Plugin Review: wp-malwatch

A plugin I found recently is wp-malwatch, and it has quickly gone onto my must-have list. Let me tell you about it and urge you to get it installed on your site.

What is wp-malwatch?

It's like an anti-virus scanner for the files on your WordPress install: if someone has hacked your site and planted malware code, wp-malwatch will help you find it.


wp-malwatch installs much like any other plugin: search for it from the WordPress admin and install it, or download it from http://wordpress.org/extend/plugins/wp-malwatch/


Once installed, there are a number of configuration options, plus one special hint I will give you.

To configure the plugin, go to wp-malwatch -> configure.

Bizarrely, not all of the options are enabled by default; I say switch everything on. See the screen dumps.

Keyword scan – this checks inside your WordPress files for particular strings; as you can see from the screen dump, I have added base64_decode. An increasingly popular way for hackers to hide their code is to encode it: if you see files containing base64_decode and huge strings, this is probably malware.

Hidden files scan – hackers often set up hidden (dot-prefixed) files which contain suspect code; this option will find those files.

.htaccess scanning – another trick is to add malicious redirections to .htaccess files. WordPress normally has these files, but you should be wary of their contents, and of any additional .htaccess files you find.

uploads directory – a favoured technique is to hide PHP script files deep within your uploads directory structure. This is not an easy thing to find by hand, but this excellent plugin searches for the miscreants. It has found issues on a couple of my clients' sites and saved me hours of searching.

File pattern scanning – like virus signatures, some hack attacks leave specific file patterns; these are the known attack signatures.

Locale scanning – the file locale.php is often targeted by hackers, with rogue redirects added, so it needs to be scanned.

Running the Scan

A widget is added to the dashboard home page of your site, or you can run the scan from wp-malwatch -> detailed report.


The plugin will then return a list of suspicious files; review each one and view its contents.

False Positives

WP-Malwatch errs on the side of caution and brings back anything matching your search patterns, which is good, but it requires that you are able to review and understand what it has returned. There will be some false positives.

For example, there will be a .htaccess file in the root of your site, and it will be flagged.
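To make the scan categories above (keyword, hidden files, .htaccess, uploads directory) and the false-positive point concrete, here is a small added scanner in Python. It is example code written for this review, not wp-malwatch's own rules or output; the heuristics, the function names and the sample WordPress-like tree it builds in a temporary directory are all constructed for the demonstration. Like the plugin, it reports every .htaccess it finds, so the root one shows up as an expected false positive, and it reports an external redirect in an .htaccess separately.

```python
import re
import tempfile
from pathlib import Path

# Heuristics modelled on the plugin's option categories. These rules and the
# sample site below are constructed for this example; they are not wp-malwatch's own.
KEYWORDS = ("base64_decode", "eval(", "gzinflate(", "str_rot13(")
PHP_SUFFIXES = {".php", ".phtml", ".php5"}
# A quoted run of 200+ base64-alphabet characters: the "huge string" the review warns about.
LONG_ENCODED = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")
# Redirect/Rewrite directives whose target is an absolute URL (sends visitors off-site).
EXTERNAL_REDIRECT = re.compile(r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*https?://", re.I | re.M)


def read_text(path):
    # Dropped files are often mixed binary/text; never let a decode error abort the scan.
    return path.read_text(encoding="utf-8", errors="replace")


def scan_site(root):
    """Walk a WordPress tree and return sorted (category, relative_path) findings."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_parts = path.relative_to(root).parts
        rel = "/".join(rel_parts)
        suffix = path.suffix.lower()

        # Hidden files scan: any dot-prefixed file or directory except .htaccess itself.
        if any(p.startswith(".") and p != ".htaccess" for p in rel_parts):
            findings.add(("hidden_file", rel))

        # .htaccess scanning: every copy is listed (the root one is an expected false
        # positive); one that redirects to an absolute URL is reported separately.
        if path.name == ".htaccess":
            findings.add(("htaccess", rel))
            if EXTERNAL_REDIRECT.search(read_text(path)):
                findings.add(("htaccess_redirect", rel))
            continue

        # Uploads directory: PHP has no business under wp-content/uploads.
        if rel.startswith("wp-content/uploads/") and suffix in PHP_SUFFIXES:
            findings.add(("php_in_uploads", rel))

        # Keyword scan over PHP sources, plus the long-encoded-string heuristic.
        if suffix in PHP_SUFFIXES:
            text = read_text(path)
            for kw in KEYWORDS:
                if kw in text:
                    findings.add(("keyword:" + kw, rel))
            if LONG_ENCODED.search(text):
                findings.add(("long_encoded_string", rel))
    return sorted(findings)


def build_sample_site(root):
    """Create a small constructed WordPress-like tree: clean files plus a few suspect ones."""
    root = Path(root)
    files = {
        # Standard WordPress rewrite rules: benign, but still listed as an .htaccess hit.
        ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
        "wp-content/plugins/hello/hello.php": "<?php\nfunction hello() { return 'Hello'; }\n",
        "wp-content/uploads/2011/09/photo.jpg": "not really a jpeg, just sample bytes\n",
        # Extra .htaccess that sends visitors off-site (constructed; example.invalid is reserved).
        "wp-content/uploads/.htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n",
        # Hidden PHP file under uploads with a harmless encoded-string stub ("AAA..." repeated).
        "wp-content/uploads/2011/09/.cache.php": "<?php eval(base64_decode('" + "QUFB" * 80 + "')); ?>\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    return root


def demo():
    """Build the sample site in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_site(build_sample_site(tmp))


if __name__ == "__main__":
    for category, rel in demo():
        print(f"{category:22} {rel}")
```

Run it as a script and it lists eight findings for the sample tree: the clean plugin file and the image produce nothing, the root .htaccess appears once as the expected false positive, and the hidden PHP file under uploads is reported under several categories at once, which is exactly the kind of overlap that tells you a hit is worth opening and reading rather than dismissing.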

Remove Malware Files

If you have been infected, I recommend re-installing a clean version of WordPress and of any plugins or themes that have been infected, and deleting any files that should not be there, for example in the uploads directory.

Then change all of your passwords: database, FTP and WordPress users.

How Often Should You Test Your Site?

I recommend once a week; it does not take very long. A feature I would like to see in the plugin is an automated weekly or monthly check that emails you the results, but hey, you cannot have everything in a free plugin.

My Results Are Freaking Me Out!!

If you need help interpreting the results of wp-malwatch to see whether you have been infected, why not book a coaching session with me and I can take you through them.

Image by jlwalker
