How to Scan WordPress Sites for Malware (No Plugins)

Let's learn how to scan WordPress sites for Malware manually without installing plugins. This is the most practical and easy way.

In this journey, access.log files are the essential navigation tools, keeping you on course and alert to potential cyber threats, primarily malware or PHP Web Shells.

Understanding the process of how to locate, download, and examine these files is critical, and we're here to guide you step by step!

Step 1: Embark on the Server Access Voyage

Before you begin, you need to gain access to your server, much like boarding a ship. Your hosting provider will typically grant this access. Some common tools to get on board include Secure Shell (SSH) or File Transfer Protocol (FTP). If these terms seem a little daunting, fret not! Your hosting provider can give you a helping hand.

I highly recommend choosing Linux VPS providers for hosting your WordPress websites with full root access. This type of server will give you the possibility to manage and scale your website easily.

Step 2: Hunt for the Log Files

Log files can be quite elusive. They love to hide in specific locations, usually /var/log/httpd/ or /var/log/apache2/. For NGINX servers you can find it here: /var/log/nginx/

If they're being particularly tricky, consult your hosting provider or server administrator for guidance.

Step 3: Secure the Treasure (Log Files)

Once you've spotted the access.log file, it's time to bring it home to your local machine for closer inspection. These files can be hefty, so ensure your local drive has ample space to accommodate them.

Step 4: Decipher the access.log File

Now, it's time to analyze the access.log file treasure you've procured. We're searching for signs of malware, specifically PHP function names often associated with harmful scripts. These names include:

"shell_exec", "system", "CMD", "exec", "passthru", "popen", and "proc_open()"

The method to perform this search depends on your operating system.

For Windows users:

1. Open your access.log file using a text editor like Notepad.
2. Use “Ctrl + F” to open the ‘Find' dialogue box.
3. Enter each function name one by one. If any of them exist in the document, it will be highlighted.

For macOS users:

1. Use a text editor or a log viewer to open the file.
2. Use “Cmd + F” to initiate the ‘Find' function.
3. Type in each function name individually. Any matches will be highlighted.

For Linux users:

1. Open your terminal.
2. Utilize the ‘grep' command to search for these function names in your access.log file, e.g.

grep 'shell_exec' /path/to/your/access.log

If any of these function names pop up in your search, it suggests you might have a malware problem. There you will find files that are backdoors or web shells that execute the functions that I mention above.

Remember, these PHP functions are not inherently harmful but can be exploited for malicious purposes.

If you discover malware, it's time to spring into action! Remove any malicious scripts, update your WordPress themes and plugins, and change all passwords. Consult with a cybersecurity professional if necessary.

Read More: WordPress Security Guide For Beginners 2023

Stay proactive in your journey by regularly monitoring your access.log files and keeping your WordPress up-to-date. Safe travels on your WordPress voyage!