can use to check your theme and website for viruses.
- PCRisk is a free online tool that will check themes, plugins, and files for malware by simply entering your web address into the bar on their homepage and clicking the Scan for malware button below it.
- Sucuri has a free scanning tool on their website that has a similar interface to PCRisk and works in much the same way.
- SiteGuarding is another free checker platform that scans for malware. You can also use the free tools available on their site to check for spam, scan outbound links, and check for blacklisted domains. The sire is a little cluttered and confusing, though. It also contains some banner ads, and they won’t guarantee 100 percent detection unless you purchase a service. Save this as a last resort.
WordPress Security Plugins
As mentioned before, WP no longer recommends TAC. They do still have some anti-malware scanners in their directory that will keep your site safer. All of these can be found by searching the WP plugin directory or from your dashboard by going to Plugins and selecting Add New and searching from there.
The first is simply called WP Antivirus Site Protection. This will not only check your themes, but any files uploaded to your site. You could also try the
Quttera Web Malware Scanner plugin.
Bulletproof Security is a plugin that scans all the files on your website. On top of that, it offers .htaccess Security WordPress Protection (Firewalls), anti-spam, login security, and database backups.
Speaking of firewalls, you can get more multifaceted protection from the WP Anti-Malware Security and Brute-Force Firewall
You could spend a fair bit of time and money choosing the best theme for your content type or business model. Before you write one piece of content or launch your eCommerce site. make sure that the theme you choose is well-constructed and comes with support. You can keep your website infection-free by following the above suggestions.
How do you keep your website safe? Tell us about your challenges and success stories.