Find Out if You’re Hacked: How to Find and Delete Suspicious Code with Defender

Detecting suspicious code within a site isn’t always that simple and can easily go unnoticed. Thankfully, our 5-star Defender plugin is well equipped to find malware, let you know about it, and eliminate it with brute force. See how it’s done in this tutorial.

Looking for a convenient and hassle-free way to locate and delete suspicious code from your sites?

In this tutorial we’re showing you, step-by-step, how Defender‘s vast suite of security features can help banish and keep suspicious code at bay.

You’ll also learn how to keep your sites protected from these kinds of issues going forward.

For reference, here are the 7 talking points we’ll be covering (feel free to jump to any specific section!):

  1. How to Scan Your Site for Malicious Code
  2. Deleting and Ignoring Issues
  3. Taking Care of Issues in Bulk
  4. Watching Out for False Positives
  5. Control Which Files To Scan With ‘Scan Types’
  6. Notifications of Suspicious Activities
  7. How to Schedule Regular Scans of Your Site

Let’s get into it.

1. Start By Scanning Your Site for Malicious Code

Scanning your site for malicious code can be achieved through Defender’s dashboard under Malware Scanning. Here, you can see when your last scan was, any issues, and more.

The New Scan button kicks things off. Defender will then scan your WordPress core files for any suspicious code modifications or additions.

Where to click for a new scan.

Once started, it generally only takes a few moments, depending on the size of your site.

The status of the scan in Defender.

Defender discloses the exact issue(s) and tells you what they are under the Issues tab.

Issues that were spotted.

From here, you’ll see a dropdown of each issue to get specific information, including:

  • Issue Details: Consists of a brief explanation of the issue.
  • Error: Showcases a snippet of the suspicious code.
Example of suspicious code.
  • Location: The file path where the issue was found.
  • Size: The size of the suspicious file.
  • Date Added: Displays the date and time that the code was added to the WordPress site.

You can also perform additional scanning with Defender Pro. In this case, the other areas that will be scanned for vulnerabilities and suspicious code include:

Plugins & Themes: Plugins and themes will be scanned for known, publicly-reported vulnerabilities.

Suspicious Code: This takes scanning up a level by scanning all site files for suspicious PHP functions and code.

The two new searches with Defender Pro: Plugins & themes and Suspicious code.

The results are then organized by WordPress core, Plugins & themes, and Suspicious code.

2. Delete or Ignore Detected Issues

Defender makes getting rid of suspicious code as easy as possible. We’re literally talking one-click.

To get rid of the issue immediately, the Delete button is all that needs to be hit.

With one click, you can delete the suspicious code with Defender.

With that, the code will be deleted.

There’s also an option to Ignore an issue if you would like to remove a specific issue from the Issues tab.

Once you do this, they’ll no longer appear in the Issues tab, but will be moved to the Ignored tab.

One note of caution: It’s strongly recommended to be 100% certain that something is harmless before deleting and/or ignoring it. You can ask our 24/7 WordPress experts at WPMU DEV using live support to find out if you’re unsure or need advice.

3. Resolve Multiple Issues in Bulk

If you have multiple issues, you can bulk action the items by selecting either Bulk Update or Ignore in the dropdown.

Bulk action area.

If you click Bulk Update, all the issues will be removed.

As previously described, any issues that are ignored show up in the Ignored tab and will no longer be identified as issues by Defender.

You can always restore them back to the Issues area with the Restore button, or by performing a bulk action on all the issues.

Restore button.

4. Minimize The Chance of False Positives Occurring

WordPress allows for a vast amount of customization, and this can lead to legitimate code being flagged as suspicious due to its resemblance to malicious code.

This can happen for various reasons, including a function being modified by a plugin or theme, or something being modified directly in the file or theme editor.

Luckily, Defender was designed to minimize false positives. However, malicious code is typically written to resemble legitimate code, so false positives are almost impossible to avoid completely.

To help verify suspicious code, here are a couple of steps you can take:

  1. Verify custom edits: Check with a developer to verify the questionable code.
  2. Contact our support: If you didn’t add the code, and you’re certain no one you know did either, feel free to contact WPMU DEV support for feedback and share what you’ve found to be malicious code.
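Why legitimate code gets flagged can be seen with a small name-based scanner. This is an added example, not Defender's detection logic: the function list, the `scan` and `triage` helpers and the three PHP samples are constructed for illustration.

```python
import re

# PHP function names a simple scanner might treat as suspicious (assumed list).
SUSPICIOUS = ("eval", "base64_decode", "gzinflate", "str_rot13", "assert")
DECODERS = {"base64_decode", "gzinflate", "str_rot13"}
# Match a bare call such as eval( but not my_eval(, $obj->eval( or Foo::eval(.
CALL = re.compile(r"(?<![\w>$:])(" + "|".join(SUSPICIOUS) + r")\s*\(")


def scan(source: str) -> list:
    """Return (line number, function name) for every suspicious-looking call."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALL.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def triage(hits: list) -> str:
    """Rank a file: decode-then-execute is 'high', any other hit needs review."""
    names = {name for _, name in hits}
    if "eval" in names and names & DECODERS:
        return "high"
    return "review" if names else "clean"


# Constructed samples. The first has the decode-then-execute shape, with a
# placeholder instead of a payload; the second is ordinary theme code.
INJECTED = "<?php\n$p = 'PLACEHOLDER';\neval(base64_decode($p));\n"
LEGIT = (
    "<?php\n"
    "// Logo is stored base64-encoded in the options table\n"
    "$logo = base64_decode(get_option('mytheme_logo_b64'));\n"
    "echo '<img src=\"data:image/png;base64,' . base64_encode($logo) . '\">';\n"
)
PLAIN = "<?php\necho get_bloginfo('name');\n"

if __name__ == "__main__":
    for label, sample in (("injected", INJECTED), ("legit", LEGIT), ("plain", PLAIN)):
        found = scan(sample)
        print(label, triage(found), found)
```

The theme file is reported even though it does nothing harmful, which is the case the verification steps above are meant to settle before anything is deleted or ignored.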

5. Control Which Files You Scan With ‘Scan Types’

To track down malicious code, you can control what files are scanned in the Scan Types area.

It’s all done with a simple click in Settings. With Defender, the scan type you can turn on and off is WordPress core, using its switch.

This is also where you can set the maximum file size to scan, entered in MB, so that Defender skips larger files.

Defender basic settings.

6. Enable Notifications of Suspicious Activity For Even More Assurance

Setting up notifications is a snap in the Malware Scanning Notifications section.

Here, you can switch notifications “on” to be notified when a manual file scan has finished.

Where you can enable notifications.

Once you’ve done this, you have several options for tweaking your settings, such as sending notifications when no issues are found and choosing which recipients’ email addresses receive them.

Area to further set up notifications.

Plus, you can edit the email templates of your notifications for when issues are found and when they’re not.

Clicking the pencil will allow for customization.

Finally, you can customize the wording and information accordingly.

Email template that can be edited however you’d like.

Just like that you have customized notifications.

7. Schedule Automated Site Scans

Another handy option that comes with Defender (Pro only) is the ability to run automated site scans.

This simple adjustment can be made through the Enable Reporting feature. Simply click “on” and you’ll be in business.

Enable reporting section.

From this point, you can set options such as the email addresses to send notifications to, the frequency, the day of the week, and the time of day that the report will be sent.

Where you’ll change the report settings.

Defender’s customized report is created and set up exactly how you want and you (and any added recipients) will be emailed the results.

Finding and Deleting Suspicious Code Just Got Easier With Defender

As you can see, suspicious code is no match for Defender and it really just takes one click to remove.

Beyond finding malicious code and the ability to delete it, Defender can stop SQL injections, prevent hackers from exploiting WordPress vulnerabilities, prevent PHP execution, and much more.

To learn more about WordPress security, check out our Ultimate Guide to WordPress Security. And for more information on how Defender works, be sure to view the plugin’s documentation.
