WP-MalWatch is a WordPress security plugin that performs a nightly scan of your WordPress blog looking for evidence of malware.
WP-MalWatch is a WordPress security scanner plugin designed to help alert you when hackers have been at work inside your blog.
When hackers infiltrate a blog, the first thing they do is plant hidden files, disguised .PHP files, and malicious .HTACCESS files in various directories. Their goal is to litter your WordPress installation and theme with links to their sites.
WP-MalWatch performs a nightly security scan of your WordPress installation looking for evidence of foul play. If WP-MalWatch finds any, a dashboard widget will tell you where you should take a closer look. WP-MalWatch's detailed report also provides a very easy interface for looking at the contents of these files right from within WordPress, so you don't have to get into messy FTP clients and editors to look at potential problems.
Version 2.1.2 of WP-MalWatch is based on 2.0.2, which was a complete rewrite of the original WP-MalWatch plugin and provides efficient malware scanning. Version 2.1.2 looks for hidden files, .HTACCESS files, configurable file patterns, keywords in theme files, base64 encode calls in key WordPress files, and .PHP files in the uploads directory.
Does WP-MalWatch protect your blog?
NO! WP-MalWatch is a scanning plugin that allows a blogger to easily identify the presence of files in a blog installation and provides a simple viewer for examining them.
If WP-MalWatch finds files in my blog, does it mean I have a problem?
Not necessarily, but it does mean you need to take a look at them. The plugin has several links to explanations of what WP-MalWatch is looking for. Any file that WP-MalWatch reports, you should look at and be comfortable that it is there for a purpose.
Why PHP files in the uploads directory?
Because they shouldn't be there and are clear evidence of foul play.
What are configurable file patterns?
Hackers love to drop multiple-extension files into a blog hoping that you won't notice them. The default settings for WP-MalWatch are the file extension patterns for the somewhat clever "pharma attack". These include patterns like *.old.php and *.bak.php. You can configure these for whatever you are looking for.
Why .HTACCESS files?
.HTACCESS files are specific to UNIX and you will generally have one at the root of your website. WordPress actually uses this file for things like Permalinks. Hackers love to drop .HTACCESS files into other parts of your WordPress installation to do malicious things such as implement 301 redirects to trick users or even search engines. Still, some plugins use .HTACCESS files for their functionality. That doesn't mean that a hacker can't get into those. If you have more than one .HTACCESS file in your installation, you'll want to take a look at each one and ensure that there are no redirects to sites you aren't aware of.
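The checks described above (hidden files, extra .HTACCESS files and the redirects inside them, the *.old.php and *.bak.php patterns, PHP files in uploads, base64 calls) can be expressed as a small read-only scanner that produces a list of files to review by hand. This is an added example in Python, not WP-MalWatch's own code, and it checks every .php file for base64 calls rather than only key WordPress files. The function names, the constructed sample tree, the `wp-content/uploads/` location and the reading of "encode 64 calls" as `base64_encode`/`base64_decode` are assumptions.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

PATTERNS = ["*.old.php", "*.bak.php"]  # default patterns named on the page
# Redirect/RedirectMatch directives, or a RewriteRule carrying an [R] flag
REDIRECT = re.compile(rb"^\s*(Redirect(Match)?\b|RewriteRule\b.*\[[^\]]*\bR\b)", re.I | re.M)
B64 = re.compile(rb"base64_(de|en)code\s*\(")  # assumed meaning of "encode 64 calls"

def scan(root):
    """Return sorted (check, relative_path) pairs that deserve a manual look."""
    findings = []
    for path in filter(Path.is_file, Path(root).rglob("*")):
        rel, name = path.relative_to(root).as_posix(), path.name.lower()
        data = path.read_bytes()
        if name == ".htaccess":
            if "/" in rel:  # the copy at the site root is expected
                findings.append(("extra_htaccess", rel))
            if REDIRECT.search(data):
                findings.append(("htaccess_redirect", rel))
        elif name.startswith("."):
            findings.append(("hidden_file", rel))
        if any(fnmatch.fnmatch(name, p) for p in PATTERNS):
            findings.append(("pattern_match", rel))
        if name.endswith(".php"):
            if rel.startswith("wp-content/uploads/"):
                findings.append(("php_in_uploads", rel))
            if B64.search(data):
                findings.append(("base64_call", rel))
    return sorted(findings)

def build_sample_tree(root):
    sample = {  # constructed sample install: one expected file, four to review
        ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
        "wp-content/themes/demo/.htaccess": "Redirect 301 / http://example.invalid/\n",
        "wp-content/themes/demo/footer.old.php": "<?php echo 'links';\n",
        "wp-content/uploads/2010/09/img.php": "<?php $s = base64_decode('aGk=');\n",
        "wp-includes/.cache": "placeholder\n",
    }
    for rel, body in sample.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan(tmp), sep="\n")
```

A hit is a prompt to open the file, not a verdict: plugins legitimately ship .HTACCESS files, and base64 calls appear in ordinary code as well.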
Will WP-MalWatch scans impact the performance of my blog?
We tested WP-MalWatch on one of our blogs while there were over 2,000 active users online. We were impressed with its performance and the fact that it didn't impact server performance. If you see something different with your hosting, report it to us but we can assure you we paid close attention to the efficiency of scanning in this plugin.
If my blog is clean, should I leave WP-MalWatch installed?
YES! It only runs once per night and is very efficient. Leave this plugin installed. You can turn modules on/off as well.
WP-MalWatch Features:
Requires: 2.9.0 or higher
Compatible up to: 3.0.0
Last Updated: 2010-9-1
Downloads: 25,272




