WordPress is a great CMS, but like all things digital, it can have some security flaws. We’ve covered common and uncommon-sense steps that you can take to prevent and fix hacking in the past, and we’re always on the lookout for new tools. We’ve recently found ourselves using a new plugin that makes fixing hacks dramatically easier.
It’s called WordPress Exploit Scanner (WEP), and we recommend it for personal and professional use. It’s very easy to run, and there aren’t a lot of confusing options up front, either. Simply install it and it’ll pop up in your Tools menu. Select it there and click “Run the Scan”. WEP crawls through your website looking for bits of potentially malicious code. Once it finds them, you can investigate further (the plugin doesn’t remove anything) and clean the code where it sits.
The plugin’s author, Donncha O Caoimh, explains the need for such a tool these days:
The database can also be used to hide content or be used to run code. Spam links are sometimes added to blog posts and comments. They’re hidden by CSS so visitors don’t see them, but search engines do. Recently, hackers took advantage of the WP plugin system to run their own malicious code. They uploaded files with the extensions of image files and added them to the list of active plugins. So, despite the fact that the file didn’t have a .php file extension, the code in them was still able to run!
We should add that WordPress Exploit Scanner is, by design, extra cautious. On a sweep of our site, we found numerous false positives, and even then, it could have missed something. No scanner is perfect, but WordPress Exploit Scanner represents an easy-to-use and helpful tool that can help you get more familiar with your site’s security. As always, Spotted Koi is here to help.