How to remove a virus or malicious code from WordPress

Before you learn how to clean a WordPress site, you need to understand what exactly we will be dealing with. In a broad sense, a "virus" is malicious software that can cause some kind of damage to the owner of a web resource. Almost any code that intruders embed in the engine's scripts therefore falls into this category. It can be hidden links that lead to demotion in search results, backdoors that give a hacker admin access, or complex constructions that turn the site into a zombie node or even a Bitcoin miner. We will talk about how to identify and eliminate viruses of various calibres, and how to defend against them.

Many of the tips in previous articles help protect a site from infection. For example, an "infection" can come with pirated templates and plugins, so completely giving up such components is an important security step. However, there are a number of more specific nuances.

1. Install a reliable antivirus

Malware can be introduced not only from the outside: the source of infection may well be the computer from which the project is administered. Modern Trojans can not only steal an FTP password but also upload executable code on their own or modify CMS files, which means that the security of the web resource depends directly on the security of your work machine.

The IT market offers many antiviruses. Nevertheless, the most reasonable choice is the products of large companies:
● Among domestic products, the leading positions are held by Kaspersky Lab and Dr.Web;
● Among foreign commercial solutions, the Norton line from Symantec Corporation and the popular ESET NOD32 stand out;
● Among free options, Avast and Comodo are the unconditional leaders.

2. Scan the site using online services

If you notice suspicious activity (engine errors, slowdowns, pop-up windows and third-party banners), the simplest thing to do is to run the resource through an online scanner that can determine whether it is infected. The undisputed leader here is VirusTotal, located at virustotal.com. To use it, go to the "URL" tab, enter the link of interest and click the "Check!" button.

After some time, the system will return a report like the following:

It should be clarified: VirusTotal is not an independent project but a kind of aggregator of antivirus scanners. This makes it possible to check WordPress for viruses in 67 systems simultaneously. The undoubted advantage is a detailed report with data for all supported services. Antiviruses are very fond of raising false alarms, so even if the detection ratio differs from the ideal (for example, 3/64), this does not mean that the resource is infected. Focus first of all on the large players (Kaspersky, McAfee, Symantec, NOD32 and others); small vendors often flag certain sections of code as dangerous, and this should not be taken seriously!

3. Use Yandex.Webmaster

You have probably noticed that some links in search results carry a warning: "The site can threaten your computer or mobile device." The search engine has its own malware detection algorithms and notifies users of the potential risk. To stay aware of what is happening and receive notifications first, it is enough to register with the Webmaster service. You can view all the necessary information on the Safety tab:

If a threat is detected, information about the infected pages will be displayed here. Unfortunately, a selective WordPress check for viruses is not possible: Yandex scans on its own, and not all loaded web documents fall into the sample, only a randomly determined part of them.

4. Check with Google Reports

The most popular search engine in the world offers an even easier monitoring method: just go to google.com/transparencyreport/safebrowsing/diagnostic/?hl=ru and enter the address of the site in the appropriate field. You will receive comprehensive data on the resource and see whether Google has any complaints about malicious scripts:

How to clean a site of viral links?

From general recommendations we move on to specific ones. We begin with common variants of malicious code: the injection of foreign URLs and redirects to a target web resource. Unfortunately, black-hat SEO is still popular, so hackers do not sit idle, especially since this task is one of the easiest. Let's go through it in order.

1. Redirects to third-party resources

Imagine the situation: you go to your own website, but you are immediately thrown to some leisure catalog or a landing page offering to make money on Forex. This almost certainly means that the web resource was hacked and several new lines have appeared in .htaccess. The treatment is elementary: open the file, find the directives containing the address to which the redirection goes, and delete them. For a hypothetical malwaresite.com, the constructions to look for may be as follows:

    # Injected: permanent redirect of the whole site
    <IfModule mod_alias.c>
    Redirect 301 https://site/ http://malwaresite.com/
    </IfModule>

    # Injected: rewrite every request whose Host is not the listed domain
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_HOST} !^tekseo\.su [NC]
    RewriteRule ^(.*) http://malwaresite.com/$1
    </IfModule>

A more sophisticated option is a permanent redirect written in PHP. If you checked .htaccess but did not find anything suspicious, the snag most likely lies in the index.php file. Here the redirection is carried out by sending the visitor the required headers:

    include("redirect.php"); exit();

Remember: the original index.php contains no such fragments, so you can safely remove them all. Also find and delete the included file (in our example, redirect.php located in the root folder).

A more cunning move is a redirect for mobile gadgets. When you visit your resource from a personal computer you will never notice the infection, but users of smartphones and tablets will be unpleasantly surprised to land on another page. Such a redirect can be implemented in:

1. .htaccess.
The simplest method, and one that is easy to detect. The device is determined by the User-Agent. It may look like this:

    # Injected: only requests with a mobile User-Agent are redirected
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_USER_AGENT} ^.*(iPod|iPhone|Android).* [NC]
    RewriteRule ^(.*)$ http://malwaresite.com/
    </IfModule>

2. PHP.
The redirect is implemented in PHP in a similar way. The construction below can be found in the index file. Again, do not forget about the ubiquitous include:

    "/(android|bb\d+|meego).+mobile|ip(hone|od)|blackberry|ztei-/i", substr($uagent, 0, 4))) header("Location: http://malwaresite.com/"); ?>

3. JavaScript.
Here the screen resolution is checked: if the width is 480 pixels or less, the visitor is sent to a malicious site. If your project legitimately uses a similar method, be sure to check this block for a changed address.

    <script type="text/javascript">
    if (screen.width <= 480) { window.location = "http://malwaresite.com"; }
    </script>
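
The .htaccess variants above can be found mechanically instead of by eye. The following is an added example, not code from the original article: it audits an .htaccess file for Redirect and RewriteRule targets that leave the site and marks those gated on the User-Agent. `OWN_HOSTS` and the sample file are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately belong to the audited site (assumption for this example).
OWN_HOSTS = {"example.org", "www.example.org"}

# Constructed sample: a stock WordPress block followed by injected rules
# modelled on the ones quoted in the article.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(iPod|iPhone|Android).* [NC]
RewriteRule ^(.*)$ http://malwaresite.com/ [R=301,L]
</IfModule>
Redirect 301 /old-page https://www.example.org/new-page
Redirect 301 / http://malwaresite.com/
"""

REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp"}


def external_host(target, own_hosts):
    """Return the host of an absolute http(s) URL that is not ours, else None."""
    if not re.match(r"https?://", target, re.I):
        return None
    try:
        host = (urlsplit(target).hostname or "").lower()
    except ValueError:
        return None
    return host if host and host not in own_hosts else None


def audit_htaccess(text, own_hosts=OWN_HOSTS):
    """Return one finding per Redirect*/RewriteRule line that targets a foreign host.

    RewriteCond lines apply only to the next RewriteRule, so they are buffered
    and attached to it. A User-Agent condition marks a device-specific redirect
    that the site owner will not see from a desktop browser.
    """
    findings = []
    pending_conds = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending_conds.append(" ".join(parts[1:]))
            continue
        target = None
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]          # RewriteRule <pattern> <substitution> [flags]
        elif directive in REDIRECT_DIRECTIVES and len(parts) >= 2:
            target = parts[-1]         # the destination is always the last token
        host = external_host(target, own_hosts) if target else None
        if host:
            findings.append({
                "line": lineno,
                "directive": parts[0],
                "host": host,
                "conditions": list(pending_conds),
                "user_agent_specific": any(
                    "http_user_agent" in c.lower() for c in pending_conds),
            })
        if directive == "rewriterule":
            pending_conds = []         # conditions are consumed by this rule
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        kind = "mobile-only" if f["user_agent_specific"] else "all visitors"
        print(f"line {f['line']}: {f['directive']} -> {f['host']} ({kind})")
```
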

2. Check outgoing links

However, a redirect is too crude and obvious a method. Far more often you will encounter injected URLs hidden with CSS and other techniques. It is almost useless to fight what you cannot see. However, with the wonderful Xenu Link Sleuth utility you can assess the link profile of a WordPress site. The latest version of the program came out in 2010; nevertheless, it is still relevant today and even works perfectly under Windows 10.

After installing and running Xenu, click File - Check URL. You will see the window:


Here it is enough to enter the project domain and click OK. You can also add mask filters:
● Consider URLs beginning with this as 'internal' - treat addresses containing the given fragment as internal;
● Do not check any URLs beginning with this - excludes certain links from checking (for example, if you want to see only outgoing links, enter the site domain here).

When the procedure is complete, the utility will offer to check WordPress for so-called orphan files: web documents that no URL points to.

If you answer yes, an FTP authorization window will appear:


This feature can be useful if the site is old and has undergone many changes during its existence: it helps you clear the directories of "garbage". However, we are more interested in the scan results:

Thus, if there are viruses on WordPress that cause hidden URLs to appear, Xenu will help establish the fact of their presence. The only question is what to do next.

3. Find and destroy

Imagine that Xenu found active links to the hypothetical malwaresite.com. How do you find and remove them? Sometimes the task turns out to be extremely simple. Amateurs work crudely, limiting themselves to hiding the URL from prying eyes, while the address itself may be written in the code explicitly. The following options are possible:
1. Placing the URL in the footer instead of the copyright notice;
2. Using the orphan files described above (for example, an HTML document is uploaded to the images directory, and search engines can index it too);
3. Manipulations with cascading style sheets:
● text-indent: -99999999995px / position: absolute; left: -99999999995px - shift the link beyond the visible area;
● display: none / visibility: hidden - make the text invisible;
● font-size: 1px; - single-pixel URLs that cannot be seen.

To find and remove the virus from WordPress, it is enough to scan the entire engine for lines containing "malwaresite.com". In Windows, this can be done using the free file manager Unreal Commander:

1. Download all project files to a local folder on your computer using FileZilla, as described in the previous material;
2. Start Unreal Commander and click the spyglass icon to open the search interface;
3. Select the desired folder, tick the "Text" field, enter "malwaresite.com", select all encodings and click "Start Search".

The result will be a list of files in which the phrase was found. All that remains is to edit them, removing the lines of code responsible for outputting the link.
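
The same search can be scripted over the downloaded copy of the site. The following is an added example, not part of the original article: it reports literal hits for a known bad domain and also finds external links hidden with the inline CSS tricks listed above, even when the domain is not known in advance. `OWN_HOSTS` and the sample footer are assumptions constructed for illustration, and only inline `style` attributes are inspected, not rules in separate stylesheets.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

OWN_HOSTS = {"example.org", "www.example.org"}  # assumption: the site's own hosts

# Inline-style patterns for the hiding tricks listed in the article.
HIDING_RULES = [
    ("off-screen text-indent", re.compile(r"text-indent\s*:\s*-\d{3,}", re.I)),
    ("off-screen position", re.compile(r"(?<![\w-])(?:left|top)\s*:\s*-\d{3,}", re.I)),
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("tiny font", re.compile(r"font-size\s*:\s*[01](?:px|pt)?\s*(?:;|$)", re.I)),
]
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}

# Constructed sample footer: two hidden external links, one visible external
# link, one own link and one hidden but relative link.
SAMPLE_FOOTER = """<div id="footer">
<p>&copy; 2016 <a href="https://www.example.org/">Example blog</a></p>
<div style="position:absolute; left:-99999999995px">
  <span><a href="http://malwaresite.com/casino">best casino</a></span>
</div>
<a href="http://malwaresite.com/forex" style="font-size: 1px;">forex</a>
<a href="https://wordpress.org/">Powered by WordPress</a>
<p style="display:none"><a href="/sitemap.xml">sitemap</a></p>
</div>"""


class HiddenLinkFinder(HTMLParser):
    """Track open elements so a link inherits the hiding style of its ancestors."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.stack = []      # (tag, hiding reason or None) per open element
        self.findings = []   # (line, host, reason)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        reason = next((name for name, rx in HIDING_RULES if rx.search(style)), None)
        inherited = next((r for _, r in reversed(self.stack) if r), None)
        if tag == "a":
            try:
                host = (urlsplit(attrs.get("href") or "").hostname or "").lower()
            except ValueError:
                host = ""
            why = reason or inherited
            if host and host not in self.own_hosts and why:
                self.findings.append((self.getpos()[0], host, why))
        if tag not in VOID_TAGS:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy template markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(text, own_hosts=OWN_HOSTS):
    """Return (line, host, reason) for external links hidden by inline CSS."""
    parser = HiddenLinkFinder(own_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings


def scan_tree(root, needle, own_hosts=OWN_HOSTS,
              exts=(".php", ".html", ".htm", ".js", ".css")):
    """Walk a local copy of the site, including upload directories where
    orphan HTML files may sit, and report per file the lines containing
    `needle` plus any hidden external links."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = [n for n, line in enumerate(text.splitlines(), 1)
                if needle.lower() in line.lower()]
        hidden = find_hidden_links(text, own_hosts)
        if hits or hidden:
            report[path.relative_to(root).as_posix()] = {
                "literal_lines": hits, "hidden_links": hidden}
    return report


if __name__ == "__main__":
    for line, host, why in find_hidden_links(SAMPLE_FOOTER):
        print(f"line {line}: hidden link to {host} ({why})")
```
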

Using PHP antiviruses for WordPress

The cases described above are only the tip of the iceberg. A professional hacker can find a non-standard approach even to a task as simple as placing a hidden backlink. As a rule, you will not find anything on your own without the help of appropriate software. Fortunately, such solutions exist, and many of them are free. Let's look at the most effective ones.

1. AI-BOLIT

Probably the most popular antivirus product, from Revisium. It is available in two versions: for working directly on the hosting, and for a local machine running Windows (compatible with Windows 10, does not require installation). Unfortunately, the *nix version has no web interface and is only suitable for a VDS or dedicated server, so we will look at how to work with the PC tool.

1. Download the tool from revisium.com/kb/scan_site_windows.html and unpack it to any convenient place on your computer. Please note: the path to the directory must not contain Russian letters, so the easiest way is to place it in the root of the disk;
2. Inside the archive you will see the following: the folder with the antivirus itself, "AIBOLIT"; the folder "SITE" (copy the web documents to be checked here; all of them will be scanned regardless of nesting level); and three BAT files:
● Start - for a quick check;
● start_paranoic - deep scanning that identifies any suspicious code fragments;
● SCAN_AND_QUARANTINE - the script will place all dangerous files in an archive.
3. To start, double-click any of the BAT files, depending on the result you want. Scanning will begin, and the AI-bolit-report.html report will be generated from its results (it can be viewed in any browser). In quarantine mode, it will be in the archive together with the suspicious scripts.

Of course, there is actually no malware there at all. And, as can be seen in the screenshot, the developers themselves warn about the probability of errors.

2. Manul

In addition to monitoring, Yandex offers everyone a free antivirus of its own development. The Manul utility, written in PHP, can run on almost any web server and is compatible with most popular CMSs. In addition, the script can not only detect but also delete dangerous code. Below is a step-by-step guide to identifying and treating viruses.

1. Download the program from https://download.cdn.yandex.net/manul/manul.zip;
2. Unpack the archive into the root directory of your site;
3. Open the link site_name/manul/index.php (where site_name is the address of your site);
4. Come up with a password. The script has strict security requirements: the passphrase must be at least 8 characters long and contain capital letters, numbers and special characters.
5. Now you can start scanning by clicking the button of the same name. You can also configure the script by setting the query interval. The greater this value (in seconds), the longer the check takes. The value can be set to zero, but this can lead to a significant increase in response time, up to the resource becoming unavailable.
6. After that the check starts; do not close the tab before it is completed!
7. When the scan is complete, a window with a report button will appear. Click it to download scan_log.xml.zip.

8. In another browser tab, open the analyzer located at https://antimalware.github.io/manul/. Click the Upload File button and send the downloaded archive for checking.

9. At this stage we proceed directly to removing viruses from WordPress. A window will open in which you can choose operations on dangerous files (depending on the degree of threat, they are marked with a red, yellow or green flag). The "Quarantine" button archives suspicious files, and "Delete" gets rid of them forever.

10. After taking the desired actions, scroll down the page and copy the code that appears in the "Prescription" field.

11. Now go back to the Manul tab, go to the "Treatment" section, paste the copied code into the field that appears and click "Execute".


13. Upon completion of all procedures, a window with a log will appear on the screen. You can also download the files placed in quarantine, if there are any.

3. Santi

A young project designed to detect and eliminate viruses on WordPress. The product is currently in beta testing and is free; the only paid service is SMS notification of the owner about detected threats. In addition to the monitoring module itself, the script offers a variety of tools for eliminating the consequences of intruders' activity. But more on them later; first let's deal with the installation.

1. Download the distribution from the official site santivi.com. Unpack the contents of the archive into a previously created folder in the root directory, for example: /var/www/site/public_html/santi_av

The name above is a simple one, but it is best to use a random sequence of lowercase Latin letters and numbers.

2. Go to the antivirus page. In our example, the address will look like this: https://site/public_html/santi_av

4. When you first start it, you must configure the script, checking the automatically set parameters and adjusting them if necessary. Also be sure to change the authorization data:

5. Register on the product site, then fill in the "Personal Information" section by entering the Santi ID you received, your e-mail address and mobile phone number (optional, needed for SMS notifications). Then enable the preferred alert methods on the Informing tab.

6. On the Files and DB tab, specify the information for connecting to MySQL and select a method for backing up the web resource's files. The following options are supported:

● Creating a local copy;
● Using an FTP server;
● Yandex.Disk;
● Google Drive;
● Dropbox.

7. After completing the above steps, click the "Finish" button. If everything went well, the following will appear on the screen:

You can change the settings in the program section of the same name.

Santi has an intuitive interface and contains everything you need to effectively remove viruses from WordPress. The tools are grouped into thematic sections. Let's consider each of them:

1. Home.

The most essential information about the protection status is collected here. From the notifications section, you can issue commands for actions on detected threats.

2. Autopilot

Allows you to configure the actions the script performs automatically. Among them:
● File monitoring - checks the integrity of web documents, except dynamic ones (access logs, error logs, etc.). It checks the modification date, the hash sum, and the appearance of new directories and files.
● Database monitoring - records suspicious activity in MySQL.
● Backup - completely archives the site at set intervals, saving a copy on the server or in cloud storage. You can configure the parameters through the corresponding tool in the "Utilities" section (selective choice of directories and files is possible). The output is an archive in the specific .sabu format, which only Santi itself and its branded program for Windows PCs can handle.
● Checking the site through the eyes of search engines - uses information from Yandex and Google about threats detected on the resource.
● Checking the site through the eyes of desktop antiviruses - scanning based on signatures provided by the largest developers of cybersecurity solutions for PCs.

3. Utilities.

Here is a set of auxiliary tools designed to help maintain the site and ensure its security. Let's consider the most interesting ones:
● Date search. Useful if the period of infection is approximately known. Using filters, you can set a time range, list file extensions and indicate how to treat them (exclude them from the check or check only them).
● .ftpaccess configurator. Used to configure FTP servers based on ProFTPD and Pure-FTPd.
● Remove malicious inserts. Useful if the WordPress site has suffered from a virus whose code is precisely known. You can specify the beginning and end of the dangerous fragment, list the types of files to process or exclude, and choose the action "search" or "search and treat". In the latter case, the specified sequence is removed automatically when detected.
● File editor. Supports working in several encodings, line numbering and basic syntax highlighting.

Specialized antiviruses for WordPress

In addition to those listed, there are more narrowly focused solutions made as plugins for the CMS. Let's look at the most effective ones.

1. Antivirus.

How do you check WordPress templates for viruses? The answer lies in a small module with an extremely plain name and a very ascetic interface. The settings window offers to run a scan manually (Manual Malware Scan) or enable automatic project monitoring (Check theme templates for malware). The second checkbox lets you connect the Google Safe Browsing databases. You can also enter an email address, in which case reports will be sent to it.

If you press the "Scan Theme Templates Now" button, all templates installed in the system are scanned immediately. A page will appear:

The utility highlights suspicious fragments with a red frame. Of course, false positives are possible: in this case, AntiVirus flagged a block of code responsible for suppressing erroneous-authorization messages. In such cases, it is enough to click the "There is no virus" button.

2. TAC.

Another narrowly focused module is Theme Authenticity Checker. After installation, it appears in the "Appearance" section of the admin panel. There is nothing to configure or launch here at all: the plugin performs a fully automatic scan and gives a verdict without any details:

3. Quttera.

A more advanced module that scans the entire engine. Two types of checks are available: external, using the online service:

and internal, using the plugin itself. To start them, it is enough to click the "Scan Now" button.

The result of the check will be the following report:

As you can see, the antivirus divides all the files found into potentially dangerous, suspicious and malicious. This classification is largely arbitrary: like its analogues, Quttera tends to raise false alarms. It is best to install the plugin on a known-clean site and run an initial scan, then add all the "rejected" files to the whitelist. To do this, go to the "Detected Threats" tab and click "Whitelist File" under each warning.

4. Sucuri Security

This plugin is the most advanced of the specialized ones. Its disadvantages include mandatory registration on the developers' official site and obtaining an API key; otherwise the functionality will be limited. The corresponding warning appears immediately after activation.

By clicking on the button, you will see the following window:

The domain name and the administrator's e-mail are determined automatically, but the latter can be changed. The DNS Lookups checkbox should be ticked only if you are using CloudProxy.

Before dealing with how to protect WordPress from viruses, you must properly configure the extension in the Settings section. Here you will see several tabs. In General, you can set the main parameters:
● Plugin API Key - lets you enter the API key;
● Data Storage Path - specifies the path to the directory in which Sucuri Security stores logs, the list of checked files and other service information (default: /uploads/sucuri);
● Reverse Proxy and IP Address and IP Address Discoverer - activate if external proxy services or a firewall are connected;
● Failed Login Password Collector - enables tracking of unsuccessful login attempts on the site;
● User Comment Monitor - checks the contents of comments added by users. Helps protect against both spam and malicious inserts;
● XML HTTP Request Monitor - filters AJAX requests; can adversely affect the site's response time;
● Audit Log Statistics - displays event statistics; here you can specify the number of records analyzed (default: 500);
● Date & Time - lets you change the time and date if they are determined incorrectly;
● Reset Options - resets the settings to defaults (useful if, after installing the plugin, you have problems with site performance or with scripts and cannot understand what the matter is).

The Scanner tab allows you to:
● Run a forced check with the "Fast Scan" button;
● Select one of three algorithms (SPL is the fastest, Global is the slowest and most thorough, and OpenDir is the golden mean);
● Set the check frequency (default: 2 times a day);
● Enable and manage the file system scanner (FS Scanner);
● Configure the report analyzer and clear logs.

On the Alerts tab, you can specify an email address for notifications and set the message template by choosing one of those offered or entering your own in the "Custom" field.

Here you can also set the frequency of sending e-mails and the parameters for detecting brute-force attacks.

Below you can fine-tune the alerts. In addition to the checkboxes ticked by default, it is worth ticking all the checkboxes associated with user actions: this will help to catch spammers and brute-forcers.

It is also worth enabling all items related to the status of plugins (marked with a plug icon) and templates (marked with a brush icon). This will not load the system, but will help detect the actions of an attacker who has gained access to the project and changed its configuration.

The "Ignore Scanning" section lets you specify directories that do not need to be checked (you must specify the absolute path to the folder). This is where the location of video and audio files should go: checking them is pointless, and it consumes a lot of server resources, which negatively affects performance.

"Ignore Alerts" lets you exclude changes to content of a specific type (post types) from alerts.

The Trust IP tab lets you set ranges of IP addresses that will not be recorded by the system. This is convenient if a group of people from one subnet works on the project.

"Heartbeat" helps configure the API of the same name, used for two-way communication between the browser and the server. It is mainly used in working groups, and if you are the sole owner of the site, it is better to turn it off altogether. This removes an additional vulnerability and improves engine performance.

After making all the edits, you can start a scan in the Malware Scan section with the corresponding button:

In addition to the scanner itself, Sucuri Security has a number of useful tools that help protect WordPress from viruses before the site is hacked. All of them are collected in the Hardening section. Here are the capabilities:
● Verify WordPress Version - monitors whether the engine core is up to date and lets you start a forced update;
● Website Firewall Protection - connects CloudProxy (the WAF must be pre-configured on the corresponding tab);
● Remove WordPress Version - removes the display of the CMS version;
● Block PHP Files - blocks access to service files through .htaccess (for Apache) or offers recommendations for configuring NGINX;
● Verify PHP Version - checks whether the installed interpreter version is up to date;
● Security Key - lets you know if you forgot to update the security keys in wp-config.php;
● Information Leakage (readme.html) - deletes the readme file, which contains information potentially useful to a hacker;
● Default Admin Account - checks whether the admin login is used for the super-administrator account;
● Plugin & Theme Editor - blocks the built-in template editor in one click;
● Database Table Prefix - reminds you of the need to replace the MySQL table prefix with a unique one instead of the default wp_.

The Post-Hack section will be useful after you have cleaned the WordPress site of viruses. It contains three tools:
● Security Keys - lets you create a new set of security keys and replace the compromised ones;
● Reset User's Password - helps perform a mass reset of registered users' passwords, as you choose;
● Reset Plugins - rolls back all installed plugins to known-safe versions, with the exception of premium add-ons.

Summing up

After reading the article, you have seen that fighting malicious software is nothing out of the ordinary. Thanks to the availability of specialized solutions, operations such as checking a WordPress template for viruses, monitoring the CMS core and cleaning the site in case of infection can be performed even by a non-professional. But as in medicine, in IT the key to success is not treatment but prevention. Remember: hackers pose a threat not only to you and your brainchild, but also to the visitors of the web resource. Often it is they who come under attack when visiting infected pages. This is fraught with the loss of the most important thing, users' trust, which inevitably turns into the loss of regular readers and even customers. It is therefore very important to take care of security as early as possible, minimizing the likelihood of a hack.


One of the most important steps when creating a blog is choosing a high-quality template. There are many sites offering both paid and free ones. However, caution is needed here, since there is a high probability of getting viruses, malicious scripts and hidden links along with the files.

But even if the template is clean in terms of security, and you are completely satisfied with its design, usability and functionality, this does not mean that everything is in order. The theme must have valid HTML and CSS code and meet all WordPress CMS standards. Even paid themes and custom-made templates have problems with the latter.

The engine's developers are constantly improving it, and template authors do not always keep up with them, using outdated functions when creating templates.

Today I will show 2 ways to check WordPress themes for compliance with standards. These tools are used when themes are added to the official directory https://wordpress.org/themes/

Checking WordPress themes and Joomla templates for compliance with standards

ThemeCheck.org is a free service that lets you check the security and quality of templates for the WordPress and Joomla CMSs before installing them on a site.

To check a theme, upload its archive from your computer by clicking the "Select File" button on themecheck.org. If you do not want the test results to be saved on the service and be available to other users, check the "Forget uploaded data after results" box. Then click the "Submit" button.

For example, I took the Interface theme, which I downloaded from the official website. 99 out of 100: 0 critical errors and 1 warning. This is a very good result.

For comparison, my blog's template received a score of 0 (14 errors and 23 warnings). I think many people's results will not be much different, especially if the themes are already outdated. All remarks with explanations, indicating the files and lines where they were found, are located lower on the same page.

To be honest, I understood little of it; it will be more useful for theme authors, and it is easier for me to change the template than to fix everything. I just don't know when I will get around to it.

The home page has a large selection of previously checked WordPress and Joomla themes, with the ability to sort them by time added or by score. When you click on one, you can see detailed information and links to the author's website and the download page.

If you are a developer and your theme is 100% valid, you can let users know by placing a special score badge on it.

The value of the themecheck.org service is that any webmaster can use it to choose a high-quality theme before installing it on a blog.

The Theme Check plugin

You can check already installed templates for compatibility with the latest WordPress standards using the Theme Check plugin. Link to download the latest version: https://wordpress.org/plugins/theme-check/

The plugin's functions are similar to those of the service I described above. No settings are needed after standard installation and activation. Verification procedure:

  1. In the admin panel, go to the "Appearance" - "Theme Check" menu page.
  2. Select the desired theme from the drop-down list if several are installed.
  3. Tick the "Suppress INFO" checkbox if you do not want to send information.
  4. Click the "Check it" button.

The results will be shown on the same page.

As you can see, the standard Twenty Ten theme is not ideal either, while Twenty Fourteen, for example, has no errors.

After checking, the plugin can be deactivated, or better still deleted altogether until next time.

Conclusion. Before installing a new WordPress template, check it not only for hidden links and malicious code with the TAC plugin, but also for compliance with the latest CMS standards using the themecheck.org service or the Theme Check plugin.

P.S. Recently, while browsing the Topsape Reader, I saw a new SEO blog, zenpr.ru, which holds 1st place among bloggers by click-throughs for the month. Considering that it is a little more than a month old, the result deserves respect. The design is minimalist, if not to say that there is none at all, but the way the author writes makes you read on. Everything is to the point and without filler. Just like in the blog's title: "zero extra characters". I recommend reading it; you will find a lot of useful information.

WordPress is the most popular engine for building various informational sites and blogs. The security of your site is more than the security of your data. It matters much more, because it is also the security of all the users who read your resource and trust it. That is why it is so important that the site is not infected with viruses or any other malicious code.

How to protect WordPress from hacking is something we will look at in one of the following articles; for now I want to explain how to check a WordPress site for viruses and malicious code to make sure that everything is safe.

The very first scenario that comes to mind is that hackers broke into your site and built their backdoors into its code so that they can send spam, place links and do other bad things. This does happen sometimes, but it is a rather rare case if you update your software on time.

There are thousands of free themes and various plugins for WordPress, and this is where a threat can hide. It is one thing to download a template from the WordPress site and quite another to find it on some obscure site. Unscrupulous developers can embed various malicious code into their products. The risk is even greater if you download premium templates for free: there, crackers risk nothing by adding a security hole through which they can later get in and do what they need. That is why checking a WordPress site for viruses is so important.

Checking a WordPress site for viruses

The first thing to turn to when checking a site for viruses is WordPress plugins. They let you quickly and easily scan your site and find suspicious sections of code that deserve attention, whether they are in a theme, a plugin or the WordPress core itself. Let's consider some of the most popular plugins:

1. TAC

This very simple plugin checks all the themes installed on your site for malicious code. It reveals hidden links and Base64-encoded code insertions, and displays detailed information about the problems found. Most often the code fragments it finds are not viruses, but they can potentially be dangerous, so you should pay attention to them.

Open "Appearance" -> "TAC", then wait until all the themes have been checked.

2. VIP Scanner

Very similar to the TAC theme scanner, but it displays more detailed information. It has the same capabilities for detecting links, hidden code and other malicious insertions. Just open the "VIP Scanner" item in the "Tools" section and analyze the result.

You may need to delete unnecessary files, for example desktop.ini, or take a closer look at what is happening in files that use base64.

3. Anti-Malware from gotmls.net

This plugin not only scans the themes and the core of the site for viruses, but also protects the site against password brute-forcing and various XSS and SQL injection attacks. The search is based on known signatures and vulnerabilities. Some vulnerabilities can be fixed on the spot. To start scanning files, open "Anti-Malware" in the side menu and click "Run Scan":

Before you can run the scan, you need to update the signature databases.

4. WordFence

This is one of the most popular plugins for protecting WordPress and scanning for malicious code. In addition to the scanner, which can find most backdoors in WordPress code, it provides constant protection against various types of attacks and password brute-forcing. During the search, the plugin finds possible problems with various plugins and themes and reports when WordPress needs to be updated.

Open the "WPDefence" tab in the side menu, then go to the "Scan" tab and press "Start Scan":

Scanning may take some time, but upon completion you will see a detailed report on the problems detected.

5. AntiVirus

This is another simple plugin that scans your site template for malicious code. The disadvantage is that only the current template is scanned, but the information is displayed in sufficient detail. You will see all the dangerous functions that are present in the theme, and can then analyze in detail whether they pose any danger. Find "AntiVirus" in the settings, then click "Scan theme templates now":

6. Integrity Checker

It is also advisable to check the integrity of WordPress files, in case a virus has already written itself somewhere. You can use the Integrity Checker plugin for this. It checks all core, plugin and template files for changes. At the end of the scan, you will see information about the modified files.

Online services

There are also several online services that let you check a WordPress site for viruses, or check only a template. Here are some of them:

themecheck.org - you upload a theme archive and can view all the warnings about potentially malicious functions used in it. You can view information not only about your own theme, but also about themes uploaded by other users, as well as about different versions of a theme. Everything the plugins find, this site can find too. Checking a WordPress theme is also very important.

virustotal.com - a well-known resource where you can check your site or a template file for viruses.

rescan.pro - checking a WordPress site for viruses with this service is free. It performs static and dynamic analysis; to detect possible redirects, the scanner opens the site's pages. It also checks the site against various blacklists.

sitecheck.sucuri.net - a simple service for scanning a site and its themes for viruses. It has its own WordPress plugin. It detects dangerous links and scripts.

Manual check

Nothing can be better than a manual check. Linux has a wonderful utility, grep, that lets you search for arbitrary strings in a folder of files. It remains to understand what we will look for:

  • eval - this function executes arbitrary PHP code; self-respecting products do not use it, so if a plugin or theme uses this function, you can say with almost one hundred percent probability that there is a virus;
  • base64_decode - encryption functions can be used together with eval to hide malicious code, but they can also be used for peaceful purposes, so be careful;
  • sha1 - another method of encrypting malicious code;
  • gzinflate - a compression function with the same goals, used together with eval, for example gzinflate(base64_decode(code));
  • strrev - reverses a string; can be used as a form of primitive encryption;
  • print - outputs information to the browser; dangerous together with gzinflate or base64_decode;
  • file_put_contents - WordPress itself or plugins may legitimately create files in the file system, but if a theme does this, you should be on your guard and check why, since this is how viruses can be installed;
  • file_get_contents - used for peaceful purposes in most cases, but can be used to download malicious code or read information from files;
  • curl - the same story;
  • fopen - opens a file for writing; you never know what for;
  • system - executes a command in the Linux system; if a theme, a plugin or WordPress itself does this, there is most likely a virus;
  • symlink - creates symbolic links in the system; perhaps the virus is trying to make the main file system accessible from outside;
  • copy - copies a file from one place to another;
  • getcwd - returns the name of the current working directory;
  • cwd - changes the current working directory;
  • ini_get - gets information about PHP settings, usually for peaceful purposes, but you never know;
  • error_reporting(0) - disables the output of all error messages;
  • window.top.location.href - a JavaScript feature used for redirects to other pages;
  • hacked - just in case, check for it: maybe the hacker decided to tell us about it himself.

You can search for each word individually with a command like this:

grep -r "hacked" /var/www/path/to/files/wordpress/wp-content/

Or use a simple script that searches for all the words at once:

#!/bin/sh
# Fixed strings to search for, one per line (the search is case-sensitive)
values="base64_decode(
eval(base64_decode
gzinflate(base64_decode(
getcwd();
strrev(
chr(ord(
cwd
ini_get
window.top.location.href
copy(
eval(
system(
symlink(
error_reporting(0)
print
file_get_contents(
file_put_contents(
fopen(
hacked"

# Stop if the directory is missing, so the search never runs somewhere else
cd /var/www/path/to/files/wordpress/wp-content/ || exit 1
# -F: fixed strings, -n: show line numbers, -r: recurse; only *.php files
grep -Fnr --include='*.php' "$values" .
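
A flat word search like the one above also matches harmless calls such as print or copy(. The following script is an added example, not part of the original article: it ranks the hits so that the eval(base64_decode(, eval(gzinflate( and eval(strrev( chains from the list come first. The severity levels, function names and sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: triage PHP files instead of listing every word hit.
# HIGH: eval( fed directly by a decoder from the list above.
# MED : command execution, symlinks or file writes, worth a manual look.
# The levels and names below are assumptions made for this example.

HIGH_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|strrev)[[:space:]]*\('
MED_RE='(^|[^_[:alnum:]])(system|symlink|file_put_contents)[[:space:]]*\('

scan_dir() {        # $1 = directory; prints "LEVEL path:line:matched text"
    grep -rnE --include='*.php' "$HIGH_RE" "$1" | sed 's/^/HIGH /'
    grep -rnE --include='*.php' "$MED_RE" "$1" | grep -vE "$HIGH_RE" | sed 's/^/MED  /'
}

count_level() {     # $1 = HIGH or MED, $2 = directory; prints the number of hits
    scan_dir "$2" | grep -c "^$1 " || true
}

make_sample() {     # $1 = empty directory; fills it with constructed test files
    mkdir -p "$1/theme/inc"
    cat > "$1/theme/functions.php" <<'EOF'
<?php
// harmless: print and WP_Filesystem( must not be reported
print esc_html( $title );
WP_Filesystem();
EOF
    cat > "$1/theme/footer.php" <<'EOF'
<?php wp_footer(); ?>
<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); // constructed placeholder payload ?>
EOF
    cat > "$1/theme/inc/cache.php" <<'EOF'
<?php
file_put_contents( $cache_file, $html ); // a theme writing files: review why
EOF
    # not a .php file, so --include skips it
    echo 'eval(base64_decode(' > "$1/theme/readme.txt"
}

SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
make_sample "$SAMPLE"
scan_dir "$SAMPLE"
```

A HIGH line still needs a human to read the file; a MED line in a plugin may be legitimate, while the same call in a theme deserves the closer look described in the list.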

Have you ever wondered which theme a particular site uses?

Often, when searching for the ideal theme, we look at other finished projects to find something similar, or to build our own site on the same theme but with an individual design.

In this lesson, we will show which tools and tricks you can use to find out which theme a WordPress site uses.

Method 1. Check the site with IsItWP

The easiest way is to go to isitwp.com and check the site that interests you there.

This is an online tool that shows which theme a WordPress site uses, and whether the site uses WordPress at all.

If the site runs WordPress, IsItWP will try to find out the name of the current theme.

It will also try to find out which active plugins are used on the site:

If you are lucky and it is not a custom or child theme, IsItWP will give you its name, and you can then look the theme up in search engines.

Method 2. Determine manually

Sometimes site owners or developers change the name of the original WordPress theme. In that case, tools like IsItWP will not be able to help you.

But even so, the site's code may still contain various hints that help work out which theme is installed.

Let's see.

Every WordPress theme is required to have a style.css file. This file contains a header which, as a rule, gives the theme's name, author, version and developer website. It also contains the other CSS styles the theme uses.

To find this file, first go to the site itself. Right-click somewhere on the main page and choose to view the source code (View Page Source).

The source code of the site's main page will open in a new browser tab.

Now you need to find a line of code that looks like this:

To make this easier, search this tab for the code fragment "themes". It is part of the path to the directory where style.css lies.

This gives you the path to the style.css file, and you can open the file directly in the browser in a new tab.

At the top of style.css there will be a header block (the one we talked about above). It holds service information about the theme. It looks like this:

/*
Theme Name: https://example.com
Author: ThemeAuthorname
Author URI: https://example.com
Description: My Theme is a flexible WordPress theme designed for portfolio websites
Version: 1.1.47
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text Domain: Hestia
Tags: Blog, Custom-Logo, Portfolio, E-Commerce, RTL-Language-Support, Post-Formats, Grid-Layout, One-Column, Two-Columns, Custom-Background, Custom-Colors, Custom-Header, Custom-Menu, Featured-Image-Header, Featured-Images, Flexible-Header, Full-Width-Template, Sticky-Post, Theme-Options, Threaded-Comments, Translation-Ready
*/

From this block you can find out the name of the theme and the developer's address. Then all that remains is to find the theme on the Internet.

Method 3. How to find the parent theme

Many sites use child themes for custom design settings. And this is quite the right approach.

In this case, if you have found the style.css file of a child theme, its header will contain information about the parent theme:

/*
Theme Name: Just A Child Theme
Author: Peter Smith
Author URL: Write here author's blog or website URL
Template: Hestia
Version: 1.0
License: GNU General Public License v2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text Domain: My-Child-Theme
*/

In the example above, the parent theme is indicated by the "Template" parameter; that is, this child theme uses "Hestia" as its parent theme.

You can also learn about the parent theme from the source code described in Method 2. In the code you will find a reference to the style.css file not only of the child theme, but also of the parent theme.

But do not forget that the developer may have gone to the trouble of changing all the headers in style.css to their own, in which case determining the original theme will be very difficult.
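
The same header can be read on your own installation to see which themes are present and which parent each child depends on, so that a child theme is never checked without its parent. This script is an added example, not part of the original lesson; the function names and the three sample themes are constructed for it, and it assumes one "Field: value" per line with Template holding the parent's directory name.

```shell
#!/bin/sh
# Added example: list installed themes with version and parent theme.
# Assumption: header fields are written one per line as "Field: value".
# The header sits at the top of style.css, so only the first 8 KB are read.

theme_field() {     # $1 = path to style.css, $2 = field name; prints its value
    head -c 8192 "$1" | tr -d '\r' |
        sed -n "s|^[[:space:]/*#@]*$2:[[:space:]]*||p" |
        sed 's|[[:space:]]*\*/.*$||; s|[[:space:]]*$||' | head -n 1
}

theme_inventory() { # $1 = themes directory; prints slug, name, version, parent
    for css in "$1"/*/style.css; do
        [ -f "$css" ] || continue
        slug=$(basename "$(dirname "$css")")
        parent=$(theme_field "$css" "Template")
        note="-"
        if [ -n "$parent" ] && [ -d "$1/$parent" ]; then
            note="child of $parent"
        elif [ -n "$parent" ]; then
            note="child of $parent (parent not installed)"
        fi
        printf '%s\t%s\t%s\t%s\n' "$slug" \
            "$(theme_field "$css" "Theme Name")" \
            "$(theme_field "$css" "Version")" "$note"
    done
}

# Constructed sample: a parent, its child, and a child whose parent is absent.
THEMES=$(mktemp -d)
trap 'rm -rf "$THEMES"' EXIT
mkdir -p "$THEMES/hestia" "$THEMES/my-child-theme" "$THEMES/orphan"
cat > "$THEMES/hestia/style.css" <<'EOF'
/*
Theme Name: Hestia
Version: 1.1.47
*/
body { margin: 0; }
EOF
cat > "$THEMES/my-child-theme/style.css" <<'EOF'
/*
Theme Name: Just A Child Theme
Template: hestia
Version: 1.0
*/
EOF
printf '/* Theme Name: Orphan\n * Template: missing-parent\n * Version: 0.1 */\n' \
    > "$THEMES/orphan/style.css"

theme_inventory "$THEMES"
```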

The Theme Check plugin is an easy way to test your theme and make sure it's up to spec with the latest theme review standards. With it, you can run all the same automated testing tools on your theme that WordPress.org uses for theme submissions.

The tests are run through a simple admin menu and all results are displayed at once. This is very handy for theme developers, or anybody looking to make sure that their theme supports the latest WordPress theme standards and practices.

How to activate Trac formatting

The Theme Review Team use this plugin while reviewing themes and copy/paste the output into Trac tickets; the Trac system has its own markup language.
To enable Trac formatting in Theme Check you need to define a couple of variables in wp-config.php:
TC_PRE and TC_POST are used as a ticket header and footer.
Examples:
Examples:
define( 'TC_PRE', 'Theme Review: []
- Themes should be reviewed using "define(\'WP_DEBUG\', true);" in wp-config.php []
- Themes should be reviewed using the test data from the Theme Checklists (TC)
-----
' );

define( 'TC_POST', 'Feel free to make use of the contact details below if you have any questions, comments, or feedback: [] * * Leave a comment on this ticket [] * Send an email to the Theme Review email list [] * Use the #wordpress-themes IRC channel on Freenode.' );

If either of these two vars are defined, a new Trac tickbox will appear next to the Check it! button.

Frequently Asked Questions

What's with the version numbers?

The version number is the date of the revision of the guidelines used to create it.

Why does it flag something as bad?

It's not flagging "bad" things, as such. Theme Check is designed to be a non-perfect way to test for compliance with the Theme Review guidelines. Not all themes must adhere to these guidelines. The purpose is to ensure that themes uploaded to the central WordPress.org theme repository meet the theme standards and will work on a wide variety of sites.

Many sites use customized themes, and that's perfectly okay. But themes that are intended for use on many different kinds of sites by the public need to have a certain minimum level of capabilities, in order to ensure proper functioning in many different environments. The Theme Review guidelines are created with that goal in mind.

This theme checker is not perfect, and never will be. It is only a tool to help theme authors, or anybody else who wants to make their theme more capable. All themes submitted to WordPress.org are hand-reviewed by a team of experts. The automated theme checker is meant to be a useful tool only, not an absolute system of measurement.

This plugin does not decide the guidelines used. Any issues with particular theme review guidelines should be discussed on the Make Themes site.

Reviews

This is a great plugin for everyone that really likes to develop a WordPress theme and make successfully tests for the basic WordPress standards. The errors separated in "Required", "Warning", "Recommended" and "Info". Also provide the basic information of this error and makes you understand where the problem is.

Participants and developers

"Theme Check" is an open source project. The following participants contributed to the development of the plugin:

Changelog

20190801.1

  • Fix missing nonce and nonce check on admin page. Props Steven Stern for reporting the issue to the plugins team. Though this is technically a CSRF, there is no vulnerability arising from it, as the only thing that could be done with the form is to scan a theme.

20190208.1

  • Add new styles for the block editor. See https://meta.trac.wordpress.org/ticket/3921

20160523.1

  • Fix for theme-names with dashes in them
  • Comments stripping changes.
  • Many changes by Theme Review Team and others. See GitHub for full change list.

20151211.1

  • Full sync with GitHub and all the changes that have happened there.
  • Release for 4.4 deprecated functions.

20140929.1

  • Added new checks and updates from Frank Klein at Automattic. Thanks Frank!
  • Updated deprecated function listings
  • Customizer check: all add_settings must use sanitization callbacks, for security
  • Plugin territory checks: themes must not register post types or taxonomies or add shortcodes for post content
  • Widgets: calls to register_sidebar must be called from the widgets_init action hook
  • Title: tags must exist and not have anything in them other than a call to wp_title()
  • CDN: checks for use of common CDNs (recommended only)
  • Note: changed plugin and author URIs due to old URIs being invalid. These may change again in the future, the URIs to my own site are temporary only.

20131213.1

  • Corrected errors not being displayed by the plugin and it incorrectly giving a "pass" result to everything.

20131212.1

  • Updated for 3.8.
  • Most files have changed for better i18n support, so the language files were removed temporarily until translation can be redone.

20121211.1

  • Updated for 3.5
  • Remove PayPal button.

20110805.1

  • TimThumb checks removed.
  • Screenshot now previewed in results, with filesize and dimensions.

20110602.2

  • New file list functions, hidden folders now detectable.
  • Better fopen checks.
  • TimThumb version bump.

20110602.1

  • DOS/UNIX line ending style checks are now a requirement for proper theme uploading.
  • TimThumb version bump.
  • Several fixes reported by GaryJ
  • 3.2 deprecated functions added

20110412.1

  • Fix regex's.
  • Added check for latest footer injection hack.
  • Fix tags check to use new content function correctly
  • Sync of all changes made for wporg uploader theme-check.
  • Updated checks post 3.1. Added screenshot check to svn.
  • Fix links check to not return a false failure in some cases
  • rm one of the checks that causes problems on wporg uploader (and which is also unnecessary)
  • Move unneeded functions out of checkbase into main.php.
  • Minor formatting changes only (spacing and such)
  • Add check for wp_link_pages() + fix eval() check

20110219.2

  • Merged new UI props Gua Bob
  • Last tested theme is always pre-selected in themes list.
  • Fixed PHP error in admin_menu.php

20110219.1

  • See commit log for changes.

20110201.2

  • UI bug fixes forum post props Mamaduka.
  • Textdomain checks for twentyten and no domain.
  • Fix div not closing props Mamaduka.

20110201.1

  • i18n working
  • sr_RS de_DE ro_RO langs props Daniel Tara and Emil Uzelac.
  • Child theme support added, checks made against parent and child at runtime.
  • Trac formatting button added for reviewers.

20101228.3

  • Last revision for 3.1 (hopefully)
  • Chips suggestion of checking for inclusion of searchform.php (not perfect yet, need more examples to look for).
  • add_theme_page is required, all others flagged and displayed with line numbers.
  • Mostly internationalized, needs translations now.
  • Bug fixes.

20101228.2

  • Added menu checking.
  • ThemeURI AuthorURI added to results.
  • Lots of small fixes.
  • Started translation.

20101228.1

  • Fix embed_defaults filter check and stylesheet file data check.

20101226.1

  • Whole system redesign to allow easier synching with WordPress.org uploader. Many other additions / subtractions / changes as well.
  • WordPress 3.1 guidelines added, to help theme authors ensure compatibility for upcoming release.

20101110.7

  • Re-added malware.php checks for fopen and file_get_contents (INFO)
  • Fixed a couple of undefined index errors.

20101110.4_r2

  • Fixed Warning: Wrong parameter count for stristr()

20101110.4_r1

  • Added echo to suggested.php

20101110.4

  • Fixed deprecated function call to get_plugins()

20101110.3

  • Fixed undefined index.

20101110.2

  • Missing < in main.php
  • Added conditional checks for license.txt or License tags in style.css
  • UI improvements.