Defender doesn't detect malware

My Defender says my site is bug free. When I run the File Scan, however, sucuri says my site is infested with a lot of bugs, especially with javascripts.
Here is the report:

Why doesn't Defender detect this malware?

  • Nastia

    Hello Cody

    Hope you are doing well!

    The Defender scans only files with .php extensions, if a .php file is infected, the Defender will show it in scan results. Current Malware is javascript malware.

    Please scan your site and remove malware with this plugin:

    Before proceeding with scan, run a full backup of your site. You can create back up with the Snapshot Pro plugin. Make sure to create a back up of your .htaccess file and download it.

    If the above plugin will not detect the malware, please re-upload WordPress installation, plugins and themes.

    To re-upload WordPress, follow the steps from here:

    Make sure not to replace:
    - wp-config.php file
    - wp-content folder
    - wp-images folder
    - wp-includes/languages/ folder--if you are using a language file do not replace that folder
    - .htaccess file
    - robots.txt

    To re-upload plugins and themes, please download a fresh copy for each plugin that is installed on your site. With your FTP program, upload the Plugin folder to the wp-content/plugins folder one by one and replace the folders that are already there.

    Please let us know if you have any further questions!

    Kind regards,

  • Cody

    I am sorry but the solution provided isn't helpful. It is not able to detect javascript.

    Upon further investigation, I noticed that all of the payloads are located in the cache directory of the website:

    I've flushed the cache, but the payloads were re-generated, which means that there is still malicious .js code which is still present on the website and generating the malicious looking payload.

  • Dimitris

    Hello there Cody,

    hope you're doing good today! :slight_smile:

    I can see that your website isn't accessible at the moment (I'm getting a warning screen from hosting provider). Is this happening due to the infected website or are you migrating servers?

    Have you tried to re-upload WP core files, as well as all plugins and themes, after re-downloading them from their trusted sources, like my colleague Nastia mentioned above?

    Please advise!
    Warm regards,

  • Cody

    My host has taken down my site because of the infection. I can request access to your IP if you provide one. I don't think I have technical capabilities to re-install everything without breaking something. For now, I need a solution that can atleast javascript problems. If we can't even detect on any of the solution provided, I am not sure how to get it fixed. I wouldn't understand paying for the service at WPMU either when I am assuming it is a solution that I am paying for.

  • Nastia

    Hello Cody

    Hope you're doing well!

    Cache folder is a temporary saved files of your site, deleting them it will recreate the copy of your site again. The malware's code is located in a different location so clearing the cache files will not delete the malware.

    Any file can be compromised on your installation, it can be injected in a plugin or a theme that is installed on your site. Please see the steps that you need to take:

    The first step is to back up your full site folders and database. Plese give it a name so you could separate it from other backups, so you will not accidentally restore it. The backup can be done from the cPanel.

    Then please check with your hosting provider. This might be a serverside hack so if you are on a shared hosting, the sites that are located on the same server might be infected too; your hosting provider might check for the infected files.

    Next step is to download clean Wordpress file from Unzip the folder and using FTP application replace all the old WordPress files with the new ones in the wp-includes and wp-admin directories and sub-directories, and in the root directory (such as index.php, wp-login.php and so on).

    Do not delete wp-content folder, instead upload the individual files from the fresh wp-content folder to your existing wp-content folder, overwriting existing files.
    Please see this video for detailed instructions:

    Then please re-install all the plugins. You may delete them from the plugins list and install from the wp-admin again. Or you can download a fresh copy from the source and manually replace the plugin in
    /wp-content/plugins/ folder.

    Please see this video that shows how to re-install the plugin via File Manager from your cPanel:

    Repeat the same process for the themes, by re-uploading the freshly downloaded file.

    If after the above steps the malware still is loading on your site, please check the image folder for any leftover code. Sometimes supposed image files can contain code, so open all your image files, and ensure they really are images & don’t contain code.

    Please check the WordPress guide too:

    If you have a recent backup, please restore it and check if the site is infected.

    Hope this will help!

    Kind regards,

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.