Malware Scan
Malware Scan analyzes files within your WordPress site using pattern matching to detect malware, backdoors, and malicious scripts.
Why Malware Scanning Is Necessary
When a WordPress site is infected with malware, the following types of damage can occur:
- SEO Spam: Spam links appear in search results
- Redirects: Visitors are forwarded to malicious websites
- Data Theft: Users' credit card information and login credentials are stolen
- Botnet: The server is used as a launchpad for DDoS attacks
- Blacklisting: Google marks the site as "dangerous" and removes it from search results
Detection Patterns
PHP Malware Detection
The following common malware patterns are detected:
| Pattern | Description | Severity |
|---|---|---|
| eval(base64_decode(...)) | Obfuscated code execution | 🔴 Critical |
| eval(gzinflate(...)) | Compressed malicious code | 🔴 Critical |
| preg_replace('/.*/e', ...) | Code execution via regex | 🔴 Critical |
| $_GET/$_POST + eval | Remote Code Execution (RCE) | 🔴 Critical |
| file_put_contents + external URL | Dropper (installs additional malware) | 🔴 Critical |
| str_rot13, chr() concatenation | String obfuscation | 🟠 High |
| Long single-line obfuscated code | Suspicious low-readability code | 🟠 High |
| PHP inside .ico files | PHP code disguised as images | 🔴 Critical |
WebShell Detection
Signatures for WebShells (malware used to remotely control a server) are also detected:
- FilesMan, WSO, r57, c99
- China Chopper
- Other known WebShell patterns
PHP Files in the Uploads Directory
If executable PHP files are found in the wp-content/uploads/ directory, there is a high probability they are malware. This directory normally contains only images and documents.
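The pattern table and the uploads rule above, sketched as a small standalone Python scanner. This is an added example, not SentinelSecurity's own code: the regexes, the 2000-byte line threshold, the extension list and the severity assigned to PHP files in uploads are assumptions, only some table rows are covered, and the sample tree is constructed from inert files.

```python
import re
import tempfile
from pathlib import Path

MAX_LINE = 2000  # assumed cut-off for "long single-line" code
PHP_EXT = {".php", ".phtml", ".phar"}  # assumed list of executable extensions
# (label, severity, regex) for rows of the table; regexes are illustrative assumptions.
RULES = [
    ("eval(base64_decode(...))", "critical", rb"eval\s*\(\s*base64_decode\s*\("),
    ("eval(gzinflate(...))", "critical", rb"eval\s*\(\s*gzinflate\s*\("),
    ("preg_replace /e", "critical", rb"""preg_replace\s*\(\s*(['"])(.).*?\2[a-z]*e[a-z]*\1"""),
    ("superglobal in eval", "critical", rb"eval\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)"),
    ("str_rot13 obfuscation", "high", rb"str_rot13\s*\("),
]

def scan_file(rel: Path, data: bytes) -> list:
    """Return (label, severity) findings; rel is relative to the WordPress root."""
    ext, hits = rel.suffix.lower(), []
    if ext in PHP_EXT and rel.parts[:2] == ("wp-content", "uploads"):
        hits.append(("PHP file in uploads", "high"))  # severity is an assumption
    if ext == ".ico" and b"<?php" in data.lower():
        hits.append(("PHP inside .ico", "critical"))
    if ext in PHP_EXT or ext == ".ico":
        hits += [(label, sev) for label, sev, rx in RULES if re.search(rx, data, re.I)]
        if any(len(line) > MAX_LINE for line in data.splitlines()):
            hits.append(("long single line", "high"))
    return hits

def scan_tree(root: Path) -> dict:
    found = {}  # flagged file (POSIX path relative to root) -> findings
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if hits := scan_file(rel, path.read_bytes()):
            found[rel.as_posix()] = hits
    return found

def demo() -> dict:
    samples = {  # constructed, inert sample files
        "wp-content/uploads/2024/01/cache.php": b"<?php eval(base64_decode($blob)); ?>",
        "wp-content/themes/demo/favicon.ico": b"\x00\x00\x01\x00<?php echo 1; ?>",
        "wp-content/plugins/demo/old.php": b"<?php preg_replace('/.*/e', $code, ''); ?>",
        "wp-content/themes/demo/functions.php": b"<?php\nadd_action('init', 'demo_setup');\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(Path(tmp))
```

Rules like these are heuristics: a match is a reason to review the file, and legitimate code can trigger them, which is why the plugin offers a false-positive exclusion list.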
Running a Scan
- Navigate to SentinelSecurity → Malware Scan
- Select the scan scope:
  - Quick Scan: PHP files in the uploads/ directory only
  - Standard Scan: Themes + Plugins + Uploads
  - Full Scan: Entire WordPress installation
- Results are displayed in a list
Responding to Detection Results
When malware is detected, the following response options are available:
Review and Investigate
- View File Contents: Review the detected code with syntax highlighting
- Report False Positive: Add to the exclusion list if it is a false positive
Take Action
- Quarantine: Move the file to a quarantine directory (renders it non-executable)
- Delete: Permanently delete the file
- Restore: For WordPress core files, overwrite with the official clean version
Important: Always create a backup before deleting or repairing files.
Scheduled Scan Settings
Automated scheduled scans help you detect new malware early.
| Frequency | Recommended Use |
|---|---|
| Daily | Critical sites such as e-commerce or membership sites |
| Weekly | General business websites |
| Monthly | Personal sites with low update frequency |
Difference from File Integrity Monitoring
| Aspect | Malware Scan | File Integrity Monitoring |
|---|---|---|
| Detection Method | Pattern matching | Hash comparison |
| Purpose | Detect known malware patterns | Detect any changes |
| Target | File contents | File hash values |
| Strength | Identify infected files | High-precision tampering detection |
| Weakness | Difficult to detect unknown malware | Cannot determine if changes are legitimate |