[Defender] Defender needs to add Malware Scanning of the Database

One of my websites was hacked this week. The bot found a vulnerability in a search and replace plugin and had used that to insert javascript redirect code in most of pages and posts on the site.

Defender still said that the site was fine ... but it wasn't. I have had this same thing happen on a few old sites I have inherited that had a plugin or theme with a vulnerability. The hacking bots inject javascript into the site - Defender scans the php files, and says everything is fine.

I'm currently looking for alternative security plugins that will have a malware scan and database scan built-in. But it is annoying to pay for an alternative product when I'm already paying for WPMU which has Defender as part of the subscription.

Feature request is:
- Please add malware scan and database scan to Defender.
At a basic level it should identify javascript that has been saved in the WYSIWYG editor (with the ability for us to mark a specific line as safe, in case we have actually put it in there ourselves). A more advanced level would be determining whether the javascript was malicious (e.g. redirecting users to another site).

Another site I know of had SEO links injected into the site, which had inline CSS with a big negative margin-top and margin-left so that the links weren't visible to users, but only to search engines. That type of thing could also be picked up in a database content scan.

Over the last year I have fixed about 10 Wordpress sites that have had this type of hack. In previous years I've cleaned up sites that have had loads of files dumped onto the server. But the more recent wave of hacks seems to be focused on injecting content or javascript redirects into the post content. So would be great if Defender could help us identify when that happens.

  • Josh
    • Design Lord, Child of Thor

    Here's a screenshot of some of the nasty javascript that was inserted - the section in blue is a single piece of javascript, from start to finish. This same code was inserted multiple times throughout each each post.

  • Kasia Swiderska
    • Support nomad

    Hello Josh,

    Thank you for proposing this feature - I had a quick chat with developer about it and seems that Defender team is preparing something similar to scan the content of the site. At the moment I can't give any details about the implementation or ETA, but it is on the plugin road map.

    kind regards,
    Kasia

    • Josh
      • Design Lord, Child of Thor

      The issue is that Defender is focused on keeping our sites secure ... but it isn't identifying one of the most common attacks that I've seen over the last year or so.

      Yes, the problem is that some plugins must have a vulnerability that allows the hack ... but since we often can't identify what plugin is causing the vulnerability, having Defender automatically scan the database content will help to alert site owners if a site gets this type of content inserted. At the moment, without this scanning, the only way we find out is that the site owner or a customer reports the problem ... or the site gets added to a blacklist.

      Great to hear the Defender team have this on the road map.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.