Find Out if You’re Hacked: How to Find and Delete Suspicious Code with Defender
Detecting suspicious code within a site isn’t always simple, and such code can easily go unnoticed. Thankfully, our 5-star Defender plugin is well equipped to find malware, let you know about it, and remove it. See how it’s done in this tutorial.
Looking for a convenient and hassle-free way to locate and delete suspicious code from your sites?
In this tutorial we’re showing you, step-by-step, how Defender’s vast suite of security features can help banish and keep suspicious code at bay.
You’ll also learn how to keep your sites protected from these kinds of issues going forward.
For reference, here are the 7 talking points we’ll be covering (feel free to jump to any specific section!):
- How to Scan Your Site for Malicious Code
- Deleting and Ignoring Issues
- Taking Care of Issues in Bulk
- Watching Out for False Positives
- Control Which Files To Scan With ‘Scan Types’
- Notifications of Suspicious Activities
- How to Schedule Regular Scans of Your Site
Let’s get into it.
Scanning your site for malicious code can be achieved through Defender’s dashboard under Malware Scanning. Here, you can see when your last scan was, any issues, and more.
The New Scan button kicks things off. Defender will then scan your WordPress core files for any suspicious code modifications or additions.
Once started, it generally only takes a few moments, depending on the size of your site.
Defender discloses the exact issue(s) and tells you what they are under the Issues tab.
From here, you’ll see a dropdown of each issue to get specific information, including:
- Issue Details: Consists of a brief explanation of the issue.
- Error: Showcases a snippet of the suspicious code.
- Location: Where the issue’s file path is located.
- Size: The size of the suspicious file.
- Date Added: Displays the date and time that the code was added to the WordPress site.
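The idea behind a core-file scan is a comparison of each file against known-good checksums, reporting what was modified, removed or added. The Python below is an added example, not Defender’s code: `md5_of`, `verify_core` and `demo` are names made up for this illustration, the manifest format (relative path mapped to MD5) is an assumption, and the three-file tree is constructed sample data.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    digest = hashlib.md5()  # matches the manifest format; read in chunks
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_core(root, manifest, core_dirs=("wp-admin", "wp-includes")):
    """Compare root with a known-good {relative_path: md5} manifest. 'added' is
    checked only in core_dirs; wp-content legitimately holds plugins and uploads."""
    modified, missing, added = [], [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != expected:
            modified.append({"location": rel, "size": os.path.getsize(path)})
    for top in core_dirs:
        for dirpath, _dirs, names in os.walk(os.path.join(root, top)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel.replace(os.sep, "/") not in manifest:
                    added.append(rel.replace(os.sep, "/"))
    return modified, missing, sorted(added)

def demo():
    """Build a constructed three-file 'core' tree, tamper with it, verify it."""
    files = {"wp-includes/version.php": b"<?php $wp_version = 'x';\n",
             "wp-includes/load.php": b"<?php // loader\n",
             "wp-admin/index.php": b"<?php // dashboard\n"}
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in files.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        # Constructed tampering: one file changed, one removed, one dropped in.
        with open(os.path.join(root, "wp-includes/load.php"), "ab") as fh:
            fh.write(b"// injected line\n")
        os.remove(os.path.join(root, "wp-admin/index.php"))
        with open(os.path.join(root, "wp-includes/cache-old.php"), "wb") as fh:
            fh.write(b"<?php // not part of the release\n")
        return verify_core(root, manifest)
if __name__ == "__main__":
    print(demo())
```

On a real site the manifest has to come from a trusted source for the exact WordPress version and locale installed, never from the server being checked.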
You can also perform additional scanning with Defender Pro. In this case, the other areas that will be scanned for vulnerabilities and suspicious code include:
- Plugins & Themes: Plugins and themes will be scanned for known, publicly-reported vulnerabilities.
- Suspicious Code: This takes scanning up a level by scanning all site files for suspicious PHP functions and code.
The results are then organized by WordPress core, Plugins & themes, and Suspicious code.
Defender makes getting rid of suspicious code as easy as possible. We’re literally talking one-click.
To get rid of an issue immediately, just hit the Delete button.
With that, the code will be deleted.
There’s also an option to Ignore an issue if you would like to remove a specific issue from the Issues tab.
Once you do this, it will no longer appear in the Issues tab, but will be moved to the Ignored tab.
One note of caution: It’s strongly recommended to be 100% certain that something is harmless before deleting and/or ignoring it. You can ask our 24/7 WordPress experts at WPMU DEV using live support to find out if you’re unsure or need advice.
If you have multiple issues, you can bulk action the items by selecting either Bulk Update or Ignore in the dropdown.
If you click Bulk Update, all the issues will be removed.
As previously demonstrated, any issues that are ignored show up in the Ignored tab and will no longer be identified as issues by Defender.
You can always restore them back to the Issues area with the Restore button, or by performing a bulk action on all the issues.
WordPress allows for a vast amount of customization, and this can lead to legitimate code being flagged as suspicious due to its resemblance to malicious code.
This can happen for various reasons, including if a function is modified by a plugin or theme, or if something is modified directly in the file or theme editor.
Luckily, Defender was designed to minimize false positives. However, malicious code is typically written to resemble legitimate code, so false positives are almost impossible to avoid completely.
To help verify suspicious code, here are a couple of steps you can take:
- Verify custom edits: Check with a developer to verify the questionable code.
- Contact our support: If you didn’t add the code, and you’re certain no one you know did either, feel free to contact WPMU DEV support for feedback and share what you’ve found to be malicious code.
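To see why a scan for suspicious PHP functions produces false positives, here is an added Python example, not Defender’s code or rule set. The signature list, the `scan_php` function, the two severity labels and both PHP samples are constructed for this illustration: a legitimate helper and an obfuscated loader call the same function, and only the surrounding context separates them.

```python
import re

# Illustrative signature list (an assumption for this example, not Defender's rules).
SIGNATURES = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
}

def scan_php(source):
    """Return one finding per line that calls a listed function.

    'high' means a decoder feeds eval on the same line, the usual shape of an
    obfuscated loader; 'review' means a lone call, where legitimate code lands.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hits = [name for name, rx in SIGNATURES.items() if rx.search(line)]
        if not hits:
            continue
        chained = "eval" in hits and len(hits) > 1
        findings.append({"line": lineno, "functions": hits,
                         "severity": "high" if chained else "review",
                         "snippet": line.strip()[:80]})
    return findings

# Constructed sample: a legitimate helper that decodes a token payload.
LEGIT = """<?php
function myplugin_read_token($header) {
    $parts = explode('.', $header);
    return json_decode(base64_decode($parts[1]), true);
}
"""

# Constructed sample: the shape of an obfuscated loader, with no real payload.
SUSPECT = """<?php
$blob = get_option('x_cache');
eval(gzinflate(base64_decode($blob)));
"""

if __name__ == "__main__":
    for name, sample in (("LEGIT", LEGIT), ("SUSPECT", SUSPECT)):
        print(name, scan_php(sample))
```

Both files are flagged, which is why a “review” finding still needs a developer to confirm it before anything is deleted or ignored.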
To track down malicious code, you can control what files are scanned in the Scan Types area.
It’s all done with a simple click in Settings. In Defender, the WordPress core switch turns that scan type on or off.
This is also where you can enter a maximum file size in MB; Defender skips files larger than this.
Setting up notifications is a snap in the Malware Scanning Notifications section.
Here, you can switch notifications “on” to be notified when a manual file scan has finished.
Once you’ve done this, you have several options for tweaking your settings, such as sending notifications when no issues are found and choosing which email addresses receive the notifications.
Plus, you can edit the email templates of your notifications for when issues are found and when they’re not.
Finally, you can customize the wording and information accordingly.
Another handy option that comes with Defender (Pro only) is the ability to run automated site scans.
This simple adjustment can be made through the Enable Reporting feature. Simply click “on” and you’ll be in business.
From this point, you can set the email addresses to send notifications to, the frequency, the day of the week, and the time of day that the report will be sent.
Defender’s customized report is created and set up exactly how you want and you (and any added recipients) will be emailed the results.
As you can see, suspicious code is no match for Defender and it really just takes one click to remove.
Beyond finding malicious code and the ability to delete it, Defender can stop SQL injections, prevent hackers from exploiting WordPress vulnerabilities, prevent PHP execution, and much more.