This plugin searches the files and database of your website for signs of suspicious activity. It will not stop someone hacking into your site, but it may help you find any uploaded or compromised files left by the hacker.

When a website is compromised, hackers leave behind scripts and modified content that can be found by manually searching through all the files on a site. Some of the methods used to hide their code or spam links are obvious, like using CSS to hide text, and we can search for those strings.

The database can also be used to hide content or be used to run code. Spam links are sometimes added to blog posts and comments. They’re hidden by CSS so visitors don’t see them, but search engines do. Recently, hackers took advantage of the WP plugin system to run their own malicious code. They uploaded files with the extensions of image files and added them to the list of active plugins. So, despite the fact that the file didn’t have a .php file extension, the code in them was still able to run!

This plugin searches through your site and attempts to find those changed files and db records. It’s far from perfect, so if you have suggestions for improving it, I’d like to hear them!

You can find the Scanner admin page linked off the Dashboard. This is the screen you’ll see. You can search in numerous ways:

  1. Files and database.
  2. Files only.
  3. Database only
  4. Search files by custom keyword.

All fairly self explanatory I think. The custom keyword form allows you to search your files for whatever you like. Be careful with that one because a search for a common keyword like “php” will takes ages and generate an extremely long list of files.

Warning! Searching through the files on your site will take some time. Even a clean WordPress install with no plugins will probably take a noticeable length of time. It’s also heavy on your server. Only run the file check when your server is idling and not busy.

Download

The latest version of the plugin can always be found on the WordPress.org plugin page.

Install

  1. Download and unzip the plugin.
  2. Copy the exploit-scanner directory into your plugins folder.
  3. Visit your Plugins page and activate the plugin.
  4. A new menu item called “Exploit Scanner” will be made off the Dashboard.

Security

Security is an important issue of course. If this plugin was somehow writable by the webserver it could be modified. For that reason it displays an md5 checksum of itself. That checksum is listed above, and also in the README file in the plugin zip file. Compare the checksums if you’re paranoid. If you’re really paranoid, run the script through md5sum just in case!
It also uses file checksums to rule out some false positive results which is one reason why a specific version of WordPress is needed. Newer versions of WordPress may create more false positive results.