Malware Scanning

Malware scanning is the continuous detection and removal of malicious code, backdoors, web shells, credit-card skimmers, SEO spam, cryptominers, and phishing injections across your site’s files, database, and dependencies. It combines signatures, heuristics, integrity checks, and behavior analysis to catch both known and novel threats before they impact users or revenue.

Threats it targets (examples)

Backdoors & web shells: Hidden PHP/JS loaders, obfuscated eval/base64 payloads.
Magecart-style skimmers: JS injected into checkout to steal card data.
SEO spam: Cloaked links, pharma keywords, injected iframes/redirects.
Defacements & cryptominers: Modified templates serving malicious content or CPU-draining scripts.
Persistence: Rogue cron jobs, .user.ini/php.ini overrides, must-use plugin abuse.

Where scanning happens

File system: Themes, plugins, wp-content/uploads, mu-plugins, vendor libraries; detect obfuscation, suspicious functions, unexpected PHP in uploads.
Database: wp_posts, wp_options, widget/meta tables for <script>, event handlers (onload, onclick), and malicious domains.
Process & network: Odd PHP children, outbound beacons to known C2 hosts, unexpected mail bursts.
Integrity checks: Compare WordPress core, plugin, and theme files against known checksums to spot tampering.
Client/edge signals: CSP report-only + SRI failures to reveal skimmers that only execute in browsers.

Detection techniques

Signatures/YARA: Known patterns/hashes for fast identification.
Heuristics: Obfuscation, long entropy strings, dynamic function creation, file writes in runtime paths.
Behavioral: Unexpected file changes, cron/task creation, outbound requests after form submits.
Integrity: Verify against canonical sources; alert on drift.

WordPress / WooCommerce playbook

Verify core & plugins (WP-CLI): wp core verify-checksums wp plugin verify-checksums --all wp theme verify-checksums --all
Block PHP in uploads:
Nginx location ~* /wp-content/uploads/.*\.php$ { deny all; } Apache (.htaccess in uploads) <FilesMatch "\.(php|pht|phtml|phar)$"> Require all denied </FilesMatch>
Harden admin: Disable file editor (define('DISALLOW_FILE_EDIT', true);), enforce 2FA, restrict XML-RPC, limit login attempts.
Scan database content: Search for suspicious <script src=…>, data: URIs, and known bad domains; sanitize widgets and options.
Checkout protection: Pair scanning with CSP/SRI and WAF allow-lists for PSP webhooks to avoid blocking good traffic.

Remediation & recovery

Isolate: Put the site in maintenance/edge read-only; snapshot disks and DB.
Identify scope: Diff against checksums; list recently changed files; review scheduled tasks.
Clean safely: Replace core/plugins/themes from trusted sources; surgically remove injected code; quarantine unknown files.
Rotate secrets: WP salts, DB creds, SFTP/SSH keys, API tokens; invalidate sessions.
Patch the root cause: Update vulnerable extensions, fix weak permissions, close exposed endpoints.
Validate & release: Re-scan files/DB, clear caches/CDN, and monitor logs for recurrence.

Automation & ops

Frequency: Daily full scans + real-time file integrity monitoring on hot paths.
Alerting: Slack/Email with diffs and severity; auto-open incident tickets.
CI/CD gates: Run YARA/secret scanners before deploy; block artifacts containing malware or embedded credentials.
Retention: Keep clean, immutable backups (off-site) for at least 30 days to avoid reinfecting on restore.

KPIs

MTTD (mean time to detect) and MTTR (to remediate).
Reinfection rate within 7/30 days.
Coverage: % of files/DB tables scanned; checksum drift rate.
False positive rate and analyst time per alert.

Common pitfalls

Cleaning files but not the database or cron jobs (infection returns).
Restoring an infected backup.
Signature-only scanners missing new variants.
Leaving PHP executable in uploads or writable webroot paths.
Not rotating credentials/salts after cleanup.